Cloudflare disclosed a 25-minute BGP route leak that affected IPv6 traffic, causing measurable congestion, packet loss, and roughly 12 Gbps of dropped traffic. The incident was triggered by an accidental router policy misconfiguration that exported internal IPv6 routes externally (a mixture of Type 3 and Type 4 route leaks under RFC 7908), and Cloudflare reverted the change within 25 minutes while planning safeguards.
Key points
- A 25-minute BGP route leak impacted IPv6 traffic, producing congestion, packet loss, and about 12 Gbps of dropped traffic.
- The root cause was an accidental policy change that removed prefix filters and made the export policy overly permissive.
- Cloudflare classified the event as a mixture of Type 3 and Type 4 route leaks per RFC 7908, violating valley-free routing rules.
- The leak affected external networks beyond Cloudflare customers, causing suboptimal paths or complete traffic drops when filters discarded unexpected providers.
- Cloudflare reverted the configuration, paused automation, and proposed safeguards including stricter community-based exports, CI/CD policy checks, improved detection, RFC 9234 validation, and RPKI ASPA adoption.
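
A sketch of the kind of CI/CD policy check listed above, as an added example (not Cloudflare's code or configuration): it evaluates an export policy against test routes and reports any RFC 7908 leak, covering Types 1 and 2 as well as the Types 3 and 4 named here. The policy model (`Route`, `Term`), the community value and the prefixes are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 7908 leak type, keyed by (relationship the route was learned from,
# relationship of the neighbor it is being exported to).
LEAK_TYPES = {
    ("provider", "provider"): 1,  # hairpin turn with full prefix
    ("peer", "peer"): 2,          # lateral ISP-ISP-ISP leak
    ("provider", "peer"): 3,      # transit-provider prefixes to peer
    ("peer", "provider"): 4,      # peer prefixes to transit provider
}

@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str                # "own", "customer", "peer" or "provider"
    communities: frozenset = frozenset()

@dataclass(frozen=True)
class Term:                          # hypothetical export-policy term
    action: str                      # "accept" or "reject"
    community: Optional[str] = None  # None matches every route

def exports(policy, route):
    """First matching term decides; no match means reject."""
    for term in policy:
        if term.community is None or term.community in route.communities:
            return term.action == "accept"
    return False

def check_export_policy(policy, neighbor_rel, routes):
    """Return (prefix, RFC 7908 type) for every route the policy would leak."""
    return [(r.prefix, LEAK_TYPES[(r.learned_from, neighbor_rel)])
            for r in routes
            if (r.learned_from, neighbor_rel) in LEAK_TYPES and exports(policy, r)]

# Constructed sample data: documentation prefixes and a made-up community.
EXPORTABLE = "64500:100"
ROUTES = [
    Route("2001:db8:1::/48", "own", frozenset({EXPORTABLE})),
    Route("2001:db8:2::/48", "customer", frozenset({EXPORTABLE})),
    Route("2001:db8:3::/48", "provider"),
    Route("2001:db8:4::/48", "peer"),
]
STRICT = [Term("accept", EXPORTABLE), Term("reject")]  # community-based export
PERMISSIVE = [Term("accept")]        # models an export term with its filter removed

if __name__ == "__main__":
    for rel in ("peer", "provider"):
        print(rel, check_export_policy(PERMISSIVE, rel, ROUTES))
```

A pipeline would fail the change whenever `check_export_policy` returns a non-empty list for any peer or provider session.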