CONCEPT Cited by 1 source
Hairpin route leak (Type 1)¶
A Type 1 hairpin route leak (per RFC 7908) is the most common and simplest route-leak shape: a multi-homed customer takes routes from one of its providers and re-advertises them to its other provider.
Shape¶
Normal flow: origin → leaker → provider A or provider B → rest of the Internet.
Hairpin leak: provider B suddenly receives a path like
B → leaker → A → ... → origin when provider B expected to
reach origin through its own transit cone, not through its
customer and across to a competing provider.
Why it's called "hairpin"¶
The leaked path "hairpins" through the leaker — traffic comes in from provider B, bounces through the leaker AS, and exits to provider A (or vice versa). The leaker becomes an accidental transit network for the two providers, often at capacity it wasn't sized for.
Consequences¶
- Performance: traffic takes a longer, narrower path.
- Capacity: the leaker AS — which is a smaller network than its providers by construction — gets flooded with transit traffic.
- Opportunity for interception: if the leaker is malicious, they now see traffic that would normally flow directly between the two providers. (Not the case in the Cloudflare Venezuela event, per the post's analysis.)
Example from the Venezuela post¶
- Leaker: AS8048 (CANTV)
- Origin (customer of leaker): AS21980 (Dayco Telecom)
- Provider side 1 (routes taken from): AS6762 (Sparkle)
- Provider side 2 (routes leaked to): AS52320 (V.tal GlobeNet)
Resulting observed paths include
52320, 8048 (x9), 23520, 1299, 269832, 21980 — a textbook
Type 1 hairpin.
Why it violates valley-free routing¶
Per valley-free routing: the
leaked path ascends 52320 → 8048 (customer), then ascends
again 8048 → 6762 (customer) — two up-steps without an
intervening flat or descent. That is the "valley" violation.
Seen in¶
- sources/2026-01-08-cloudflare-a-closer-look-at-a-bgp-anomaly-in-venezuela — the canonical wiki example; Cloudflare's Radar page diagrams the shape directly.