CloudFlare issues?

Sandra Murphy sandy at tislabs.com
Fri Jul 5 18:46:23 UTC 2019


Martijn - i3D.net is not in the list Job posted yesterday of RPKI ROV deployment.  Your message below hints that you may be using RPKI.  Are you doing ROV?  (You may be in the “hundreds of others” category.)

—Sandy

Begin forwarded message:

From: Job Snijders <job at ntt.net>
Subject: Re: CloudFlare issues?
Date: July 4, 2019 at 11:33:57 AM EDT
To: Francois Lecavalier <Francois.Lecavalier at mindgeek.com>
Cc: "nanog at nanog.org" <nanog at nanog.org>

I believe at this point in time it is safe to accept valid and unknown
(combined with an IRR filter), and reject RPKI invalid BGP announcements
at your EBGP borders. Large examples of other organisations who already
are rejecting invalid announcements are AT&T, Nordunet, DE-CIX, YYCIX,
XS4ALL, MSK-IX, INEX, France-IX, Seacomm, Workonline, KPN International,
and hundreds of others.



> On Jul 4, 2019, at 5:56 AM, i3D.net - Martijn Schmidt via NANOG <nanog at nanog.org> wrote:
> 
> So that means it's time for everyone to migrate their ARIN resources to a sane RIR that does allow normal access to and redistribution of its RPKI TAL? ;-)
> 
> The RPKI TAL problem + an industry-standard IRRDB instead of WHOIS-RWS were both major reasons for us to bring our ARIN IPv4 address space to RIPE. Unfortunately we had to renumber our handful of IPv6 customers because ARIN doesn't do IPv6 inter-RIR transfers, but hey, no pain no gain.
> 
> Therefore, Cloudflare folks - when are you transferring your resources away from ARIN? :D
> 
> Best regards,
> Martijn
> 
> On 7/4/19 11:46 AM, Mark Tinka wrote:
>> I finally thought about this after I got off my beer high :-).
>> 
>> Some of our customers complained about losing access to Cloudflare's resources during the Verizon debacle. Since we are doing ROV and dropping Invalids, this should not have happened, given most of Cloudflare's IPv4 and IPv6 routes are ROA'd.
>> 
>> However, since we are not using the ARIN TAL (for known reasons), this explains why this also broke for us.
>> 
>> Back to beer now :-)...
>> 
>> Mark.
> 
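
The policy in the forwarded message (accept valid and unknown, reject invalid) and the missing-TAL effect described in the quoted reply can be seen in a small RFC 6811 origin-validation sketch. This is an added example, not code from any poster in the thread; the prefixes and ASNs are constructed documentation values, and the function names `validate` and `accept` are hypothetical.

```python
# Added example: RFC 6811 route origin validation over constructed VRPs.
# Prefixes and ASNs are documentation values; the TAL labels mirror the thread.
from ipaddress import ip_network

# (tal, prefix, max_length, origin_asn) -- constructed sample data
VRPS = [
    ("arin", "192.0.2.0/24", 24, 64496),
    ("ripe", "198.51.100.0/24", 24, 64497),
]

def validate(prefix, origin_asn, vrps, tals):
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 NotFound)."""
    route = ip_network(prefix)
    covered = False
    for tal, vrp_prefix, max_len, asn in vrps:
        if tal not in tals:
            continue  # ROAs under a TAL we do not load are invisible to us
        vrp = ip_network(vrp_prefix)
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_len and asn == origin_asn and asn != 0:
            return "valid"
    return "invalid" if covered else "unknown"

def accept(prefix, origin_asn, vrps, tals):
    """Policy from the thread: accept valid and unknown, reject invalid."""
    return validate(prefix, origin_asn, vrps, tals) != "invalid"

if __name__ == "__main__":
    leak = ("192.0.2.0/25", 64511)  # constructed more-specific, wrong origin
    for tals in ({"arin", "ripe"}, {"ripe"}):
        state = validate(*leak, VRPS, tals)
        verdict = "accept" if accept(*leak, VRPS, tals) else "reject"
        print(sorted(tals), state, verdict)
```

With both TALs loaded the constructed route is invalid and dropped; with the "arin" TAL absent the same route has no covering VRP, falls to unknown, and is accepted.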



