Cloudflare OCTO RPKI Validator - LACNIC CAs issues

Colin McIntosh nanog at
Fri Apr 23 00:31:49 UTC 2021

> Does anybody else have problems with Cloudflare's RPKI Validator with
prefixes from LACNIC?

We (Netflix) briefly saw Cloudflare's public instance of OctoRPKI missing
some ~13,000 ROAs on 2021-03-24 at ~12:30pm PT while our internal instance
of OctoRPKI had a complete list. Upon comparing the two lists Cloudflare's
instance seemed to be missing ROAs from only LACNIC so I'm thinking we saw
the same issue that you did.

I haven't had a chance to really look into it and AFAIK we haven't noticed
the issue since but my guess for what's happening is that OctoRPKI hits an
error while downloading the ROAs from LACNIC but then continues to collect
ROAs from the other RIRs resulting in an incomplete list. This seems to be
the case from a quick glance at the code:

This could probably be changed to instead break out of that loop and
propagate the error up to the main loop to let it continue without building
an incomplete ROA list, but that's just a quick guess... it's possible that
it's built this way for a reason or there may be a better way to handle
that failure mode.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list