nanog mailing list archives

Re: CloudFlare issues?

From: Job Snijders <job () ntt net>
Date: Thu, 4 Jul 2019 17:33:57 +0200

Dear Francois,

On Thu, Jul 04, 2019 at 03:22:23PM +0000, Francois Lecavalier wrote:

Following that Verizon debacle I got onboard with ROV, after a couple
research I stopped my choice on the ....drum roll.... CloudFlare GoRTR
(https://github.com/cloudflare/gortr).  If you trust them enough they
provide an updated JSON every 15 minutes of the global RIR aggregate.


At this point in time I think the ideal deployment model is to perform
the validation within your administrative domain and run your own
validators. You can combine routinator with gortr, or use cloudflare's
octorpki software https://github.com/cloudflare/cfrpki

I'll see down the road if we'll fetch them ourselves but at least it
got us up and running in less than an hour.  It was also easy for us
to deploy as the routers and the servers are on the same PoP directly
connected, so we don't need the whole encryption recipe they provide
for mass distribution.


yeah, that is true!

But I also have a question for all the ROA folks out there.  So far we
are not taking any action other than lowering the local-pref - we want
to make sure this is stable before we start denying prefixes.  So the
question, is it safe as of this date to : 1.Accept valid, 2. Accept
unknown, 3. Reject invalid?  Have any large network who implemented it
dealt with unreachable destinations?  I'm wondering as I haven't found
any blog mentioning anything in this regard and ClouFlare docs only
shows example for valid and invalid, but nothing for unknown.


I believe at this point in time it is safe to accept valid and unknown
(combined with an IRR filter), and reject RPKI invalid BGP announcements
at your EBGP borders. Large examples of other organisations who already
are rejecting invalid announcements are AT&T, Nordunet, DE-CIX, YYCIX,
XS4ALL, MSK-IX, INEX, France-IX, Seacomm, Workonline, KPN International,
and hundreds of others.

You can run an analysis yourself to see how traffic would be impacted in
your network using pmacct or Kentik, see this post for more info:
https://mailman.nanog.org/pipermail/nanog/2019-February/099522.html

My assumption is that 1.Accept valid, 2. Accept unknown, 3. Reject
invalid shouldn't break anything.


Correct! Let us know how it went :-)

Kind regards,

Job

Current thread:

Re: CloudFlare issues? Mark Tinka (Jul 04)
- Re: CloudFlare issues? i3D.net - Martijn Schmidt via NANOG (Jul 04)
  - Re: CloudFlare issues? Sandra Murphy (Jul 05)
    - Re: CloudFlare issues? i3D.net - Martijn Schmidt via NANOG (Jul 05)
- Re: CloudFlare issues? Brett Frankenberger (Jul 06)
  - Re: CloudFlare issues? Matt Corallo (Jul 06)
    - Re: CloudFlare issues? Matt Corallo (Jul 06)
    - Re: CloudFlare issues? Mark Tinka (Jul 07)
  - Re: CloudFlare issues? Mark Tinka (Jul 07)
- <Possible follow-ups>
- Re: CloudFlare issues? Francois Lecavalier (Jul 04)
  - Re: CloudFlare issues? Job Snijders (Jul 04)
    - Re: CloudFlare issues? Ben Maddison via NANOG (Jul 04)
    - Re: CloudFlare issues? Mark Tinka (Jul 04)
    - RE: CloudFlare issues? Francois Lecavalier (Jul 04)
    - Re: CloudFlare issues? Ben Maddison via NANOG (Jul 04)
    - Re: CloudFlare issues? Job Snijders (Jul 04)
    - Re: CloudFlare issues? Job Snijders (Jul 04)
    - Re: CloudFlare issues? Mark Tinka (Jul 04)
    - Re: CloudFlare issues? Mark Tinka (Jul 04)
    - Re: CloudFlare issues? Mark Tinka (Jul 04)
  - Re: CloudFlare issues? Mark Tinka (Jul 04)

(Thread continues...)