nanog mailing list archives

Re: CloudFlare issues?


From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 7 Jul 2019 19:15:11 +0200



On 6/Jul/19 22:05, Brett Frankenberger wrote:

These were more-specifics, though.  So if you drop all the
more-specifics as failing ROV, then you end up following the valid
shorter prefix to the destination.

I can't quite recall which Cloudflare prefixes were impacted. If you
have a sniff at https://bgp.he.net/AS13335#_prefixes and
https://bgp.he.net/AS13335#_prefixes6 you will see that Cloudflare have
a larger portion of their IPv6 prefixes ROA'd than the IPv4 ones. If you
remember which Cloudflare prefixes were affected by the Verizon debacle,
we can have a closer look.


  Quite possibly that points at the
upstream which sent you the more-specific which you rejected, at which
point your packets end up going to the same place they would have
gone if you had accepted the invalid more-specific.

But that's my point... we did not have the chance to drop any of the
affected Cloudflare prefixes because we do not use the ARIN TAL.

That means that we are currently ignoring the RPKI value of Cloudflare's
prefixes that are under ARIN.

Also, AFAICT, none of our current upstreams are doing ROV. You can see
that list here:

    https://bgp.he.net/AS37100#_graph4

Mark.
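
An added illustration of the behaviour discussed in this message, not code from the thread or from any operator mentioned: RFC 6811 origin validation over a constructed ROA set, showing that a leaked more-specific is dropped (and traffic falls back to the valid covering prefix) only when the trust anchor holding the covering ROA is loaded. The prefixes, AS numbers and function names are assumptions made for the example.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (trust anchor, prefix, max length, origin AS).
# Documentation prefixes and ASNs, not real routing data.
VRPS = [
    ("ARIN", "198.51.100.0/24", 24, 64496),
    ("RIPE", "203.0.113.0/24", 24, 64497),
]

# Constructed RIB: the legitimate /24 plus a leaked more-specific /25 from another AS.
RIB = [("198.51.100.0/24", 64496), ("198.51.100.0/25", 64511)]


def rov_state(prefix, origin_as, tals):
    """RFC 6811 origin validation using only VRPs from the enabled TALs."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for tal, vrp_prefix, max_len, vrp_as in VRPS:
        if tal not in tals:
            continue  # TAL not loaded: its ROAs are invisible to this validator
        vrp = ipaddress.ip_network(vrp_prefix)
        if route.version == vrp.version and route.subnet_of(vrp):
            covered = True
            if route.prefixlen <= max_len and origin_as == vrp_as:
                return "valid"
    # Covered by a VRP but no match: invalid. No covering VRP at all: not-found.
    return "invalid" if covered else "not-found"


def best_route(dest, rib, tals):
    """Drop ROV-invalid routes, then longest-prefix match on what remains."""
    addr = ipaddress.ip_address(dest)
    kept = [
        (p, asn) for p, asn in rib
        if rov_state(p, asn, tals) != "invalid" and addr in ipaddress.ip_network(p)
    ]
    return max(kept, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


if __name__ == "__main__":
    for tals in ({"ARIN", "RIPE"}, {"RIPE"}):
        print(sorted(tals),
              rov_state("198.51.100.0/25", 64511, tals),
              best_route("198.51.100.10", RIB, tals))
```

This models only the local route selection; where the covering prefix's next hop then sends the packets depends on what that upstream accepted.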

