Martijn - i3D.net is not in the list Job posted yesterday of RPKI ROV deployment. Your message below hints that you may be using RPKI. Are you doing ROV? (You may be in the “hundreds of others” category.) —Sandy Begin forwarded message: From: Job Snijders <job@ntt.net> Subject: Re: CloudFlare issues? Date: July 4, 2019 at 11:33:57 AM EDT To: Francois Lecavalier <Francois.Lecavalier@mindgeek.com> Cc: "nanog@nanog.org" <nanog@nanog.org> I believe at this point in time it is safe to accept valid and unknown (combined with an IRR filter), and reject RPKI invalid BGP announcements at your EBGP borders. Large examples of other organisations who already are rejecting invalid announcements are AT&T, Nordunet, DE-CIX, YYCIX, XS4ALL, MSK-IX, INEX, France-IX, Seacomm, Workonline, KPN International, and hundreds of others.
On Jul 4, 2019, at 5:56 AM, i3D.net - Martijn Schmidt via NANOG <nanog@nanog.org> wrote:
So that means it's time for everyone to migrate their ARIN resources to a sane RIR that does allow normal access to and redistribution of its RPKI TAL? ;-)
The RPKI TAL problem + an industry-standard IRRDB instead of WHOIS-RWS were both major reasons for us to bring our ARIN IPv4 address space to RIPE. Unfortunately we had to renumber our handful of IPv6 customers because ARIN doesn't do IPv6 inter-RIR transfers, but hey, no pain no gain.
Therefore, Cloudflare folks - when are you transferring your resources away from ARIN? :D
Best regards, Martijn
On 7/4/19 11:46 AM, Mark Tinka wrote:
I finally thought about this after I got off my beer high :-).
Some of our customers complained about losing access to Cloudflare's resources during the Verizon debacle. Since we are doing ROV and dropping Invalids, this should not have happened, given most of Cloudflare's IPv4 and IPv6 routes are ROA'd.
However, since we are not using the ARIN TAL (for known reasons), this explains why this also broke for us.
Back to beer now :-)...
Mark.