On 6/Jul/19 22:05, Brett Frankenberger wrote:
> These were more-specifics, though. So if you drop all the more-specifics as failing ROV, then you end up following the valid shorter prefix to the destination.
I can't quite recall which Cloudflare prefixes were impacted. If you have a sniff at https://bgp.he.net/AS13335#_prefixes and https://bgp.he.net/AS13335#_prefixes6 you will see that Cloudflare have a larger portion of their IPv6 prefixes ROA'd than the IPv4 ones. If you remember which Cloudflare prefixes were affected by the Verizon debacle, we can have a closer look.
> Quite possibly that points at the upstream which sent you the more-specific which you rejected, at which point your packets end up going to the same place they would have gone if you had accepted the invalid more-specific.
But that's my point... we did not have the chance to drop any of the affected Cloudflare prefixes because we do not use the ARIN TAL. That means that we are currently ignoring the RPKI value of Cloudflare's prefixes that are under ARIN. Also, AFAICT, none of our current upstreams are doing ROV. You can see that list here: https://bgp.he.net/AS37100#_graph4

Mark.
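The two situations discussed above (an Invalid more-specific being dropped so traffic follows the covering prefix, versus a relying party that never loaded the ARIN TAL and therefore never sees the ROA) can be worked through with a small RFC 6811 origin-validation routine. The following is an added example, not code from either poster; the prefixes (192.0.2.0/24, 2001:db8::/32) and ASNs (64500, 64501) are documentation and private-use values constructed for the illustration and stand in for nothing real, and the "drop Invalid, accept NotFound" policy is the common default rather than anyone's stated configuration.

```python
"""RFC 6811 origin validation and the effect of a missing TAL (added example).

Constructed scenario: AS64500 originates 192.0.2.0/24 and has a ROA for it
(maxLength 24) that exists only under one TAL. A leaked more-specific
192.0.2.0/25 arrives from AS64501 via a second upstream.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    prefix: object
    origin_asn: int
    next_hop: str


# Validated ROA payloads as a relying-party cache would hand them to the router.
# ROAS_UNDER_ONE_TAL stands in for ROAs that only exist under a TAL the
# operator may or may not have installed (the ARIN TAL in the thread).
ROAS_UNDER_ONE_TAL = [ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500)]
OTHER_ROAS = [ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500)]

# Constructed announcements received from two upstreams.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), 64500, "upstream-A"),  # legitimate
    Route(ipaddress.ip_network("192.0.2.0/25"), 64501, "upstream-B"),  # leaked more-specific
]


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 section 2: NotFound / Valid / Invalid for one announcement."""
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers it at all: RPKI has no opinion
    if any(r.asn == origin_asn and prefix.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"               # covered, but wrong origin or too long


def accepted_routes(routes, roas, drop_invalid=True):
    """Typical ROV policy: reject Invalid, accept Valid and NotFound."""
    out = []
    for rt in routes:
        state = rov_state(rt.prefix, rt.origin_asn, roas)
        if drop_invalid and state == "Invalid":
            continue
        out.append((rt, state))
    return out


def longest_match(fib, address):
    """Forwarding lookup: most specific accepted prefix containing address."""
    addr = ipaddress.ip_address(address)
    best = None
    for rt, _ in fib:
        if rt.prefix.version == addr.version and addr in rt.prefix:
            if best is None or rt.prefix.prefixlen > best.prefix.prefixlen:
                best = rt
    return best


def scenario(tal_loaded):
    """Return (ROV state of the leaked /25, next hop chosen for 192.0.2.10)."""
    roas = OTHER_ROAS + (ROAS_UNDER_ONE_TAL if tal_loaded else [])
    leaked = ROUTES[1]
    state = rov_state(leaked.prefix, leaked.origin_asn, roas)
    fib = accepted_routes(ROUTES, roas)
    return state, longest_match(fib, "192.0.2.10").next_hop


if __name__ == "__main__":
    for loaded in (True, False):
        print("TAL loaded:" if loaded else "TAL missing:", scenario(loaded))
```

With the TAL installed the /25 is Invalid, is dropped, and the lookup falls back to the covering /24 towards upstream-A, which is the behaviour described in the quoted paragraph. Without it the /25 has no covering ROA at all, so it is NotFound rather than Invalid, passes the policy, and wins longest-prefix match towards upstream-B: a relying party that omits a TAL does not merely lose some protection, it classifies those hijacks exactly as it would an unsigned prefix.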