Cloudflare's rpki.json file is missing IPv4 ROAs longer than /24
Greeting,
Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as an alternate source for RPKI-ROA information. We recently discovered that this file omits IPv4 ROAs longer than /24. It would be helpful if it included all ROAs.
Interestingly, Cloudflare’s web-based validator does include longer ROAs: https://rpki.cloudflare.com/?view=validator&validateRoute=1351_209.198.99.64%2F27
Cloudflare, any chance you could include all ROAs in this file?
thanks,
steve
Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu
Looking into this, will message you
On Sep 18, 2024, at 8:21 AM, Steven Wallace <ssw@internet2.edu> wrote:
> Greeting,
> Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as an alternate source for RPKI-ROA information. We recently discovered that this file omits IPv4 ROAs longer than /24. It would be helpful if it included all ROAs.
> Interestingly, Cloudflare’s web-based validator does include longer ROAs: https://rpki.cloudflare.com/?view=validator&validateRoute=1351_209.198.99.64%2F27
> Cloudflare, any chance you could include all ROAs in this file?
> thanks,
> steve
> Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu
On Wed, Sep 18, 2024 at 6:21 AM Steven Wallace <ssw@internet2.edu> wrote:
> Greeting,
> Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as an alternate source for RPKI-ROA information. We recently discovered that this file omits IPv4 ROAs longer than /24. It would be helpful if it included all ROAs.
> Interestingly, Cloudflare’s web-based validator does include longer ROAs:
> https://rpki.cloudflare.com/?view=validator&validateRoute=1351_209.198.99.64%2F27
> Cloudflare, any chance you could include all ROAs in this file?
Cloudflare RPKI data is flawed in a few ways. They say 2001:4870:140::/44 is on the internet, but it is not. I reached out to many folks at Cloudflare many times for months, but they have a bad data issue and choose not to fix it. Long story short, Cloudflare RPKI data is not for production use.
> thanks,
> steve
> Steven Wallace Director - Routing Integrity Internet2 ssw@internet2.edu
On Wed, Sep 18, 2024 at 07:33:37AM -0400, Steven Wallace wrote:
> Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as an alternate source for RPKI-ROA information. We recently discovered that this file omits IPv4 ROAs longer than /24. It would be helpful if it included all ROAs.
Yup, that's a clear bug.
Perhaps a suitable alternative for your application is https://console.rpki-client.org/rpki.json.gz (or rpki.json)
The above file is produced by rpki-client instances and refreshed every few minutes. The backend servers are operated by me.
The file format follows roughly the same JSON format as CF's, but has been extended with per-VRP-specific expiry dates expressed as Unix timestamps.
Kind regards,
Job
On 18 Sep 2024, at 15:48, Job Snijders via NANOG <nanog@nanog.org> wrote:
> On Wed, Sep 18, 2024 at 07:33:37AM -0400, Steven Wallace wrote:
> > Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as an alternate source for RPKI-ROA information. We recently discovered that this file omits IPv4 ROAs longer than /24. It would be helpful if it included all ROAs.
> Yup, that's a clear bug.
> Perhaps a suitable alternative for your application is https://console.rpki-client.org/rpki.json.gz (or rpki.json)
> The above file is produced by rpki-client instances and refreshed every few minutes. The backend servers are operated by me.
> The file format follows roughly the same JSON format as CF's, but has been extended with per-VRP-specific expiry dates expressed as Unix timestamps.
> Kind regards,
> Job
Hi Steve,
Another monitored, production-grade service provided by the RIPE NCC, based on their Routinator instance, is available here: https://rpki-validator.ripe.net/json
Other output formats are available as well; a description of each is available here: https://routinator.docs.nlnetlabs.nl/en/stable/output-formats.html
Cheers,
Alex
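An added example, not part of any message in this thread and not code from Cloudflare, rpki-client or Routinator: a Python check that compares two rpki.json-style exports for IPv4 VRPs longer than /24 missing from one of them, and shows how RFC 6811 origin validation changes when those entries are dropped. The field names (`roas`, `asn`, `prefix`, `maxLength`, `expires`) are an assumed export layout, and the sample data is constructed from documentation prefixes and ASNs.

```python
import ipaddress
import json

# Constructed sample data (documentation prefixes/ASNs), not real ROA exports.
# Assumed layout: {"roas": [{"asn", "prefix", "maxLength", ...}]}; "expires" is
# the per-VRP Unix timestamp described in the thread.
REFERENCE = json.dumps({"roas": [
    {"asn": 64500, "prefix": "192.0.2.0/24", "maxLength": 24, "expires": 1726700000},
    {"asn": 64500, "prefix": "192.0.2.64/27", "maxLength": 27, "expires": 1726700000},
    {"asn": 64501, "prefix": "198.51.100.128/25", "maxLength": 25, "expires": 1726700000},
    {"asn": 64502, "prefix": "2001:db8::/32", "maxLength": 48, "expires": 1726700000},
]})
# Same data with IPv4 entries longer than /24 dropped, ASNs as "AS..." strings.
TRUNCATED = json.dumps({"roas": [
    {"asn": "AS64500", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS64502", "prefix": "2001:db8::/32", "maxLength": 48},
]})

def load_vrps(doc):
    """Parse an export into a set of (asn, network, maxLength) tuples."""
    vrps = set()
    for roa in json.loads(doc)["roas"]:
        asn = int(str(roa["asn"]).upper().removeprefix("AS"))  # "AS64500" or 64500
        net = ipaddress.ip_network(roa["prefix"])
        vrps.add((asn, net, int(roa["maxLength"])))
    return vrps

def validate(vrps, prefix, origin):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for asn, net, max_len in vrps:
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True  # at least one VRP covers this route
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def missing_long_v4(reference, candidate):
    """IPv4 VRPs longer than /24 that the reference has and the candidate lacks."""
    return sorted(v for v in reference - candidate
                  if v[1].version == 4 and v[1].prefixlen > 24)

if __name__ == "__main__":
    ref, cand = load_vrps(REFERENCE), load_vrps(TRUNCATED)
    print("missing:", [str(v[1]) for v in missing_long_v4(ref, cand)])
    print(validate(ref, "192.0.2.64/27", 64500), validate(cand, "192.0.2.64/27", 64500))
```

With the longer entries dropped, a route still covered by a shorter VRP evaluates as invalid, while one with no covering VRP evaluates as not-found.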
participants (5)
- Alex Band
- Bryton Herdes
- Ca By
- Job Snijders
- Steven Wallace