the prefixes that won't be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

Hi,

apparently Cloudflare will be enforcing RPKI route origin validation
"by the end of the year" [1].

https://blog.cloudflare.com/rpki-details/

If this is actually the case then some prefixes run at risk of losing
the ability to reach Cloudflare.

This is a heads-up so you can check if you would be affected,
you can ctrl-f the list of 75 prefixes (ARIN region only)
below for your prefix or ASN.

(data as of 2018-09-19 14:06 UTC)

https://bgp.he.net/net/206.53.202.0/24 (AS11492) that is probably supposed to be invalid (DE-CIX Dallas peering LAN? :)

[1] https://twitter.com/Jerome_UZ/status/1042433414371205120
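
Added example, not part of the original post: a minimal RFC 6811 route origin validation check, which is how a network that drops RPKI-invalid routes would classify an announcement. The VRP table and announcements are constructed from documentation prefixes and reserved ASNs, and the names `VRPS`, `validate` and `affected` are hypothetical; in practice the VRPs would come from a relying-party validator's export.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Documentation prefixes and reserved ASNs only; none of this is data from the post.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),   # second ROA: two authorised origins
    ("2001:db8::/32", 32, 64500),    # maxLength 32: more-specifics are not covered
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route is equal to or inside the VRP prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin, a length within maxLength, and not AS0.
        if vrp_asn == origin_asn and vrp_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: this is what gets dropped.
    return "invalid" if covered else "not-found"

def affected(announcements, vrps=VRPS):
    """Return the announcements a network enforcing ROV would discard."""
    return [(p, asn) for p, asn in announcements if validate(p, asn, vrps) == "invalid"]

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN)
    seen = [
        ("192.0.2.0/24", 64500),      # matches its ROA
        ("192.0.2.0/24", 64502),      # wrong origin AS
        ("2001:db8:1::/48", 64500),   # right origin, longer than maxLength
        ("198.51.100.0/24", 64500),   # no covering ROA at all
    ]
    for prefix, asn in seen:
        print(f"{prefix} AS{asn}: {validate(prefix, asn)}")
    print("would be dropped:", affected(seen))
```

A "not-found" route is unaffected by enforcement; only a route covered by a ROA that does not match its origin or length is discarded, which is why a stale or too-narrow ROA is the thing to fix.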

nusenu wrote :
apparently Cloudflare will be enforcing RPKI route origin validation "by the end of the year" [1].
RPKI and BGP: our path to securing Internet Routing
If this is actually the case then some prefixes run at risk of losing the ability to reach Cloudflare.

This is the way we are going to get people to clean up their invalid prefixes. When people start to actually discard or block them and something breaks.

I still think that ARIN should be contacting them, if they are willing to do it.

Phil Lavin wrote :
That said, having recently done this with ARIN... they've got a long way to go before it's a simple process (like RIPE). Submitting numerous tickets over a 3 day period doesn't strike me as particularly efficient.

I was wondering if this is the reason ARIN is so far behind RIPE in terms of RPKI adoption. I did not find it bad personally, but I could understand that it may discourage people with a large number of prefixes.
There must be something else than the process not being as simple as RIPE's, IMHO.

Michel.

TSI Disclaimer: This message and any files or text attached to it are intended only for the recipients named above and contain information that may be confidential or privileged. If you are not the intended recipient, you must not forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have received this message in error, please notify the sender immediately by replying to this message, and then delete all copies of it from your system. Thank you!...

Note to self… It’s better not to do RPKI than to do it badly.

Owen

Owen DeLong wrote :
Note to self… It’s better not to do RPKI than to do it badly.

Not worse than IRR entries or SSL certificates. If you mess it up, resource will go down.

Michel.


Yep… It’s also better not to do SSL or IRR entries than to do it badly. Agreed.

Owen