Follow-up on Cloudflare RPKI deployment

Jérôme Fleury jf at cloudflare.com
Wed Nov 28 15:34:11 EST 2018


Hi everyone,

a quick follow-up on RPKI deployment at Cloudflare.

Most of our Anycast routes, including DNS, are signed.

We are slowly rolling out RPKI validation in all our PoPs, 44 as of today
(see https://twitter.com/Jerome_UZ/status/1067586674090172416) with the
objective of having 90% of our PoPs doing validation by the end of the
year. The current limitation for the remaining 10% is Arista EOS, which does not
support RTR natively, so we'll have to code our own stuff.

We use our own lightweight RTR software to talk to routers:
https://github.com/cloudflare/gortr
And we pull data from our CDN (https://rpki.cloudflare.com/rpki.json).

We do invalid=reject on all peering sessions, and we'll follow up with
transits in 2019Q1.

It's important to clarify that we're still keeping default routes to our
transits, we're not creating blackholes.

Let us know if you have any questions!
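
The invalid=reject policy with a retained default route, as an added example that is not part of the original message or Cloudflare's code: RFC 6811 origin validation over a constructed VRP list, followed by a longest-prefix lookup. The JSON keys (`roas`, `prefix`, `maxLength`, `asn`), the peer names, and the documentation prefixes and ASNs are assumptions for illustration.

```python
import ipaddress

# Constructed VRP export; key names are assumed, prefixes/ASNs are documentation values.
SAMPLE_EXPORT = {"roas": [
    {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64500"},
    {"prefix": "198.51.100.0/24", "maxLength": 25, "asn": "AS64501"},
]}

def load_vrps(export):
    """Turn the export into (network, max_length, origin_asn) tuples."""
    return [(ipaddress.ip_network(r["prefix"]), int(r["maxLength"]),
             int(str(r["asn"]).upper().replace("AS", "")))
            for r in export["roas"]]

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        if net.version != route.version or not route.subnet_of(net):
            continue  # this VRP does not cover the route
        covered = True
        # AS0 VRPs never match, they only mark a prefix as not to be routed
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def build_rib(announcements, vrps):
    """invalid=reject on peer routes; the transit default route stays in place."""
    rib = {ipaddress.ip_network("0.0.0.0/0"): "transit-default"}
    for prefix, origin_asn, peer in announcements:
        if validate(prefix, origin_asn, vrps) != "invalid":
            rib[ipaddress.ip_network(prefix)] = peer
    return rib

def next_hop(dest, rib):
    """Longest-prefix match (IPv4 only in this sample RIB)."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in rib if n.version == addr.version and addr in n]
    return rib[max(matches, key=lambda n: n.prefixlen)]

if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_EXPORT)
    peers = [("192.0.2.0/24", 64502, "peer-A"),       # wrong origin
             ("198.51.100.128/26", 64501, "peer-A"),  # longer than maxLength
             ("198.51.100.0/25", 64501, "peer-B"),    # matches a VRP
             ("203.0.113.0/24", 64502, "peer-B")]     # no covering VRP
    rib = build_rib(peers, vrps)
    for prefix, asn, _ in peers:
        print(prefix, asn, validate(prefix, asn, vrps))
    print(next_hop("192.0.2.10", rib), next_hop("203.0.113.5", rib))
```
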


More information about the RPKI-Deployers mailing list