Re: CloudFlare issues?

2019-07-04 Thread Job Snijders
> Anyway, you can now enjoy https://rpki.net/s/rpki-test even more! :-)
my apologies, I fumbled the ball on typing in that URL, I intended to point here: https://www.ripe.net/s/rpki-test

Re: CloudFlare issues?

2019-07-04 Thread Mark Tinka
On 4/Jul/19 20:46, Francois Lecavalier wrote:
> It's been close to 3 hours now since I dropped them - radio silence.
>
> Whoever fears implementing RPKI/ROA/ROV, simply don't. It's very easy to
> implement, validate and troubleshoot.
Well done! Congrats!
Mark.

Re: CloudFlare issues?

2019-07-04 Thread Job Snijders
On Thu, Jul 4, 2019 at 8:46 PM Francois Lecavalier wrote:
> It's been close to 3 hours now since I dropped them - radio silence.
I am going to assume that "radio silence" for you means that your network is fully functional and none of your customers have raised issues! :-)
> Whoever fears

Re: CloudFlare issues?

2019-07-04 Thread Ben Maddison via NANOG
Welcome to the club!
From: Francois Lecavalier
Sent: Thursday, July 4, 2019 8:46:46 PM
To: Ben Maddison; j...@ntt.net
Cc: nanog@nanog.org
Subject: RE: CloudFlare issues?
>> At this point in time I think the ideal

RE: CloudFlare issues?

2019-07-04 Thread Francois Lecavalier
>> At this point in time I think the ideal deployment model is to perform
>> the validation within your administrative domain and run your own
>> validators.
>+1
We'll definitely look into this shortly. I definitely don't want to leave a security measure in the end of a third party but with my

Real-world MPLS P/LSR experience on BCM T3 (X5/X7) vs T2+

2019-07-04 Thread Jason Lixfeld
Hey all, In the role of an MPLS P/LSR, I’m curious if there have been any gotchas (or fixes) revealed with BCM T3 vs. T2+. I remember reading somewhere some years ago that there were oddities on the T2+ that I’d like to believe have been addressed on T3, but does anyone have any real-world

Re: CloudFlare issues?

2019-07-04 Thread Mark Tinka
On 4/Jul/19 17:50, Ben Maddison via NANOG wrote:
> We have been dropping Invalids since April, and have had only a
> (single-digit) handful of support requests related to those becoming
> unreachable.
We've had 2 cases where customers could not reach a prefix. Both were mistakes (as we've

Re: CloudFlare issues?

2019-07-04 Thread Mark Tinka
On 4/Jul/19 17:33, Job Snijders wrote:
> At this point in time I think the ideal deployment model is to perform
> the validation within your administrative domain and run your own
> validators.
In essence, this is also my thought process. I think Cloudflare are very well-intentioned in

Re: CloudFlare issues?

2019-07-04 Thread Nick Hilliard
Francois Lecavalier wrote on 04/07/2019 16:22:
> My assumption is that 1. Accept valid, 2. Accept unknown, 3. Reject invalid shouldn’t break anything.
Accepting valid ROAs is a better idea after checking that the source AS is legitimate from the peer.
Nick

Re: CloudFlare issues?

2019-07-04 Thread Mark Tinka
On 4/Jul/19 17:22, Francois Lecavalier wrote:
> Following that Verizon debacle I got onboard with ROV, after a couple
> research I stopped my choice on the ….drum roll…. CloudFlare GoRTR
> (https://github.com/cloudflare/gortr). If you trust them enough they
> provide an updated JSON

Re: CloudFlare issues?

2019-07-04 Thread Ben Maddison via NANOG
Hi Francois,
On Thu, 2019-07-04 at 17:33 +0200, Job Snijders wrote:
> Dear Francois,
>
> On Thu, Jul 04, 2019 at 03:22:23PM +, Francois Lecavalier wrote:
> >
> At this point in time I think the ideal deployment model is to perform
> the validation within your administrative domain and run

Re: CloudFlare issues?

2019-07-04 Thread Job Snijders
Dear Francois,
On Thu, Jul 04, 2019 at 03:22:23PM +, Francois Lecavalier wrote:
> Following that Verizon debacle I got onboard with ROV, after a couple
> research I stopped my choice on the drum roll CloudFlare GoRTR
> (https://github.com/cloudflare/gortr). If you trust them enough

Re: CloudFlare issues?

2019-07-04 Thread Francois Lecavalier
Hi Mark, Following that Verizon debacle I got onboard with ROV, after a couple research I stopped my choice on the drum roll CloudFlare GoRTR (https://github.com/cloudflare/gortr). If you trust them enough they provide an updated JSON every 15 minutes of the global RIR aggregate.

Re: CloudFlare issues?

2019-07-04 Thread i3D.net - Martijn Schmidt via NANOG
So that means it's time for everyone to migrate their ARIN resources to a sane RIR that does allow normal access to and redistribution of its RPKI TAL? ;-) The RPKI TAL problem + an industry-standard IRRDB instead of WHOIS-RWS were both major reasons for us to bring our ARIN IPv4 address space

Re: CloudFlare issues?

2019-07-04 Thread Mark Tinka
I finally thought about this after I got off my beer high :-). Some of our customers complained about losing access to Cloudflare's resources during the Verizon debacle. Since we are doing ROV and dropping Invalids, this should not have happened, given most of Cloudflare's IPv4 and IPv6 routes