Supporting Routing Security with Local Copies: Cloudflare’s Experience

Global content delivery network Cloudflare is another organization that is performing route origin validation and providing services in Latin America and the Caribbean with local copies of content hosted on geographically remote servers.

Ticiane Takami is currently Interconnection Strategy & Partnerships Manager at Cloudflare. In her opinion, routing security is essential for Internet stability. With this in mind, she shared that Cloudflare has created a website that makes it possible to determine whether an Internet Service Provider (ISP) is using Route Origin Validation (ROV) with Resource Public Key Infrastructure (RPKI). “Broad acceptance of origin validation allows for increased Internet security,” Takami noted.

As for the information that an organization that peers or installs a cache in a content distribution network must provide, the Cloudflare expert explained that this is highly dependent on each provider’s implementation, CDN, and network. Takami added that, at a high level, the objects in the RPKI and IRR databases must match the prefix announcements.

Use of AS-SETs. AS-SET objects define a group of ASNs related to a base autonomous system and are used to document all the routes that a network originates. Other networks use a network’s AS-SET to filter the routes it can announce, to prevent misconfigurations, or to prevent hijacks, thus helping to protect Internet routing. The name of the AS-SET can be flexible. “PeeringDB is a good place to store the AS-SET of our networks,” Takami said. According to Ticiane, users must ensure that their Internet Routing Registry (IRR) and Resource Certification System (RPKI) records are up to date; otherwise, their Internet routing may not be optimal, or they may not be able to route at all. To conclude, the expert stressed that it is important for everyone to participate so that the Internet will be a safer place.

