cloudflare/isbgpsafeyet.com

Transit providers

Opened this issue · 5 comments

I assume that if I can reach invalid.rpki.cloudflare.com, both my ISP and all the transit providers are unsafe, because each of them should have filtered it.

The routes I see to valid and invalid are actually different, I assume because the preferred transit provider actually does filter.

For one test, I see valid going over NTT (AS2914), which happens to be marked as safe, and invalid going over Aorta (AS6830) and GTT (AS3257), and then to Cloudflare instead. But GTT is marked as partially safe, filtering peers only. If it's filtering its peers only, I would not expect GTT to be the last transit provider before Cloudflare, so I assume that that information is incorrect. I see the same effect over both IPv4 and IPv6 from Telenet (AS6848).

What you're seeing (I assume) is GTT accepting the invalid route from us and sending it to AS6830. We are a customer of GTT.

But GTT is currently marked as "filtering peers only". I understand that as GTT should not accept it from you, but it does.

Well, we're a customer, so they're not filtering their customers yet. This is why the route is accepted, and this is why they're only "partially safe".

I think you need to explain what this means in the FAQ. I guess with peers you then mean the transit providers?

> Well, we're a customer, so they're not filtering their customers yet. This is why the route is accepted, and this is why they're only "partially safe".

So, when GTT (your upstream) will filter your invalid route (invalid.rpki.cloudflare.com), the "isbgpsage.com" website will become useless, as the prefix will not be propagated to the internet, right?
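The "filtering peers only" behaviour discussed in this thread, as an added example that is not part of the issue or of the isbgpsafeyet.com project: RFC 6811 origin validation combined with a per-session import policy. The ROAs, prefixes, ASNs and the sample path are constructed, and the mapping of each label to session types is an assumption of this model.

```python
import ipaddress

# Constructed ROAs (documentation prefixes, reserved ASNs):
# (prefix, max_length, authorised origin ASN)
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_asn in roas:
        # Skip ROAs of the other address family or that do not cover the prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    # Covered by a ROA but no match on origin/length means invalid.
    return "invalid" if covered else "not-found"

# Assumption: session types on which each label drops RPKI-invalid routes.
POLICIES = {
    "unsafe": set(),
    "filtering peers only": {"peer"},
    "safe": {"peer", "customer", "provider"},
}

def accepts(policy, session, prefix, origin_asn):
    """True if a network with this policy imports the route on this session."""
    filtered = session in POLICIES[policy]
    return not (filtered and rov_state(prefix, origin_asn) == "invalid")

def propagates(path, prefix, origin_asn):
    """path: (policy, session the route is learned on) per hop from the origin."""
    return all(accepts(p, s, prefix, origin_asn) for p, s in path)

# Constructed path: the origin is a customer of a "filtering peers only"
# transit, which passes the route on to a network that does not filter.
PATH_VIA_CUSTOMER = [("filtering peers only", "customer"), ("unsafe", "peer")]
# The same announcement arriving at that transit over a peering session.
PATH_VIA_PEER = [("filtering peers only", "peer"), ("unsafe", "peer")]

if __name__ == "__main__":
    bad = ("192.0.2.0/24", 64511)  # wrong origin AS, so RPKI-invalid
    print(rov_state(*bad), propagates(PATH_VIA_CUSTOMER, *bad),
          propagates(PATH_VIA_PEER, *bad))
```
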