RPKI for time.cloudflare.com IPv6

mnordhoff · April 27, 2022, 5:07pm

time.cloudflare.com (the NTP/NTS service) uses these IPs:

time.cloudflare.com has address 162.159.200.1
time.cloudflare.com has address 162.159.200.123
time.cloudflare.com has IPv6 address 2606:4700:f1::1
time.cloudflare.com has IPv6 address 2606:4700:f1::123

There is an ROA for 162.159.200.0/24, but there is none for 2606:4700:f1::/48. See e.g.:

https://rpki.cloudflare.com/?view=bgp&asn=13335&prefix=2606%3A4700%3Af1%3A%3A%2F48
https://bgp.he.net/AS13335#_prefixes6

While Cloudflare has over 200 unsigned routes, this one seems particularly concerning, since the NTP service is (unlike NTS) unauthenticated, and the IPs are seemingly not announced by every PoP, putting them at greater risk for hijacking.

Are there plans to sign that announcement?

mnordhoff · May 12, 2022, 12:00am

Is there any news on this?

In the meantime, are there plans to correct Cloudflare’s public statements that all routes are signed?

system · May 27, 2022, 12:00am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.