Commit a770e0e

[BYOIP] Review get-started and IRR guidance (#18941)
* Specify requirements for IRR route, route6, and origin
* Remove note on less specific prefixes being acceptable
* Add callout for when using RPKI and link to CF portal
* Nit: remove duplicated Overview h2
* Add glossary definition and tooltip for ROA
* Adjust ROA definition
* Remove dupe sentence and old button from Overview
* Add second source for RPKI validation
1 parent dd16fb1 commit a770e0e

4 files changed: +15 -19 lines changed

src/content/docs/byoip/concepts/irr-entries/best-practices.mdx

Lines changed: 0 additions & 4 deletions
@@ -81,10 +81,6 @@ Add or update IRR entries when they meet any of these criteria:
8181
* The entry is incomplete or inaccurate — for example, when the route object does not show the correct origin.
8282
* The entry is complete but requires updating — for example, when they correspond to supernets but need to correspond to subnets used in Magic Transit.
8383

84-
You are strongly encouraged to verify IRR entries for the exact prefixes you will use to onboard with Cloudflare.
85-
86-
IRR entries for less specific prefixes are acceptable as long as you understand and accept the following risk: if you modify your IRR entries in the future (for example, by changing your ASN) and the IRR entry for the supernet no longer matches the prefix or origin mapping in your Magic Transit configuration, the prefix will have reduced reachability due to networks Cloudflare peers with automatically filtering the prefix. Having specific IRR entries helps minimize (but not entirely remove) this risk.
87-
8884
### IRR entry verification methods
8985

9086
To verify your prefix and ASN route, use the tools and methods outlined on the table below:
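
Review bot: The removal at old lines 84-87 takes out the only statement on this page that IRR entries should be verified for the exact prefixes being onboarded, together with the explanation of what goes wrong otherwise (peer networks automatically filtering the prefix once a supernet entry no longer matches). The criteria list above still treats supernet entries as something that "requires updating", but nothing here now says exact-match entries are expected. Suggest replacing the removed paragraphs with one sentence stating that `route`/`route6` objects must match the exact prefixes, in line with the requirement this commit adds to get-started.mdx, and keeping the filtering rationale so readers know why it matters.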

src/content/docs/byoip/get-started.mdx

Lines changed: 9 additions & 8 deletions
@@ -11,22 +11,23 @@ import { GlossaryTooltip } from "~/components"
1111
To bring your own IPs, you must work with your account team to understand everything you need to ensure a smooth transition during the onboarding process.
1212

1313
:::note
14-
15-
BYOIP is ingress only.
14+
BYOIP is ingress only.
1615
:::
1716

18-
## Overview
19-
2017
Cloudflare requires a service-specific configuration for your prefixes, as well as some requirements common to all BYOIP customers regardless of service type. These requirements are common to all products compatible with BYOIP, such as [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), and [CDN services](/cache/).
2118

2219
## Prerequisites
2320

2421
There are two major prerequisites before Cloudflare can begin onboarding your IP space.
2522

26-
1. You must verify your [Internet Routing Registry (IRR)](/byoip/concepts/irr-entries/) records are up to date with the correct prefix or ASN information.
27-
2. Cloudflare must receive a [Letter of Agency (LOA)](/byoip/concepts/loa/) to announce your prefixes, which we will share with our transit partners as evidence that we are allowed to announce the route.
23+
1. Cloudflare must receive a [Letter of Agency (LOA)](/byoip/concepts/loa/) to announce your prefixes, which we will share with our transit partners as evidence that we are allowed to announce the route.
24+
2. You must verify that your [Internet Routing Registry (IRR)](/byoip/concepts/irr-entries/) records are up to date and contain:
25+
- `route` or `route6` objects matching the exact prefixes you want to onboard
26+
- `origin` matching the correct ASN you want to onboard
2827

29-
Optionally, if you use the <GlossaryTooltip term="Resource Public Key Infrastructure (RPKI)">Resource Public Key Infrastructure (RPKI)</GlossaryTooltip> protocol to sign your routes, Cloudflare can help with this as well. Contact your account team if you are interested in using RPKI.
28+
:::caution[RPKI validation]
29+
You are not required to use <GlossaryTooltip term="Resource Public Key Infrastructure (RPKI)">Resource Public Key Infrastructure (RPKI)</GlossaryTooltip>. However, if you do, make sure your <GlossaryTooltip term="Route Origin Authorization (ROA)">ROAs</GlossaryTooltip> are accurate. You can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) and a second source such as [Routinator](https://rpki-validator.ripe.net/ui/) to double check your prefixes.
30+
:::
3031

3132
After onboarding, [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) announcements for customer prefixes can be controlled with the [Dynamic Advertisement](/byoip/concepts/dynamic-advertisement/) API or via the Cloudflare dashboard.
3233
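
Review bot: In the new `:::caution[RPKI validation]` block (new lines 28-30), the link text says Routinator but the URL is `https://rpki-validator.ripe.net/ui/`, so the label and the host name do not obviously agree; name the service the way the target page does, or add a word on who operates it. The caution also says ROAs must be "accurate" without saying against what: tie it to item 2, for example that the ROA authorizes the same origin ASN for the same prefixes as the `route`/`route6` objects. In item 2, "`origin` matching the correct ASN you want to onboard" reads as if the ASN is what gets onboarded; say which ASN the `origin` attribute should carry. The old sentence telling readers to contact their account team about RPKI is dropped with no replacement; confirm that is intended.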

@@ -47,5 +48,5 @@ To protect your network using a Cloudflare IP address, contact your account mana
4748

4849
:::note
4950

50-
When you use a Cloudflare-managed IP space, you do not need to provide a Letter of Agency (LOA) and advertise your prefixes that are associated with bringing your own IP.
51+
When you use a Cloudflare-managed IP space, you do not need to provide a Letter of Agency (LOA) and advertise your prefixes that are associated with bringing your own IP.
5152
:::
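
Review bot: Old line 50 and new line 51 show the same visible text, so this looks like a whitespace-only change; since the line is being touched anyway, fix its wording. "you do not need to provide a Letter of Agency (LOA) and advertise your prefixes" can be read as saying only the combination is unnecessary. If the intent is that neither is needed, suggest "you do not need to provide a Letter of Agency (LOA) or advertise prefixes".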

src/content/docs/byoip/index.mdx

Lines changed: 2 additions & 7 deletions
@@ -12,11 +12,6 @@ import { LinkButton, Plan } from "~/components";
1212

1313
<Plan type="enterprise" />
1414

15-
With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with Magic Transit, Spectrum, CDN services, or Gateway DNS.
15+
With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), or [Gateway DNS](/cloudflare-one/policies/gateway/dns-policies/).
1616

17-
BYOIP is compatible with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), and [Gateway DNS](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip).
18-
19-
{" "}
20-
<LinkButton variant="primary" href="/byoip/get-started/">
21-
Get started
22-
</LinkButton>
17+
Learn how to [get started](/byoip/get-started/).
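
Review bot: The `<LinkButton>` block is removed at old lines 19-22, but the hunk header still shows `import { LinkButton, Plan } from "~/components";`. If nothing else in index.mdx uses `LinkButton`, drop it from the import in this commit. Separately, the Gateway DNS link on new line 15 points to `/cloudflare-one/policies/gateway/dns-policies/`, while the removed line 17 linked to the `#bring-your-own-dns-resolver-ip` anchor; the old target was the BYOIP-specific section, so check that the new one still leads readers to it.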

src/content/glossary/byoip.yaml

Lines changed: 4 additions & 0 deletions
@@ -23,6 +23,10 @@ entries:
2323
general_definition: |-
2424
a cryptographic method of signing records that associate a route with an originating autonomous system number.
2525
26+
- term: Route Origin Authorization (ROA)
27+
general_definition: |-
28+
the RPKI-signed object that states an autonomous system is authorized to originate a particular IP address prefix or set of prefixes.
29+
2630
- term: Unicast Reverse Path Forwarding (uRPF)
2731
general_definition: |-
2832
a security feature that can prevent spoofing attacks.
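
Review bot: The new definition on line 28 opens with "the RPKI-signed object", while the neighbouring entries open with an indefinite article ("a cryptographic method", "a security feature"); use "an RPKI-signed object" for consistency. The term string matches the `term="Route Origin Authorization (ROA)"` used by the tooltip added in get-started.mdx, so keep the two in sync if either is renamed.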
