From 6087ae636bf85c8c7ae936b5840332f48835c830 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 26 Sep 2025 15:52:04 +0100 Subject: [PATCH 1/6] Bring changes from self-serve onboarding branch --- .../concepts/irr-entries/best-practices.mdx | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx index 17958789de3adb..fc5714dd51c043 100644 --- a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx +++ b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx 
@@ -11,22 +11,22 @@ head: import { GlossaryTooltip } from "~/components" -An Internet Routing Registry (IRR) record is what notifies internet service providers (ISPs) of how you are allowing your resources to be used. It is necessary to keep your IRR entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet. +An Internet Routing Registry (IRR) record is what notifies internet service providers (ISPs) of how you are allowing your resources to be used. This helps ensure ISPs will recognize your routes as legitimate and enables them to ignore unauthorized routes published by someone else. -The American Registry for Internet Numbers (ARIN) maintains an IRR that allows registrants of AS numbers and IP addresses to publish that information so that ISPs can make appropriate routing decisions. This helps ensure ISPs will recognize your routes as legitimate and enables them to ignore unauthorized routes published by someone else. +You must keep your IRR entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet. ## Configure an IRR entry -You can add or update an IRR entry by following the directions within any of the recommended internet registries listed in the [Internet Routing Registry](https://www.irr.net/index.html). +You can add or update an IRR entry by following the directions of your routing registry. If you own your own subnet, use the RIPE and APNIC routing registries. These registries allow you to verify subnet ownership. If you lease your subnet, follow these guidelines: -* When you do not need ownership verification, use the AFRINIC or NTT routing registry. +* When you do not need ownership verification, use the AFRINIC registry. * When you submit a route object via email, use the ARIN registry. 
Address blocks owned by others do not appear in the ARIN interface. -The recommended registries are AFRINIC, APNIC, ARIN, NTT, RADB, and RIPE. +The recommended registries are AFRINIC, APNIC, ARIN, LACNIC, and RIPE. Each routing registry has its own set of instructions to configure an IRR entry. Refer to the table below for more information. @@ -50,13 +50,9 @@ Each routing registry has its own set of instructions to configure an IRR entry. ARIN https://www.arin.net/resources/manage/irr/quickstart/ - - NTT - https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/ - - - RADB - https://www.radb.net/support/ + + LACNIC + https://lacnic.zendesk.com/hc/articles/360038667154-What-are-a-route-and-a-route-6-objects RIPE @@ -72,8 +68,8 @@ Verify your Internet Routing Registry (IRR) entries to ensure that the IP prefix Each IRR entry record must include the following information: * **Route**: Each IP prefix Cloudflare advertises for you. -* **Origin ASN**: Your ASN, or if you do not have your own ASN, the Cloudflare ASN (AS13335). -* **Source**: The name of the routing registry, for example, AFRINIC, APNIC, ARIN, RADB, RIPE, or NTT. +* **Origin ASN**: The Cloudflare ASN (AS13335) or your own ASN. +* **Source**: The name of the routing registry (for example, ARIN). Add or update IRR entries when they meet any of these criteria: From d8486fd35d78c72678be71ccc383ee9aa4e01e84 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 29 Sep 2025 14:28:41 +0100 Subject: [PATCH 2/6] Leverage Glossary components and remove duplicative text --- .../docs/byoip/concepts/irr-entries/best-practices.mdx | 6 ++---- src/content/docs/byoip/concepts/irr-entries/index.mdx | 8 ++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx index fc5714dd51c043..1c5f404316f870 100644 
--- a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx +++ b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx @@ -9,11 +9,9 @@ head: --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -An Internet Routing Registry (IRR) record is what notifies internet service providers (ISPs) of how you are allowing your resources to be used. This helps ensure ISPs will recognize your routes as legitimate and enables them to ignore unauthorized routes published by someone else. - -You must keep your IRR entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet. +You must keep your Internet Routing Registry (IRR) entries up to date so that it is public information that Cloudflare has permission to advertise your prefix or prefixes and to ensure that your traffic can be properly routed on the internet. ## Configure an IRR entry diff --git a/src/content/docs/byoip/concepts/irr-entries/index.mdx b/src/content/docs/byoip/concepts/irr-entries/index.mdx index 609d7e796b5deb..2bc80979a05ec4 100644 --- a/src/content/docs/byoip/concepts/irr-entries/index.mdx +++ b/src/content/docs/byoip/concepts/irr-entries/index.mdx 
@@ -6,12 +6,12 @@ sidebar: --- -The [Internet Routing Registry (IRR)](http://www.irr.net/index.html) is a globally distributed database of routing information. The IRR contains announced routes and routing policies in a common format, and network operators use this information to configure their backbone routers. +import { GlossaryDefinition } from "~/components"; + + The IRR consists of many individual [routing registries](http://www.irr.net/docs/list.html), and some are managed by regional entities, such as APNIC, ARIN, and RIPE. Each routing registry contains IRR entries that provide information about IP prefixes and the [autonomous systems](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) authorized to announce them. To announce your subnet prefixes, Cloudflare requires accurate IRR entries for your prefixes and autonomous system numbers (ASNs). -When you configure network infrastructure for services such as [Magic Transit](/magic-transit/about/), [verify your IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry). - -For help with adding missing IRR entries or updating inaccurate entries, refer to the [best practices for IRR entries](/byoip/concepts/irr-entries/best-practices/). +When you configure network infrastructure for services such as [Magic Transit](/magic-transit/about/), or before onboarding your IP to Cloudflare, [verify your IRR entries](/byoip/concepts/irr-entries/best-practices/#verify-an-irr-entry). From 8d8e7b1ae69fd698fef5c04395b2a7808c63aad2 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 29 Sep 2025 14:34:21 +0100 Subject: [PATCH 3/6] Adjust IRR titles and labels --- .../docs/byoip/concepts/irr-entries/best-practices.mdx | 6 +----- src/content/docs/byoip/concepts/irr-entries/index.mdx | 9 +++++++-- 2 files changed, 8 insertions(+), 7 deletions(-) 
diff --git a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx index 1c5f404316f870..30693fab509c32 100644 --- a/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx +++ b/src/content/docs/byoip/concepts/irr-entries/best-practices.mdx @@ -1,12 +1,8 @@ --- -title: Best practices +title: Manage IRR entries pcx_content_type: reference sidebar: order: 7 -head: - - tag: title - content: IRR entry updates best practices - --- import { GlossaryTooltip } from "~/components"; diff --git a/src/content/docs/byoip/concepts/irr-entries/index.mdx b/src/content/docs/byoip/concepts/irr-entries/index.mdx index 2bc80979a05ec4..09d87d8cc94638 100644 --- a/src/content/docs/byoip/concepts/irr-entries/index.mdx +++ b/src/content/docs/byoip/concepts/irr-entries/index.mdx @@ -1,9 +1,14 @@ --- -title: Internet Routing Registry +title: Internet Routing Registry (IRR) pcx_content_type: concept sidebar: order: 2 - + label: Overview + group: + label: Internet Routing Registry +head: + - tag: title + content: IRR Overview --- import { GlossaryDefinition } from "~/components"; From 811fda78f2c4e199aa5e6e3086b45c42ac1f7e5d Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 29 Sep 2025 14:43:36 +0100 Subject: [PATCH 4/6] Create placeholder page for route filtering and ROKI --- src/content/docs/byoip/concepts/route-filtering-rpki.mdx | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 src/content/docs/byoip/concepts/route-filtering-rpki.mdx diff --git a/src/content/docs/byoip/concepts/route-filtering-rpki.mdx b/src/content/docs/byoip/concepts/route-filtering-rpki.mdx new file mode 100644 index 00000000000000..c0608b39a873ff --- /dev/null +++ b/src/content/docs/byoip/concepts/route-filtering-rpki.mdx @@ -0,0 +1,6 @@ +--- +title: Route filtering and RPKI +pcx_content_type: concept +sidebar: + order: 2 +--- \ No newline at end of file 
From dc3244432e05d37b4680a8d1d0fe821b992e8f67 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 7 Oct 2025 12:48:44 +0100 Subject: [PATCH 5/6] Add info on route filtering, RPKI, and ROAs --- .../docs/byoip/concepts/route-filtering-rpki.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/content/docs/byoip/concepts/route-filtering-rpki.mdx b/src/content/docs/byoip/concepts/route-filtering-rpki.mdx index c0608b39a873ff..d6e29f43b84fee 100644 --- a/src/content/docs/byoip/concepts/route-filtering-rpki.mdx +++ b/src/content/docs/byoip/concepts/route-filtering-rpki.mdx @@ -3,4 +3,14 @@ title: Route filtering and RPKI pcx_content_type: concept sidebar: order: 2 ---- \ No newline at end of file +--- + +import { GlossaryTooltip } from "~/components"; + +As referred in the [IRR concept page](/byoip/concepts/irr-entries/), network operators use IRR records to configure backbone routers. In summary, it is the IRR records that provide information about IP prefixes and the autonomous systems authorized to announce them. Then, network operators will apply filtering policies to avoid invalid announcements. + +Considering this important role of IRR records, validation via Resource Public Key Infrastructure (RPKI) was introduced. With RPKI, the IP/ASN association is cryptographically validated before being passed on to the routers. + +When registering your prefix under one of the five Regional Internet Registries (RIRs)[^1], you can generate a cryptographically-signed object called Route Origin Authorization (ROA). ROAs are public and you can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) or other sources, such as [Routinator](https://rpki-validator.ripe.net/ui/), to check your prefixes. + +[^1]: AFRINIC, APNIC, ARIN, LACNIC, and RIPE. \ No newline at end of file From b1308681ab69c4202d3b2160562dce95ee10a814 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Tue, 7 Oct 2025 12:56:28 +0100 Subject: [PATCH 6/6] Link to new page from get-started and IRR (via glossary entry) --- src/content/docs/byoip/get-started.mdx | 2 +- src/content/glossary/byoip.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/byoip/get-started.mdx b/src/content/docs/byoip/get-started.mdx index 6a62fc6e4d6ad9..8fd78269abed01 100644 --- a/src/content/docs/byoip/get-started.mdx +++ b/src/content/docs/byoip/get-started.mdx @@ -21,7 +21,7 @@ You must verify that your [Internet Routing Registry (IRR)](/byoip/concepts/irr- - `origin` matching the correct ASN you want to onboard :::caution[RPKI validation] -You are not required to use Resource Public Key Infrastructure (RPKI). However, if you do, make sure your ROAs are accurate. You can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) and a second source such as [Routinator](https://rpki-validator.ripe.net/ui/) to double-check your prefixes. +You are not required to use Resource Public Key Infrastructure (RPKI). However, if you do, make sure your ROAs are accurate. You can use [Cloudflare's RPKI Portal](https://rpki.cloudflare.com/?view=validator) and a second source such as [Routinator](https://rpki-validator.ripe.net/ui/) to double-check your prefixes. ::: ## Process overview diff --git a/src/content/glossary/byoip.yaml b/src/content/glossary/byoip.yaml index ce2e3c4cb280d7..3006f107601e54 100644 --- a/src/content/glossary/byoip.yaml +++ b/src/content/glossary/byoip.yaml 
@@ -17,7 +17,7 @@ entries: - term: Internet Routing Registry (IRR) general_definition: |- - a globally distributed database of routing information which contains announced routes and routing policies in a common format. Network operators use this information to configure backbone routers. + a globally distributed database of routing information which contains announced routes and routing policies in a common format. Network operators use this information, as well as [RPKI](/byoip/concepts/route-filtering-rpki/), to configure backbone routers. - term: Resource Public Key Infrastructure (RPKI) general_definition: |-
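Review bot: In PATCH 1/6, first hunk of best-practices.mdx (`@@ -11,22 +11,22 @@`), LACNIC is added to the "recommended registries" sentence, but the guidance above it still only covers RIPE and APNIC (owned subnets) and AFRINIC or ARIN (leased subnets), so nothing tells the reader when LACNIC applies. Add a LACNIC case to the owned/leased guidance, or fold the list of recommended registries into that guidance so the two cannot drift apart. The same hunk drops NTT and RADB without saying what a customer whose existing route objects live there should do; a line on migrating or cleaning up those objects would close that gap.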
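Review bot: In PATCH 1/6, the table hunk of best-practices.mdx (`@@ -50,13 +50,9 @@`), the new LACNIC row links to an article whose slug is "What-are-a-route-and-a-route-6-objects", which reads as a definition page, while the table is introduced as pointing to each registry's instructions to configure an IRR entry (the ARIN row links to a quickstart). Link to LACNIC's procedure for creating route objects if one is available, or reword the sentence that introduces the table.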
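Review bot: In PATCH 1/6, the last hunk of best-practices.mdx (`@@ -72,8 +68,8 @@`), the new Origin ASN bullet "The Cloudflare ASN (AS13335) or your own ASN" drops the condition the old text carried ("if you do not have your own ASN"), so the reader no longer knows which origin to register. Since the origin in the route object is what ISPs use to decide which AS may announce the prefix, state the rule explicitly, for example "Your own ASN if you have one and want Cloudflare to announce with it; otherwise the Cloudflare ASN (AS13335)", adjusted to whatever the onboarding flow actually requires. The Source bullet now gives only ARIN as an example; listing the five registries the page recommends would keep it consistent with the sentence changed in the first hunk.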
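Review bot: In PATCH 2/6, best-practices.mdx, the deleted sentence about ISPs recognizing your routes as legitimate and ignoring unauthorized routes published by someone else is not actually duplicated elsewhere in this series: the glossary definition shown in PATCH 6/6 only says operators use the data to configure backbone routers. That sentence is the reason a reader should care about stale entries, so keep it on this page or move it into the glossary definition. The surviving sentence ("so that it is public information that Cloudflare has permission to advertise ...") is also hard to parse; something like "so that Cloudflare's permission to advertise your prefixes is publicly recorded and your traffic can be routed correctly" says the same thing more directly.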
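Review bot: In PATCH 2/6, index.mdx, removing the closing paragraph ("For help with adding missing IRR entries or updating inaccurate entries, refer to ...") leaves the overview with a link only to the `#verify-an-irr-entry` anchor, so a reader who finds a wrong or missing entry has no pointer to the page that explains how to fix it. Keep one sentence linking to the page that PATCH 3/6 retitles "Manage IRR entries". While this paragraph is being touched, the context line still links to `http://www.irr.net/docs/list.html`; the text removed in PATCH 1/6 used `https://www.irr.net/`, so the remaining link can be switched to HTTPS as well.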
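Review bot: In PATCH 4/6, the new route-filtering-rpki.mdx sets `sidebar: order: 2`, the same value that irr-entries/index.mdx carries in the PATCH 3/6 hunk, so the relative position of the two concept entries in the sidebar is not defined by the front matter. Pick distinct values that reflect the intended reading order (IRR overview first, since PATCH 5/6 opens by referring back to it). The file is also created without a trailing newline ("\ No newline at end of file"), and PATCH 5/6 leaves it that way; end the file with a newline.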
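Review bot: In PATCH 5/6, the second added paragraph of route-filtering-rpki.mdx reads as if RPKI validates IRR records ("Considering this important role of IRR records, validation via ... RPKI was introduced"), but the next paragraph describes ROAs as separate signed objects created at the RIR, and nothing connects the two. Say explicitly that a ROA is a signed statement of which ASN may originate a prefix, that it exists alongside the IRR route object rather than signing it, and that both must name the same origin ASN the customer intends to onboard. "With RPKI, the IP/ASN association is cryptographically validated before being passed on to the routers" would also benefit from naming who does the validating and what happens to an announcement that does not match a ROA, since that consequence is why the caution in get-started.mdx asks for accurate ROAs. Minor wording: "As referred in" should be "As described in", and the link labelled Routinator points at `rpki-validator.ripe.net`; confirm the label and target are the ones intended.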
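Review bot: In PATCH 6/6, get-started.mdx, the removed and added lines inside the `:::caution[RPKI validation]` block read identically as shown here, and no link to `/byoip/concepts/route-filtering-rpki/` is visible in the added line, although the commit subject says this patch links to the new page from get-started. If the change is whitespace only, drop it from the patch or add the intended link, for example on the first mention of "Resource Public Key Infrastructure (RPKI)".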
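Review bot: In PATCH 6/6, byoip.yaml, the link to the new page is added only inside the IRR term's `general_definition`, while the "Resource Public Key Infrastructure (RPKI)" term directly below it is left unchanged in this hunk. A reader looking up RPKI is the one most likely to want the route filtering page, so link it from that entry too. Also check that a Markdown link inside `general_definition` renders where this definition is reused (PATCH 2/6 pulls glossary content into index.mdx), so the raw `[RPKI](...)` syntax does not leak into the page or a tooltip.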