RPKI and BGP: our path to securing Internet Routing

Cloudflare has started deploying active filtering using RPKI (Resource Public Key Infrastructure) for routing decisions and signing its routes, aiming to protect users from route hijacks and misconfigurations. The company is also encouraging adoption of Route Origin Validation on the Internet by providing this service to everyone for free. Cloudflare's approach involves signing prefixes through regional internet registries (RIR) portals or APIs, validating certificates, distributing RPKI cache securely via its own content delivery network, and using a lightweight local RTR server. The company is also working on providing a public RTR server using its Spectrum service.