- Beginning on February 24, 2020, Netflix enabled RPKI filtering on BGP sessions to embedded Open Connect Appliances (OCAs)
- Beginning on September 2, 2020, Netflix enabled RPKI filtering on all peering and transit BGP sessions
Resource Public Key Infrastructure (RPKI) provides a method for networks who have been assigned IP addresses to specify which ASNs are authorized to originate those IP address prefixes via route origin authorizations (ROAs), which are stored and distributed by the regional Internet registries.
By implementing RPKI-based filtering, Netflix is honoring the wishes of ISPs who have chosen to opt into the RPKI ecosystem to protect their IP address space. For ISPs who have not signed their address space, there is no impact.
If you want to check your embedded route announcements to ensure that your ROAs match the routes that Netflix is receiving, you can do so by running a Route Optimizer report in the Partner Portal.
Note: The Route Optimizer report currently does not identify filtered routes that are announced on peering or transit sessions.
Because RPKI-based filtering is being deployed by an increasingly large number of network operators and internet exchange points, the value of signing your address space continues to increase. If you have not yet signed your address space, we recommend that you consider doing so.
For more information about RPKI, see these additional resources:
- https://www.arin.net/resources/manage/rpki/
- https://www.ripe.net/manage-ips-and-asns/resource-management/certification/what-is-rpki
- https://www.lacnic.net/1150/1/lacnic/rpki-faq