Mitigating stuck BGP routes

When you prepare to remove traffic for a Bring Your Own IP (BYOIP) prefix from the Cloudflare edge, a direct BGP withdrawal action carries the risk of a stuck BGP route. This state occurs when a route becomes stuck in the Internet's Default-Free Zone (DFZ) ↗, meaning core routers that missed the withdrawal announcement continue forwarding traffic to a now-inactive next-hop (what is know as the blackhole). You can read more on this in our blog post BGP zombies and excessive path hunting ↗.

This risk is especially evident in the use case where the global routing table relies on more-specific to less-specific prefix routing fallback. Since this fallback mechanism is highly prone to route instability, Cloudflare recommends a multi-step draining process.

Multi-step BYOIP withdrawal process

When draining traffic, use the same prefix length on Cloudflare and on your ISP, since matching prefix lengths gives the most effective and deterministic behavior.

The following steps outline the recommended multi-step draining process to achieve a clean traffic cutover and prevent blackholing.