On 18/Apr/20 12:45, Antonio Prado via cisco-nsp wrote:
> Hello,
>
> is there anyone who is using in production "RPKI extended-community" to
> carry the validation state inside an autonomous system (RFC8097)?
>
> If yes, how large is your AS?
>
> If not, can you elaborate on the reasons?
As part of the BCPs we taught and discussed during the last APRICOT meeting in Melbourne, I advise against using BGP communities to convey RPKI state.

One of the most elegant things about RPKI is that every router in your network can make RPKI-based decisions independently of any other router. That means you could have thousands of nodes each maintaining the same RPKI state, without ever speaking to each other.

When you choose to convey RPKI state in BGP communities, you create a dependence between routers which degrades your resiliency. If you have multiple vendors in your network, you open yourself up to issues when you upgrade or downgrade code that breaks things. As we discovered in Melbourne, earlier versions of Junos break the well-known RPKI BGP communities. Imagine the havoc this could cause on your network if you assumed one vendor was doing the right thing, and they aren't.

Don't use BGP communities to convey RPKI state. You don't need to.

Servers scale better than router control planes. A server handling RTR sessions for thousands of routers is far better than trying to get your entire network to exchange RPKI BGP communities cohesively.

For the Melbourne number, see here: https://2020.apricot.net/program/schedule/#/day/7/rpki-deployment-1

Mark.
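The two deployment models Mark contrasts can be put side by side in a small simulation. The code below is an added example written for this note, not code from Mark, the list, or any vendor: it implements RFC 6811 origin validation from a local VRP set, encodes and decodes the RFC 8097 extended community (type 0x43, sub-type 0x00, validation state in the last octet), and then runs a three-router fleet either with every router validating independently or with only the edge router validating and the others trusting the community it attaches. The prefixes, VRPs and AS numbers are constructed documentation values, and treating a missing community as "not-found" is this model's own assumption, not something RFC 8097 specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Union

# Validation state values as carried in the last octet of the RFC 8097
# extended community: 0 = valid, 1 = not found, 2 = invalid.
VALID, NOT_FOUND, INVALID = 0, 1, 2
STATE_NAMES = {VALID: "valid", NOT_FOUND: "not-found", INVALID: "invalid"}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload, as a router would receive it over RTR."""
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> int:
    """RFC 6811 route origin validation, computed locally from the router's own VRPs."""
    net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises on mixed address families, so filter by version first.
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return NOT_FOUND
    for v in covering:
        if net.prefixlen <= v.max_length and v.asn == origin_asn:
            return VALID
    return INVALID


def encode_validation_state(state: int) -> bytes:
    """RFC 8097 extended community: type 0x43, sub-type 0x00, 5 reserved octets, state."""
    if state not in STATE_NAMES:
        raise ValueError(f"unknown validation state {state}")
    return bytes([0x43, 0x00, 0, 0, 0, 0, 0, state])


def decode_validation_state(community: bytes) -> int:
    if len(community) != 8 or community[0] != 0x43 or community[1] != 0x00:
        raise ValueError("not an origin validation state extended community")
    state = community[7]
    if state not in STATE_NAMES:
        raise ValueError(f"unknown validation state {state}")
    return state


@dataclass
class Router:
    name: str
    vrps: List[VRP]  # each router keeps its own copy, fed by its RTR session


def fleet_independent(routers: Iterable[Router], prefix: str, origin_asn: int) -> Dict[str, int]:
    """Model A: every router validates on its own; no router depends on another."""
    return {r.name: validate_origin(prefix, origin_asn, r.vrps) for r in routers}


def fleet_via_community(edge: Router, downstream: Iterable[Router], prefix: str, origin_asn: int,
                        hop_transform: Optional[Callable[[bytes], Optional[bytes]]] = None) -> Dict[str, int]:
    """Model B: only the edge validates; downstream routers trust the community it attaches.

    hop_transform models what an intermediate hop does to the community (identity when
    None). A missing community is treated as not-found, which is this model's assumption.
    """
    edge_state = validate_origin(prefix, origin_asn, edge.vrps)
    community: Optional[bytes] = encode_validation_state(edge_state)
    if hop_transform is not None:
        community = hop_transform(community)
    trusted = decode_validation_state(community) if community is not None else NOT_FOUND
    result = {edge.name: edge_state}
    result.update({r.name: trusted for r in downstream})
    return result


def strip_community(_community: bytes) -> Optional[bytes]:
    """A hop that drops the extended community: the kind of breakage the post describes."""
    return None


if __name__ == "__main__":
    # Constructed VRPs using documentation prefixes and documentation ASNs.
    vrps = [vrp("10.0.0.0/8", 16, 64500), vrp("192.0.2.0/24", 24, 64501)]
    fleet = [Router(n, vrps) for n in ("edge", "core1", "core2")]
    route = ("10.1.0.0/24", 64500)  # longer than maxLength 16, so it is invalid
    for name, states in (("independent", fleet_independent(fleet, *route)),
                         ("community", fleet_via_community(fleet[0], fleet[1:], *route)),
                         ("community+strip", fleet_via_community(fleet[0], fleet[1:], *route, strip_community))):
        print(name, {r: STATE_NAMES[s] for r, s in states.items()})
```

With identical VRP sets the independent model gives every router the same answer with no exchange between them; the community model gives the same answer only while every hop preserves the community intact, and one hop that strips it leaves the downstream routers with a state that disagrees with the edge.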
