On 12/18/20 08:58, Jakob Heitz (jheitz) wrote:
Hi Lukas, Mark, Ben,

The default bestpath prefix-validate behavior treats invalid routes
as unfeasible and prefers valid routes over not-found.

The default bestpath prefix-validate behavior cannot be used unless
all paths of a net have the correct RPKI validity. That can only
happen if all EBGP sessions into an AS validate their incoming
routes and apply the RFC8097 extended community.
If these conditions are not satisfied, then you cannot use the
bestpath prefix-validate behavior and you must use
route-maps to process the RPKI validity, like this:

router bgp ...
  bgp rpki server tcp [...]
  address-family ipv4
   bgp bestpath prefix-validate disable
[...]
route-map RM_EBGP_IN deny 10
  match rpki invalid
[...]

I have a proposal to improve the bestpath prefix-validate behavior
to better match how most operators use it. By a new configuration,
I would treat valid and not-found with the same preference. Invalid
would continue to be unfeasible. Then, a received IBGP route without
the RFC8097 community will be fine.

Thoughts?

What I've been asking Cisco to do since 2014 is to prevent IOS XE from applying policy by default. This is broken and is in direct violation of the RFC.

All RPKI policy must only be applied by the operator.

The router has no business using RPKI state as part of its best path calculation process, unless specifically told to do so by the operator.

Mark.
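A small Python model of the two bestpath prefix-validate policies described in Jakob's message, added here as an illustration and not code from the thread or from Cisco: it decodes the RFC 8097 origin-validation-state extended community and shows how an IBGP route that arrives without that community fares under the default policy (valid preferred over not-found, invalid unfeasible) versus the proposed one (valid and not-found equal). Assumptions: a route lacking the community is counted as not-found, and validity is compared before local preference; all prefixes, next hops and communities are constructed sample data.

```python
# Added example, not part of the cisco-nsp thread. Models the default and the
# proposed "bestpath prefix-validate" behaviour using RFC 8097 communities.
from dataclasses import dataclass, field
from typing import List, Optional

VALID, NOT_FOUND, INVALID = 0, 1, 2          # RFC 8097 validation state values
RFC8097_TYPE, RFC8097_SUBTYPE = 0x43, 0x00   # non-transitive opaque ext. community

@dataclass
class Route:
    prefix: str
    nexthop: str
    local_pref: int = 100
    ext_communities: List[bytes] = field(default_factory=list)  # raw 8-byte communities

def ext_comm(state: int) -> bytes:
    """Build an RFC 8097 extended community: type, subtype, 5 reserved octets, state."""
    return bytes([RFC8097_TYPE, RFC8097_SUBTYPE, 0, 0, 0, 0, 0, state])

def rfc8097_state(route: Route) -> Optional[int]:
    """Return the RFC 8097 validation state, or None when the community is absent."""
    for ec in route.ext_communities:
        if len(ec) == 8 and ec[0] == RFC8097_TYPE and ec[1] == RFC8097_SUBTYPE:
            return ec[7]                      # state lives in the last octet
    return None

def validity_rank(route: Route, equal_valid_notfound: bool) -> Optional[int]:
    """Lower rank wins; None means the path is unfeasible.
    Assumption of this model: a route without the community counts as not-found."""
    state = rfc8097_state(route)
    if state is None:
        state = NOT_FOUND
    if state == INVALID:
        return None                           # invalid is unfeasible in both policies
    if equal_valid_notfound:
        return 0                              # proposed: valid and not-found tie
    return 0 if state == VALID else 1         # default: valid beats not-found

def bestpath(routes: List[Route], equal_valid_notfound: bool = False) -> Optional[Route]:
    """Validity rank first (assumption), then higher local-pref, then lowest next hop."""
    ranked = [(validity_rank(r, equal_valid_notfound), r) for r in routes]
    feasible = [(rank, r) for rank, r in ranked if rank is not None]
    if not feasible:
        return None
    return min(feasible, key=lambda t: (t[0], -t[1].local_pref, t[1].nexthop))[1]

# Constructed sample paths for one prefix (documentation addresses only).
EBGP_VALID = Route("192.0.2.0/24", "203.0.113.1", 100, [ext_comm(VALID)])
IBGP_NO_COMM = Route("192.0.2.0/24", "198.51.100.2", 200, [])  # no RFC 8097 community
EBGP_INVALID = Route("192.0.2.0/24", "203.0.113.3", 300, [ext_comm(INVALID)])
PATHS = [EBGP_VALID, IBGP_NO_COMM, EBGP_INVALID]
```

Under the default policy the community-less IBGP path loses to the valid EBGP path despite its higher local preference; under the proposed policy the two tie on validity and local preference decides.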
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/