On Thu, 11 Nov 2021 at 10:19, Mark Tinka <mark@tinka.africa> wrote:

> Thanks for the clue, Saku. Hopefully someone here has the energy to ask
> Cisco to update their documentation, to make this a recommendation. I
> can't be asked :-).

I think it should just be a config error. You're not just cucking yourself, but your peers and customers. So it shouldn't be a choice you can make.

We can also imagine improvements:

1) by default keep all RPKI rejects, and have 'soft-inbound never' optionally to turn that off
2) have 1 bit per neighbor indicating policy had rpki rejects and 2 bits for validation database update indicating database became less/more permissive

IFF database became more permissive and neighbor has rpki rejects and we have soft-inbound never, then refresh

--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
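
The refresh condition in item 2 can be worked out from the validation database diff alone. The sketch below is an added example, not code from the message or from any vendor implementation. The `VRP` and `Neighbor` types, the function names and the conservative "more permissive" rule are assumptions; the rule follows from RFC 6811 origin validation, where a route is Invalid only if some ROA already covers it.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class VRP:                      # validated ROA payload (hypothetical type)
    prefix: str
    maxlen: int
    asn: int

@dataclass
class Neighbor:                 # hypothetical per-neighbor state
    name: str
    had_rpki_rejects: bool      # the proposed 1 bit per neighbor
    soft_inbound_never: bool    # rejected routes were dropped, not kept

def overlaps(a: str, b: str) -> bool:
    na, nb = ip_network(a), ip_network(b)
    return na.version == nb.version and na.overlaps(nb)

def became_more_permissive(old: set, new: set) -> bool:
    """Conservative: True if any Invalid route could now pass validation."""
    removed, added = old - new, new - old
    if removed:                 # Invalid may fall back to NotFound
        return True
    # An added VRP can only rescue an Invalid route if an old VRP already
    # covered that route, so the two prefixes must overlap.
    return any(overlaps(v.prefix, o.prefix) for v in added for o in old)

def neighbors_to_refresh(neighbors, old, new):
    """Names of neighbors that need a route refresh after the update."""
    if not became_more_permissive(old, new):
        return []
    return [n.name for n in neighbors
            if n.had_rpki_rejects and n.soft_inbound_never]

# Constructed sample data (documentation prefixes and private-use ASNs).
OLD = {VRP("192.0.2.0/24", 24, 64496)}
NEW_UNRELATED = OLD | {VRP("198.51.100.0/24", 24, 64497)}
NEW_SAME_SPACE = OLD | {VRP("192.0.2.0/24", 24, 64500)}
NEIGHBORS = [Neighbor("A", True, True),
             Neighbor("B", False, True),
             Neighbor("C", True, False)]

if __name__ == "__main__":
    print(neighbors_to_refresh(NEIGHBORS, OLD, NEW_UNRELATED))   # no refresh
    print(neighbors_to_refresh(NEIGHBORS, OLD, NEW_SAME_SPACE))  # refresh A
```

A ROA added for previously uncovered address space only turns NotFound routes into Valid or Invalid, so it never triggers a refresh here.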