On Sun, Jan 15, 2017 at 03:39:37PM +0100, Marco Marzetti wrote:
> On Sun, Jan 15, 2017 at 1:32 AM, Randy Bush <[email protected]> wrote:
> > [ first, i do not use route servers (because of the data/control non-
> >   congruence), so my opinion here is worth even less than it normally
> >   is. ]
> >
> >> An ixp route-server is not a transit provider, all of the nexthops
> >> exposed are in fact peers. So no I do not consider such a device an
> >> "upstream" it exists to service the policy needs of the peers on the
> >> fabric rather than that of the exchange operator.
> >
> > to repeat my previous; those policy needs might vary across ix members.
> > some may want the ix to enforce origin validation for them, some may
> > not.  those exchanges which offer validation today offer the choice.  i
> > think that is the right thing; let the member make the choice at set-up
> > with the route server.
> 
> I think RSs should do RPKI by default and allow for two behaviors:
> 1) Drop (default)
> 2) Add ext-community as this draft suggests (upon request)

Or perhaps we consider a Route Server to be "Just Yet Another Autonomous
System"? Why should there be a difference between Autonomous Systems
with regard to routing security recommendations?

If the recommendation is to drop/ignore/reject "RPKI Invalid"
announcements, then that applies to Route Servers too; if the
recommendation is to just attach an Extended BGP Community, then that
will apply to all ASNs.

Kind regards,

Job

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
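
The two route-server behaviours discussed in this thread (drop "RPKI Invalid" routes by default, or tag them with an extended community on request), as an added sketch that is not from any of the posters or from the draft. It assumes RFC 6811 origin validation and, for the tag, the RFC 8097 origin validation state extended community; the VRPs, ASNs, mode names and function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin AS) using documentation ranges.
VRPS = [("192.0.2.0/24", 24, 64500), ("2001:db8::/32", 48, 64501)]
STATE_CODE = {"valid": 0, "not-found": 1, "invalid": 2}  # RFC 8097 values


def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811: valid if any covering VRP matches, invalid if covered but
    unmatched, not-found if no VRP covers the route at all."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # AS 0 in a VRP never matches; it only marks the space as covered.
        if route.prefixlen <= max_len and vrp_as != 0 and vrp_as == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


def ovs_community(state):
    """8-octet extended community: type 0x43, sub-type 0x00, 5 reserved
    octets, then the validation state in the last octet (RFC 8097)."""
    return bytes([0x43, 0x00, 0, 0, 0, 0, 0, STATE_CODE[state]])


def route_server_export(route, member_mode="drop"):
    """Apply one member's chosen behaviour (hypothetical mode names).
    Returns the route to advertise to that member, or None if withheld."""
    state = validate(route["prefix"], route["origin_as"])
    if member_mode == "drop":
        return None if state == "invalid" else dict(route)
    if member_mode == "tag":
        tagged = dict(route)
        tagged["ext_communities"] = (
            list(route.get("ext_communities", [])) + [ovs_community(state)]
        )
        return tagged
    raise ValueError(f"unknown member mode: {member_mode}")


if __name__ == "__main__":
    hijack = {"prefix": "192.0.2.0/24", "origin_as": 64511}  # wrong origin
    print(route_server_export(hijack))                 # default: withheld
    print(route_server_export(hijack, "tag"))          # on request: tagged
```

In "tag" mode the decision moves to the member, so a member that asks for tagging and then ignores the community accepts Invalid routes exactly as if no validation were done.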
