On Sun, Jan 15, 2017 at 3:49 PM, Job Snijders <[email protected]> wrote:
> On Sun, Jan 15, 2017 at 03:39:37PM +0100, Marco Marzetti wrote:
>> On Sun, Jan 15, 2017 at 1:32 AM, Randy Bush <[email protected]> wrote:
>> > [ first, i do not use route servers (because of the data/control
>> > non-congruence), so my opinion here is worth even less than it
>> > normally is. ]
>> >
>> >> An ixp route-server is not a transit provider, all of the nexthops
>> >> exposed are in fact peers. So no I do not consider such a device an
>> >> "upstream" it exists to service the policy needs of the peers on the
>> >> fabric rather than that of the exchange operator.
>> >
>> > to repeat my previous; those policy needs might vary across ix members.
>> > some may want the ix to enforce origin validation for them, some may
>> > not. those exchanges which offer validation today offer the choice. i
>> > think that is the right thing; let the member make the choice at set-up
>> > with the route server.
>>
>> I think RSs should do RPKI by default and allow for two behaviors:
>> 1) Drop (default)
>> 2) Add ext-community as this draft suggests (upon request)
>
> Or perhaps we consider a Route Server to be "Just Yet Another Autonomous
> System"? Why should there be a difference between Autonomous Systems
> with regard to routing security recommendations?
>

I do consider it "another AS".

> If the recommendation is to drop/ignore/reject "RPKI Invalid"
> announcements, then that applies to Route Servers too, if the
> recommendation is to just attach an Extended BGP Community, then that
> will apply to all ASNs.

What's the current recommendation now?

Regards

--
Marco

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
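
An added example, not written by anyone in this thread: the two route-server behaviours proposed above (drop Invalids by default, or pass everything with a validation-state label on request), built on RFC 6811 origin validation. The VRP table, the routes, the function names and the string label standing in for the extended community are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed VRPs: (prefix, maxLength, origin ASN). Documentation ranges only.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

# Constructed announcements as a route server might receive them: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64500),     # matches a VRP exactly
    ("192.0.2.0/25", 64500),     # right origin, longer than maxLength
    ("192.0.2.0/24", 64511),     # covered, wrong origin
    ("198.51.100.0/24", 64502),  # no covering VRP
    ("2001:db8:1::/48", 64501),  # within maxLength of the IPv6 VRP
]

def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route only if same family and the route sits inside it.
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # AS 0 in a VRP never matches any origin.
        if asn != 0 and asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none means Invalid.
    return "invalid" if covered else "not-found"

def route_server_export(routes, member_mode="drop"):
    """Per-member policy (hypothetical): 'drop' removes Invalids, 'tag' labels all."""
    if member_mode not in ("drop", "tag"):
        raise ValueError("member_mode must be 'drop' or 'tag'")
    exported = []
    for prefix, origin in routes:
        state = validate(prefix, origin)
        if member_mode == "drop" and state == "invalid":
            continue
        # The label is a stand-in for the extended community, not its encoding.
        label = state if member_mode == "tag" else None
        exported.append((prefix, origin, label))
    return exported

if __name__ == "__main__":
    for mode in ("drop", "tag"):
        print(mode, route_server_export(ROUTES, mode))
```

In `tag` mode the member still receives the two Invalid routes and has to act on the label itself; in `drop` mode it never sees them.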
