Hi Francois,

On Thu, 2019-07-04 at 17:33 +0200, Job Snijders wrote:
> Dear Francois,
>
> On Thu, Jul 04, 2019 at 03:22:23PM +0000, Francois Lecavalier wrote:
>
> At this point in time I think the ideal deployment model is to perform
> the validation within your administrative domain and run your own
> validators.

+1

> > But I also have a question for all the ROA folks out there. So far we
> > are not taking any action other than lowering the local-pref - we want
> > to make sure this is stable before we start denying prefixes. So the
> > question, is it safe as of this date to: 1. Accept valid, 2. Accept
> > unknown, 3. Reject invalid? Have any large networks who implemented it
> > dealt with unreachable destinations? I'm wondering as I haven't found
> > any blog mentioning anything in this regard and Cloudflare docs only
> > show examples for valid and invalid, but nothing for unknown.

We have been dropping Invalids since April, and have had only a (single-digit) handful of support requests related to those becoming unreachable.

The larger challenge has been related to vendor implementation choices and bugs, particularly on ios-xe. Happy to go into more detail if anyone is interested.

I would recommend *not* taking any policy action that distinguishes Valid from Unknown. If you find that you have routes for the same prefix/len with both statuses, then that is a bug and/or misconfiguration which you could turn into a loop by taking policy action on that difference.

Cheers,
Ben
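
The policy discussed in this thread (reject Invalid, treat Valid and Unknown identically) can be sketched as follows. This is an added example, not code from the thread or from any vendor: it classifies routes with the RFC 6811 origin-validation rules and applies that import policy. The VRP table, the function names `rov_state` and `import_policy`, and the local-pref value are assumptions, built from documentation prefixes and private-use ASNs.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin ASN).
# Documentation prefixes and private-use ASNs only; not real routing data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' (NotFound)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # A match needs the same origin (never AS 0) and a length <= maxLength.
        if asn == origin_asn and asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is unknown.
    return "invalid" if covered else "unknown"


def import_policy(prefix, origin_asn, local_pref=100):
    """Return (action, local_pref); valid and unknown are deliberately identical."""
    if rov_state(prefix, origin_asn) == "invalid":
        return ("reject", None)
    return ("accept", local_pref)


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", 64500),    # matches a VRP
        ("192.0.2.0/24", 64999),    # covered, wrong origin
        ("192.0.2.0/25", 64500),    # covered, longer than maxLength
        ("203.0.113.0/24", 64510),  # no covering VRP
    ]
    for prefix, asn in samples:
        print(prefix, asn, rov_state(prefix, asn), import_policy(prefix, asn))
```
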