[c-nsp] RPKI extended-community RFC8097

Job Snijders job at ntt.net
Sat Apr 18 10:05:57 EDT 2020


On Sat, Apr 18, 2020 at 03:23:33PM +0200, Gert Doering wrote:
> On Sat, Apr 18, 2020 at 12:41:43PM +0000, Ben Maddison wrote:
> > Feel free to tell your Cisco SE if you think that's dumb.
> 
> Indeed, that's dumb... and worse, nonintuitively dangerous.

And this comes on top of XE's lack of RFC 8212 compliance! The default
settings on those Cisco IOS XE boxes really seem to set their owners up
for failure.

These devices - without explicit manual workarounds - will leak full BGP
tables, loop traffic around, drop it on the floor, and attempt to take
the rest of the Internet down with them, all in one go! thisisfine.jpg

I wish IOS XE was more like Cisco IOS XR in this regard: XR provides
clever visual clues if no policies are attached to an EBGP neighbor, and
by default XR won't import or export BGP routes on EBGP sessions. This
is a much safer approach to internet routing, and has probably prevented a
good many incidents. XR also doesn't require fiddling with communities
to get RPKI OV going.

Kind regards,

Job
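For readers who want to see what the "explicit manual workarounds" look like, here is an added configuration example (not posted by Job or anyone in the thread) that gives an IOS XE EBGP session the default-deny behaviour RFC 8212 asks for and that Job credits XR with. Every address, AS number, prefix-list and route-map name is a placeholder; the command forms (`bgp rpki server`, `match rpki`, per-neighbor `route-map ... in/out`) are the ones documented for IOS/IOS XE and are assumed here rather than taken from the thread.

```cisco
! Added example, not part of the mailing-list thread. Placeholder values only.
router bgp 64496
 bgp log-neighbor-changes
 ! RTR session to an RPKI validator so origin validation state is known
 bgp rpki server tcp 192.0.2.10 port 323 refresh 300
 neighbor 203.0.113.1 remote-as 64497
 address-family ipv4 unicast
  neighbor 203.0.113.1 activate
  ! Explicit policy in BOTH directions. Without these two lines IOS XE will
  ! accept every prefix from the peer and announce every prefix to it.
  neighbor 203.0.113.1 route-map EBGP-IN in
  neighbor 203.0.113.1 route-map EBGP-OUT out
!
! Inbound: reject RPKI-invalid routes, then accept only what the peer is
! expected to send; the final clause makes the default deny explicit.
route-map EBGP-IN deny 10
 match rpki invalid
route-map EBGP-IN permit 20
 match ip address prefix-list PEER-PREFIXES
route-map EBGP-IN deny 999
!
! Outbound: announce only our own prefixes, never a full table.
route-map EBGP-OUT permit 10
 match ip address prefix-list OUR-PREFIXES
route-map EBGP-OUT deny 999
!
ip prefix-list OUR-PREFIXES seq 5 permit 198.51.100.0/24
ip prefix-list PEER-PREFIXES seq 5 permit 203.0.113.0/24
```

A route-map already ends in an implicit deny, so the `deny 999` clauses change nothing functionally; they exist so that someone reading `show running-config` can see that a deny-by-default posture was intended rather than forgotten. Checking that every EBGP neighbor has both an `in` and an `out` route-map attached is the simplest audit for the gap this thread is about.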

