[c-nsp] RPKI extended-community RFC8097

Robert Raszuk robert at raszuk.net
Sat Apr 18 12:02:42 EDT 2020


Hi Ben,

On XE and Classic:
> 1. you can only perform validation on eBGP-received routes;
> 2. any iBGP-received route will get marked "Valid" unless it has a 8097
> extcomm to the contrary; and
> 3. bestpath selection will prefer "Valid" to "Unknown", at the first
> step in the selection process.
>

Yes, that is exactly the default dumb behaviour. And frankly, these days I am
not sure whom to even talk to in Cisco about XE BGP :)

> Thus, without 8097 extcomms to mark validation status, you get a
> forwarding loop for every prefix that a) you learn at two-or-more ASBRs
> and b) has no covering ROA.
> That's the majority of the DFZ table for any multihomed AS.
>

Well, that one I do not think is always going to be the case. It may be if
your ASBRs are also RRs or you enable best external or add-paths.

In the described case, I just tested this: one ASBR will use the local eBGP
path as best and the other one the iBGP-learned path, which pretends to be
valid. So there is no forwarding loop. If there were always one, perhaps Cisco
regression testing would fail :)

In the meantime, adding the knob "announce rpki state" is the way to go.

Thx,
R.
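As an added illustration (not part of the thread, and not Cisco code), the following Python models the two mechanisms the message turns on: the RFC 8097 extended community that carries origin validation state between routers, and the XE/classic default quoted above under which an iBGP-received path without that extcomm is treated as "Valid" while only eBGP-received paths are validated against the local RPKI cache. The function names, the `session` argument and the `announce_rpki_state` flag are assumptions made for the example; the encoding (non-transitive opaque extended community, type 0x43, sub-type 0x00, state in the last octet with 0 = valid, 1 = not found, 2 = invalid) is what RFC 8097 specifies.

```python
# Added example: RFC 8097 validation-state extcomm and a model of the
# IOS XE default behaviour described in the thread (not Cisco code).
import struct
from enum import IntEnum
from typing import List, Optional


class RpkiState(IntEnum):
    """Validation state values as defined in RFC 8097 (last octet)."""
    VALID = 0
    NOT_FOUND = 1   # what the thread calls "Unknown"
    INVALID = 2


# RFC 8097: non-transitive opaque extended community, Type 0x43, Sub-Type 0x00,
# five reserved octets (zero), validation state in the eighth octet.
EXTCOMM_TYPE = 0x43
EXTCOMM_SUBTYPE = 0x00
_FMT = "!BB5sB"  # type, sub-type, 5 reserved octets, state -> 8 octets


def encode_validation_state(state: RpkiState) -> bytes:
    """Build the 8-octet RFC 8097 extended community for a state."""
    return struct.pack(_FMT, EXTCOMM_TYPE, EXTCOMM_SUBTYPE, b"\x00" * 5, int(state))


def decode_validation_state(extcomms: List[bytes]) -> Optional[RpkiState]:
    """Return the state carried by the first RFC 8097 extcomm in the list,
    or None when the path carries no such community."""
    for ec in extcomms:
        if len(ec) != 8:
            raise ValueError("extended community must be 8 octets")
        typ, sub, _reserved, value = struct.unpack(_FMT, ec)
        if typ == EXTCOMM_TYPE and sub == EXTCOMM_SUBTYPE:
            if value > RpkiState.INVALID:
                raise ValueError(f"state {value} is outside the values RFC 8097 defines")
            return RpkiState(value)
    return None


def effective_state(session: str, extcomms: List[bytes],
                    local_rtr_state: Optional[RpkiState] = None) -> RpkiState:
    """Model of the XE/classic default quoted in the thread (assumed model):
    - an eBGP-received path gets the state the local router computed from
      its RPKI cache (local_rtr_state);
    - an iBGP-received path is marked Valid unless an RFC 8097 extcomm
      says otherwise.
    """
    if session == "ebgp":
        if local_rtr_state is None:
            raise ValueError("eBGP-received paths are validated locally; a state is required")
        return local_rtr_state
    if session != "ibgp":
        raise ValueError("session must be 'ebgp' or 'ibgp'")
    carried = decode_validation_state(extcomms)
    return RpkiState.VALID if carried is None else carried


def announce_to_ibgp(extcomms: List[bytes], local_state: RpkiState,
                     announce_rpki_state: bool) -> List[bytes]:
    """What an ASBR sends to its iBGP peers. With the knob the message calls
    "announce rpki state" (modelled here as a boolean) the ASBR attaches the
    RFC 8097 extcomm reflecting its own validation result; without it the
    path leaves the ASBR unmarked and the receiver falls back to Valid."""
    out = [ec for ec in extcomms if decode_validation_state([ec]) is None]
    if announce_rpki_state:
        out.append(encode_validation_state(local_state))
    return out


def bestpath_rank(state: RpkiState) -> int:
    """First step of the selection described in the thread: lower rank is
    preferred, so Valid is chosen over Not Found (and Not Found over Invalid)."""
    return int(state)


if __name__ == "__main__":
    # Constructed scenario: ASBR1 learns a prefix over eBGP with no covering
    # ROA (Not Found) and re-advertises it to ASBR2 over iBGP.
    asbr1_state = RpkiState.NOT_FOUND
    for knob in (False, True):
        sent = announce_to_ibgp([], asbr1_state, announce_rpki_state=knob)
        seen_at_asbr2 = effective_state("ibgp", sent)
        print(f"announce rpki state={knob}: ASBR2 treats the iBGP path as {seen_at_asbr2.name}")
```

Run as a script, the block prints how the same iBGP path is classified at the receiving ASBR with and without the extcomm attached, which is the difference the "announce rpki state" knob makes: without it the receiver ranks the iBGP copy as Valid ahead of its own Not Found eBGP copy at the first bestpath step; with it both copies compare as Not Found and selection proceeds on the usual attributes.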

