[c-nsp] RPKI extended-community RFC8097

Mark Tinka mark.tinka at seacom.mu
Sat Apr 18 20:56:29 EDT 2020



On 18/Apr/20 12:45, Antonio Prado via cisco-nsp wrote:
> Hello,
>
> is there anyone who is using in production "RPKI extended-community" to
> carry the validation state inside an autonomous system (RFC8097)?
>
> If yes, how large is your AS?
>
> If not, can you elaborate on the reasons?

As part of the BCPs we taught and discussed during the last APRICOT
meeting in Melbourne, I advise against using BGP communities to convey
RPKI state.

One of the most elegant things about RPKI is that every router in your
network can make RPKI-based decisions independently of any other router.
That means you could have thousands of nodes each maintaining the same
RPKI state, without ever speaking to each other.

When you choose to convey RPKI state in BGP communities, you create a
dependence between routers which degrades your resiliency. If you have
multiple vendors in your network, you open yourself up to issues when
you upgrade or downgrade code that breaks things.

As we discovered in Melbourne, earlier versions of Junos break the
well-known RPKI BGP communities. Imagine the havoc this could cause on
your network if you assumed one vendor was doing the right thing, and
they aren't.

Don't use BGP communities to convey RPKI state. You don't need to.
Servers scale better than router control planes. A server handling RTR
sessions for thousands of routers is far better than trying to get your
entire network to exchange RPKI BGP communities cohesively.

For the Melbourne number, see here:

    https://2020.apricot.net/program/schedule/#/day/7/rpki-deployment-1

Mark.
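As an added illustration (not part of Mark's post or any vendor's code), here is the decision each router makes on its own, in Python: RFC 6811 route origin validation against a constructed ROA set, the RFC 8097 extended-community encoding of that state, and a check that flags a received community disagreeing with local validation. The ROA entries, prefixes and AS numbers are constructed sample data.

```python
import ipaddress

# RFC 8097 Origin Validation State Extended Community: type 0x43 (non-transitive
# opaque), sub-type 0x00, four reserved octets, last octet carries the state.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00
STATES = {0: "valid", 1: "not-found", 2: "invalid"}
CODES = {name: code for code, name in STATES.items()}

# Constructed sample ROAs as (prefix, maxLength, origin AS); not real registry data.
SAMPLE_ROAS = [("203.0.113.0/24", 24, 64496), ("198.51.100.0/22", 24, 64497)]

def encode_ov_community(state: str) -> bytes:
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, CODES[state]])

def decode_ov_community(ext: bytes):
    """Return the carried state name, or None if this is not a well-formed
    OV community (wrong length, type, sub-type, or an undefined state value)."""
    if len(ext) != 8 or ext[0] != OV_TYPE or ext[1] != OV_SUBTYPE:
        return None
    return STATES.get(ext[7])

def validate_origin(prefix: str, origin_as: int, roas=SAMPLE_ROAS) -> str:
    """RFC 6811 route origin validation, the computation every router performs
    locally from its own RTR-fed ROA cache without consulting any other router."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    if any(asn == origin_as and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"

def check_consistency(prefix, origin_as, ext_communities, roas=SAMPLE_ROAS):
    """Compare the locally computed state with whatever OV community arrived on
    the route; a mismatch is the cross-vendor failure mode described in the post."""
    local = validate_origin(prefix, origin_as, roas)
    carried = [s for s in map(decode_ov_community, ext_communities) if s is not None]
    if not carried:
        return local, None, "no-community"
    if len(set(carried)) > 1:
        return local, carried[0], "conflicting-communities"
    return local, carried[0], "match" if carried[0] == local else "mismatch"

if __name__ == "__main__":
    print(check_consistency("203.0.113.0/25", 64496, [encode_ov_community("valid")]))
```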
