[c-nsp] RPKI extended-community RFC8097

Mark Tinka mark.tinka at seacom.com
Fri Dec 18 02:25:24 EST 2020



On 12/18/20 08:58, Jakob Heitz (jheitz) wrote:
> Hi Lukas, Mark, Ben,
>
> The default bestpath prefix-validate behavior treats invalid routes
> as unfeasible and prefers valid routes over not-found.
>
> The default bestpath prefix-validate behavior cannot be used unless
> all paths of a net have the correct RPKI validity. That can only
> happen if all EBGP sessions into an AS validate their incoming
> routes and apply the RFC8097 extended community.
> If these conditions are not satisfied, then you cannot use the
> bestpath prefix-validate behavior and you must use
> route-maps to process the RPKI validity, like this:
>
> router bgp ...
>   bgp rpki server tcp [...]
>   address-family ipv4
>    bgp bestpath prefix-validate disable
> [...]
> route-map RM_EBGP_IN deny 10
>   match rpki invalid
> [...]
>
> I have a proposal to improve the bestpath prefix-validate behavior
> to better match how most operators use it. By a new configuration,
> I would treat valid and not-found with the same preference. Invalid
> would continue to be unfeasible. Then, a received IBGP route without
> the RFC8097 community will be fine.
>
> Thoughts?

What I've been asking Cisco to do since 2014 is to prevent IOS XE from 
applying policy by default. This is broken and is in direct violation of 
the RFC.

All RPKI policy must only be applied by the operator.

The router has no business using RPKI state as part of its best path 
calculation process, unless specifically told to do so by the operator.

Mark.
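To show what the two messages above are describing in one place, here is an added IOS XE configuration example (written for this page; it is not Jakob's, Mark's or Cisco's own text). It keeps RPKI state out of the best-path algorithm, as Mark asks for, and applies the validity handling Jakob describes (invalid rejected, valid and not-found treated alike) purely through operator-written route-maps. The AS numbers, the validator address 192.0.2.10 and the peer 198.51.100.1 are placeholders from documentation ranges; the RTR port and refresh interval are assumed values.

```ios
! Added example: operator-driven RPKI policy on IOS XE (not from the thread or Cisco docs).
! Assumptions: RPKI validator at 192.0.2.10 speaking RTR on TCP/323,
! eBGP peer 198.51.100.1 in AS 64496; all numbers are placeholders.
router bgp 64500
 bgp log-neighbor-changes
 ! RTR session to the validator; refresh interval in seconds
 bgp rpki server tcp 192.0.2.10 port 323 refresh 300
 neighbor 198.51.100.1 remote-as 64496
 !
 address-family ipv4 unicast
  ! Keep RPKI validity out of best-path selection; only the route-map below acts on it
  bgp bestpath prefix-validate disable
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map RM_EBGP_IN in
 exit-address-family
!
! Drop RPKI-invalid paths outright
route-map RM_EBGP_IN deny 10
 match rpki invalid
!
! Valid and not-found get the same preference, i.e. neither is favoured over the other
route-map RM_EBGP_IN permit 20
 match rpki valid
 set local-preference 100
!
route-map RM_EBGP_IN permit 30
 match rpki not-found
 set local-preference 100
!
! Terminal clause so nothing is silently dropped by the implicit deny
route-map RM_EBGP_IN permit 40
```

With `bgp bestpath prefix-validate disable`, the router still computes the validity state of each path from the validator's data, so `match rpki` keeps working; what changes is that validity no longer influences best-path selection unless a route-map explicitly sets an attribute based on it. If the validator is unreachable, paths fall into the not-found state and are handled by clause 30, which is worth keeping in mind when deciding how much preference to give that state.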
