[c-nsp] RPKI extended-community RFC8097
Saku Ytti
saku at ytti.fi
Mon Dec 21 11:48:43 EST 2020
On Mon, 21 Dec 2020 at 18:07, <adamv0025 at netconsultings.com> wrote:
> Good point, also all the potential attribute filtering (in XR) would it be
> applied prior to accepting the route into soft-reconfig version of the
> table?
IOS-XR is only post-policy. So whatever you reject does not contribute
towards the limit, allowing DRAM exhaustion attack.
SROS is only pre-policy. So if someone leaks bad prefixes you reject
in policy, it's still going to be flap, potentially BGP reset attack.
JunOS supports pre and post.
Both are needed as they protect from different issues.
--
++ytti
More information about the cisco-nsp
mailing list