[c-nsp] RPKI validation weirdness

Mark Tinka mark.tinka at seacom.mu
Thu May 7 19:12:25 EDT 2020



On 7/May/20 23:29, Pierre Emeriaud wrote:

> This is exactly what's happening. But why did Cisco's RPKI algorithm
> choose to trust the iBGP relationship over the validators, even though
> the extcommunity wasn't sent? This is weird...

I spent a whole week in 2014 trying to figure out why Cisco would think
this is useful, despite the RFCs saying "Don't do such". I gave up and
focused on better-written implementations.


> While I can grasp why one could announce (and trust) RPKI state over
> iBGP, in this situation the ASR1k had both a validator and no
> extcommunity whatsoever received; I don't understand why it would
> validate such a prefix...

Stupid. Don't bang your head against a wall trying to figure out how
Cisco reached this conclusion in their interpretation and implementation
of the RFC.

And what's even more annoying - IOS XR is well implemented, i.e., it
does not have this stupidity. Makes you wonder.

Mark.
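Added example (not part of the thread, and not Cisco's or anyone else's code): a small model of what the two posters are arguing about. It implements RFC 6811 origin validation against a local VRP cache, encodes and parses the RFC 8097 origin-validation-state extended community (type 0x43, sub-type 0x00, state in the last octet), and then shows two precedence policies side by side. `state_rfc_precedence` lets the local validator win and only falls back to the iBGP-signalled state when there is no cache at all; `state_ibgp_trusting` is a constructed model of the behaviour described above, where an iBGP path with no community is simply treated as already valid. The VRPs, prefixes and AS numbers are made up for the demo.

```python
"""Route-origin validation precedence demo (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"

# RFC 8097: non-transitive extended community, Type 0x43, Sub-Type 0x00,
# validation state in the last octet: 0 = valid, 1 = not found, 2 = invalid.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00
_OCTET_TO_STATE = {0: VALID, 1: NOT_FOUND, 2: INVALID}
_STATE_TO_OCTET = {v: k for k, v in _OCTET_TO_STATE.items()}


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload from the RPKI cache: prefix, max length, origin AS."""
    prefix: str
    max_length: int
    asn: int

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


@dataclass
class Path:
    """A received BGP path, reduced to what origin validation needs."""
    prefix: str
    origin_asn: int
    from_ibgp: bool
    ext_communities: List[bytes] = field(default_factory=list)


def rov_state(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 section 2: check one route against the VRP set."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.network.version == net.version
                and v.network.prefixlen <= net.prefixlen
                and net.subnet_of(v.network)]
    if not covering:
        return NOT_FOUND
    for v in covering:
        # AS0 VRPs never match, so an AS0 ROA makes every covered route Invalid.
        if v.asn == origin_asn and origin_asn != 0 and net.prefixlen <= v.max_length:
            return VALID
    return INVALID


def ov_state_community(state: str) -> bytes:
    """Encode an RFC 8097 extended community carrying `state`."""
    return bytes([OV_TYPE, OV_SUBTYPE, 0, 0, 0, 0, 0, _STATE_TO_OCTET[state]])


def signalled_state(ext_communities: List[bytes]) -> Optional[str]:
    """Return the state carried in an RFC 8097 community, or None if absent."""
    for comm in ext_communities:
        if len(comm) == 8 and comm[0] == OV_TYPE and comm[1] == OV_SUBTYPE:
            # Undefined state octets are read as Not Found (our conservative choice).
            return _OCTET_TO_STATE.get(comm[7], NOT_FOUND)
    return None


def state_rfc_precedence(path: Path, vrps: Optional[List[VRP]]) -> str:
    """Local VRP data wins; the community only fills in when there is no cache."""
    if vrps is not None:
        return rov_state(path.prefix, path.origin_asn, vrps)
    sig = signalled_state(path.ext_communities) if path.from_ibgp else None
    return sig if sig is not None else NOT_FOUND


def state_ibgp_trusting(path: Path, vrps: Optional[List[VRP]]) -> str:
    """Constructed model of the behaviour the thread describes: an iBGP path is
    taken at the neighbour's word, and a missing community is read as 'valid'."""
    if path.from_ibgp:
        sig = signalled_state(path.ext_communities)
        return sig if sig is not None else VALID
    return rov_state(path.prefix, path.origin_asn, vrps or [])


# Constructed sample cache: ROAs authorising AS 64500 only.
SAMPLE_VRPS = [VRP("192.0.2.0/24", 24, 64500), VRP("2001:db8::/32", 48, 64500)]


def demo():
    """Mis-originated path (AS 64496) over iBGP, no RFC 8097 community attached."""
    bad = Path("192.0.2.0/24", 64496, from_ibgp=True)
    return {
        "local": rov_state(bad.prefix, bad.origin_asn, SAMPLE_VRPS),
        "rfc": state_rfc_precedence(bad, SAMPLE_VRPS),
        "trusting": state_ibgp_trusting(bad, SAMPLE_VRPS),
    }


if __name__ == "__main__":
    print(demo())
```

The interesting row is the last one: with a validator attached and nothing signalled by the neighbour, the trusting policy hands a mis-originated /24 a "valid" verdict that the local cache would have rejected, which is exactly the gap that makes this more than a cosmetic quirk.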

