[c-nsp] RPKI validation weirdness
Mark Tinka
mark.tinka at seacom.mu
Thu May 7 19:12:25 EDT 2020
On 7/May/20 23:29, Pierre Emeriaud wrote:
> This is exactly what's happening. But why did Cisco rpki algorithm
> chose to trust ibgp relationship over the validators, even though
> extcommunity wasn't sent, this is weird...
I spent a whole week in 2014 trying to figure out why Cisco would think
this is useful, despite the RFC's saying "Don't do such". I gave up and
focused on better-written implementations.
> While I can grasp why one could announce (and trust) rpki state over
> ibgp, in this situation the asr1k had both a validator and no
> extcommunity whatsoever received, this I don't understand why it would
> validate such a prefix...
Stupid. Don't bang your head against a wall trying to figure out how
Cisco reached this conclusion in their interpretation and implementation
of the RFC.
And what's even more annoying - IOS XR is well implemented, i.e., it
does not have this stupidity. Makes you wonder.
Mark.
More information about the cisco-nsp
mailing list