[c-nsp] RPKI extended-community RFC8097
Ben Maddison
benm at workonline.africa
Sun Nov 29 20:19:30 EST 2020
Hi Lukas,
On 11/28, Lukas Tribus wrote:
> Hi Ben,
>
>
> On Sat, 28 Nov 2020 at 01:32, Ben Maddison <benm at workonline.africa> wrote:
> > > router bgp ...
> > > bgp rpki server tcp [...]
> > > address-family ipv4
> > > bgp bestpath prefix-validate disable
> > > [...]
> > > route-map RM_EBGP_IN deny 10
> > > match rpki invalid
> > > route-map RM_EBGP_IN permit 20
> > > [...]
> > >
> > Does the route-map 'match' still work here? Which release?
> > I remember trying this workaround before our initial rollout of ROV and
> > nothing matched that statement when 'prefix-validate disable' was
> > configured. I forget the exact release, but that would have been
> > 16.9.3-ish.
>
> It works for me in both recent (Amsterdam, 17.03.02) and older (Fuji,
> 16.09.02) code.
>
> I did not try matching NotFound or Valid, or setting different
> locpref's, just denying invalid routes.
>
Interesting, perhaps I'm mis-remembering. I'll take another look when I
get a chance...
>
> > > Vpnv[46] support and RTR via SSH is still not there.
> > >
> > Hahaha, don't hold your breath. Source interface selection isn't even
> > available.
>
> With SSH support we would get source interface selection for free :(
>
Well, at the expense of bringing all other ssh-client connections along
for the ride, sure!
> CLI helptext actually mentions SSH username and password and a
> "local-port" option, but it's undocumented and unclear how it is
> supposed to work...
>
> LAB1(config-router)#$bgp rpki server tcp 1.2.3.4 port 3232 ref 600
> password secret ?
> username SSH Username
> <cr> <cr>
> LAB1(config-router)#$bgp rpki server tcp 1.2.3.4 port 3232 ref 600
> password secret username user1 password secret2 ?
> local-port SSH Local Port
> LAB1(config-router)#$
>
>
> It's probably a leftover from someone trying to get SSH support in.
> Unsure why SSH support would be combined with TCP-MD5 support on the
> socket (which is what the first password argument is about).
>
That's really weird. In any other feature bundle it might even make it
into the top-10 weirdest design choices, but the competition is stiff
here ;-)
Cheers,
Ben
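Added example (not from this thread or from Cisco): a small Python decoder for the RFC 8097 origin-validation-state extended community named in the subject, with the quoted route-map ("deny 10 match rpki invalid, permit 20") expressed as a policy function over a path's extended communities. The type/sub-type/state values are the RFC's; treating a path that carries no such community as "not-found" is an assumption made here, and the sample communities are constructed.

```python
import struct
from typing import List, Optional

# RFC 8097: non-transitive opaque extended community, type 0x43, sub-type 0x00,
# five reserved octets, then one octet carrying the origin validation state.
EXTCOMM_TYPE = 0x43
EXTCOMM_SUBTYPE = 0x00
STATES = {0: "valid", 1: "not-found", 2: "invalid"}
_FMT = "!BB5xB"  # type, sub-type, 5 reserved (skipped), state -> 8 octets


def encode_validation_state(state: str) -> bytes:
    """Build the 8-octet RFC 8097 extended community for a named state."""
    code = {name: value for value, name in STATES.items()}[state]
    return struct.pack(_FMT, EXTCOMM_TYPE, EXTCOMM_SUBTYPE, code)


def decode_validation_state(extcomm: bytes) -> Optional[str]:
    """Return the validation state carried by one extended community, or None
    when it is not an RFC 8097 community or carries an unassigned state value."""
    if len(extcomm) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    etype, subtype, state = struct.unpack(_FMT, extcomm)
    if (etype, subtype) != (EXTCOMM_TYPE, EXTCOMM_SUBTYPE):
        return None  # some other community (route target, etc.)
    return STATES.get(state)  # unassigned values are ignored, not trusted


def rpki_state_from_path(extcomms: List[bytes]) -> str:
    """First RFC 8097 state found among a path's extended communities.
    Assumption (not from the RFC): a path without one is treated as not-found."""
    for extcomm in extcomms:
        state = decode_validation_state(extcomm)
        if state is not None:
            return state
    return "not-found"


def route_map_rm_ebgp_in(extcomms: List[bytes]) -> str:
    """The quoted route-map: 'deny 10 match rpki invalid', then 'permit 20'."""
    if rpki_state_from_path(extcomms) == "invalid":
        return "deny"
    return "permit"


if __name__ == "__main__":
    # Constructed sample: a route target followed by an 'invalid' state community.
    path = [bytes.fromhex("0002fde8000000c8"), encode_validation_state("invalid")]
    print(rpki_state_from_path(path), route_map_rm_ebgp_in(path))  # invalid deny
```

Because the community is non-transitive, a router only ever sees it on iBGP sessions inside the AS; on an eBGP ingress like RM_EBGP_IN the state comes from the RTR cache, not from a community the neighbour sent.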