[j-nsp] rfc8097 (rpki) communities ?

Alexandre Snarskii snar at snar.spb.ru
Thu Feb 28 08:17:19 EST 2019


Hi!

Somewhat stupid question: while experimenting with rpki, I found that
while rfc8097 declares origin validation state as extended community
(0x4300:0.0.0.0:N in juniper configuration terms), Juniper documentation 
uses standard communities 0x4300:N for this purpose:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-origin-as-validation.html

Junos OS supports the following well-known extended communities for 
route validation:

origin-validation-state-valid
origin-validation-state-invalid
origin-validation-state-unknown

[...]

set policy-options community origin-validation-state-invalid members 0x4300:2
set policy-options community origin-validation-state-unknown members 0x4300:1
set policy-options community origin-validation-state-valid members 0x4300:0

Of course, these communities are not translated to extended ones and
sent as standard 17152:N ones.

One more interesting thing: when I configure RPKI communities manually:

set policy-options community origin_invalid members 0x4300:0.0.0.0:2
set policy-options community origin_unknown members 0x4300:0.0.0.0:1
set policy-options community origin_valid members 0x4300:0.0.0.0:0

and use them to announce validation information to other routers,
these communities are displayed either as 'unknown iana opaque':

     Communities: unknown iana opaque 0x4300:0x0:0x2 

(junos 17.3R3-S3.3 and 18.3R1-S2.1) or even as just 'unknown iana 4300' 
(15.1R6).

Question: is it just a bit outdated documentation and I shall follow
the RFC and use extended communities, or are there some other reasons
to use standard ones?
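To make the difference between the two encodings concrete, here is an added example (not part of the original post or of Junos) that builds the RFC 8097 extended community on the wire, renders it in the Junos `0x4300:0.0.0.0:N` notation used above, and shows that a standard `0x4300:N` community is just the 32-bit value `17152:N`. The RFC 8097 layout assumed here is: type `0x43` (non-transitive opaque), sub-type `0x00`, five reserved zero octets, and a final octet carrying the state (0 valid, 1 not found, 2 invalid).

```python
"""Added example: RFC 8097 origin-validation-state extended community
versus a standard 0x4300:N community (not code from the original post)."""
import struct

RFC8097_TYPE, RFC8097_SUBTYPE = 0x43, 0x00   # non-transitive opaque, sub-type 0
STATE_NAMES = {0: "valid", 1: "not-found", 2: "invalid"}


def encode_rfc8097(state: int) -> bytes:
    """8-byte wire form: type 0x43, sub-type 0x00, 5 reserved zero octets, state."""
    if state not in STATE_NAMES:
        raise ValueError(f"unknown validation state {state}")
    return bytes([RFC8097_TYPE, RFC8097_SUBTYPE]) + b"\x00" * 5 + bytes([state])


def junos_ext_string(raw: bytes) -> str:
    """Render an 8-byte extended community in the Junos 'type:a.b.c.d:n' style
    seen in the post (0x4300:0.0.0.0:2): 'a.b.c.d' are octets 2..5, n is octets 6..7."""
    if len(raw) != 8:
        raise ValueError("extended community must be 8 bytes")
    type_word, o2, o3, o4, o5, low = struct.unpack("!HBBBBH", raw)
    return f"0x{type_word:04x}:{o2}.{o3}.{o4}.{o5}:{low}"


def decode_rfc8097(raw: bytes):
    """Return the validation-state name if raw is an RFC 8097 community, else None.
    Other extended communities (e.g. route targets, type 0x00) return None."""
    if len(raw) != 8 or raw[0] != RFC8097_TYPE or raw[1] != RFC8097_SUBTYPE:
        return None
    # The five reserved octets are zero on transmission; they are not checked here.
    state = raw[7]
    return STATE_NAMES.get(state, f"unrecognised({state})")


def standard_community(high: int, local: int) -> str:
    """A 4-byte standard community as Junos sends it: decimal 'AS:N'.
    0x4300:2 therefore goes on the wire as 17152:2, which is not RFC 8097."""
    value = (high << 16) | local
    return f"{value >> 16}:{value & 0xFFFF}"
```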


