On 01/05/17 17:27, joel jaeggli wrote:
> On 5/1/17 8:12 AM, Charles van Niman wrote:
>> I would also support this change.
>>
>> Currently, on software that doesn't have this policy, I feel my only
>> safe action is to install sessions disabled, ensure that an import and
>> export filter is in place, and only then enable a session. Avoiding this
>> action, and following draft-ietf-grow-bgp-reject makes this more
>> convenient and safer for all I feel. There is something to be said for
>> the disruption of default behavior change, but I think a major point
>> release is one of the best opportunities to do this.
> In general I find it necessary to template safe by default import/export
> policy, and then apply more progressive policy, irrespective of platform.
>
> given that the minimal policy necessary to over-ride a safe by default
> import policy is something like:
>
> accept;
>
> that seems like a pretty low bar.
>
I agree, and a major bump is the perfect time to do it!
If necessary, converting existing configuration is also simple: the upgrade script can check for the presence of an import policy; if it's not there, then accept all is assumed, and an explicit policy can be added for it during the upgrade.

--
Wilco
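As an added illustration of the upgrade-time conversion described in the message above (not code from the thread or from the software under discussion): a sketch that finds sessions with no policy and writes the previously implicit accept out explicitly, reporting each one for review. The `session { ... }` syntax, the sample configuration and the `migrate` helper are hypothetical, and the sketch goes slightly beyond the message by handling export as well as import.

```python
import re

# Constructed sample; hypothetical simplified syntax, not any real daemon's.
OLD_CONFIG = """\
session upstream1 {
    neighbor 192.0.2.1 as 64500;
    import filter in_upstream;
    export filter out_customers;
}
session peer2 {
    neighbor 198.51.100.7 as 64501;
    export filter out_customers;
}
session lab3 {
    neighbor 203.0.113.9 as 64502;
}
"""

SESSION_RE = re.compile(r"^session\s+(\S+)\s*\{\n(.*?)^\}", re.S | re.M)
DIRECTIONS = ("import", "export")


def migrate(config):
    """Make the old implicit accept explicit; return (new_config, report).

    report maps session name -> directions that had no policy, so the
    operator can review every session that relied on the old default.
    """
    report = {}

    def fix_block(match):
        name, body = match.group(1), match.group(2)
        missing = [d for d in DIRECTIONS
                   if not re.search(rf"^\s*{d}\b", body, re.M)]
        if not missing:
            return match.group(0)  # already explicit: leave untouched
        report[name] = missing
        added = "".join(f"    {d} accept;  # was implicit before upgrade\n"
                        for d in missing)
        return f"session {name} {{\n{body}{added}}}"

    return SESSION_RE.sub(fix_block, config), report


if __name__ == "__main__":
    new_config, report = migrate(OLD_CONFIG)
    print(new_config)
    for name, missing in report.items():
        print(f"review {name}: no {'/'.join(missing)} policy before upgrade")
```

Running the conversion a second time changes nothing, so it is safe to re-run if an upgrade is interrupted.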