On Thu, 11 Nov 2021 at 10:19, Mark Tinka <[email protected]> wrote:
> Thanks for the clue, Saku. Hopefully someone here has the energy to ask
> Cisco to update their documentation, to make this a recommendation. I
> can't be asked :-).
I think it should just be a config error. You're not just cucking
yourself, but your peers and customers. So it shouldn't be a choice
you can make.
We can also imagine improvements
1) by default keep all RPKI rejects, and have 'soft-inbound never'
optionally to turn that off
2) have 1 bit per neighbor indicating policy had rpki rejects and 2
bits for validation database update indicating database became
less/more permissive
IFF database became more permissive and neighbor has rpki
rejects and we have soft-inbound never, then refresh
--
++ytti
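
The refresh rule proposed in the message above, sketched as an added example; it is not code from the post or from any vendor. The class and function names are hypothetical, and the conservative way the "more/less permissive" bits are derived from a VRP set change is an assumption of this sketch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:                       # one validated ROA payload
    prefix: str
    max_len: int
    asn: int
    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

@dataclass
class Neighbor:
    name: str
    had_rpki_rejects: bool       # the 1 bit per neighbor
    soft_inbound_never: bool     # True: rejected routes are not kept

def covers(outer, inner):
    a, b = outer.net, inner.net
    return a.version == b.version and b.subnet_of(a)

def classify_update(old, new):
    """Return the 2 bits (more_permissive, less_permissive), conservatively."""
    added, removed = new - old, old - new
    # Removed VRP: Invalid routes under it become NotFound unless a
    # remaining VRP still covers the whole removed prefix.
    uncovered = any(not any(covers(k, r) for k in new) for r in removed)
    # Added VRP: a previously Invalid route may now match it.
    more = bool(added) or uncovered
    # Any change may also turn some Valid or NotFound route Invalid.
    less = bool(added or removed)
    return more, less

def neighbors_to_refresh(neighbors, old, new):
    more, _ = classify_update(old, new)
    if not more:
        return []
    return [n.name for n in neighbors
            if n.had_rpki_rejects and n.soft_inbound_never]

# Constructed sample data (documentation prefixes and ASNs).
WIDE = VRP("198.51.100.0/24", 24, 64496)
NARROW = VRP("198.51.100.0/25", 25, 64497)
NEW = VRP("192.0.2.0/24", 24, 64498)
PEERS = [Neighbor("peer-a", True, True), Neighbor("peer-b", False, True),
         Neighbor("peer-c", True, False)]

if __name__ == "__main__":
    print(neighbors_to_refresh(PEERS, {WIDE, NARROW}, {WIDE}))
    print(neighbors_to_refresh(PEERS, {WIDE}, {WIDE, NEW}))
```

Removing the narrower VRP while the wider one still covers it only sets the "less permissive" bit, so no neighbor is refreshed; adding a VRP or removing the last covering one sets "more permissive" and refreshes only neighbors that had rejects and do not keep them.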