On 11/11/21 11:22, Saku Ytti wrote:
> I think it should just be a config error. You're not just cucking
> yourself, but your peers and customers. So it shouldn't be a choice
> you can make.
I don't disagree, especially as there are likely several other operators
working this way, and not knowing it because the neighbor either hasn't
complained, or isn't detecting for Route Refresh noise.
However, the documentation should still be updated for folk running old
code earlier than the new code which would have this improvement.
> We can also imagine improvements
> 1) by default keep all RPKI rejects, and have 'soft-inbound never'
> optionally to turn that off
Similar to how Junos does it, but specifically for RPKI. That would make
sense.
Of course, if someone already uses 'soft-reconfiguration inbound' for
historical reasons, then keeping it as they enable ROV works out for
them anyway.
> 2) have 1 bit per neighbor indicating policy had rpki rejects and 2
> bits for validation database update indicating database become
> less/more permissive
> IFF database became more permissive and neighbor has rpki
> rejects and we have soft-inbound never, then refresh
Reasonable.
Mark.
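A small model of the behaviour under discussion, added here as an illustration and not code from the thread or from any vendor: RFC 6811 origin validation, a router that either drops ROV rejects or retains them (the "keep all RPKI rejects" option, or a neighbor with soft-reconfiguration inbound), the 1-bit-per-neighbor "had rpki rejects" flag, and the resulting decision of which neighbors need a Route Refresh after a VRP update. The class names and the sample prefixes and ASNs are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass(frozen=True)
class Roa:            # one VRP: prefix, maximum length, authorised origin AS
    prefix: str
    maxlen: int
    asn: int

def validate(prefix, origin, roas):   # RFC 6811: 'valid', 'invalid', 'notfound'
    net = ip_network(prefix)
    covering = [r for r in roas if net.version == ip_network(r.prefix).version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"
    ok = any(r.asn == origin and net.prefixlen <= r.maxlen for r in covering)
    return "valid" if ok else "invalid"

@dataclass
class Neighbor:
    name: str
    soft_reconfig_inbound: bool = False           # whole Adj-RIB-In retained
    accepted: dict = field(default_factory=dict)  # (prefix, origin) -> state
    rejects: dict = field(default_factory=dict)   # ROV rejects, if retained
    had_rpki_rejects: bool = False                # the 1-bit-per-neighbor flag

class Router:
    def __init__(self, roas, keep_rpki_rejects=False):   # option 1 from thread
        self.roas, self.keep, self.neighbors = set(roas), keep_rpki_rejects, {}
    def rov(self, n, key):          # apply ROV policy to one (prefix, origin)
        state = validate(*key, self.roas)
        n.accepted.pop(key, None); n.rejects.pop(key, None)
        if state != "invalid":
            n.accepted[key] = state
            return "accepted"
        n.had_rpki_rejects = True
        if self.keep or n.soft_reconfig_inbound:   # reject retained, not dropped
            n.rejects[key] = state
        return "rejected"
    def receive(self, name, prefix, origin):
        return self.rov(self.neighbors[name], (prefix, origin))
    def vrp_update(self, new_roas):   # returns neighbors needing Route Refresh
        changed, self.roas = set(new_roas) != self.roas, set(new_roas)
        need_refresh = []
        for n in self.neighbors.values():
            for key in list(n.accepted) + list(n.rejects):  # re-validate locally
                self.rov(n, key)
            # Dropped rejects come back only via refresh, and any ROA change may
            # make one acceptable (added: invalid->valid; removed: invalid->notfound).
            if changed and n.had_rpki_rejects and not (self.keep or n.soft_reconfig_inbound):
                need_refresh.append(n.name)
        return need_refresh
```

A neighbor that never produced an ROV reject, or whose rejects were retained, is never refreshed; only neighbors whose rejects were discarded cost a refresh, and only when the ROA set actually changed.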
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/