On 11/13/21 17:20, Saku Ytti wrote:

> I chose my words carefully when I said 'RPKI rejects', instead of 'invalid'.

Well, this only really happens on IOS XE since Cisco apply policy by default.

On IOS XR, you'll need 'bgp bestpath origin-as allow invalid' for Invalids not to be automatically dropped.


> The problem only cursorily relates to a specific RPKI validation
> state. We may reject RPKI 'unknown', we may even imagine policies
> which reject based on some criteria AND RPKI 'valid' (maybe I have my
> own motivations for how I use VRP and want to capitalise on all three
> states arbitrarily, maybe I'm rejecting valids, because I'm collecting
> invalids to some separate RIB for research purposes).

And that is all fine, provided YOU, as the operator, are deciding policy.

The problem is that Cisco seem to want to automatically apply policy, particularly on IOS XE. We've hounded them about this since 2015, and nothing has changed.

IOS XR is a little better in this specific regard, but not by much when compared against Junos.


>    soft-reconfiguration inbound rpki ## default, keep if policy
> rejected route while using validation database state (may have used
> something else, but as long as reject policy used validation state,
> regardless of state, we need to keep it).

This is what we are trying to write the RFC for - to decouple the historical need to keep or drop Adj-RIB-In from the operational requirements of RTR dynamics, i.e., leverage the value of Route Refresh to its fullest extent.

Mark.
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
