Hello Sriram,
The example you provide is the primary **safe** use of NO_EXPORT that
I’ve seen used in networks. If NO_EXPORT is being used for a prefix
and global reachability is needed for the prefix, then there generally
needs to be an aggregate/less-specific prefix advertised without
NO_EXPORT. I’ve seen plenty of unsafe uses of NO_EXPORT that result
in reachability issues.
Several of the responders pointed to using NO_EXPORT as a way of
preventing a peer network from advertising your route to their peers and
transit neighbors. A couple of responses pointed out the danger of this
approach, since it also prevents the network from advertising the route
to any of its downstream/customer neighbors. If those customers are
expecting to receive a full table, it won’t include the NO_EXPORT
tagged routes. These customer networks may, as a result, make a poor
routing decision. In a failure situation, where the customer network
only has access to this almost full table, they have no path to the
NO_EXPORT prefix.
NO_EXPORT isn’t the correct tool to use to both allow a peer to use a
route for its customers and prevent the peer from leaking the route to
its peers and transit. If we can get our router vendors to implement
it, [RFC9234 - Route Leak Prevention and Detection Using Roles in UPDATE
and OPEN Messages](https://datatracker.ietf.org/doc/rfc9234/) is a much
better tool for this problem. Thanks for your work on this RFC.
Jeff
--
Jeff Bartig
Interconnection Architect
Internet2 [AS11164](https://as11164.peeringdb.com) / AS11537
+1-608-616-9908
jbar...@internet2.edu
On 19 Sep 2024, at 12:26, Sriram, Kotikalapudi (Fed) via NANOG wrote:
For some IETF work in progress related to Source Address Validation
(SAV), it is useful to know the purposes for which NO_EXPORT may be
attached to routes announced in BGP, especially towards transit
providers?
I know it makes sense for an AS to announce an aggregate less-specific
prefix to transit providers and peers without NO_EXPORT while
announcing some more-specific prefixes (subsumed under the aggregate)
with NO_EXPORT towards customer ASes. But are there good reasons when
an AS might announce a prefix (route) to a transit provider with
NO_EXPORT attached? The IP address space in consideration here is
meant to have global reachability.
Sriram
