On Fri, Dec 06, 2024 at 10:55:30PM +0000, Ryan Hamel wrote:
> That means (at least for Noction) the operator has to go out of their
> way to disable safety, so those that claim it has bad defaults, may
> want to RTFM.

While I appreciate various business drivers and motivations exist to
deploy software solutions to modify & optimize routing on the fly, I
think I disagree with you on this one point.

Operators *literally* have to go out of their way to configure Noction
to be safe to use. It is not safe to use out of the box.

Page 29: https://www.noction.com/wp-content/uploads/2016/09/irp-lite-documentation.pdf

"""
improvements should be stopped from propagating across routing
domains. A route map is used to address this.
[snip]
Refer your router capabilities in order to produce the correct route
map. The route map MUST be integrated into existing route maps. It is
not sufficient to simply append them.
"""

(red: Noction calls the synthetic unauthorized more-specific hijack
route announcements "improvements")

From Noction's other documentation at
https://www.noction.com/blog/route-optimizers

"""
In order to further reduce the likelihood of these problems occurring
in the future, we will be adding a feature within Noction IRP to give
an option to tag all the more specific prefixes that it generates with
the BGP NO_EXPORT community.
-->>> This will not be enabled by default <<<---
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"""

Noction made their software UNSAFE BY DEFAULT. In my opinion this is a
very poor product design choice, and the very reason we keep coming
back to this specific topic.

Other routing optimizer products never make the news, guess what they
all have in common? They set NO_EXPORT by default! :-)

Efforts to define new extensions to the BGP protocol to make this type
of product safer in use (creating a new AFI/SAFI or something else) via
IETF is interesting, but it appears Noction is not even doing the bare
minimum within the existing standards.

Kind regards,

Job
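
A check for the failure mode discussed in this message, as an added example that is not part of the original email or of Noction's software: it scans a constructed BGP table for routes learned from an optimizer session that do not carry NO_EXPORT and so depend entirely on the outbound route map to stay inside the routing domain. The optimizer peer address, the table layout and the function names are assumptions.

```python
import ipaddress

NO_EXPORT = "65535:65281"       # well-known NO_EXPORT community (RFC 1997)
OPTIMIZER_PEER = "192.0.2.10"   # assumed address of the optimizer's iBGP session

# Constructed sample of a local BGP table (documentation prefixes only).
SAMPLE_RIB = [
    {"prefix": "198.51.100.0/24", "peer": "203.0.113.1", "communities": []},
    {"prefix": "198.51.100.0/25", "peer": OPTIMIZER_PEER, "communities": []},
    {"prefix": "198.51.100.128/25", "peer": OPTIMIZER_PEER,
     "communities": [NO_EXPORT]},
    {"prefix": "2001:db8::/32", "peer": "203.0.113.1", "communities": []},
    {"prefix": "2001:db8:1::/48", "peer": OPTIMIZER_PEER,
     "communities": ["64500:100"]},
]

def covering_route(net, rib, optimizer_peer):
    """Longest less-specific route from a non-optimizer peer that covers net."""
    best = None
    for route in rib:
        if route["peer"] == optimizer_peer:
            continue
        cand = ipaddress.ip_network(route["prefix"])
        if (cand.version == net.version and cand.prefixlen < net.prefixlen
                and net.subnet_of(cand)):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best

def exportable_more_specifics(rib, optimizer_peer=OPTIMIZER_PEER):
    """Optimizer-injected routes that lack NO_EXPORT, with the route they split."""
    findings = []
    for route in rib:
        if route["peer"] != optimizer_peer or NO_EXPORT in route["communities"]:
            continue  # not injected by the optimizer, or already tagged
        net = ipaddress.ip_network(route["prefix"])
        cover = covering_route(net, rib, optimizer_peer)
        findings.append((str(net), str(cover) if cover else None))
    return findings

if __name__ == "__main__":
    for prefix, cover in exportable_more_specifics(SAMPLE_RIB):
        print(f"{prefix} (more-specific of {cover}) lacks NO_EXPORT")
```

Any prefix this reports is kept off eBGP sessions only by the route map; a route tagged with NO_EXPORT is withheld by the router itself even if that filter is missing or appended incorrectly.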