Large communities indicating RPKI VALID status
Job Snijders
job at fastly.com
Mon Apr 29 21:33:56 CEST 2024
On Mon, 29 Apr 2024 at 21:27, Nigel Kukard via Bird-users <
bird-users at network.cz> wrote:
> Hi there Richard,
>
> On 4/29/24 19:14, Richard Laager wrote:
>
> Perhaps I am naive, but I assumed one would validate RPKI on the eBGP edge and simply reject INVALID routes.
>
> Why would one want to accept INVALID at all?
>
> If we agree one would reject INVALID, then what is left to tag?
>
> For my specific use case I wanted to add a community for VALID and
> UNKNOWN. I'm going to look into the non-transitive extended communities to
> see how this works out.
>
Sure, but why add such communities? It reduces performance and doesn’t add
security benefits.

OTOH - it can satisfy curiosity about where traffic is flowing - then
again, using a traffic analyser like pmacct or Kentik helps offer insight
into how much traffic is going to Valid vs Not-Found destinations, without
the need to add any communities.

I’m not saying you shouldn’t pursue adding a few non-transitive extended
communities here and there for your use case; just that generally speaking,
operators probably should not apply different policies for Valid and
Not-Found states.

Kind regards,

Job