On Mon, 29 Apr 2024 at 21:27, Nigel Kukard via Bird-users <bird-users@network.cz> wrote:
> Hi there Richard,
>
> On 4/29/24 19:14, Richard Laager wrote:
>
> Perhaps I am naive, but I assumed one would validate RPKI on the eBGP edge
> and simply reject INVALID routes.
>
> Why would one want to accept INVALID at all?
>
> If we agree one would reject INVALID, then what is left to tag?
>
> For my specific use case I wanted to add a community for VALID and
> UNKNOWN. I'm going to look into the non-transitive extended communities to
> see how this works out.
>

Sure, but why add such communities? It reduces performance and doesn’t add security benefits.

OTOH - it can satisfy curiosity about where traffic is flowing - then again, using a traffic analyser like pmacct or Kentik helps offer insight into how much traffic is going to Valid vs Not-Found destinations, without the need to add any communities.

I’m not saying you shouldn’t pursue adding a few non-transitive extended communities here and there for your use case; just that generally speaking, operators probably should not apply different policies for Valid and Not-Found states.

Kind regards,

Job
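
The policy discussed in this thread (reject INVALID at the eBGP edge, apply the same policy to Valid and Not-Found), as an added example that is not part of the original messages: RFC 6811 origin validation in Python over constructed ROAs and routes. The names `Roa`, `rov_state`, `import_policy` and `decisions` are hypothetical, and all prefixes and ASNs are documentation values.

```python
import ipaddress
from typing import NamedTuple

class Roa(NamedTuple):
    prefix: str   # ROA prefix
    max_len: int  # longest announcement length the ROA authorises
    asn: int      # authorised origin AS

# Constructed sample ROAs (documentation prefixes and ASNs).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64497),
]

def rov_state(route_prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for a route, per RFC 6811."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (AS0 never matches) and not too specific.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def import_policy(state):
    """Edge policy from the thread: drop invalid, treat the rest alike."""
    return "reject" if state == "invalid" else "accept"

def decisions(routes):
    """Map (prefix, origin_asn) pairs to (prefix, state, action) tuples."""
    out = []
    for prefix, asn in routes:
        state = rov_state(prefix, asn)
        out.append((prefix, state, import_policy(state)))
    return out

if __name__ == "__main__":
    # Constructed sample announcements.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
              ("192.0.2.128/25", 64496), ("203.0.113.0/24", 64500),
              ("2001:db8:1::/48", 64497)]
    for row in decisions(sample):
        print(*row)
```
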