On 7/May/20 23:29, Pierre Emeriaud wrote:

> This is exactly what's happening. But why did Cisco rpki algorithm
> choose to trust ibgp relationship over the validators, even though
> extcommunity wasn't sent, this is weird...

I spent a whole week in 2014 trying to figure out why Cisco would think
this is useful, despite the RFCs saying "Don't do such". I gave up and
focused on better-written implementations.


> While I can grasp why one could announce (and trust) rpki state over
> ibgp, in this situation the asr1k had both a validator and no
> extcommunity whatsoever received, this I don't understand why it would
> validate such a prefix...

Stupid. Don't bang your head against a wall trying to figure out how
Cisco reached this conclusion in their interpretation and implementation
of the RFC.

And what's even more annoying - IOS XR is well implemented, i.e., it
does not have this stupidity. Makes you wonder.

Mark.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
