On Mon, 21 Dec 2020 at 18:07, <adamv0...@netconsultings.com> wrote: > Good point, also all the potential attribute filtering (in XR) would it be > applied prior to accepting the route into soft-reconfig version of the > table?
IOS-XR is only post-policy. So whatever you reject does not contribute towards the limit, allowing DRAM exhaustion attack. SROS is only pre-policy. So if someone leaks bad prefixes you reject in policy, it's still going to be flap, potentially BGP reset attack. JunOS supports pre and post. Both are needed as they protect from different issues. -- ++ytti _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/