On Fri, Jul 26, 2019 at 05:16:27PM +0200, Claudio Jeker wrote:
> On Fri, Jul 26, 2019 at 02:49:55PM +0000, Job Snijders wrote:
> > My recommendation to BGP implementers would be to implement all
> > three types of prefix limits. My recommendation to operators is to
> > configure both pre-policy and post-policy limits, as each limit has
> > different advantages in context of Internet routing.
>
> For BGP implementation having more than just one Loc-RIB implementing
> a post-policy check is more complex and the result will depend on
> which of the RIBs the count is done. For these reasons OpenBGPD only
> does pre-policy inbound limits and until now nobody ever complained
> about that being not good enough.

In context of Internet routing the *pre* policy limit is the most useful one; so I'm happy openbgpd has it. This is the feature that helps protect against full route table leaks. On the other hand, *post* policy limits are not entirely effective against full table route leaks. I've explained the difference at the IETF 104 GROW session.

The *post* policy limit is most useful if there are FIB size restrictions (for instance on a layer-3 switch with constrained ASIC); or if there are Loc-RIB memory constraints. Since the most common deployment of OpenBGPD seems to be on 'server-based routers' and 'route servers', I am not surprised so far the feature hasn't come up yet.

If OpenBGPD decides not to implement post-policy limits, that is fine, it just means that OpenBGPD cannot claim compliance with the full Internet-Draft. However, when the draft is published as RFC at least openbgpd can reference *exactly* what is implemented.

Kind regards,

Job

_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow
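
The pre-policy and post-policy counters discussed in this thread, modelled for a single peer as an added example that is not part of the original messages and is not OpenBGPD code. It shows which limit notices a full-table leak depending on how strict the import policy is. Assumptions: the function names, the allowlist policy, the limit of 100 and all prefixes are constructed for illustration.

```python
import ipaddress

# Constructed import policy: this peer may only announce routes inside its
# own block (documentation range, chosen for the example).
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]

def strict_policy(net):
    return any(net.subnet_of(a) for a in ALLOWED)

def permissive_policy(net):
    return True

def evaluate_session(announcements, accept, pre_limit, post_limit):
    """Return (received, accepted, pre_tripped, post_tripped) for one peer."""
    seen = set()
    received = accepted = 0
    for prefix in announcements:
        net = ipaddress.ip_network(prefix)
        if net in seen:        # re-announcement of a known route
            continue
        seen.add(net)
        received += 1          # pre-policy: every route the peer sent
        if accept(net):
            accepted += 1      # post-policy: only routes policy let through
    return received, accepted, received > pre_limit, accepted > post_limit

# Constructed input: 4 legitimate routes, then a leak of 8192 unrelated /24s.
NORMAL = [str(n) for n in ALLOWED[0].subnets(new_prefix=26)]
LEAK = NORMAL + [str(n) for n in
                 ipaddress.ip_network("10.0.0.0/11").subnets(new_prefix=24)]

if __name__ == "__main__":
    for name, routes, policy in [("normal/strict", NORMAL, strict_policy),
                                 ("leak/strict", LEAK, strict_policy),
                                 ("leak/permissive", LEAK, permissive_policy)]:
        print(name, evaluate_session(routes, policy, 100, 100))
```

With the strict policy the leaked routes are rejected before they are counted post-policy, so only the pre-policy limit trips; the post-policy counter tracks what would actually occupy the Loc-RIB and FIB.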