On 5/24/26 13:07, Jared Mauch wrote:
On May 23, 2026, at 1:21 PM, Mikael Abrahamsson
<[email protected]> wrote:
On Sat, 23 May 2026, Robert Raszuk wrote:
But what about BGP Attributes which should never be sent interdomain ? As you
can see from csv there are lots of them and the list keeps growing.
I think this "never be sent interdomain" registry is a good suggestion, but we need a
knob to tell what is "interdomain" and not, on peer level, if that's where the filtering
is going.
I have EBGP peers that are to other ISPs, and I have EBGP peers that are
internal. Some EBGP peers need my VXLAN nexthops (the internal ones), other
EBGP peers definitely don't.
The way this was typically handled in the past was the idea of BGP
confederations and you would configure a list of internal vs external ASNs.
This has also meant things like internal ASNs in private ASN ranges, through
commands like remove-private and such.
OAD, as noted earlier, is another recent reminder that we're getting
steady pressure for a cluster of confederation-like features applied to
normal BGP. Configuration, as confederations do, is one way to "solve"
this. Unfortunately anyone that's deployed confederations knows that
the list is a bit fragile and the source of issues.
These days we'll probably want to capability protect a border rather
than only expect the list to be configured. Likely, "by default, any
ebgp isn't with someone internal". If you configure a peer-as with the
"treat-as-internal" flag, and it capability negotiates, you know that
you have a pair of consenting networks.
We are regularly finding gaps in policies where our communities are leaking out
to the internet and have to later clean them up.
This is largely why we have had to move to standardized templates on the
network devices and eventually can deploy clean configurations on devices that
are not regularly touched.
If some of the template practices distill into a more general form, the
update to 7454 in grow could certainly use that advice.
I’ve also been surprised that not all implementations dump/expose these well
known attributes so this requires updates and changes as well to detect what is
exported. The network is always a bit wilder than what we expect.
Sorry, do you mean communities here or something else?
-- Jeff
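The per-peer rule discussed above (EBGP is external by default; only a "treat-as-internal" peer that also negotiated the capability counts as internal) together with remove-private and local-community scrubbing, written out as an added example. This is illustration code, not anything from the thread or from any router implementation; the registry contents, the dict-based attribute representation and the sample UPDATE are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the proposed "never sent interdomain" registry,
# seeded only with attributes whose IBGP-only scope existing RFCs already fix.
NEVER_INTERDOMAIN = {
    5: "LOCAL_PREF",     # RFC 4271: never sent to external peers
    9: "ORIGINATOR_ID",  # RFC 4456: route reflection, IBGP only
    10: "CLUSTER_LIST",  # RFC 4456
}
AS_PATH, COMMUNITIES = 2, 8  # attribute type codes (RFC 4271 / RFC 1997)


def is_private_asn(asn: int) -> bool:
    """RFC 6996 private ASN ranges (what 'remove-private' acts on)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


@dataclass
class Peer:
    name: str
    peer_as: int
    treat_as_internal: bool = False    # the operator-side knob
    internal_capability: bool = False  # did the peer negotiate it too?

    def is_internal(self, local_as: int) -> bool:
        if self.peer_as == local_as:
            return True  # plain IBGP
        # EBGP is external by default; only a consenting pair is internal.
        return self.treat_as_internal and self.internal_capability


def scrub_update(attrs: dict, peer: Peer, local_as: int):
    """Return (attributes to send, audit log) for one outbound UPDATE."""
    if peer.is_internal(local_as):
        return dict(attrs), []
    out, log = {}, []
    for code, value in attrs.items():
        if code in NEVER_INTERDOMAIN:
            log.append(f"{peer.name}: dropped {NEVER_INTERDOMAIN[code]}")
            continue
        if code == AS_PATH:  # remove-private-as before the path leaves
            value = [asn for asn in value if not is_private_asn(asn)]
        elif code == COMMUNITIES:  # keep our own communities from leaking
            leaked = [c for c in value if c[0] == local_as]
            if leaked:
                log.append(f"{peer.name}: scrubbed {len(leaked)} local communities")
            value = [c for c in value if c[0] != local_as]
        out[code] = value
    return out, log


# Constructed sample: a route learned from a private-ASN internal peer,
# carrying our own community (local AS 64496) and reflector attributes.
SAMPLE_UPDATE = {1: 0, AS_PATH: [65001, 64500], 5: 200, 10: [0x0A000001],
                 COMMUNITIES: [(64496, 100), (64500, 3)]}
```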
_______________________________________________
GROW mailing list -- [email protected]
To unsubscribe send an email to [email protected]