Hello all. In operating RPKI on Cisco IOS and IOS XE devices, we note that this vendor is deliberately making BGP best path decisions based on RPKI state of a route without the explicit input of operator-based routing policy.
So in addition to the normal (i.e., historically known) BGP best path decision process, the presence of an RTR session causes this vendor to, by default, add RPKI state to the BGP best path decision process when there does not exist a routing policy initiated by the operator to do so.

This is in violation of RFC 6811, Section 2, which clearly states: "An implementation MUST NOT exclude a route from the Adj-RIB-In or from consideration in the decision process as a side effect of its validation state, unless explicitly configured to do so."

Official documentation from the vendor confirms this default behaviour as well: http://tinyurl.com/pqpjmen

While the vendor provides knobs to disable this default behaviour, operators could generally miss this information. And given that there is no clear reason why a "normally" best path would be rejected on grounds of RPKI state not initiated by the operator, this is a hard problem to troubleshoot, even with prior (working) knowledge of RPKI.

Cheers,

Mark.
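The distinction Mark draws, as an added illustration that is not part of the original post and not vendor code: a simplified BGP decision process (LOCAL_PREF, then AS_PATH length) in which RPKI validation state can only affect selection through an operator-supplied policy, alongside a model of the reported default where a reject-Invalid policy is applied implicitly. The route set and the `vendor_default_select` function are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# RPKI origin validation states as defined in RFC 6811.
VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"

@dataclass
class Route:
    prefix: str
    next_hop: str
    local_pref: int
    as_path: tuple
    rpki_state: str  # attached as a side effect of the RTR session data

# An operator policy returns the (possibly modified) route, or None to reject it.
Policy = Callable[[Route], Optional[Route]]

def select_best(routes: Iterable[Route], policy: Optional[Policy] = None) -> Optional[Route]:
    """Simplified decision process: highest LOCAL_PREF, then shortest AS_PATH.

    Per RFC 6811 Section 2, rpki_state influences the outcome only through an
    explicitly configured policy; with policy=None the state is ignored entirely.
    """
    candidates = list(routes)
    if policy is not None:
        candidates = [r for r in (policy(r) for r in candidates) if r is not None]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))

def reject_invalid(route: Route) -> Optional[Route]:
    """Explicit operator policy: exclude Invalid routes from consideration."""
    return None if route.rpki_state == INVALID else route

def vendor_default_select(routes: Iterable[Route]) -> Optional[Route]:
    """Models the reported default (hypothetical): reject_invalid applied with no operator config."""
    return select_best(routes, policy=reject_invalid)

# Constructed Adj-RIB-In: the route that would normally win (higher LOCAL_PREF) is Invalid.
SAMPLE = [
    Route("203.0.113.0/24", "192.0.2.1", local_pref=200, as_path=(64500, 64510), rpki_state=INVALID),
    Route("203.0.113.0/24", "192.0.2.2", local_pref=100, as_path=(64501, 64511, 64510), rpki_state=VALID),
]

if __name__ == "__main__":
    print("RFC 6811 default (no policy):", select_best(SAMPLE).next_hop)                 # 192.0.2.1
    print("explicit operator policy:   ", select_best(SAMPLE, reject_invalid).next_hop)  # 192.0.2.2
    print("reported vendor default:    ", vendor_default_select(SAMPLE).next_hop)        # 192.0.2.2
```

The last two results are identical, which is exactly the troubleshooting problem: the operator sees a best path lose without any policy of their own to explain it.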
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr