Hello all.

In operating RPKI on Cisco IOS and IOS XE devices, we note 
that this vendor is deliberately making BGP best path 
decisions based on RPKI state of a route without the 
explicit input of operator-based routing policy.

So in addition to the normal (i.e., historically known) BGP 
best path decision process, the presence of an RTR session 
causes this vendor to, by default, add RPKI state to the BGP 
best path decision process when there does not exist a 
routing policy initiated by the operator to do so.

This is in violation of RFC 6811, Section 2, which clearly 
states:

        "An implementation MUST NOT exclude a route from the
         Adj-RIB-In or from consideration in the decision
         process as a side effect of its validation state,
         unless explicitly configured to do so."

Official documentation from the vendor confirms this default 
behaviour as well:

        http://tinyurl.com/pqpjmen

While the vendor provides knobs to disable this default 
behaviour, operators could generally miss this information. 
And given that there is no clear reason why a "normally" 
best path would be rejected on grounds of RPKI state not 
initiated by the operator, this is a hard problem to 
troubleshoot, even with prior (working) knowledge of RPKI.

Cheers,

Mark.
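The best-path side effect the post describes, as an added example (not code from the post, from Cisco, or from RFC 6811): a small Python model of a BGP decision process in which only an explicitly configured policy may exclude a route because of its RPKI state, beside a switch that models the implicit vendor behaviour. The routes, next hops, AS numbers and the exact way the implicit behaviour is modelled (Invalid routes dropped before the classic comparison) are constructed assumptions for illustration; the post does not describe the vendor's internal ordering.

```python
"""Model of the RFC 6811, Section 2 point raised in the post: a route's
RPKI validation state must not remove it from the decision process
unless the operator explicitly configured that.  All routes, states and
policies below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, List, Optional

VALID, NOT_FOUND, INVALID = "valid", "not-found", "invalid"


@dataclass
class Route:
    prefix: str
    next_hop: str
    local_pref: int
    as_path: tuple
    origin: int          # 0 = IGP, 1 = EGP, 2 = INCOMPLETE
    med: int
    ebgp: bool
    router_id: str
    rpki_state: str = NOT_FOUND


def classic_bestpath_key(r: Route):
    """The historically known comparison order: higher local-pref, shorter
    AS path, lower origin, lower MED, eBGP over iBGP, lower router-id.
    Note that the RPKI state is deliberately absent from this key."""
    rid = tuple(int(o) for o in r.router_id.split("."))
    return (-r.local_pref, len(r.as_path), r.origin, r.med,
            0 if r.ebgp else 1, rid)


# An operator policy returns True when the route stays eligible.
Policy = Callable[[Route], bool]


def no_policy(route: Route) -> bool:
    """Operator has configured nothing about RPKI state."""
    return True


def drop_invalid_policy(route: Route) -> bool:
    """Explicit operator policy, analogous to a route-map that matches the
    Invalid state and denies the route (hypothetical policy)."""
    return route.rpki_state != INVALID


def select_best(routes: List[Route], policy: Policy = no_policy,
                vendor_default_exclude_invalid: bool = False) -> Optional[Route]:
    """RFC 6811 compliant behaviour: only `policy` (what the operator
    configured) may exclude a route based on its RPKI state.
    `vendor_default_exclude_invalid=True` models the implicit behaviour the
    post complains about: Invalid routes leave consideration with no
    operator policy saying so (modelling assumption)."""
    candidates = [r for r in routes if policy(r)]
    if vendor_default_exclude_invalid:
        candidates = [r for r in candidates if r.rpki_state != INVALID]
    if not candidates:
        return None
    return min(candidates, key=classic_bestpath_key)


def explain_difference(routes: List[Route], policy: Policy = no_policy):
    """Troubleshooting helper: report when the implicit handling would pick
    a different best path than the operator's configured policy alone."""
    compliant = select_best(routes, policy, False)
    implicit = select_best(routes, policy, True)
    if compliant is implicit:
        return None
    return {
        "compliant_best": compliant.next_hop if compliant else None,
        "implicit_best": implicit.next_hop if implicit else None,
        "reason": "route excluded by implicit RPKI handling, not by configured policy",
    }


# Constructed sample: two paths for one prefix; the one that wins on the
# classic criteria (higher local-pref) happens to be RPKI Invalid.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", "192.0.2.1", 200, (64500, 64501), 0, 0, True,
          "192.0.2.1", INVALID),
    Route("203.0.113.0/24", "192.0.2.2", 100, (64502,), 0, 0, True,
          "192.0.2.2", VALID),
]

if __name__ == "__main__":
    print("compliant, no policy:", select_best(SAMPLE_ROUTES).next_hop)
    print("implicit exclusion :", select_best(
        SAMPLE_ROUTES, vendor_default_exclude_invalid=True).next_hop)
    print("explicit policy    :", select_best(
        SAMPLE_ROUTES, drop_invalid_policy).next_hop)
    print(explain_difference(SAMPLE_ROUTES))
```

With no operator policy, the compliant selection keeps the local-pref 200 path even though it is Invalid; the implicit exclusion silently flips the answer to the other next hop, which is exactly the outcome that is hard to explain from the classic criteria alone. `explain_difference` is the kind of check a troubleshooter wants: it reports a discrepancy only when the implicit handling, not the configured policy, changed the result. On the platforms the post refers to, Cisco's documentation (not the post) names the knobs as `bgp bestpath prefix-validate disable` and `bgp bestpath prefix-validate allow-invalid` under the BGP address family.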
