Hi,

On Thu, May 05, 2011 at 05:11:33AM -0400, Martin Millnert wrote:
"Considering invalid routes for BGP decision process is a pure ***local policy matter*** and should be done with utmost care." (Emphasis mine)
I am hoping you can give some practical examples on how one goes about considering routes invalid with utmost care.
You could, for example, adjust routing preference in accordance to the availability of an RPKI signature

- prefer routes with a valid RPKI ROA
- if no routes with a valid ROA can be found, consider routes with no ROA (neither matching nor invalid)
- if no such routes can be found, accept any route, even if the ROA lists a wrong origin AS

Randy has demonstrated in the workshop on last Monday morning how to do that in IOS.

The implementation is such that the BGP engine doesn't *care* about the validity of a route/ROA, it will just mark the prefix with the result of the validation check - and then you can use the normal local policy language to influence your policy with that result.

One *choice* could be "drop all routes that have a ROA mismatch" - or, as outlined above "accept everything, but only use those routes as last-resort". Local policy decision.

The workshop was very enlightening, to actually see how the pieces fit together and how local policy is applied to the data coming from the (various) RPKI data stores.

Gert Doering
        -- APWG chair
--
did you enable IPv6 on something today...?

SpaceNet AG
Joseph-Dollinger-Bogen 14
D-80807 Muenchen
Tel: +49 (89) 32356-444

Vorstand: Sebastian v. Bomhard
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
USt-IdNr.: DE813185279
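
The mark-then-decide split described in the message above, as an added example that is not part of the original mail and not the IOS configuration shown at the workshop: a validation step tags each route as valid, not-found or invalid, and a separate local policy step ranks candidate paths for one prefix by that tag. The ROA entries, AS numbers, peer names and local-preference values are constructed for illustration.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, max length, origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Assumed local-preference values implementing the three tiers from the message.
LOCAL_PREF = {"valid": 200, "not-found": 100, "invalid": 50}


def validate(prefix, origin_as, vrps=VRPS):
    """Classify a route as valid / not-found / invalid against the ROA data."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        roa = ipaddress.ip_network(vrp_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True  # at least one ROA covers this address space
        if route.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    # Covered but no ROA matched origin and length: mismatch. Else: no ROA.
    return "invalid" if covered else "not-found"


def mark(routes):
    """Tag each route with its validation state; nothing is dropped here."""
    return [dict(r, state=validate(r["prefix"], r["origin"])) for r in routes]


def select(routes, drop_invalid=False):
    """Local policy over marked candidate paths for one prefix.

    drop_invalid=False keeps ROA mismatches as a last resort;
    drop_invalid=True is the stricter "drop all mismatches" choice.
    """
    marked = mark(routes)
    if drop_invalid:
        marked = [r for r in marked if r["state"] != "invalid"]
    return max(marked, key=lambda r: LOCAL_PREF[r["state"]], default=None)


if __name__ == "__main__":
    paths = [
        {"prefix": "192.0.2.0/24", "origin": 64999, "via": "peer-a"},
        {"prefix": "192.0.2.0/24", "origin": 64500, "via": "peer-b"},
    ]
    print(select(paths))
```

With `drop_invalid=True`, a prefix whose only path has a ROA mismatch becomes unreachable, which is the trade-off between the two policy choices.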