[ncc-services-wg] 2013-04 New Policy Proposal (Resource Certification for non-RIPE NCC Members)
Havard Eidnes
he at uninett.no
Tue May 21 09:06:25 CEST 2013
Hi,

off on a tangent(?):

> And from
> http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-origin-as.pdf:
> "You can allow an invalid prefix to be used as the BGP best
> path, even if valid prefixes are available. This is the default
> behavior."

I keep seeing/hearing this when RPKI is discussed. While strictly true, the way I've understood this, it will also defeat one of the main purposes of RPKI, namely to be able to defend against certain route hijacking or route leak events, where more-specific routes are propagated and accepted.

In order to defend against that type of events, due to the "longest matching prefix always wins, irrespective of BGP attributes" behaviour (which isn't a trait of BGP but of how our routers look up forwarding entries), you cannot have your router configured to install RPKI-invalid prefixes in your forwarding table.

Regards,

- Håvard
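The point made in the message above, as an added example that is not part of the original post: RFC 6811 origin validation combined with a longest-prefix-match forwarding lookup, showing that a less-preferred RPKI-invalid more-specific still attracts traffic unless invalids are kept out of the forwarding table. The prefixes, AS numbers, local-preference values and function names are constructed for illustration, and best-path selection is reduced to local preference only.

```python
import ipaddress

# Constructed sample data: documentation prefixes, reserved AS numbers.
ROAS = [("192.0.2.0/24", 24, 64500)]           # (prefix, maxLength, origin AS)
ROUTES = [
    ("192.0.2.0/24", 64500, 200),              # ROA holder's route, high local-pref
    ("192.0.2.128/25", 64666, 50),             # more-specific, other origin, low local-pref
]

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation state: valid, invalid or not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True                     # some ROA covers this route
            if net.prefixlen <= max_len and origin == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"

def build_fib(routes, drop_invalid):
    """Best path is chosen per prefix, so every distinct prefix gets a FIB entry."""
    best = {}
    for prefix, origin, local_pref in routes:
        if drop_invalid and validate(prefix, origin) == "invalid":
            continue                           # invalid routes never reach the FIB
        net = ipaddress.ip_network(prefix)
        if net not in best or local_pref > best[net][1]:
            best[net] = (origin, local_pref)
    return {net: origin for net, (origin, _) in best.items()}

def forward(fib, dst):
    """Longest matching prefix wins; BGP attributes play no part in the lookup."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)]

if __name__ == "__main__":
    for drop in (False, True):
        fib = build_fib(ROUTES, drop_invalid=drop)
        print(f"drop_invalid={drop}: 192.0.2.200 -> AS{forward(fib, '192.0.2.200')}")
```

The /25 never competes with the /24 in best-path selection because they are different prefixes, which is why lowering the preference of invalid routes does not help against more-specifics.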