bgpd: Do not advertise aggregate routes to contributing ASes #17961
@ton31337 This mechanism does not look safe, and I don't think we should do it. The AS-SET has been there for more than 20+ years, and most likely will continue to exist for years to come as people usually do not change working configs. This mechanism would cause an outage for a customer that receives and accepts the aggregate currently (say, along with "allows-as" feature).
Maybe the new logic introduced in this PR could be coupled with the
I disagree, it was implemented from the beginning incorrectly, and here is just a fixup. At least saying that in the documentation would be good.
Ok, then my comment is more about the proposal of "Do not advertise aggregate routes to contributing ASes", not the specific code in the patch.
Then it's not the best place to discuss the draft; there's already a long discussion ongoing on this draft, and most likely it's going to be RFC'ed anyway. as-set causes more issues than it gives benefits in terms of security.
I have seen "as-set" in a number of customers' configs. Usually they will not change working configs regardless of what an RFC says. To be safe, I think there should be a knob for this, and it should be off by default.
There is a knob, see "bgp reject-as-set".
fb44ed8 to e5e5cc5
draft-ietf-idr-deprecate-as-set-confed-set-16 defines that we MUST NOT advertise an aggregate prefix to the contributing ASes.

Signed-off-by: Donatas Abraitis <[email protected]>
e5e5cc5 to 28178dd
=> updates according to https://datatracker.ietf.org/doc/html/draft-ietf-idr-deprecate-as-set-confed-set-16
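
The rule in the PR title, as an added example that is not code from this PR or from FRR: once an aggregate carries no AS_SET, a contributing AS no longer finds its own number in the AS_PATH, so its receive-side loop check cannot reject the route and the sender has to withhold it instead. The example assumes a "contributing AS" is any AS in the AS_PATH of a route that went into the aggregate; the struct, function names and AS numbers are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct as_path { uint32_t asn[8]; size_t len; };

/* Receive-side loop check: a speaker drops a route whose path holds its own AS. */
bool path_contains(const struct as_path *p, uint32_t asn)
{
	for (size_t i = 0; i < p->len; i++)
		if (p->asn[i] == asn)
			return true;
	return false;
}

/* Assumption: a "contributing AS" is any AS in a contributing route's AS_PATH. */
bool is_contributing_as(const struct as_path *contrib, size_t n, uint32_t asn)
{
	for (size_t i = 0; i < n; i++)
		if (path_contains(&contrib[i], asn))
			return true;
	return false;
}

/* Send-side rule from the PR title: withhold the aggregate from contributors. */
bool may_advertise_aggregate(const struct as_path *contrib, size_t n,
			     uint32_t peer_as)
{
	return !is_contributing_as(contrib, n, peer_as);
}

/* Constructed sample: AS 64500 aggregates two more-specific routes. */
const struct as_path sample_contrib[] = {
	{ { 64501, 64510 }, 2 },
	{ { 64502 }, 1 },
};
const struct as_path agg_no_as_set = { { 64500 }, 1 }; /* AS_SET omitted */

int main(void)
{
	const uint32_t peers[] = { 64501, 64510, 64520 };

	for (size_t i = 0; i < 3; i++)
		printf("peer AS%u: loop check would %s, sender %s\n", (unsigned)peers[i],
		       path_contains(&agg_no_as_set, peers[i]) ? "reject" : "accept",
		       may_advertise_aggregate(sample_contrib, 2, peers[i]) ? "advertises" : "withholds");
	return 0;
}
```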