
Ryan Hamel wrote on 05/12/2024 23:45:
> What does "these devices don't follow standard BGP behaviors" have to do with adding a NO_EXPORT or specific community on the import policy when a route is accepted, and being belt & suspenders with matching those communities to drop those routes on export to carriers/IX/PNI sessions?

Ryan,

BGP ensures loop-free interdomain path computation by inspecting the AS path of each NLRI. If a routing optimiser rewrites all the AS paths for all the NLRIs it receives, then it's just pooped all over the primary component of BGP that's designed to ensure that interdomain BGP actually works in the way that it's supposed to do in the first place, which also acts as an intrinsic safety guard against dfz hijacking.

Removing an intrinsic safety guard like this is an inherently risky thing to do. When you elevate the inherent risk of a system, you necessarily elevate either the likelihood of failure or the consequences of a failure, or both.

As an industry, we should be well beyond the point of having to tell people that this is a poor idea, in the same way that we don't need to tell people that bypassing electrical fuse boxes is a poor idea, or removing railings on stair-cases, or not wearing motorbike helmets, or anything else designed to mitigate the unfortunate consequences of entirely predictable accidents.

Nick
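
The two controls discussed in this exchange, modelled as an added example that is not part of either message: community tagging on import with a matching drop on export, and the receiver-side AS-path loop check. The ASNs, prefixes, the `OPTIMIZER_TAG` community and the shape of the rewritten path are constructed assumptions; only NO_EXPORT (65535:65281) is a real well-known value.

```python
from dataclasses import dataclass

NO_EXPORT = (65535, 65281)    # well-known community (RFC 1997)
OPTIMIZER_TAG = (64500, 999)  # assumed operator-chosen tag, constructed

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple
    communities: frozenset = frozenset()

def import_from_optimizer(r):
    """Import policy: tag every route accepted from the optimiser."""
    return Route(r.prefix, r.as_path, r.communities | {NO_EXPORT, OPTIMIZER_TAG})

def export_to_ebgp(r, local_as):
    """Export policy for carrier/IX/PNI sessions; None means dropped."""
    if r.communities & {NO_EXPORT, OPTIMIZER_TAG}:
        return None
    return Route(r.prefix, (local_as,) + r.as_path, r.communities)

def loop_check_accepts(r, receiver_as):
    """Receiver-side AS-path loop detection: reject paths containing our AS."""
    return receiver_as not in r.as_path

def scenario():
    local_as, origin_as = 64500, 64511   # private-use ASNs, constructed
    genuine = Route("192.0.2.0/24", (64510, origin_as))
    # Constructed optimiser output: a more-specific with a rewritten AS path.
    rewritten = Route("192.0.2.0/25", (64510,))
    tagged = import_from_optimizer(rewritten)
    untagged_leak = export_to_ebgp(rewritten, local_as)  # import tagging missed
    return {
        "tagged_exported": export_to_ebgp(tagged, local_as) is not None,
        "untagged_exported": untagged_leak is not None,
        "origin_rejects_genuine": not loop_check_accepts(
            export_to_ebgp(genuine, local_as), origin_as),
        "origin_rejects_rewritten": not loop_check_accepts(untagged_leak, origin_as),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In this model the community filter holds only while the import tagging is applied; once a rewritten route reaches export untagged, the origin AS no longer sees itself in the path and the loop check does not reject it.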