enforce-first-as disable

Daniel Suchy danny at danysek.cz
Thu Feb 7 18:24:06 CET 2019


Hello,

On 2/7/19 4:09 PM, Ondrej Filip wrote:
> This is not necessary. BIRD does not check the first AS unless this is
> configured in filters.

I think this behavior might be reconsidered for eBGP peers for upcoming
versions, mainly due to security reasons.

Even though RFC 4271 isn't strict here for leftmost ASN validation ("may
check", as stated in section 6.3, page 34), RFC 7353 expects more
strict checks on the AS_PATH attribute (section 4.6), with respect to RFC
7606, section 7.2 (withdrawn affected route).

Also, the spirit of RFC 8212 was to move implicit BGP speaker behavior to
a more secure manner (of course, there must be a knob disabling strict
checking when this is really needed, for IXP RS clients, for example).

With regards,
Daniel
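
The filter-based check Ondrej Filip refers to, with the per-session opt-out Daniel asks for, could be written like this in BIRD 2 configuration. This is an added example, not part of the original message and not configuration from the BIRD project; the ASNs, addresses, router id and the names first_as_ok, import_strict, import_rs, transit1 and ixp_rs are constructed for illustration.

```bird
# Constructed sample values: documentation ASNs (RFC 5398) and addresses (RFC 5737).
router id 192.0.2.254;
define MY_AS = 64500;

# True when the leftmost ASN in AS_PATH equals the ASN of the eBGP neighbor.
# bgp_path.first is the first (neighbor-side) ASN of the path.
function first_as_ok(int peer_as)
{
  return bgp_path.first = peer_as;
}

# Strict import: a route whose first AS is not the peer's AS is not accepted.
filter import_strict
{
  if !first_as_ok(64501) then reject;
  accept;
}

# Route-server import: a transparent IXP route server does not prepend its
# own ASN, so the first AS belongs to another member and the check is skipped.
filter import_rs
{
  if bgp_path.len = 0 then reject;
  accept;
}

# Ordinary eBGP peer: first-AS check enforced in the import filter.
protocol bgp transit1 {
  local as MY_AS;
  neighbor 192.0.2.1 as 64501;
  ipv4 {
    import filter import_strict;
    export none;
  };
}

# Session to an IXP route server: the "knob disabled" case.
protocol bgp ixp_rs {
  local as MY_AS;
  neighbor 198.51.100.1 as 64510;
  ipv4 {
    import filter import_rs;
    export none;
  };
}
```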

