<div dir="ltr"><div>I would also support this change.<br><br>Currently, on software that doesn't have this policy, I feel my only safe action is to install sessions disabled, ensure that an import and export filter is in place, and only then enable a session. Avoiding this action, and following <span class="gmail-im">draft-ietf-grow-bgp-reject makes this more convenient and safer for all I feel. There is something to be said for the disruption of default behavior change, but I think a major point release is one of the best opportunities to do this.<br><br></span></div><span class="gmail-im">/Charles<br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 1, 2017 at 8:36 AM, Stefan Jakob <span dir="ltr"><<a href="mailto:tinysammy@gmail.com" target="_blank">tinysammy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01.05.17 11:55, Job Snijders wrote:<br>
> On Mon, May 01, 2017 at 11:45:58AM +0200, Ondrej Zajicek wrote:<br>
>> On Sun, Apr 30, 2017 at 10:42:19AM +0200, Job Snijders wrote:<br>
>>> On Sun, Apr 30, 2017 at 12:46:04AM +0200, Ondrej Filip wrote:<br>
>>>> Let me announce a new addition to 2.0.x branch.<br>
>>><br>
>>> Congratulations!<br>
>>><br>
>>> Does this 2.0.0-pre1 version follow draft-ietf-grow-bgp-reject ?<br>
>><br>
>> No, like 1.6.x, it has default policy of import all, export none.<br>
>><br>
>> While i see that it is a good idea to have export none as default, i<br>
>> do not see much advantage to have import none as default.<br>
><br>
> I'd argue this is insecure behaviour and I'm disappointed you do not see<br>
> an advantage.<br>
><br>
> The default of "import all" fully relies on the EBGP neighbor not<br>
> announcing crap to you. Relying on others to do the right thing means<br>
> you are operating from a position of weakness rather then strength.<br>
<br>
</span>I totally support the "default deny" pattern. This forces people to<br>
think what they want to achieve.<br>
<br>
This pattern is used on lot of device classes like FW devices,<br>
loadbalancers and even in router software like IOS-XR in most of the<br>
corners.<br>
<br>
default deny +1<br>
<br>
Imho, SJ<br>
<br>
<br>
<br>
<br>
<br>
</blockquote></div><br></div>