Hi all,

In 5. Best Practices

>Don't prepend ASNs that you don't own

Should the language here be stronger and expand a bit on why doing so is a bad idea? Some BGP daemons don't prevent or even warn the user when a non-local ASN is used in prepending, which opens the door for misconfigurations / malicious activities:

* if the peer has properly configured enforce-first-as on the session, prepending with a non-local ASN would cause the route to be rejected
* configuration errors from mixing up how many times to prepend and the ASN to prepend with
* injecting a third-party ASN to creatively / mistakenly poison a route, e.g. prepending with 65536 in aspath causes AS65536 to reject the route due to aspath loop prevention
* complications with aspath validation

Cheers,
Yang
_______________________________________________
GROW mailing list -- [email protected]
To unsubscribe send an email to [email protected]
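Added example, not part of the message above or of the draft: a Python sketch of the two receive-side checks the bullets mention (enforce-first-as and AS_PATH loop prevention), together with a lint that flags a prepend list containing a non-local ASN. Function names and sample ASNs are constructed, and the AS_PATH is modelled as a flat list with the most recently added AS leftmost.

```python
# Added illustration: names and sample ASNs are constructed, not from the draft.
# AS_PATH is modelled as a flat list of ASNs, most recently added AS leftmost.

def lint_prepend(local_as, prepend):
    """Flag ASNs in an outbound prepend list that are not the local AS."""
    foreign = sorted({asn for asn in prepend if asn != local_as})
    return [f"prepend uses non-local AS{asn}" for asn in foreign]

def receiver_verdict(receiver_as, neighbor_as, as_path, enforce_first_as=True):
    """Apply the two receive-side checks from the bullets to one eBGP update."""
    if enforce_first_as and (not as_path or as_path[0] != neighbor_as):
        return "reject: first AS is not the neighbor AS"
    if receiver_as in as_path:
        return "reject: own AS in AS_PATH (loop prevention)"
    return "accept"

if __name__ == "__main__":
    LOCAL = 64496  # constructed: the AS doing the prepending
    # A count typed where the ASN belongs shows up as a foreign ASN (here AS3).
    for prepend in ([LOCAL, LOCAL], [3, 3], [65536]):
        print(prepend, lint_prepend(LOCAL, prepend) or "ok")

    # Constructed updates: (receiver AS, neighbor AS, received AS_PATH).
    samples = [
        (64511, LOCAL, [LOCAL, LOCAL, 64500]),  # prepend with own AS only
        (64511, LOCAL, [65536, LOCAL, 64500]),  # foreign AS leftmost
        (65536, LOCAL, [LOCAL, 65536, 64500]),  # AS65536 sees itself in path
    ]
    for receiver, neighbor, path in samples:
        print(f"AS{receiver} from AS{neighbor} {path}:",
              receiver_verdict(receiver, neighbor, path))
```

Running the lint over prepend policies before deployment catches the non-local ASN case on daemons that accept it without a warning.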
