Closed lindadunbar closed 8 months ago
The following paragraphs have been added to the Security Considerations section of -v15:
To prevent the BGP UPDATE receivers (a.k.a. ingress routers in this document) from leaking the Metadata Path Attribute by accident to nodes outside the trusted domain [ATTRIBUTE-ESCAPE], the following practice should be enforced:
The Metadata Path Attribute originator sets the attribute as Non-transitive when sending the BGP UPDATE message to its corresponding RR. According to [RFC4271], Non-transitive Path Attributes are only guaranteed to be dropped during BGP route propagation by implementations that do not recognize them.
The RR (Route Reflector) can append the NO-ADVERTISE well-known community to the BGP UPDATE message with Metadata Path Attribute when forwarding to the ingress routers. By doing so, the Route Reflector signals to ingress nodes that the associated route's Metadata Path Attribute should not be further advertised beyond their scope. This precautionary measure ensures that the receiver of the BGP UPDATE message refrains from forwarding the received update to its peers, preventing the undesired propagation of the information carried by the Metadata Path Attribute.
Jeff Haas suggested that the RR attach the NO-ADVERTISE well-known community to the UPDATE when sending it to the ingress routers.
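As an added illustration of the two rules quoted above (not text from the draft, the issue discussion, or any router implementation), the toy model below walks a route from the originator through a Route Reflector to an ingress router and then to a peer outside the trusted domain. Unrecognized-attribute handling follows RFC 4271 section 9 (optional transitive attributes are kept with the Partial bit set, optional non-transitive ones are quietly dropped), and the NO-ADVERTISE value follows RFC 1997. The Metadata Path Attribute type code (250), the prefix, and the attribute payload are constructed placeholders, not values from the draft.

```python
"""Toy model of the leak-prevention rules for the Metadata Path Attribute.

Constructed for this example; not the draft's text or any vendor code.
Rule 1: the originator marks the attribute Optional and Non-transitive.
Rule 2: the RR adds the NO-ADVERTISE well-known community when forwarding
        to ingress routers, so they do not re-advertise the route.
"""
from dataclasses import dataclass, replace
import struct

# RFC 4271 section 4.3 attribute flag bits
OPTIONAL = 0x80
TRANSITIVE = 0x40
PARTIAL = 0x20

COMMUNITIES = 8            # RFC 1997 COMMUNITIES path attribute type code
NO_ADVERTISE = 0xFFFFFF02  # RFC 1997 well-known community value
METADATA = 250             # placeholder type code for the Metadata Path Attribute (assumption)


@dataclass(frozen=True)
class PathAttribute:
    type_code: int
    flags: int
    value: bytes


@dataclass(frozen=True)
class Update:
    prefix: str
    attrs: tuple


def import_update(upd, known_types):
    """Receiver-side handling of unrecognized optional attributes (RFC 4271 section 9)."""
    kept = []
    for a in upd.attrs:
        if a.type_code in known_types:
            kept.append(a)
        elif a.flags & TRANSITIVE:
            # Unrecognized optional transitive: kept, Partial bit set, still propagated.
            kept.append(replace(a, flags=a.flags | PARTIAL))
        # Unrecognized optional non-transitive: quietly ignored and not propagated.
    return Update(upd.prefix, tuple(kept))


def communities(upd):
    """Set of 32-bit community values carried in the COMMUNITIES attribute."""
    for a in upd.attrs:
        if a.type_code == COMMUNITIES:
            return set(struct.unpack("!%dI" % (len(a.value) // 4), a.value))
    return set()


def add_no_advertise(upd):
    """What the RR does before forwarding the route to its ingress-router clients."""
    comms = communities(upd) | {NO_ADVERTISE}
    value = b"".join(struct.pack("!I", c) for c in sorted(comms))
    others = tuple(a for a in upd.attrs if a.type_code != COMMUNITIES)
    return Update(upd.prefix, others + (PathAttribute(COMMUNITIES, OPTIONAL | TRANSITIVE, value),))


def export_update(upd):
    """The UPDATE a router would send to a peer, or None if NO-ADVERTISE forbids it."""
    if NO_ADVERTISE in communities(upd):
        return None
    return upd


def has_metadata(upd):
    return upd is not None and any(a.type_code == METADATA for a in upd.attrs)


def simulate(originator_transitive, rr_adds_no_advertise, ingress_knows_metadata):
    """Originator -> RR -> ingress router -> peer outside the trusted domain."""
    flags = OPTIONAL | (TRANSITIVE if originator_transitive else 0)
    origin = Update("203.0.113.0/24", (PathAttribute(METADATA, flags, b"\x01\x02"),))  # constructed
    # The RR must recognize the attribute in order to forward it at all.
    at_rr = import_update(origin, {METADATA, COMMUNITIES})
    to_ingress = add_no_advertise(at_rr) if rr_adds_no_advertise else at_rr
    known = {COMMUNITIES} | ({METADATA} if ingress_knows_metadata else set())
    at_ingress = import_update(to_ingress, known)
    to_outside = export_update(at_ingress)
    return {"ingress_has_metadata": has_metadata(at_ingress),
            "leaked_outside": has_metadata(to_outside)}


if __name__ == "__main__":
    for case in [(False, True, True), (True, False, False), (False, False, False), (False, False, True)]:
        print(case, simulate(*case))
```

The last two scenarios show why the draft keeps both rules: a non-transitive attribute only protects against ingress routers that do not implement it, so an ingress router that does recognize the attribute would still re-advertise it unless the RR has tagged the route NO-ADVERTISE.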