Concerning the structure of ASPA tables and AS0

Maria Matejka maria.matejka at nic.cz
Fri Dec 27 18:31:05 CET 2024


Hello Ralph,

> Yes, "I have no providers" is a much more accurate description of AS 0.  It
> can be used by tier 1 networks as well as people trying to depreciate their
> old ASN.

Well, yes, a deprecated ASN has also no providers, yet it can still be
(maliciously) placed into a valid AS path if it is on the top place.
OTOH, with that, the attack surface is limited only to your downstream
networks.

> It looks like the source of my confusion was that I was under the
> assumption that the transit ASPA entries could be used to auto-detect
> upstream vs downstream as opposed to doing the check in the filter script. 
> Sorry about that!

No problem, everybody is confused by ASPA. It's hard to get it right.

> I noticed in aspa_check() you check for confeds but AS_PATH_SET is never
> checked for.

Well, that looks like another oversight, thank you for reporting.

> The specs say they should return ASPA_INVALID however I noticed when I did
> that I lost about 64 routes which caused some customer complaints.  I had to
> end up slightly changing the code to return ASPA_INVALID if upstream and
> ASPA_UNKNOWN if downstream.

Mhmmm. That's definitely a problem. We can do various things with and
around that. First of all, the default behavior of `aspa_check()` must
conform to the RFC.

Brainstorming:

- something like `if bgp_path.contains_sets`
- allowing a more precise for-cycle over `bgp_path`, e.g.
  ```
  for bgppath_segment bs in bgp_path do {
    case bgppath_segment.type {
      AS_PATH_SEQUENCE: for int a in bs do { ... }
      AS_PATH_SET: for int a in bs do { ... }
      AS_PATH_CONFED_SEQUENCE: ...
    }
  }
  ```
- adding an optional argument to `aspa_check()` to allow sets, treating
  them as "any of the ASNs in the set"
- adding an `aspa_is_customer(table, A, B)` function, returning whether A
  can be a customer of B according to the given table

Any other thoughts on that?

Thanks, 
Maria

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
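
Added example, not part of the original message and not BIRD's code: a C sketch of an upstream-direction ASPA path check showing AS 0 as "no providers", the strict set handling the thread says the specs require, and the brainstormed "any of the ASNs in the set" option. All names, the table and the paths are constructed for illustration, and reading "any of" as the most permissive pairwise result is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
enum aspa_result { ASPA_VALID, ASPA_UNKNOWN, ASPA_INVALID };
enum hop { HOP_PROVIDER, HOP_NO_ATTESTATION, HOP_NOT_PROVIDER }; /* best to worst */
struct aspa { uint32_t customer; uint32_t providers[4]; size_t n; };
struct seg { int is_set; uint32_t asn[4]; size_t n; }; /* sequence element: n == 1 */
/* Constructed table, one record per customer. AS 0 alone = "I have no providers". */
static const struct aspa table[] = { {65001,{65002},1}, {65002,{65003},1}, {65009,{0},1} };
/* Constructed paths, origin first. */
const struct seg p_plain[] = { {0,{65001},1}, {0,{65002},1}, {0,{65003},1} };
const struct seg p_as0[]   = { {0,{65009},1}, {0,{65003},1} };
const struct seg p_unk[]   = { {0,{65004},1}, {0,{65003},1} };
const struct seg p_set[]   = { {0,{65001},1}, {1,{65002,65004},2}, {0,{65003},1} };

/* Can cust be a customer of prov according to the table? */
static enum hop hop_check(uint32_t cust, uint32_t prov) {
  for (size_t i = 0; i < sizeof table / sizeof *table; i++) {
    if (table[i].customer != cust) continue;
    for (size_t j = 0; j < table[i].n; j++)
      if (prov != 0 && table[i].providers[j] == prov) return HOP_PROVIDER;
    return HOP_NOT_PROVIDER;   /* record exists, prov is not listed in it */
  }
  return HOP_NO_ATTESTATION;   /* no record for cust at all */
}

/* "Any of the ASNs in the set": keep the most permissive pairwise answer. */
static enum hop seg_hop(const struct seg *c, const struct seg *p) {
  enum hop best = HOP_NOT_PROVIDER;
  for (size_t i = 0; i < c->n; i++)
    for (size_t j = 0; j < p->n; j++) {
      enum hop h = hop_check(c->asn[i], p->asn[j]);
      if (h < best) best = h;
    }
  return best;
}

/* Upstream check; prepends assumed collapsed, neighbor-AS check omitted. */
enum aspa_result aspa_upstream(const struct seg *path, size_t len, int allow_sets) {
  enum aspa_result r = ASPA_VALID;
  if (len == 0) return ASPA_INVALID;
  for (size_t i = 0; i < len; i++) {
    if (path[i].is_set && !allow_sets) return ASPA_INVALID; /* strict default */
    if (i == 0) continue;
    enum hop h = seg_hop(&path[i - 1], &path[i]);
    if (h == HOP_NOT_PROVIDER) return ASPA_INVALID;
    if (h == HOP_NO_ATTESTATION) r = ASPA_UNKNOWN;
  }
  return r;
}
```

With `allow_sets` off, `p_set` is rejected outright; with it on, the same path passes because one member of the set is an attested hop in both directions.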