Example configuration for ASPA with rpki-client?

Maria Matejka maria.matejka at nic.cz
Tue Apr 8 15:18:18 CEST 2025


Hi Jelle and Robert,

On Fri, Apr 04, 2025 at 08:11:47PM +0000, Jelle Luteijn via Bird-users wrote:

> I have ASPA implemented.
> I use the following function:
> function is_aspa_invalid(bool is_upstream) -> bool {
>     if aspa_check(ASPAS, bgp_path, is_upstream) = ASPA_INVALID then {
>         print "Reject: ASPA INVALID: ", net, " ", bgp_path, " protocol: ", proto;
>         return true;
>     }
>     
>     return false;
> }
> 
> and I call this function in my filter for upstream as follows:
>     if is_aspa_invalid(false) then {
>         reject;
>     }
> 
> What I found, for ASPA the upstream question is, is your ASN the upstream of the peer. In case of a transit the answer is no.

With ASPA, you get several cases of what you are actually testing, and
the check itself has two variants, upstream and downstream.

The upstream check requires (kinda contradictorily), as you correctly
state, that the AS Path is upstream *only*.

In other words, for most of your clients, you do the upstream check.
You also do the upstream check for your lateral peers e.g. in IXPs,
unless you wanna use them as transit.

Only if the neighbor is your transit (or transit-like), you do the
downstream check.

> does somebody have an example configuration snippet for ASPA in BIRD with rpki-client? I've read https://bird.network.cz/?get_doc&v=20&f=bird-6.html
> but I'm still not sure how the configuration in BIRD for an AS with two transit providers (just upstreams, no downstreams) would look like...

And with that, exactly as Jelle writes, you do the _downstream_ check
for all your transits, i.e.

```
if aspa_check_downstream(ASPAS) = ASPA_INVALID then reject "ASPA INVALID ", net, " ", bgp_path, " ", proto;
```

Happy routing! 
Maria

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
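
An example configuration for the case asked about in the thread (one AS with two transit providers, no customers), added here and not taken from the mail above or from the BIRD documentation. The AS numbers, neighbor addresses, ROA table names, protocol and filter names, and the RTR cache at 127.0.0.1 port 8282 serving rpki-client's output are assumptions; the IXP peer is included only to show where the upstream check goes.

```bird
# Constructed example: ASNs, addresses and names below are placeholders.
roa4 table r4;
roa6 table r6;
aspa table ASPAS;

# RTR session to a local cache fed from rpki-client (assumed address and port).
protocol rpki rtr_cache {
    roa4 { table r4; };
    roa6 { table r6; };
    aspa { table ASPAS; };
    remote 127.0.0.1 port 8282;
}

# Transit providers: routes arrive from above, so run the downstream check.
filter transit_in {
    if aspa_check_downstream(ASPAS) = ASPA_INVALID then
        reject "ASPA INVALID ", net, " ", bgp_path, " ", proto;
    accept;
}

# Lateral (IXP) peers and customers: the AS path must be upstream only,
# so run the upstream check (third argument true, as in the quoted function).
filter peer_in {
    if aspa_check(ASPAS, bgp_path, true) = ASPA_INVALID then
        reject "ASPA INVALID ", net, " ", bgp_path, " ", proto;
    accept;
}

protocol bgp transit1 {
    local as 64500;
    neighbor 192.0.2.1 as 64501;
    ipv4 { import filter transit_in; export none; };  # export policy not shown
}

protocol bgp transit2 {
    local as 64500;
    neighbor 198.51.100.1 as 64502;
    ipv4 { import filter transit_in; export none; };  # export policy not shown
}

protocol bgp ixp_peer {
    local as 64500;
    neighbor 203.0.113.1 as 64503;
    ipv4 { import filter peer_in; export none; };     # export policy not shown
}
```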