<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Maria!</p>
<p>Interesting stuff! I suppose you could consider the different
AS's in the SET as "lateral" from each other on "the mountain".</p>
<p>It looks like the newest (aspa-19) wording of the standard
demands that you throw them all out as invalid anyway.<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/">https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/</a><br>
<br>
7.2. Algorithm for Upstream Paths<br>
<br>
3. If the AS_PATH has an AS_SET, then the procedure halts with
the<br>
outcome "Invalid".<br>
<br>
7.3. Algorithm for Downstream Paths<br>
<br>
3. If the AS_PATH has an AS_SET, then the procedure halts with
the<br>
outcome "Invalid".<br>
</p>
<p>I am going to see if I can convince the powers that be to change
7.3.3 to "Unknown".<br>
</p>
<p>Thanks again!<br>
</p>
<pre class="moz-signature" cols="72">Ralph Covelli
Network Engineer
Hurricane Electric / AS6939</pre>
<div class="moz-cite-prefix">On 12/27/2024 12:31 PM, Maria Matejka
via Bird-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:Z27kWQdDi4l5t9Lo@livanecnik.jmq.cz">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="viewport"
content="width=device-width, initial-scale=1.0, user-scalable=yes">
<style>html {
line-height: 1.2;
font-family: serif;
font-size: 0.9em;
color: black;
background-color: white;
}body {
margin: 0;
margin-right: auto;
max-width: 36em;
padding: 1em;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}p {
margin: 1em 0;
}a {
color: black;
}a:visited {
color: black;
}img {
max-width: 100%;
}h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}h5, h6 {
font-size: 1em;
font-style: italic;
}h6 {
font-weight: normal;
}ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}li > ol, li > ul {
margin-top: 0;
}blockquote {
margin: 0.5em;
padding-left: 0.5em;
border-left: 2px solid #e6e6e6;
color: #444;
}code {
font-family: 'Lucida Console', monospace;
font-size: 95%;
margin: 0;
}pre {
margin: 1em 0;
overflow: auto;
max-width: unset;
width: fit-content;
}pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
max-width: unset;
white-space: pre-wrap;
}pre code span {
white-space: pre;
}.sourceCode {
background-color: transparent;
overflow: visible;
}code.diff span.kw,
code.diff span.dt {
font-weight: bold;
}code.diff span.va {
background-color: rgba(192, 255, 192, 64);
color: rgb(0, 64, 0);
}code.diff span.st {
background-color: rgba(255, 192, 192, 64);
color: rgb(64, 0, 0);
}pre.diff {
background-color: rgb(240, 240, 240);
padding: 0.4em;
border: 1pt solid grey;
}hr {
background-color: black;
border: none;
height: 1px;
margin: 1em 0;
}table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}table caption {
margin-bottom: 0.75em;
}tbody {
margin-top: 0.5em;
border-top: 1px solid black;
border-bottom: 1px solid black;
}th {
border-top: 1px solid black;
padding: 0.25em 0.5em 0.25em 0.5em;
}td {
padding: 0.125em 0.5em 0.25em 0.5em;
}header {
margin-bottom: 4em;
text-align: center;
}code{white-space: pre-wrap;}span.smallcaps{font-variant: small-caps;}span.underline{text-decoration: underline;}div.column{display: inline-block; vertical-align: top; width: 50%;}div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}ul.task-list{list-style: none;}q { quotes: "„" "”" "»" "«"; }.display.math{display: block; text-align: center; margin: 0.5rem auto;}</style>
<p>Hello Ralph,</p>
<blockquote>
<p>Yes, “I have no providers” is a much more accurate
description of AS
0. It can be used by tier 1 networks as well as people trying
to
depreciate their old ASN.</p>
</blockquote>
<p>Well, yes, a deprecated ASN has also no providers, yet it can
still
be (maliciously) placed into a valid AS path if it is on the top
place.
OTOH, with that, the attack surface is limited only to your
downstream
networks.</p>
<blockquote>
<p>It looks like the source of my confusion was that I was under
the
assumption that the transit ASPA entries could be used to
auto-detect
upstream vs downstream as opposed to doing the check in the
filter
script. Sorry about that!</p>
</blockquote>
<p>No problem, everybody is confused by ASPA. It’s hard to get it
right.</p>
<blockquote>
<p>I noticed in aspa_check() you check for confeds but
AS_PATH_SET is
never checked for.</p>
</blockquote>
<p>Well, that looks like another oversight, thank you for
reporting.</p>
<blockquote>
<p>The specs say they should return ASPA_INVALID however I
noticed when
I did that I lost about 64 routes which caused some customer
complaints. I had to end up slightly changing the code to
return
ASPA_INVALID if upstream and ASPA_UNKNOWN if downstream.</p>
</blockquote>
<p>Mhmmm. That’s definitely a problem. We can do various things
with and
around that. First of all, the default behavior of
<code>aspa_check()</code> must conform to the RFC.</p>
<p>Brainstorming:</p>
<ul>
<li>
<p>something like <code>if bgp_path.contains_sets</code></p>
</li>
<li>
<p>allowing a more precise for-cycle over <code>bgp_path</code>,
e.g.</p>
<pre><code>for bgppath_segment bs in bgp_path do {
case bgppath_segment.type {
AS_PATH_SEQUENCE: for int a in bs do { ... }
AS_PATH_SET: for int a in bs do { ... }
AS_PATH_CONFED_SEQUENCE: ...
}
}</code></pre>
</li>
<li>
<p>adding an optional argument to <code>aspa_check()</code>
to allow
sets, treting them as “any of the ASNs in the set”</p>
</li>
<li>
<p>adding an <code>aspa_is_customer(table, A, B)</code>
function,
returning whether A can be a custormer of B according to the
given
table</p>
</li>
</ul>
<p>Any other thoughts on that?</p>
<p>Thanks,<br>
Maria</p>
<p>–<br>
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.</p>
</blockquote>
</body>
</html>