<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello!<br>
</p>
<p>At one point it seems like there was a helper function already
written for this that has been lost in time. It used to be right
next to as_path_contains_confed() in the code.</p>
<p>Maybe its time to bring it back? :-)</p>
<p>Thanks!<br>
</p>
<p><font face="monospace">int<br>
as_path_contains_set(const struct adata *path)<br>
{<br>
const byte *pos = path->data;<br>
const byte *end = pos + path->length;<br>
<br>
while (pos < end)<br>
{<br>
uint type = pos[0];<br>
uint slen = 2 + BS * pos[1];<br>
<br>
if ((type == AS_PATH_SET) ||<br>
(type == AS_PATH_CONFED_SET))<br>
return 1;<br>
<br>
pos += slen;<br>
}<br>
<br>
return 0;<br>
}</font></p>
<p><font face="monospace"><br>
</font></p>
<div class="moz-cite-prefix">On 12/27/2024 5:29 PM, Ralph Covelli
via Bird-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:50e981a7-436d-4934-bf15-1e383d1a5fc6@he.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Okay!</p>
<p>I talked to Job. It looks like they have no interest in easing
the transition for stragglers who are still announcing AS_SETs
in their AS_PATHs.<br>
</p>
<p>All AS_SETs should result in ASPA_INVALID.</p>
<p>I also just learned the Dutch have a saying... "soft doctors
make wounds stink".</p>
<p>Haha! Thanks again for all your help.</p>
<pre class="moz-signature" cols="72">Ralph Covelli
Network Engineer
Hurricane Electric / AS6939</pre>
<div class="moz-cite-prefix">On 12/27/2024 4:40 PM, Ralph Covelli
via Bird-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:52ef2a71-de80-4329-a61c-234b56e463d7@he.net">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
<p>Hi Maria!</p>
<p>Interesting stuff! I suppose you could consider the
different AS's in the SET as "lateral" from each other on "the
mountain".</p>
<p>It looks like the newest (aspa-19) wording of the standard
demands that you throw them all out as invalid anyway.<br>
</p>
<p><a class="moz-txt-link-freetext"
href="https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/"
moz-do-not-send="true">https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/</a><br>
<br>
7.2. Algorithm for Upstream Paths<br>
<br>
3. If the AS_PATH has an AS_SET, then the procedure halts
with the<br>
outcome "Invalid".<br>
<br>
7.3. Algorithm for Downstream Paths<br>
<br>
3. If the AS_PATH has an AS_SET, then the procedure halts
with the<br>
outcome "Invalid".<br>
</p>
<p>I am going to see if I can convince the powers that be to
change 7.3.3 to "Unknown".<br>
</p>
<p>Thanks again!<br>
</p>
<pre class="moz-signature" cols="72">Ralph Covelli
Network Engineer
Hurricane Electric / AS6939</pre>
<div class="moz-cite-prefix">On 12/27/2024 12:31 PM, Maria
Matejka via Bird-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:Z27kWQdDi4l5t9Lo@livanecnik.jmq.cz">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="viewport"
content="width=device-width, initial-scale=1.0, user-scalable=yes">
<style>html {
line-height: 1.2;
font-family: serif;
font-size: 0.9em;
color: black;
background-color: white;
}body {
margin: 0;
margin-right: auto;
max-width: 36em;
padding: 1em;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}p {
margin: 1em 0;
}a {
color: black;
}a:visited {
color: black;
}img {
max-width: 100%;
}h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}h5, h6 {
font-size: 1em;
font-style: italic;
}h6 {
font-weight: normal;
}ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}li > ol, li > ul {
margin-top: 0;
}blockquote {
margin: 0.5em;
padding-left: 0.5em;
border-left: 2px solid #e6e6e6;
color: #444;
}code {
font-family: 'Lucida Console', monospace;
font-size: 95%;
margin: 0;
}pre {
margin: 1em 0;
overflow: auto;
max-width: unset;
width: fit-content;
}pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
max-width: unset;
white-space: pre-wrap;
}pre code span {
white-space: pre;
}.sourceCode {
background-color: transparent;
overflow: visible;
}code.diff span.kw,
code.diff span.dt {
font-weight: bold;
}code.diff span.va {
background-color: rgba(192, 255, 192, 64);
color: rgb(0, 64, 0);
}code.diff span.st {
background-color: rgba(255, 192, 192, 64);
color: rgb(64, 0, 0);
}pre.diff {
background-color: rgb(240, 240, 240);
padding: 0.4em;
border: 1pt solid grey;
}hr {
background-color: black;
border: none;
height: 1px;
margin: 1em 0;
}table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}table caption {
margin-bottom: 0.75em;
}tbody {
margin-top: 0.5em;
border-top: 1px solid black;
border-bottom: 1px solid black;
}th {
border-top: 1px solid black;
padding: 0.25em 0.5em 0.25em 0.5em;
}td {
padding: 0.125em 0.5em 0.25em 0.5em;
}header {
margin-bottom: 4em;
text-align: center;
}code{white-space: pre-wrap;}span.smallcaps{font-variant: small-caps;}span.underline{text-decoration: underline;}div.column{display: inline-block; vertical-align: top; width: 50%;}div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}ul.task-list{list-style: none;}q { quotes: "„" "”" "»" "«"; }.display.math{display: block; text-align: center; margin: 0.5rem auto;}</style>
<p>Hello Ralph,</p>
<blockquote>
<p>Yes, “I have no providers” is a much more accurate
description of AS 0. It can be used by tier 1 networks as
well as people trying to depreciate their old ASN.</p>
</blockquote>
<p>Well, yes, a deprecated ASN has also no providers, yet it
can still be (maliciously) placed into a valid AS path if it
is on the top place. OTOH, with that, the attack surface is
limited only to your downstream networks.</p>
<blockquote>
<p>It looks like the source of my confusion was that I was
under the assumption that the transit ASPA entries could
be used to auto-detect upstream vs downstream as opposed
to doing the check in the filter script. Sorry about
that!</p>
</blockquote>
<p>No problem, everybody is confused by ASPA. It’s hard to get
it right.</p>
<blockquote>
<p>I noticed in aspa_check() you check for confeds but
AS_PATH_SET is never checked for.</p>
</blockquote>
<p>Well, that looks like another oversight, thank you for
reporting.</p>
<blockquote>
<p>The specs say they should return ASPA_INVALID however I
noticed when I did that I lost about 64 routes which
caused some customer complaints. I had to end up slightly
changing the code to return ASPA_INVALID if upstream and
ASPA_UNKNOWN if downstream.</p>
</blockquote>
<p>Mhmmm. That’s definitely a problem. We can do various
things with and around that. First of all, the default
behavior of <code>aspa_check()</code> must conform to the
RFC.</p>
<p>Brainstorming:</p>
<ul>
<li>
<p>something like <code>if bgp_path.contains_sets</code></p>
</li>
<li>
<p>allowing a more precise for-cycle over <code>bgp_path</code>,
e.g.</p>
<pre><code>for bgppath_segment bs in bgp_path do {
case bgppath_segment.type {
AS_PATH_SEQUENCE: for int a in bs do { ... }
AS_PATH_SET: for int a in bs do { ... }
AS_PATH_CONFED_SEQUENCE: ...
}
}</code></pre>
</li>
<li>
<p>adding an optional argument to <code>aspa_check()</code>
to allow sets, treting them as “any of the ASNs in the
set”</p>
</li>
<li>
<p>adding an <code>aspa_is_customer(table, A, B)</code>
function, returning whether A can be a custormer of B
according to the given table</p>
</li>
</ul>
<p>Any other thoughts on that?</p>
<p>Thanks,<br>
Maria</p>
<p>–<br>
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC,
z.s.p.o.</p>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>