Hi. According the current ASPA draft the AS_PATH should be categorized as invalid if it's empty, contains an AS_SET or most recently added AS in the AS_PATH does not match the neighbor AS except if the AS performing the ASPA check is a route-server client. aspa_check() in nest/rt-table.c returns ASPA_INVALID for empty AS_PATH and for AS_PATH containing AS_SET. However, the enforce-first-as check is not performed. I briefly tried to understand how such check could be added to aspa_check() in nest/rt-table.c, but there does not seem to be a simple and clean solution. However, I could be wrong here. It's trivial to get the leftmost AS number with as_path_get_first(), but the filter module does not seem to have access to peer AS number and doesn't know whether it's a route-server client. As a workaround, one could use a function in filters and pass this information as function arguments, e.g: function bgp_in(int peer_as; bool route_server_client) -> bool { if ! route_server_client && bgp_path.first != peer_as then reject "Invalid left-most ASN ", bgp_path.first, ". Reject ", net; ... }; .. but perhaps it's at least worth documenting it in "BIRD User's Guide" that the aspa_check_downstream(), aspa_check_upstream() and aspa_check() do not enforce first AS check. Especially as the "enforce first as" option under BGP configuration is off by default. I tested on BIRD 3.2.1. Martin