diff -ruN bird-2.15.1/README.aspa-asn-pairs bird-2.15.1-aspa-asn-pairs/README.aspa-asn-pairs
--- bird-2.15.1/README.aspa-asn-pairs	1969-12-31 16:00:00.000000000 -0800
+++ bird-2.15.1-aspa-asn-pairs/README.aspa-asn-pairs	2024-12-17 21:14:23.000000000 -0800
@@ -0,0 +1,239 @@
+
+This patch implements ASPA using tables of customer/provider ASN pairs.
+
+It is based off bird's original static ASPA implementation that can be found here:
+
+https://gitlab.nic.cz/labs/bird/-/tree/aspa
+
+The original ASPA code was written by Eugene Bogomazov.
+
+This patch adds support for customer_asn and provider_asn selection, RTR v2 support and updates draft-ietf-sidrops-aspa-verification. 
+
+https://www.ietf.org/id/draft-ietf-sidrops-8210bis-16.html
+https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-verification/
+
+Here is an example static ASPA table:
+
+$ cat bird-aspa.conf
+aspa table at;
+
+protocol static
+{
+        aspa;
+        route aspa 970 54874;
+        route aspa 11358 835;
+        route aspa 11358 924;
+        route aspa 11358 6939;
+        route aspa 11358 20473;
+        route aspa 11358 34927;
+        route aspa 13852 6939;
+        route aspa 13852 20473;
+        route aspa 13852 34927;
+        route aspa 13852 52025;
+        route aspa 13852 209533;
+        route aspa 15562 2914;
+        route aspa 15562 8283;
+        route aspa 15562 51088;
+        route aspa 15562 206238;
+        route aspa 19330 393577;
+        route aspa 21957 970;
+...
+        route aspa 401111 1012;
+        route aspa 401111 2497;
+        route aspa 401111 17676;
+}
+
+---
+
+The first AS number is the customer_asn.  The second AS number is the provider_asn.
+
+Here is an example script that uses json dumps from rpki-client to generate a config file that can be included in your bird.conf:
+
+$ cat rpki-client-aspa-to-bird.pl
+#!/usr/bin/perl
+
+use JSON;
+
+my $argc = $#ARGV+1;
+
+if ($argc < 2) {
+  die("not enough args");
+}
+
+my $filename_in = @ARGV[0];
+my $filename_out = @ARGV[1];
+
+my $json_text = do {
+    open(my $json_fh, "<:encoding(UTF-8)", $filename_in)
+        or die("Can't open \"$filename_in\": $!\n");
+    local $/;
+    <$json_fh>
+};
+
+open(my $bird_fh, ">:encoding(UTF-8)", $filename_out)
+    or die("Can't open \"$filename_out\": $!\n");
+
+my $json = JSON->new;
+my $data = $json->decode($json_text);
+
+my $customer;
+
+print $bird_fh "aspa table at;\n";
+print $bird_fh "\n";
+print $bird_fh "protocol static\n";
+print $bird_fh "{\n";
+print $bird_fh "\taspa;\n";
+for ( @{$data->{aspas}} ) {
+    $customer = $_->{customer_asid};
+    for ( @{$_->{providers}} ) {
+        print $bird_fh "\troute aspa $customer $_;\n";
+    }
+}
+print $bird_fh "}\n";
+
+close($json_fh);
+close($bird_fh);
+
+---
+
+Here is a sample crontab script:
+
+$ cat update-bird-conf.sh
+#!/bin/bash
+
+LOCKFILE="/home/rpki/bird/etc/.update-bird-conf.sh.lock"
+
+touch $LOCKFILE
+
+exec {FDLOCK}<>$LOCKFILE
+
+if ! flock -n -x $FDLOCK; then
+  exit 1
+fi
+
+trap "rm -f $LOCKFILE" EXIT
+
+RPKI_CLIENT_BIN="/home/rpki/rpki-client/sbin/rpki-client"
+RPKI_CLIENT_JSON_DUMP="/home/rpki/rpki-client/var/db/rpki-client/json"
+BIRD_ASPA_TABLE_NEW="/home/rpki/bird/etc/bird-aspa.conf.new"
+BIRD_ASPA_TABLE="/home/rpki/bird/etc/bird-aspa.conf"
+BIRD_CONV_SCRIPT="/home/rpki/rpki-client-aspa-to-bird.pl"
+BIRDC_BIN="/home/rpki/bird/sbin/birdc"
+MIN_ASPA_COUNT=250
+
+TZ=Etc/UTC $RPKI_CLIENT_BIN -j
+
+$BIRD_CONV_SCRIPT $RPKI_CLIENT_JSON_DUMP $BIRD_ASPA_TABLE_NEW
+
+ASPA_COUNT=`grep route $BIRD_ASPA_TABLE_NEW | wc -l`
+
+if [ $ASPA_COUNT -le $MIN_ASPA_COUNT ]; then
+  rm -f $BIRD_ASPA_TABLE_NEW
+  exit 1
+fi
+
+mv $BIRD_ASPA_TABLE_NEW $BIRD_ASPA_TABLE
+
+$BIRDC_BIN 'configure'
+$BIRDC_BIN 'reload "bgp4"'
+$BIRDC_BIN 'reload "bgp6"'
+
+exit 0
+
+---
+
+Here is a function from bird.conf that can be called from a filter:
+
+include "bird-aspa.conf";
+
+# AS12345 as transit
+
+function is_aspa_invalid (bgppath path) -> bool {
+  if (path.len > 0) then {
+    if (path.first ~ [ 12345 ]) then {
+      return aspa_check(at, path, BGP_DIR_DOWN) = ASPA_INVALID;
+    } else {
+      return aspa_check(at, path, BGP_DIR_UP) = ASPA_INVALID;
+    }
+  } else {
+    return false;
+  }
+}
+
+---
+
+This is what the table looks like:
+
+bird> show route table at
+Table at:
+aspa AS50555 AS970    [static1 2024-11-27] * (200)
+aspa AS270470 AS53062  [static1 2024-11-27] * (200)
+aspa AS47272 AS212895  [static1 2024-11-27] * (200)
+aspa AS47272 AS212514  [static1 2024-11-27] * (200)
+aspa AS47272 AS210667  [static1 2024-11-27] * (200)
+aspa AS47272 AS58057  [static1 2024-11-27] * (200)
+aspa AS47272 AS52210  [static1 2024-11-27] * (200)
+aspa AS47272 AS52025  [static1 2024-11-27] * (200)
+aspa AS47272 AS50917  [static1 2024-11-27] * (200)
+...
+aspa AS203843 AS53667  [static1 2024-11-27] * (200)
+aspa AS203843 AS20473  [static1 2024-11-27] * (200)
+aspa AS203843 AS6939  [static1 2024-11-27] * (200)
+aspa AS216265 AS215051  [static1 2024-12-11] * (200)
+aspa AS216265 AS202673  [static1 2024-12-11] * (200)
+bird>
+
+---
+
+Selecting multiple customer_asns:
+
+bird> show route table at where net.customer_asn ~ [ 11358, 28584, 54218 ]
+Table at:
+aspa AS54218 AS57196  [static1 2024-12-04] * (200)
+aspa AS54218 AS35487  [static1 2024-12-02] * (200)
+aspa AS54218 AS59678  [static1 2024-11-27] * (200)
+aspa AS54218 AS53667  [static1 2024-11-27] * (200)
+aspa AS54218 AS37988  [static1 2024-11-27] * (200)
+aspa AS54218 AS16509  [static1 2024-11-27] * (200)
+aspa AS54218 AS917    [static1 2024-11-27] * (200)
+aspa AS11358 AS34927  [static1 2024-11-27] * (200)
+aspa AS11358 AS20473  [static1 2024-11-27] * (200)
+aspa AS11358 AS6939   [static1 2024-11-27] * (200)
+aspa AS11358 AS924    [static1 2024-11-27] * (200)
+aspa AS11358 AS835    [static1 2024-11-27] * (200)
+aspa AS28584 AS28605  [static1 2024-11-27] * (200)
+bird>
+
+---
+
+Selecting a provider_asn:
+
+bird> show route table at where net.provider_asn = 16509
+Table at:
+aspa AS216107 AS16509  [static1 2024-11-27] * (200)
+aspa AS54218 AS16509  [static1 2024-11-27] * (200)
+bird>
+
+---
+
+Configuring RPKI for ASPA:
+
+protocol rpki rpki1 {
+       roa4 { table r4; };
+       roa6 { table r6; };
+       aspa { table at; };
+
+       remote 127.0.0.1;
+       port 3323;
+
+       retry keep 90;
+       refresh keep 900;
+       expire keep 172800;
+       transport tcp;
+}
+
+
+---
+Ralph Covelli
+Hurricane Electric / AS6939
+rcovelli@he.net
diff -ruN bird-2.15.1/autogen.sh bird-2.15.1-aspa-asn-pairs/autogen.sh
--- bird-2.15.1/autogen.sh	1969-12-31 16:00:00.000000000 -0800
+++ bird-2.15.1-aspa-asn-pairs/autogen.sh	2024-09-17 18:03:26.000000000 -0700
@@ -0,0 +1,88 @@
+#! /bin/sh
+
+TOP_DIR=$(dirname $0)
+
+if test ! -f $TOP_DIR/configure.ac ; then
+   echo "You must execute this script from the top level directory."
+   exit 1
+fi
+
+AUTOCONF=${AUTOCONF:-autoconf}
+ACLOCAL=${ACLOCAL:-aclocal}
+#AUTOMAKE=${AUTOMAKE:-automake}
+AUTOHEADER=${AUTOHEADER:-autoheader}
+LIBTOOLIZE=${LIBTOOLIZE:-libtoolize}
+#SHTOOLIZE=${SHTOOLIZE:-shtoolize}
+
+dump_help_screen ()
+{
+   echo "Usage: $0 [options]"
+   echo
+   echo "options:"
+   echo "  -n           skip CVS changelog creation"
+   echo "  -h,--help    show this help screen"
+   echo
+   exit 0
+}
+
+parse_options ()
+{
+   while test "$1" != "" ; do
+      case $1 in
+         -h|--help)
+            dump_help_screen
+            ;;
+         -n)
+            SKIP_CVS_CHANGELOG=yes
+            ;;
+         *)
+            echo Invalid argument - $1
+            dump_help_screen
+            ;;
+      esac
+      shift
+   done
+}
+
+run_or_die ()
+{
+   COMMAND=$1
+
+   # check for empty commands
+   if test -z "$COMMAND" ; then
+      echo "*warning* no command specified"
+      return 1
+   fi
+
+   shift;
+
+   OPTIONS="$@"
+
+   # print a message
+   echo -n "*info* running $COMMAND"
+   if test -n "$OPTIONS" ; then
+      echo " ($OPTIONS)"
+   else
+      echo
+   fi
+
+   # run or die
+   $COMMAND $OPTIONS ; RESULT=$?
+   if test $RESULT -ne 0 ; then
+      echo "*error* $COMMAND failed. (exit code = $RESULT)"
+      exit 1
+   fi
+
+   return 0
+}
+
+parse_options "$@"
+
+echo "Building main autotools files."
+
+run_or_die $ACLOCAL -I m4
+run_or_die $LIBTOOLIZE --force --copy
+run_or_die $AUTOHEADER
+run_or_die $AUTOCONF
+#run_or_die $AUTOMAKE --add-missing --copy
+#run_or_die $SHTOOLIZE all
diff -ruN bird-2.15.1/bird-gdb.py bird-2.15.1-aspa-asn-pairs/bird-gdb.py
--- bird-2.15.1/bird-gdb.py	2023-10-07 04:59:53.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/bird-gdb.py	2024-09-17 18:23:56.000000000 -0700
@@ -31,6 +31,8 @@
             "T_ENUM_NETTYPE": "i",
             "T_ENUM_RA_PREFERENCE": "i",
             "T_ENUM_AF": "i",
+            "T_ENUM_ASPA": "i",
+            "T_ENUM_BGP_DIR": "i",
             "T_IP": "ip",
             "T_NET": "net",
             "T_STRING": "s",
diff -ruN bird-2.15.1/conf/confbase.Y bird-2.15.1-aspa-asn-pairs/conf/confbase.Y
--- bird-2.15.1/conf/confbase.Y	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/conf/confbase.Y	2024-09-26 20:14:21.000000000 -0700
@@ -118,7 +118,7 @@
 %type <time> expr_us time
 %type <a> ipa
 %type <net> net_ip4_ net_ip4 net_ip6_ net_ip6 net_ip_ net_ip net_or_ipa
-%type <net_ptr> net_ net_any net_vpn4_ net_vpn6_ net_vpn_ net_roa4_ net_roa6_ net_roa_ net_ip6_sadr_ net_mpls_
+%type <net_ptr> net_ net_any net_vpn4_ net_vpn6_ net_vpn_ net_roa4_ net_roa6_ net_roa_ net_ip6_sadr_ net_mpls_ net_aspa_
 %type <mls> label_stack_start label_stack
 
 %type <t> text opttext
@@ -138,7 +138,7 @@
 
 %start config
 
-CF_KEYWORDS(DEFINE, ON, OFF, YES, NO, S, MS, US, PORT, VPN, MPLS, FROM, MAX, AS)
+CF_KEYWORDS(DEFINE, ON, OFF, YES, NO, S, MS, US, PORT, VPN, MPLS, ASPA, FROM, MAX, AS)
 
 CF_GRAMMAR
 
@@ -299,6 +299,12 @@
   net_fill_mpls($$, $2);
 }
 
+net_aspa_: ASPA NUM NUM
+{
+  $$ = cfg_alloc(sizeof(net_addr_aspa));
+  net_fill_aspa($$, $2, $3);
+}
+
 net_ip_: net_ip4_ | net_ip6_ ;
 net_vpn_: net_vpn4_ | net_vpn6_ ;
 net_roa_: net_roa4_ | net_roa6_ ;
@@ -310,6 +316,7 @@
  | net_flow_
  | net_ip6_sadr_
  | net_mpls_
+ | net_aspa_
  ;
 
 
diff -ruN bird-2.15.1/filter/config.Y bird-2.15.1-aspa-asn-pairs/filter/config.Y
--- bird-2.15.1/filter/config.Y	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/filter/config.Y	2024-09-26 19:59:24.000000000 -0700
@@ -365,6 +365,7 @@
 	FROM, GW, NET, PROTO, SOURCE, SCOPE, DEST, IFNAME, IFINDEX, WEIGHT, GW_MPLS, GW_MPLS_STACK, ONLINK,
 	PREFERENCE,
 	ROA_CHECK,
+	ASPA_CHECK,
 	DEFINED,
 	ADD, DELETE, RESET,
 	PREPEND,
@@ -947,6 +948,9 @@
  | ROA_CHECK '(' rtable ')' { $$ = f_new_inst(FI_ROA_CHECK_IMPLICIT, $3); }
  | ROA_CHECK '(' rtable ',' term ',' term ')' { $$ = f_new_inst(FI_ROA_CHECK_EXPLICIT, $5, $7, $3); }
 
+ | ASPA_CHECK '(' rtable ',' term ')' { $$ = f_new_inst(FI_ASPA_CHECK_IMPLICIT, $5, $3); }
+ | ASPA_CHECK '(' rtable ',' term ',' term ')' { $$ = f_new_inst(FI_ASPA_CHECK_EXPLICIT, $5, $7, $3); }
+
  | FORMAT '(' term ')' {  $$ = f_new_inst(FI_FORMAT, $3); }
 
  | term_bs
diff -ruN bird-2.15.1/filter/data.h bird-2.15.1-aspa-asn-pairs/filter/data.h
--- bird-2.15.1/filter/data.h	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/filter/data.h	2024-09-17 19:03:23.000000000 -0700
@@ -43,6 +43,8 @@
   T_ENUM_RA_PREFERENCE = 0x37,
   T_ENUM_AF = 0x38,
   T_ENUM_MPLS_POLICY = 0x39,
+  T_ENUM_ASPA = 0x3a,
+  T_ENUM_BGP_DIR = 0x3b,
 
 /* new enums go here */
   T_ENUM_EMPTY = 0x3f,	/* Special hack for atomic_aggr */
diff -ruN bird-2.15.1/filter/f-inst.c bird-2.15.1-aspa-asn-pairs/filter/f-inst.c
--- bird-2.15.1/filter/f-inst.c	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/filter/f-inst.c	2024-10-08 21:18:30.000000000 -0700
@@ -1094,6 +1094,22 @@
           ((net_addr_roa6 *) v1.val.net)->asn);
   ]]);
 
+  /* Get ASPA CUSTOMER_ASN */
+  METHOD(T_NET, customer_asn, 0, [[
+        if (!net_is_aspa(v1.val.net))
+          runtime( "ASPA expected" );
+
+        RESULT(T_INT, i, ((net_addr_aspa *) v1.val.net)->customer_asn);
+  ]]);
+
+  /* Get ASPA PROVIDER_ASN */
+  METHOD(T_NET, provider_asn, 0, [[
+        if (!net_is_aspa(v1.val.net))
+          runtime( "ASPA expected" );
+
+        RESULT(T_INT, i, ((net_addr_aspa *) v1.val.net)->provider_asn);
+  ]]);
+
   /* Convert prefix to IP */
   METHOD_R(T_NET, ip, T_IP, ip, net_prefix(v1.val.net));
 
@@ -1606,6 +1622,52 @@
 
   }
 
+  INST(FI_ASPA_CHECK_IMPLICIT, 1, 1) {	/* ASPA Check */
+    NEVER_CONSTANT;
+    ARG(1, T_ENUM_BGP_DIR);
+    RTC(2);
+    struct rtable *table = rtc->table;
+    ACCESS_RTE;
+    ACCESS_EATTRS;
+    const net_addr *net = (*fs->rte)->net->n.addr;
+
+    if (!table)
+      runtime("Missing ASPA table");
+
+    if (table->addr_type != NET_ASPA)
+      runtime("Table type must be ASPA");
+
+    /* We ignore temporary attributes, probably not a problem here */
+    /* 0x02 is a value of BA_AS_PATH, we don't want to include BGP headers */
+    eattr *e = ea_find(*fs->eattrs, EA_CODE(PROTOCOL_BGP, 0x02));
+
+    if (!e || ((e->type & EAF_TYPE_MASK) != EAF_TYPE_AS_PATH))
+      runtime("Missing AS_PATH attribute");
+
+    uint dir = v1.val.i;
+
+    if (!net_is_ip(net))
+      runtime("Network type must be IPv4 or IPv6");
+
+    RESULT(T_ENUM_ASPA, i, [[ net_aspa_check(fpool, table, e->u.ptr, dir) ]]);
+  }
+
+  INST(FI_ASPA_CHECK_EXPLICIT, 2, 1) {	/* ASPA Check */
+    NEVER_CONSTANT;
+    ARG(1, T_PATH);
+    ARG(2, T_ENUM_BGP_DIR);
+    RTC(3);
+    struct rtable *table = rtc->table;
+
+    if (!table)
+      runtime("Missing ASPA table");
+
+    if (table->addr_type != NET_ASPA)
+      runtime("Table type must be ASPA");
+
+    RESULT(T_ENUM_ASPA, i, [[ net_aspa_check(fpool, table, v1.val.ad, v2.val.i) ]]);
+  }
+
   INST(FI_FROM_HEX, 1, 1) {	/* Convert hex text to bytestring */
     ARG(1, T_STRING);
 
diff -ruN bird-2.15.1/filter/test.conf bird-2.15.1-aspa-asn-pairs/filter/test.conf
--- bird-2.15.1/filter/test.conf	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/filter/test.conf	2024-09-26 20:01:32.000000000 -0700
@@ -2222,6 +2222,72 @@
 
 bt_test_suite(t_roa_check, "Testing ROA");
 
+aspa table at;
+
+protocol static
+{
+	aspa;
+	route aspa 65000 65001;
+	route aspa 65000 65002;
+	route aspa 64999 65001;
+	route aspa 65004 64999;
+	route aspa 65001 0;
+	route aspa 65006 65100;
+	route aspa 65000 65003;
+}
+
+function t_aspa_check()
+bgppath p1;
+bgppath p2;
+{
+	# empty path
+	p1 = + empty + ;
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_VALID);
+
+	# 65000
+	p1 = prepend(p1, 65000);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_VALID);
+
+	# 65000 65000
+	p1 = prepend(p1, 65000);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_VALID);
+
+	# 65001 65000 65000
+	p1 = prepend(p1, 65001);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_VALID);
+
+	# 65003 65000
+	p1 = prepend(+ empty +, 65000);
+	p1 = prepend(p1, 65003);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_INVALID);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_VALID);
+
+	# 65000 65003
+	p1 = prepend(+ empty +, 65003);
+	p1 = prepend(p1, 65000);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_UNKNOWN);
+
+	# 65004 64999 65001 65001 65000
+	p1 = prepend(+ empty +, 65000);
+	p1 = prepend(p1, 65001);
+	p1 = prepend(p1, 65001);
+	p1 = prepend(p1, 64999);
+	p1 = prepend(p1, 65004);
+	bt_assert(aspa_check(at, p1, BGP_DIR_UP) = ASPA_INVALID);
+	bt_assert(aspa_check(at, p1, BGP_DIR_DOWN) = ASPA_VALID);
+
+	# 65005 65004 64999 65001 65001 65000
+	p2 = prepend(p1, 65005);
+	bt_assert(aspa_check(at, p2, BGP_DIR_UP) = ASPA_INVALID);
+	bt_assert(aspa_check(at, p2, BGP_DIR_DOWN) = ASPA_UNKNOWN);
+
+	# 65006 65004 64999 65001 65001 65000
+	p2 = prepend(p1, 65006);
+	bt_assert(aspa_check(at, p2, BGP_DIR_UP) = ASPA_INVALID);
+	bt_assert(aspa_check(at, p2, BGP_DIR_DOWN) = ASPA_INVALID);
+}
+
+bt_test_suite(t_aspa_check, "Testing ASPA");
 
 
 
diff -ruN bird-2.15.1/lib/net.c bird-2.15.1-aspa-asn-pairs/lib/net.c
--- bird-2.15.1/lib/net.c	2023-04-21 00:06:23.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/lib/net.c	2024-09-26 20:03:12.000000000 -0700
@@ -16,6 +16,7 @@
   [NET_FLOW6]	= "flow6",
   [NET_IP6_SADR]= "ipv6-sadr",
   [NET_MPLS]	= "mpls",
+  [NET_ASPA]	= "aspa",
 };
 
 const u16 net_addr_length[] = {
@@ -29,6 +30,7 @@
   [NET_FLOW6]	= 0,
   [NET_IP6_SADR]= sizeof(net_addr_ip6_sadr),
   [NET_MPLS]	= sizeof(net_addr_mpls),
+  [NET_ASPA]	= sizeof(net_addr_aspa),
 };
 
 const u8 net_max_prefix_length[] = {
@@ -42,6 +44,7 @@
   [NET_FLOW6]	= IP6_MAX_PREFIX_LENGTH,
   [NET_IP6_SADR]= IP6_MAX_PREFIX_LENGTH,
   [NET_MPLS]	= 0,
+  [NET_ASPA]	= 0,
 };
 
 const u16 net_max_text_length[] = {
@@ -55,6 +58,7 @@
   [NET_FLOW6]	= 0,	/* "flow6 { ... }" */
   [NET_IP6_SADR]= 92,	/* "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 from ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128" */
   [NET_MPLS]	= 7,	/* "1048575" */
+  [NET_ASPA]	= 30,	/* "aspa AS4294967295 AS4294967295" */
 };
 
 /* There should be no implicit padding in net_addr structures */
@@ -69,6 +73,7 @@
 STATIC_ASSERT(sizeof(net_addr_flow6)	== 20);
 STATIC_ASSERT(sizeof(net_addr_ip6_sadr)	== 40);
 STATIC_ASSERT(sizeof(net_addr_mpls)	==  8);
+STATIC_ASSERT(sizeof(net_addr_aspa)	== 12);
 
 
 int
@@ -123,6 +128,8 @@
     return bsnprintf(buf, buflen, "%I6/%d from %I6/%d", n->ip6_sadr.dst_prefix, n->ip6_sadr.dst_pxlen, n->ip6_sadr.src_prefix, n->ip6_sadr.src_pxlen);
   case NET_MPLS:
     return bsnprintf(buf, buflen, "%u", n->mpls.label);
+  case NET_ASPA:
+    return bsnprintf(buf, buflen, "aspa AS%u AS%u", n->aspa.customer_asn, n->aspa.provider_asn);
   }
 
   bug("unknown network type");
@@ -147,6 +154,7 @@
     return ipa_from_ip6(ip6_mkmask(net6_pxlen(a)));
 
   case NET_MPLS:
+  case NET_ASPA:
   default:
     return IPA_NONE;
   }
@@ -180,6 +188,8 @@
     return net_compare_ip6_sadr((const net_addr_ip6_sadr *) a, (const net_addr_ip6_sadr *) b);
   case NET_MPLS:
     return net_compare_mpls((const net_addr_mpls *) a, (const net_addr_mpls *) b);
+  case NET_ASPA:
+    return net_compare_aspa((const net_addr_aspa *) a, (const net_addr_aspa *) b);
   }
   return 0;
 }
@@ -201,6 +211,7 @@
   case NET_FLOW6: return NET_HASH(n, flow6);
   case NET_IP6_SADR: return NET_HASH(n, ip6_sadr);
   case NET_MPLS: return NET_HASH(n, mpls);
+  case NET_ASPA: return NET_HASH(n, aspa);
   default: bug("invalid type");
   }
 }
@@ -223,6 +234,7 @@
   case NET_FLOW6: return NET_VALIDATE(n, flow6);
   case NET_IP6_SADR: return NET_VALIDATE(n, ip6_sadr);
   case NET_MPLS: return NET_VALIDATE(n, mpls);
+  case NET_ASPA: return NET_VALIDATE(n, aspa);
   default: return 0;
   }
 }
@@ -250,6 +262,7 @@
     return net_normalize_ip6_sadr(&n->ip6_sadr);
 
   case NET_MPLS:
+  case NET_ASPA:
     return;
   }
 }
@@ -277,6 +290,7 @@
     return ip6_zero(n->ip6_sadr.dst_prefix) ? (IADDR_HOST | SCOPE_UNIVERSE) : ip6_classify(&n->ip6_sadr.dst_prefix);
 
   case NET_MPLS:
+  case NET_ASPA:
     return IADDR_HOST | SCOPE_UNIVERSE;
   }
 
@@ -310,6 +324,7 @@
 			    ip6_mkmask(net6_pxlen(n))));
 
   case NET_MPLS:
+  case NET_ASPA:
   default:
     return 0;
   }
diff -ruN bird-2.15.1/lib/net.h bird-2.15.1-aspa-asn-pairs/lib/net.h
--- bird-2.15.1/lib/net.h	2023-10-07 04:59:48.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/lib/net.h	2024-10-06 21:22:27.000000000 -0700
@@ -23,7 +23,8 @@
 #define NET_FLOW6	8
 #define NET_IP6_SADR	9
 #define NET_MPLS	10
-#define NET_MAX		11
+#define NET_ASPA	11
+#define NET_MAX		12
 
 #define NB_IP4		(1 << NET_IP4)
 #define NB_IP6		(1 << NET_IP6)
@@ -35,6 +36,7 @@
 #define NB_FLOW6	(1 << NET_FLOW6)
 #define NB_IP6_SADR	(1 << NET_IP6_SADR)
 #define NB_MPLS		(1 << NET_MPLS)
+#define NB_ASPA		(1 << NET_ASPA)
 
 #define NB_IP		(NB_IP4 | NB_IP6)
 #define NB_VPN		(NB_VPN4 | NB_VPN6)
@@ -124,6 +126,14 @@
   u32 label;
 } net_addr_mpls;
 
+typedef struct net_addr_aspa {
+  u8 type;
+  u8 padding;
+  u16 length;
+  u32 customer_asn;
+  u32 provider_asn;
+} net_addr_aspa;
+
 typedef struct net_addr_ip6_sadr {
   u8 type;
   u8 dst_pxlen;
@@ -145,6 +155,7 @@
   net_addr_flow6 flow6;
   net_addr_ip6_sadr ip6_sadr;
   net_addr_mpls mpls;
+  net_addr_aspa aspa;
 } net_addr_union;
 
 
@@ -186,6 +197,8 @@
 #define NET_ADDR_MPLS(label) \
   ((net_addr_mpls) { NET_MPLS, 20, sizeof(net_addr_mpls), label })
 
+#define NET_ADDR_ASPA(customer_asn, provider_asn) \
+  ((net_addr_aspa) { NET_ASPA, 0, sizeof(net_addr_aspa), customer_asn, provider_asn })
 
 static inline void net_fill_ip4(net_addr *a, ip4_addr prefix, uint pxlen)
 { *(net_addr_ip4 *)a = NET_ADDR_IP4(prefix, pxlen); }
@@ -211,6 +224,9 @@
 static inline void net_fill_mpls(net_addr *a, u32 label)
 { *(net_addr_mpls *)a = NET_ADDR_MPLS(label); }
 
+static inline void net_fill_aspa(net_addr *a, u32 customer_asn, u32 provider_asn)
+{ *(net_addr_aspa *)a = NET_ADDR_ASPA(customer_asn, provider_asn); }
+
 static inline void net_fill_ipa(net_addr *a, ip_addr prefix, uint pxlen)
 {
   if (ipa_is_ip4(prefix))
@@ -272,6 +288,9 @@
 static inline int net_is_sadr(const net_addr *a)
 { return (a->type == NET_IP6_SADR); }
 
+static inline int net_is_aspa(const net_addr *a)
+{ return (a->type == NET_ASPA); }
+
 static inline ip4_addr net4_prefix(const net_addr *a)
 { return ((net_addr_ip4 *) a)->prefix; }
 
@@ -296,6 +315,7 @@
     return ipa_from_ip6(net6_prefix(a));
 
   case NET_MPLS:
+  case NET_ASPA:
   default:
     return IPA_NONE;
   }
@@ -366,6 +386,9 @@
 static inline int net_equal_mpls(const net_addr_mpls *a, const net_addr_mpls *b)
 { return !memcmp(a, b, sizeof(net_addr_mpls)); }
 
+static inline int net_equal_aspa(const net_addr_aspa *a, const net_addr_aspa *b)
+{ return !memcmp(a, b, sizeof(net_addr_aspa)); }
+
 
 static inline int net_equal_prefix_roa4(const net_addr_roa4 *a, const net_addr_roa4 *b)
 { return ip4_equal(a->prefix, b->prefix) && (a->pxlen == b->pxlen); }
@@ -379,6 +402,9 @@
 static inline int net_equal_src_ip6_sadr(const net_addr_ip6_sadr *a, const net_addr_ip6_sadr *b)
 { return ip6_equal(a->src_prefix, b->src_prefix) && (a->src_pxlen == b->src_pxlen); }
 
+static inline int net_equal_customer_aspa(const net_addr_aspa *a, const net_addr_aspa *b)
+{ return (a->customer_asn == b->customer_asn); }
+
 
 static inline int net_zero_ip4(const net_addr_ip4 *a)
 { return !a->pxlen && ip4_zero(a->prefix); }
@@ -407,6 +433,9 @@
 static inline int net_zero_mpls(const net_addr_mpls *a)
 { return !a->label; }
 
+static inline int net_zero_aspa(const net_addr_aspa *a)
+{ return !a->customer_asn && !a->provider_asn; }
+
 
 static inline int net_compare_ip4(const net_addr_ip4 *a, const net_addr_ip4 *b)
 { return ip4_compare(a->prefix, b->prefix) ?: uint_cmp(a->pxlen, b->pxlen); }
@@ -442,6 +471,9 @@
 static inline int net_compare_mpls(const net_addr_mpls *a, const net_addr_mpls *b)
 { return uint_cmp(a->label, b->label); }
 
+static inline int net_compare_aspa(const net_addr_aspa *a, const net_addr_aspa *b)
+{ return uint_cmp(a->customer_asn, b->customer_asn) ?: uint_cmp(a->provider_asn, b->provider_asn); }
+
 int net_compare(const net_addr *a, const net_addr *b);
 
 
@@ -478,6 +510,8 @@
 static inline void net_copy_mpls(net_addr_mpls *dst, const net_addr_mpls *src)
 { memcpy(dst, src, sizeof(net_addr_mpls)); }
 
+static inline void net_copy_aspa(net_addr_aspa *dst, const net_addr_aspa *src)
+{ memcpy(dst, src, sizeof(net_addr_aspa)); }
 
 static inline u32 px4_hash(ip4_addr prefix, u32 pxlen)
 { return ip4_hash(prefix) ^ (pxlen << 26); }
@@ -521,6 +555,9 @@
 static inline u32 net_hash_mpls(const net_addr_mpls *n)
 { return u32_hash(n->label); }
 
+static inline u32 net_hash_aspa(const net_addr_aspa *n)
+{ return u32_hash(n->customer_asn); }
+
 u32 net_hash(const net_addr *a);
 
 
@@ -573,6 +610,9 @@
 static inline int net_validate_ip6_sadr(const net_addr_ip6_sadr *n)
 { return net_validate_px6(n->dst_prefix, n->dst_pxlen) && net_validate_px6(n->src_prefix, n->src_pxlen); }
 
+static inline int net_validate_aspa(const net_addr_aspa *n)
+{ return n->customer_asn > 0; }
+
 int net_validate(const net_addr *N);
 
 
diff -ruN bird-2.15.1/nest/a-path.c bird-2.15.1-aspa-asn-pairs/nest/a-path.c
--- bird-2.15.1/nest/a-path.c	2023-10-07 04:59:53.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/a-path.c	2024-10-13 20:17:09.000000000 -0700
@@ -177,6 +177,27 @@
   return 0;
 }
 
+int
+as_path_contains_set(const struct adata *path)
+{
+  const byte *pos = path->data;
+  const byte *end = pos + path->length;
+
+  while (pos < end)
+  {
+    uint type = pos[0];
+    uint slen = 2 + BS * pos[1];
+
+    if ((type == AS_PATH_SET) ||
+	(type == AS_PATH_CONFED_SET))
+      return 1;
+
+    pos += slen;
+  }
+
+  return 0;
+}
+
 struct adata *
 as_path_strip_confed(struct linpool *pool, const struct adata *path)
 {
@@ -206,6 +227,55 @@
   return res;
 }
 
+int
+as_path_get_reverse_unique_asns(struct linpool *pool, const struct adata *path, u32 **data)
+{
+  u32 *asns = lp_alloc(pool, as_path_getlen(path) * sizeof(u32));
+  const byte *src = path->data;
+  const byte *end = src + path->length;
+  u32 *dst = asns;
+  u32 prev_as = 0;
+  u32 as;
+  uint i;
+
+  /* Step 1: create array of unique asns */
+  while (src < end)
+  {
+    uint t = src[0];
+    uint l = src[1];
+    src += 2;
+
+    if (t == AS_PATH_SEQUENCE)
+    {
+      for (i = 0; i < l; i++)
+      {
+        as = get_as(src);
+        if (as != prev_as)
+          *dst++ = as;
+        prev_as = as;
+        src += BS;
+      }
+    }
+    else
+      src += BS * l;
+  }
+  u32 num = dst - asns;
+
+  /* Step 2: Reverse the array */
+  u32 as_1, as_2;
+  for (i = 0; i < num/2; i++)
+  {
+    as_1 = asns[i];
+    as_2 = asns[num-i-1];
+    asns[i] = as_2;
+    asns[num-i-1] = as_1;
+  }
+
+  *data = asns;
+
+  return num;
+}
+
 struct adata *
 as_path_prepend2(struct linpool *pool, const struct adata *op, int seq, u32 as)
 {
diff -ruN bird-2.15.1/nest/attrs.h bird-2.15.1-aspa-asn-pairs/nest/attrs.h
--- bird-2.15.1/nest/attrs.h	2023-10-07 04:59:53.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/attrs.h	2024-09-17 19:51:34.000000000 -0700
@@ -36,12 +36,14 @@
 int as_path_32to16(byte *dst, const byte *src, uint len);
 int as_path_contains_as4(const struct adata *path);
 int as_path_contains_confed(const struct adata *path);
+int as_path_contains_set(const struct adata *path);
 struct adata *as_path_strip_confed(struct linpool *pool, const struct adata *op);
 struct adata *as_path_prepend2(struct linpool *pool, const struct adata *op, int seq, u32 as);
 struct adata *as_path_to_old(struct linpool *pool, const struct adata *path);
 struct adata *as_path_cut(struct linpool *pool, const struct adata *path, uint num);
 const struct adata *as_path_merge(struct linpool *pool, const struct adata *p1, const struct adata *p2);
 void as_path_format(const struct adata *path, byte *buf, uint size);
+int as_path_get_reverse_unique_asns(struct linpool *pool, const struct adata *path, u32 **data);
 int as_path_getlen(const struct adata *path);
 int as_path_getlen_int(const struct adata *path, int bs);
 int as_path_get_first(const struct adata *path, u32 *orig_as);
diff -ruN bird-2.15.1/nest/config.Y bird-2.15.1-aspa-asn-pairs/nest/config.Y
--- bird-2.15.1/nest/config.Y	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/config.Y	2024-09-19 19:29:40.000000000 -0700
@@ -115,7 +115,7 @@
 
 CF_KEYWORDS(ROUTER, ID, HOSTNAME, PROTOCOL, TEMPLATE, PREFERENCE, DISABLED, DEBUG, ALL, OFF, DIRECT)
 CF_KEYWORDS(INTERFACE, IMPORT, EXPORT, FILTER, NONE, VRF, DEFAULT, TABLE, TABLES, STATES, ROUTES, FILTERS)
-CF_KEYWORDS(IPV4, IPV6, VPN4, VPN6, ROA4, ROA6, FLOW4, FLOW6, SADR, MPLS)
+CF_KEYWORDS(IPV4, IPV6, VPN4, VPN6, ROA4, ROA6, FLOW4, FLOW6, SADR, MPLS, ASPA)
 CF_KEYWORDS(RECEIVE, LIMIT, ACTION, WARN, BLOCK, RESTART, DISABLE, KEEP, FILTERED, RPKI)
 CF_KEYWORDS(PASSWORD, KEY, FROM, PASSIVE, TO, ID, EVENTS, PACKETS, PROTOCOLS, CHANNELS, INTERFACES)
 CF_KEYWORDS(ALGORITHM, KEYED, HMAC, MD5, SHA1, SHA256, SHA384, SHA512, BLAKE2S128, BLAKE2S256, BLAKE2B256, BLAKE2B512)
@@ -130,7 +130,7 @@
 CF_KEYWORDS(MPLS_LABEL, MPLS_POLICY, MPLS_CLASS)
 
 /* For r_args_channel */
-CF_KEYWORDS(IPV4, IPV4_MC, IPV4_MPLS, IPV6, IPV6_MC, IPV6_MPLS, IPV6_SADR, VPN4, VPN4_MC, VPN4_MPLS, VPN6, VPN6_MC, VPN6_MPLS, ROA4, ROA6, FLOW4, FLOW6, MPLS, PRI, SEC)
+CF_KEYWORDS(IPV4, IPV4_MC, IPV4_MPLS, IPV6, IPV6_MC, IPV6_MPLS, IPV6_SADR, VPN4, VPN4_MC, VPN4_MPLS, VPN6, VPN6_MC, VPN6_MPLS, ROA4, ROA6, FLOW4, FLOW6, MPLS, ASPA, PRI, SEC)
 
 CF_ENUM(T_ENUM_RTS, RTS_, STATIC, INHERIT, DEVICE, STATIC_DEVICE, REDIRECT,
 	RIP, OSPF, OSPF_IA, OSPF_EXT1, OSPF_EXT2, BGP, PIPE, BABEL, RPKI, L3VPN,
@@ -138,6 +138,7 @@
 CF_ENUM(T_ENUM_SCOPE, SCOPE_, HOST, LINK, SITE, ORGANIZATION, UNIVERSE, UNDEFINED)
 CF_ENUM(T_ENUM_RTD, RTD_, UNICAST, BLACKHOLE, UNREACHABLE, PROHIBIT)
 CF_ENUM(T_ENUM_ROA, ROA_, UNKNOWN, VALID, INVALID)
+CF_ENUM(T_ENUM_ASPA, ASPA_, UNKNOWN, VALID, INVALID, UNVERIFIED)
 CF_ENUM_PX(T_ENUM_AF, AF_, AFI_, IPV4, IPV6)
 CF_ENUM(T_ENUM_MPLS_POLICY, MPLS_POLICY_, NONE, STATIC, PREFIX, AGGREGATE, VRF)
 
@@ -200,6 +201,7 @@
  | VPN6 { $$ = NET_VPN6; }
  | ROA4 { $$ = NET_ROA4; }
  | ROA6 { $$ = NET_ROA6; }
+ | ASPA { $$ = NET_ASPA; }
  | FLOW4{ $$ = NET_FLOW4; }
  | FLOW6{ $$ = NET_FLOW6; }
  ;
@@ -209,7 +211,7 @@
  | MPLS { $$ = NET_MPLS; }
  ;
 
-CF_ENUM(T_ENUM_NETTYPE, NET_, IP4, IP6, VPN4, VPN6, ROA4, ROA6, FLOW4, FLOW6, IP6_SADR, MPLS)
+CF_ENUM(T_ENUM_NETTYPE, NET_, IP4, IP6, VPN4, VPN6, ROA4, ROA6, FLOW4, FLOW6, IP6_SADR, MPLS, ASPA)
 
 
 /* Creation of routing tables */
@@ -840,6 +842,7 @@
  | FLOW4	{ $$ = "flow4"; }
  | FLOW6	{ $$ = "flow6"; }
  | MPLS		{ $$ = "mpls"; }
+ | ASPA		{ $$ = "aspa"; }
  | PRI		{ $$ = "pri"; }
  | SEC		{ $$ = "sec"; }
  ;
diff -ruN bird-2.15.1/nest/proto.c bird-2.15.1-aspa-asn-pairs/nest/proto.c
--- bird-2.15.1/nest/proto.c	2023-10-07 04:59:53.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/proto.c	2024-12-14 19:06:47.000000000 -0800
@@ -187,6 +187,7 @@
   c->reloadable = 1;
 
   init_list(&c->roa_subscriptions);
+  init_list(&c->aspa_subscriptions);
 
   CALL(c->channel->init, c, cf);
 
@@ -445,6 +446,143 @@
     channel_roa_unsubscribe(s);
 }
 
+// ---
+
+static void
+channel_aspa_in_changed(struct rt_subscription *s)
+{
+  struct channel *c = s->data;
+  int active = c->reload_event && ev_active(c->reload_event);
+
+  CD(c, "Reload triggered by RPKI change%s", active ? " - already active" : "");
+
+  if (!active)
+    channel_request_reload(c);
+  else
+    c->reload_pending = 1;
+}
+
+static void
+channel_aspa_out_changed(struct rt_subscription *s)
+{
+  struct channel *c = s->data;
+  int active = (c->export_state == ES_FEEDING);
+
+  CD(c, "Feeding triggered by RPKI change%s", active ? " - already active" : "");
+
+  if (!active)
+    channel_request_feeding(c);
+  else
+    c->refeed_pending = 1;
+}
+
+struct aspa_subscription {
+  struct rt_subscription s;
+  node aspa_node;
+};
+
+static int
+channel_aspa_is_subscribed(struct channel *c, rtable *tab, int dir)
+{
+  void (*hook)(struct rt_subscription *) =
+    dir ? channel_aspa_in_changed : channel_aspa_out_changed;
+
+  struct aspa_subscription *s;
+  node *n;
+
+  WALK_LIST2(s, n, c->aspa_subscriptions, aspa_node)
+    if ((s->s.tab == tab) && (s->s.hook == hook))
+      return 1;
+
+  return 0;
+}
+
+
+static void
+channel_aspa_subscribe(struct channel *c, rtable *tab, int dir)
+{
+  if (channel_aspa_is_subscribed(c, tab, dir))
+    return;
+
+  struct aspa_subscription *s = mb_allocz(c->proto->pool, sizeof(struct aspa_subscription));
+
+  s->s.hook = dir ? channel_aspa_in_changed : channel_aspa_out_changed;
+  s->s.data = c;
+  rt_subscribe(tab, &s->s);
+
+  add_tail(&c->aspa_subscriptions, &s->aspa_node);
+}
+
+static void
+channel_aspa_unsubscribe(struct aspa_subscription *s)
+{
+  rt_unsubscribe(&s->s);
+  rem_node(&s->aspa_node);
+  mb_free(s);
+}
+
+static void
+channel_aspa_subscribe_filter(struct channel *c, int dir)
+{
+  const struct filter *f = dir ? c->in_filter : c->out_filter;
+  struct rtable *tab;
+  int valid = 1, found = 0;
+
+  if ((f == FILTER_ACCEPT) || (f == FILTER_REJECT))
+    return;
+
+  /* No automatic reload for non-reloadable channels */
+  if (dir && !channel_reloadable(c))
+    valid = 0;
+
+#ifdef CONFIG_BGP
+  /* No automatic reload for BGP channels without in_table / out_table */
+  if (c->channel == &channel_bgp)
+    valid = dir ? !!c->in_table : !!c->out_table;
+#endif
+
+  struct filter_iterator fit;
+  FILTER_ITERATE_INIT(&fit, f, c->proto->pool);
+
+  FILTER_ITERATE(&fit, fi)
+  {
+    switch (fi->fi_code)
+    {
+    case FI_ASPA_CHECK_IMPLICIT:
+      tab = fi->i_FI_ASPA_CHECK_IMPLICIT.rtc->table;
+      if (valid) channel_aspa_subscribe(c, tab, dir);
+      found = 1;
+      break;
+
+    case FI_ASPA_CHECK_EXPLICIT:
+      tab = fi->i_FI_ASPA_CHECK_EXPLICIT.rtc->table;
+      if (valid) channel_aspa_subscribe(c, tab, dir);
+      found = 1;
+      break;
+
+    default:
+      break;
+    }
+  }
+  FILTER_ITERATE_END;
+
+  FILTER_ITERATE_CLEANUP(&fit);
+
+  if (!valid && found)
+    log(L_WARN "%s.%s: Automatic RPKI reload not active for %s",
+	c->proto->name, c->name ?: "?", dir ? "import" : "export");
+}
+
+static void
+channel_aspa_unsubscribe_all(struct channel *c)
+{
+  struct aspa_subscription *s;
+  node *n, *x;
+
+  WALK_LIST2_DELSAFE(s, n, x, c->aspa_subscriptions, aspa_node)
+    channel_aspa_unsubscribe(s);
+}
+
 static void
 channel_start_export(struct channel *c)
 {
@@ -569,6 +707,8 @@
   {
     channel_roa_subscribe_filter(c, 1);
     channel_roa_subscribe_filter(c, 0);
+    channel_aspa_subscribe_filter(c, 1);
+    channel_aspa_subscribe_filter(c, 0);
   }
 }
 
@@ -591,6 +731,7 @@
   c->out_table = NULL;
 
   channel_roa_unsubscribe_all(c);
+  channel_aspa_unsubscribe_all(c);
 }
 
 static void
@@ -878,11 +1019,14 @@
   if (import_changed || export_changed || rpki_reload_changed)
   {
     channel_roa_unsubscribe_all(c);
+    channel_aspa_unsubscribe_all(c);
 
     if (c->rpki_reload)
     {
       channel_roa_subscribe_filter(c, 1);
       channel_roa_subscribe_filter(c, 0);
+      channel_aspa_subscribe_filter(c, 1);
+      channel_aspa_subscribe_filter(c, 0);
     }
   }
 
diff -ruN bird-2.15.1/nest/protocol.h bird-2.15.1-aspa-asn-pairs/nest/protocol.h
--- bird-2.15.1/nest/protocol.h	2023-10-07 04:59:53.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/protocol.h	2024-12-14 18:56:58.000000000 -0800
@@ -563,6 +563,7 @@
   struct rtable *out_table;		/* Internal table for exported routes */
 
   list roa_subscriptions;		/* List of active ROA table subscriptions based on filters roa_check() */
+  list aspa_subscriptions;		/* List of active ASPA table subscriptions based on filters aspa_check() */
 };
 
 
diff -ruN bird-2.15.1/nest/route.h bird-2.15.1-aspa-asn-pairs/nest/route.h
--- bird-2.15.1/nest/route.h	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/route.h	2024-10-08 21:46:46.000000000 -0700
@@ -360,6 +360,8 @@
 static inline int rt_is_flow(rtable *tab)
 { return (tab->addr_type == NET_FLOW4) || (tab->addr_type == NET_FLOW6); }
 
+static inline int rt_is_aspa(rtable *tab)
+{ return (tab->addr_type == NET_ASPA); }
 
 /* Default limit for ECMP next hops, defined in sysdep code */
 extern const int rt_default_ecmp;
@@ -577,7 +579,6 @@
 static inline int adata_same(const struct adata *a, const struct adata *b)
 { return (a->length == b->length && !memcmp(a->data, b->data, a->length)); }
 
-
 typedef struct ea_list {
   struct ea_list *next;			/* In case we have an override list */
   byte flags;				/* Flags: EALF_... */
@@ -590,6 +591,7 @@
 #define EALF_BISECT 2			/* Use interval bisection for searching */
 #define EALF_CACHED 4			/* Attributes belonging to cached rta */
 
+int net_aspa_check(struct linpool *lp, rtable *tab, const struct adata *path, uint dir);
 struct rte_src *rt_find_source(struct proto *p, u32 id);
 struct rte_src *rt_get_source(struct proto *p, u32 id);
 static inline void rt_lock_source(struct rte_src *src) { src->uc++; }
@@ -780,4 +782,17 @@
 #define ROA_VALID	1
 #define ROA_INVALID	2
 
+/*
+ *	ASPA verification status
+ */
+
+#define ASPA_UNKNOWN	0
+#define ASPA_VALID	1
+#define ASPA_INVALID	2
+#define ASPA_UNVERIFIED 3
+
+#define ASPA_HOP_PROVIDER       0
+#define ASPA_HOP_NOT_PROVIDER   1
+#define ASPA_HOP_NO_ATTESTATION 2
+
 #endif
diff -ruN bird-2.15.1/nest/rt-fib.c bird-2.15.1-aspa-asn-pairs/nest/rt-fib.c
--- bird-2.15.1/nest/rt-fib.c	2023-06-22 08:02:43.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/rt-fib.c	2024-09-17 20:00:29.000000000 -0700
@@ -279,6 +279,7 @@
   case NET_FLOW6: return FIB_FIND(f, a, flow6);
   case NET_IP6_SADR: return FIB_FIND(f, a, ip6_sadr);
   case NET_MPLS: return FIB_FIND(f, a, mpls);
+  case NET_ASPA: return FIB_FIND(f, a, aspa);
   default: bug("invalid type");
   }
 }
@@ -300,6 +301,7 @@
   case NET_FLOW6: FIB_INSERT(f, a, e, flow6); return;
   case NET_IP6_SADR: FIB_INSERT(f, a, e, ip6_sadr); return;
   case NET_MPLS: FIB_INSERT(f, a, e, mpls); return;
+  case NET_ASPA: FIB_INSERT(f, a, e, aspa); return;
   default: bug("invalid type");
   }
 }
diff -ruN bird-2.15.1/nest/rt-table.c bird-2.15.1-aspa-asn-pairs/nest/rt-table.c
--- bird-2.15.1/nest/rt-table.c	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/nest/rt-table.c	2024-12-20 14:14:16.000000000 -0800
@@ -346,6 +346,132 @@
 #undef FW
 }
 
+static int
+net_aspa_hop_check(rtable *tab, u32 customer_asn, u32 provider_asn)
+{
+  struct net_addr_aspa n = NET_ADDR_ASPA(customer_asn, provider_asn);
+  struct fib_node *fn;
+  int found_customer = 0;
+
+  for (fn = fib_get_chain(&tab->fib, (net_addr *) &n); fn; fn = fn->next)
+  {
+    net_addr_aspa *aspa = (void *) fn->addr;
+    net *r = fib_node_to_user(&tab->fib, fn);
+
+    if (net_equal_customer_aspa(aspa, &n) && rte_is_valid(r->routes))
+    {
+      found_customer = 1;
+      if (net_equal_aspa(aspa, &n))
+        return ASPA_HOP_PROVIDER;
+    }
+  }
+
+  return found_customer ? ASPA_HOP_NOT_PROVIDER : ASPA_HOP_NO_ATTESTATION;
+}
+
+/* draft-ietf-sidrops-aspa-verification-19 */
+
+int
+net_aspa_check(linpool *lp, rtable *tab, const struct adata *path, uint dir)
+{
+  u32 *as_path;
+  int n;
+
+  int i, j;
+  u32 customer;
+  u32 provider;
+  int hc;
+
+  int max_up_ramp, max_down_ramp;
+  int min_up_ramp, min_down_ramp;
+
+  ASSERT(tab->addr_type == NET_ASPA);
+
+  if (as_path_contains_set(path))
+  {
+    if (dir == BGP_DIR_UP)
+      return ASPA_INVALID;
+    else
+      return ASPA_UNKNOWN;
+  }
+
+  n = as_path_get_reverse_unique_asns(lp, path, &as_path);
+
+  if (n < 1)
+    return ASPA_INVALID;
+
+  /* AS_PATH {AS(N), AS(N-1),..., AS(2), AS(1)} */
+
+  max_up_ramp = n;
+  for (i = 0; i < n - 1; i++)
+  {
+    customer = as_path[i];
+    provider = as_path[i + 1];
+    hc = net_aspa_hop_check(tab, customer, provider);
+    if (hc == ASPA_HOP_NOT_PROVIDER)
+    {
+      max_up_ramp = i + 1;
+      break;
+    }
+  }
+
+  min_up_ramp = n;
+  for (i = 0; i < n - 1; i++)
+  {
+    customer = as_path[i];
+    provider = as_path[i + 1];
+    hc = net_aspa_hop_check(tab, customer, provider);
+    if (hc != ASPA_HOP_PROVIDER)
+    {
+      min_up_ramp = i + 1;
+      break;
+    }
+  }
+
+  if (dir == BGP_DIR_DOWN)
+  {
+    max_down_ramp = n;
+    for(j = n - 1; j > 0; j--)
+    {
+      customer = as_path[j];
+      provider = as_path[j - 1];
+      hc = net_aspa_hop_check(tab, customer, provider);
+      if (hc == ASPA_HOP_NOT_PROVIDER)
+      {
+        max_down_ramp = n - (j + 1) + 1;
+        break;
+      }
+    }
+
+    min_down_ramp = n;
+    for(j = n - 1; j > 0; j--)
+    {
+      customer = as_path[j];
+      provider = as_path[j - 1];
+      hc = net_aspa_hop_check(tab, customer, provider);
+      if (hc != ASPA_HOP_PROVIDER)
+      {
+        min_down_ramp = n - (j + 1) + 1;
+        break;
+      }
+    }
+  }
+  else
+  {
+    /* BGP_DIR_UP */
+    max_down_ramp = 0;
+    min_down_ramp = 0;
+  }
+
+  if (max_up_ramp + max_down_ramp < n)
+    return ASPA_INVALID;
+
+  if (min_up_ramp + min_down_ramp < n)
+    return ASPA_UNKNOWN;
+
+  return ASPA_VALID;
+}
+
 /**
  * rte_find - find a route
  * @net: network node
diff -ruN bird-2.15.1/proto/bgp/bgp.h bird-2.15.1-aspa-asn-pairs/proto/bgp/bgp.h
--- bird-2.15.1/proto/bgp/bgp.h	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/proto/bgp/bgp.h	2024-09-17 20:03:38.000000000 -0700
@@ -816,5 +816,9 @@
 #define ORIGIN_EGP		1
 #define ORIGIN_INCOMPLETE	2
 
+/* BGP dir */
+
+#define BGP_DIR_DOWN		0
+#define BGP_DIR_UP		1
 
 #endif
diff -ruN bird-2.15.1/proto/bgp/config.Y bird-2.15.1-aspa-asn-pairs/proto/bgp/config.Y
--- bird-2.15.1/proto/bgp/config.Y	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/proto/bgp/config.Y	2024-09-17 20:06:41.000000000 -0700
@@ -34,6 +34,9 @@
 	FIRST, FREE, VALIDATE, BASE, ROLE, ROLES, PEER, PROVIDER, CUSTOMER,
 	RS_SERVER, RS_CLIENT, REQUIRE, BGP_OTC, GLOBAL, SEND)
 
+CF_ENUM(T_ENUM_BGP_ORIGIN, ORIGIN_, IGP, EGP, INCOMPLETE)
+CF_ENUM(T_ENUM_BGP_DIR, BGP_DIR_, DOWN, UP)
+
 %type <i> bgp_nh
 %type <i32> bgp_afi
 
@@ -391,8 +394,6 @@
   cf_define_symbol(new_config, $5, SYM_ATTRIBUTE, attribute, a);
 };
 
-CF_ENUM(T_ENUM_BGP_ORIGIN, ORIGIN_, IGP, EGP, INCOMPLETE)
-
 CF_CODE
 
 CF_END
diff -ruN bird-2.15.1/proto/rpki/packets.c bird-2.15.1-aspa-asn-pairs/proto/rpki/packets.c
--- bird-2.15.1/proto/rpki/packets.c	2023-06-22 08:02:43.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/proto/rpki/packets.c	2024-12-14 20:29:46.000000000 -0800
@@ -35,6 +35,8 @@
   UNSUPPORTED_PDU_TYPE 		= 5,
   WITHDRAWAL_OF_UNKNOWN_RECORD 	= 6,
   DUPLICATE_ANNOUNCEMENT 	= 7,
+  UNEXPECTED_PROTOCOL_VERSION	= 8,
+  ASPA_PROVIDER_LIST_ERROR	= 9,
   PDU_TOO_BIG 			= 32
 };
 
@@ -47,6 +49,8 @@
   [UNSUPPORTED_PDU_TYPE] 	= "Unsupported-PDU-Type",
   [WITHDRAWAL_OF_UNKNOWN_RECORD]= "Withdrawal-Of-Unknown-Record",
   [DUPLICATE_ANNOUNCEMENT] 	= "Duplicate-Announcement",
+  [UNEXPECTED_PROTOCOL_VERSION] = "Unexpected-Protocol-Version",
+  [ASPA_PROVIDER_LIST_ERROR]	= "ASPA-Provider-List-Error",
   [PDU_TOO_BIG] 		= "PDU-Too-Big",
 };
 
@@ -62,6 +66,7 @@
   CACHE_RESET 			= 8,
   ROUTER_KEY 			= 9,
   ERROR 			= 10,
+  ASPA_PDU 			= 11,
   PDU_TYPE_MAX
 };
 
@@ -76,7 +81,8 @@
   [END_OF_DATA] 		= "End of Data",
   [CACHE_RESET] 		= "Cache Reset",
   [ROUTER_KEY] 			= "Router Key",
-  [ERROR] 			= "Error"
+  [ERROR] 			= "Error",
+  [ASPA_PDU] 			= "ASPA PDU"
 };
 
 static const char *str_pdu_type(uint type) {
@@ -193,6 +199,16 @@
 				 * Error Diagnostic Message */
 } PACKED;
 
+struct pdu_aspa {
+  u8 ver;
+  u8 type;
+  u8 flags;
+  u8 zero;
+  u32 len;
+  u32 customer_asn;
+  u32 provider_asns[];			/* 0 or more u32 provider_asn entries */
+} PACKED;
+
 struct pdu_reset_query {
   u8 ver;
   u8 type;
@@ -231,6 +247,7 @@
   [CACHE_RESET] 		= sizeof(struct pdu_cache_response),
   [ROUTER_KEY] 			= sizeof(struct pdu_header), /* FIXME */
   [ERROR] 			= 16,
+  [ASPA_PDU] 			= sizeof(struct pdu_aspa),
 };
 
 static int rpki_send_error_pdu(struct rpki_cache *cache, const enum pdu_error_type error_code, const u32 err_pdu_len, const struct pdu_header *erroneous_pdu, const char *fmt, ...);
@@ -272,7 +289,7 @@
 rpki_pdu_to_host_byte_order(struct pdu_header *pdu)
 {
   /* The Router Key PDU has two one-byte fields instead of one two-bytes field. */
-  if (pdu->type != ROUTER_KEY)
+  if ((pdu->type != ROUTER_KEY) && (pdu->type != ASPA_PDU))
     pdu->reserved = ntohs(pdu->reserved);
 
   pdu->len = ntohl(pdu->len);
@@ -293,7 +310,7 @@
     struct pdu_end_of_data_v0 *eod0 = (void *) pdu;
     eod0->serial_num = ntohl(eod0->serial_num); /* Same either for version 1 */
 
-    if (pdu->ver == RPKI_VERSION_1)
+    if (pdu->ver >= RPKI_VERSION_1)
     {
       struct pdu_end_of_data_v1 *eod1 = (void *) pdu;
       eod1->expire_interval = ntohl(eod1->expire_interval);
@@ -319,6 +336,19 @@
     break;
   }
 
+  case ASPA_PDU:
+  {
+    struct pdu_aspa *aspa = (void *) pdu;
+    int provider_count = (aspa->len - min_pdu_size[ASPA_PDU]) / sizeof(u32);
+    u32 *provider_asn;
+    aspa->customer_asn = ntohl(aspa->customer_asn);
+    for (int i = 0; i < provider_count; i++) {
+      provider_asn = aspa->provider_asns + i;
+      *provider_asn = ntohl(*provider_asn);
+    }
+    break;
+  }
+
   case ERROR:
   {
     /* Note that a error_code is converted using converting header->reserved */
@@ -387,7 +417,7 @@
   case END_OF_DATA:
   {
     const struct pdu_end_of_data_v1 *eod = (void *) pdu;
-    if (eod->ver == RPKI_VERSION_1)
+    if (eod->ver >= RPKI_VERSION_1)
       SAVE(bsnprintf(detail, sizeof(detail), "(session id: %u, serial number: %u, refresh: %us, retry: %us, expire: %us)", eod->session_id, eod->serial_num, eod->refresh_interval, eod->retry_interval, eod->expire_interval));
     else
       SAVE(bsnprintf(detail, sizeof(detail), "(session id: %u, serial number: %u)", eod->session_id, eod->serial_num));
@@ -412,6 +442,22 @@
     break;
   }
 
+  case ASPA_PDU:
+  {
+    const struct pdu_aspa *aspa = (void *) pdu;
+    int provider_count = (aspa->len - min_pdu_size[ASPA_PDU]) / sizeof(u32);
+    u32 *provider_asn;
+    SAVE(bsnprintf(detail, sizeof(detail), "(aspa customer: AS%u", aspa->customer_asn));
+    if (provider_count > 0)
+      SAVE(bsnprintf(detail, sizeof(detail), " provider%s:", (provider_count > 1)?"s":""));
+    for (int i = 0; i < provider_count; i++) {
+      provider_asn = (u32 *)aspa->provider_asns + i;
+      SAVE(bsnprintf(detail + strlen(detail), sizeof(detail) - strlen(detail), " AS%u", *provider_asn));
+    }
+    SAVE(bsnprintf(detail + strlen(detail), sizeof(detail) - strlen(detail), ")"));
+    break;
+  }
+
   case ROUTER_KEY:
     /* We don't support saving Router Key PDUs yet */
     SAVE(bsnprintf(detail, sizeof(detail), "(ignored)"));
@@ -571,7 +617,7 @@
     }
   }
 
-  if ((pdu->type >= PDU_TYPE_MAX) || (pdu->ver == RPKI_VERSION_0 && pdu->type == ROUTER_KEY))
+  if ((pdu->type >= PDU_TYPE_MAX) || (pdu->ver < RPKI_VERSION_1 && pdu->type == ROUTER_KEY) || (pdu->ver < RPKI_VERSION_2 && pdu->type == ASPA_PDU))
   {
     rpki_send_error_pdu(cache, UNSUPPORTED_PDU_TYPE, pdu_len, pdu, "Unsupported PDU type %u received", pdu->type);
     return RPKI_ERROR;
@@ -595,6 +641,7 @@
   case INTERNAL_ERROR:
   case INVALID_REQUEST:
   case UNSUPPORTED_PDU_TYPE:
+  case ASPA_PROVIDER_LIST_ERROR:
     rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
     break;
 
@@ -664,6 +711,8 @@
 	rt_refresh_begin(cache->p->roa4_channel->table, cache->p->roa4_channel);
       if (cache->p->roa6_channel)
 	rt_refresh_begin(cache->p->roa6_channel->table, cache->p->roa6_channel);
+      if (cache->p->aspa_channel)
+	rt_refresh_begin(cache->p->aspa_channel->table, cache->p->aspa_channel);
 
       cache->p->refresh_channels = 1;
     }
@@ -785,18 +834,163 @@
     return RPKI_ERROR;
   }
 
-  cache->last_rx_prefix = current_time();
+  cache->last_rx_prefix_or_aspa = current_time();
 
   /* A place for 'flags' is same for both data structures pdu_ipv4 or pdu_ipv6  */
   struct pdu_ipv4 *pfx = (void *) pdu;
   if (pfx->flags & RPKI_ADD_FLAG)
-    rpki_table_add_roa(cache, channel, &addr);
+    rpki_table_add_entry(cache, channel, &addr);
   else
-    rpki_table_remove_roa(cache, channel, &addr);
+    rpki_table_remove_entry(cache, channel, &addr);
+
+  return RPKI_SUCCESS;
+}
+
+static net_addr_union *
+rpki_aspa_pair_2_net_addr(const u32 customer_asn, const u32 provider_asn, net_addr_union *n)
+{
+  n->aspa.type = NET_ASPA;
+  n->aspa.length = sizeof(net_addr_aspa);
+  n->aspa.customer_asn = customer_asn;
+  n->aspa.provider_asn = provider_asn;
+
+  return n;
+}
+
+static int
+rpki_aspa_provider_list_contains_asn(const u32 provider_asn, const u32 provider_list[], const int count)
+{
+  for(int i = 0; i < count; i++)
+    if (provider_list[i] == provider_asn)
+      return 1;
+  return 0;
+}
+
+static int
+rpki_handle_aspa_pdu(struct rpki_cache *cache, const struct pdu_header *pdu)
+{
+  const enum pdu_type type = pdu->type;
+  ASSERT(type == ASPA_PDU);
+
+  net_addr_union addr = {};
+
+  struct pdu_aspa *aspa = (void *) pdu;
+  int provider_count = (aspa->len - min_pdu_size[ASPA_PDU]) / sizeof(u32);
+
+  /* If we are withdrawing an ASPA entry there must be no providers listed */
+  if (!(aspa->flags & RPKI_ADD_FLAG) && (provider_count > 0))
+  {
+    RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: invalid provider count");
+    byte *tmp = mb_alloc(cache->pool, pdu->len);
+    const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+    rpki_send_error_pdu(cache, ASPA_PROVIDER_LIST_ERROR, pdu->len, hton_pdu, "ASPA Provider List Error: invalid provider count");
+    mb_free(tmp);
+    rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+    return RPKI_ERROR;
+  }
+
+  /* If we are announcing an ASPA entry there must be providers listed */
+  if ((aspa->flags & RPKI_ADD_FLAG) && (provider_count < 1))
+  {
+    RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: no providers");
+    byte *tmp = mb_alloc(cache->pool, pdu->len);
+    const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+    rpki_send_error_pdu(cache, ASPA_PROVIDER_LIST_ERROR, pdu->len, hton_pdu, "ASPA Provider List Error: no providers");
+    mb_free(tmp);
+    rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+    return RPKI_ERROR;
+  }
+
+  if (provider_count > RPKI_ASPA_MAX_PROVIDERS)
+  {
+    RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: too many providers");
+    byte *tmp = mb_alloc(cache->pool, pdu->len);
+    const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+    rpki_send_error_pdu(cache, ASPA_PROVIDER_LIST_ERROR, pdu->len, hton_pdu, "ASPA Provider List Error: too many providers");
+    mb_free(tmp);
+    rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+    return RPKI_ERROR;
+  }
+
+  struct channel *channel = NULL;
+
+  if (type == ASPA_PDU)
+    channel = cache->p->aspa_channel;
+
+  if (!channel)
+  {
+    CACHE_TRACE(D_ROUTES, cache, "Skip %N, missing %s channel", &addr, "aspa", addr);
+    return RPKI_ERROR;
+  }
+
+  cache->last_rx_prefix_or_aspa = current_time();
+
+  struct net_addr_aspa n = NET_ADDR_ASPA(aspa->customer_asn, 0);
+  struct fib_node *fn;
+  rtable *tab = channel->table;
+
+  u32 skip_list[RPKI_ASPA_MAX_PROVIDERS];
+  int skip_count = 0;
+
+  /* Walk the table */
+
+  for (fn = fib_get_chain(&tab->fib, (net_addr *) &n); fn; fn = fn->next)
+  {
+    net_addr_aspa *a = (void *) fn->addr;
+    net *r = fib_node_to_user(&tab->fib, fn);
+
+    if (net_equal_customer_aspa(a, &n) && rte_is_valid(r->routes))
+    {
+      if (rpki_aspa_provider_list_contains_asn(a->provider_asn, aspa->provider_asns, provider_count))
+      {
+        if (aspa->flags & RPKI_ADD_FLAG)
+        {
+          /* Copy into the skip list. Nothing is changing */
+          if (skip_count >= RPKI_ASPA_MAX_PROVIDERS)
+          {
+            RPKI_WARN(cache->p, "Received corrupt packet from RPKI cache server: too many providers to skip");
+            byte *tmp = mb_alloc(cache->pool, pdu->len);
+            const struct pdu_header *hton_pdu = rpki_pdu_back_to_network_byte_order((void *) tmp, (const void *) pdu);
+            rpki_send_error_pdu(cache, ASPA_PROVIDER_LIST_ERROR, pdu->len, hton_pdu, "ASPA Provider List Error: too many providers to skip");
+            mb_free(tmp);
+            rpki_cache_change_state(cache, RPKI_CS_ERROR_FATAL);
+            return RPKI_ERROR;
+          }
+          skip_list[skip_count] = a->provider_asn;
+          skip_count++;
+        }
+      }
+      else
+      {
+        /* We've been removed */
+        rpki_aspa_pair_2_net_addr(aspa->customer_asn, a->provider_asn, &addr);
+        rpki_table_remove_entry(cache, channel, &addr);
+      }
+    }
+  }
+
+  if (!(aspa->flags & RPKI_ADD_FLAG))
+    return RPKI_SUCCESS;
+
+  u32 *provider_asn;
+
+  /* Walk the provider list */
+
+  for( int i = 0; i < provider_count; i++ )
+  {
+    provider_asn = aspa->provider_asns + i;
+    if (!rpki_aspa_provider_list_contains_asn(*provider_asn, skip_list, skip_count))
+    {
+      /* Add the entries that we dont already have */
+      rpki_aspa_pair_2_net_addr(aspa->customer_asn, *provider_asn, &addr);
+      rpki_table_add_entry(cache, channel, &addr);
+    }
+  }
 
   return RPKI_SUCCESS;
 }
 
+
 static uint
 rpki_check_interval(struct rpki_cache *cache, const char *(check_fn)(uint), uint interval)
 {
@@ -822,7 +1016,7 @@
     return;
   }
 
-  if (pdu->ver == RPKI_VERSION_1)
+  if (pdu->ver >= RPKI_VERSION_1)
   {
     if (!cf->keep_refresh_interval && rpki_check_interval(cache, rpki_check_refresh_interval, pdu->refresh_interval))
       cache->refresh_interval = pdu->refresh_interval;
@@ -849,6 +1043,8 @@
       rt_refresh_end(cache->p->roa4_channel->table, cache->p->roa4_channel);
     if (cache->p->roa6_channel)
       rt_refresh_end(cache->p->roa6_channel->table, cache->p->roa6_channel);
+    if (cache->p->aspa_channel)
+      rt_refresh_end(cache->p->aspa_channel->table, cache->p->aspa_channel);
   }
 
   cache->last_update = current_time();
@@ -913,6 +1109,10 @@
     /* TODO: Implement Router Key PDU handling */
     break;
 
+  case ASPA_PDU:
+    rpki_handle_aspa_pdu(cache, pdu);
+    break;
+
   default:
     CACHE_TRACE(D_PACKETS, cache, "Received unsupported type (%u)", pdu->type);
   };
diff -ruN bird-2.15.1/proto/rpki/packets.h bird-2.15.1-aspa-asn-pairs/proto/rpki/packets.h
--- bird-2.15.1/proto/rpki/packets.h	2022-03-02 01:29:17.000000000 -0800
+++ bird-2.15.1-aspa-asn-pairs/proto/rpki/packets.h	2024-12-09 19:07:44.000000000 -0800
@@ -19,15 +19,20 @@
 /* A Error PDU size is the biggest (has encapsulate PDU inside):
  * 	   +8 bytes (Header size)
  * 	   +4 bytes (Length of Encapsulated PDU)
- * 	  +32 bytes (Encapsulated PDU IPv6 32)
+ *     +40012 bytes (Encapsulated max length ASPA PDU)
  * 	   +4 bytes (Length of inserted text)
  * 	 +800 bytes (UTF-8 text 400*2 bytes)
  * 	------------
- * 	= 848 bytes (Maximal expected PDU size) */
-#define RPKI_PDU_MAX_LEN	848
+ *    = 40828 bytes (Maximal expected PDU size) */
+#define RPKI_PDU_MAX_LEN	40828
+
+#define RPKI_ASPA_MAX_PROVIDERS 10000
+
+/* #define RPKI_ASPA_MAX_LEN	(sizeof(struct pdu_aspa)+(RPKI_ASPA_MAX_PROVIDERS*sizeof(u32))) */
 
 /* RX buffer size has a great impact to scheduler granularity */
-#define RPKI_RX_BUFFER_SIZE	4096
+/* #define RPKI_RX_BUFFER_SIZE	4096 */
+#define RPKI_RX_BUFFER_SIZE	65536
 #define RPKI_TX_BUFFER_SIZE	RPKI_PDU_MAX_LEN
 
 /* Return values */
diff -ruN bird-2.15.1/proto/rpki/rpki.c bird-2.15.1-aspa-asn-pairs/proto/rpki/rpki.c
--- bird-2.15.1/proto/rpki/rpki.c	2024-03-22 01:26:27.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/proto/rpki/rpki.c	2024-12-11 17:55:34.000000000 -0800
@@ -116,7 +116,7 @@
  */
 
 void
-rpki_table_add_roa(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr)
+rpki_table_add_entry(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr)
 {
   struct rpki_proto *p = cache->p;
 
@@ -134,7 +134,7 @@
 }
 
 void
-rpki_table_remove_roa(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr)
+rpki_table_remove_entry(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr)
 {
   struct rpki_proto *p = cache->p;
   rte_update2(channel, &pfxr->n, NULL, p->p.main_source);
@@ -369,7 +369,7 @@
 rpki_sync_is_stuck(struct rpki_cache *cache)
 {
   return !sk_rx_ready(cache->tr_sock->sk) && (
-      !cache->last_rx_prefix || (current_time() - cache->last_rx_prefix > 10 S)
+      !cache->last_rx_prefix_or_aspa || (current_time() - cache->last_rx_prefix_or_aspa > 10 S)
       );
 }
 
@@ -755,7 +755,8 @@
   struct rpki_cache *cache = p->cache;
 
   if (!proto_configure_channel(&p->p, &p->roa4_channel, proto_cf_find_channel(CF, NET_ROA4)) ||
-      !proto_configure_channel(&p->p, &p->roa6_channel, proto_cf_find_channel(CF, NET_ROA6)))
+      !proto_configure_channel(&p->p, &p->roa6_channel, proto_cf_find_channel(CF, NET_ROA6)) ||
+      !proto_configure_channel(&p->p, &p->aspa_channel, proto_cf_find_channel(CF, NET_ASPA)))
     return NEED_RESTART;
 
   if (rpki_reconfigure_cache(p, cache, new, old) != SUCCESSFUL_RECONF)
@@ -777,6 +778,7 @@
 
   proto_configure_channel(&p->p, &p->roa4_channel, proto_cf_find_channel(CF, NET_ROA4));
   proto_configure_channel(&p->p, &p->roa6_channel, proto_cf_find_channel(CF, NET_ROA6));
+  proto_configure_channel(&p->p, &p->aspa_channel, proto_cf_find_channel(CF, NET_ASPA));
 
   return P;
 }
@@ -886,6 +888,11 @@
       channel_show_info(p->roa6_channel);
     else
       cli_msg(-1006, "  No roa6 channel");
+
+    if (p->aspa_channel)
+      channel_show_info(p->aspa_channel);
+    else
+      cli_msg(-1006, "  No aspa channel");
   }
 }
 
@@ -957,7 +964,7 @@
   .init = 		rpki_init,
   .start = 		rpki_start,
   .postconfig = 	rpki_postconfig,
-  .channel_mask =	(NB_ROA4 | NB_ROA6),
+  .channel_mask =	(NB_ROA4 | NB_ROA6 | NB_ASPA),
   .show_proto_info =	rpki_show_proto_info,
   .shutdown = 		rpki_shutdown,
   .copy_config = 	rpki_copy_config,
diff -ruN bird-2.15.1/proto/rpki/rpki.h bird-2.15.1-aspa-asn-pairs/proto/rpki/rpki.h
--- bird-2.15.1/proto/rpki/rpki.h	2024-03-10 13:42:50.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/proto/rpki/rpki.h	2024-12-11 17:54:57.000000000 -0800
@@ -29,7 +29,8 @@
 
 #define RPKI_VERSION_0		0
 #define RPKI_VERSION_1		1
-#define RPKI_MAX_VERSION 	RPKI_VERSION_1
+#define RPKI_VERSION_2		2
+#define RPKI_MAX_VERSION 	RPKI_VERSION_2
 
 
 /*
@@ -61,7 +62,7 @@
   u32 serial_num;			/* Serial number denotes the logical version of data from cache server */
   u8 version;				/* Protocol version */
   btime last_update;			/* Last successful synchronization with cache server */
-  btime last_rx_prefix;			/* Last received prefix PDU */
+  btime last_rx_prefix_or_aspa;		/* Last received prefix or aspa PDU */
 
   /* Intervals can be changed by cache server on the fly */
   u32 refresh_interval;			/* Actual refresh interval (in seconds) */
@@ -80,8 +81,8 @@
  * 	Routes handling
  */
 
-void rpki_table_add_roa(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr);
-void rpki_table_remove_roa(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr);
+void rpki_table_add_entry(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr);
+void rpki_table_remove_entry(struct rpki_cache *cache, struct channel *channel, const net_addr_union *pfxr);
 
 
 /*
@@ -110,6 +111,7 @@
 
   struct channel *roa4_channel;
   struct channel *roa6_channel;
+  struct channel *aspa_channel;
   u8 refresh_channels;			/* For non-incremental updates using rt_refresh_begin(), rt_refresh_end() */
 };
 
diff -ruN bird-2.15.1/sysdep/config.h bird-2.15.1-aspa-asn-pairs/sysdep/config.h
--- bird-2.15.1/sysdep/config.h	2024-03-22 01:26:27.000000000 -0700
+++ bird-2.15.1-aspa-asn-pairs/sysdep/config.h	2024-12-20 14:15:33.000000000 -0800
@@ -13,7 +13,7 @@
 #ifdef GIT_LABEL
 #define BIRD_VERSION XSTR1(GIT_LABEL)
 #else
-#define BIRD_VERSION "2.15.1"
+#define BIRD_VERSION "2.15.1-aspa-asn-pairs"
 #endif
 
 /* Include parameters determined by configure script */