Hello Maria, On Thu, 25 Jun 2026, Maria Matejka wrote:
On Wed, Jun 24, 2026 at 08:42:48PM +0200, Robert Scheck wrote:
just to get whether I understood you correctly: If I have transits (local role customer), such as Arelion, Deutsche Telekom or Vodafone, I need the aspa_check_downstream(), as written by you, in my import filter?
Yes.
okay, thank you for the clarification. I configured it like this, but with a "print" instead of "reject" and had to notice that it prints all prefixes (at least syslog skips logging due to flooding after 10k+ lines in a few less seconds) on the Vodafone transit. Given your clarification I now noticed that this Vodafone transit is some alien/monster/... transit: While it's Vodafone, they still have configured AS6830 on their side. The local ISP was acquired long time ago by Liberty Global, they updated their configuration to AS6830. Some years ago that part was split out and sold to Vodafone, but they kept AS6830 there, even it's AS3209 (and they refused to change it). So my AS_PATH begins always with "AS6830 AS3209" instead of "AS3209". I might not have understood ASPA completely (and I know I'm not the only one), but my understanding so far is that "AS6830 AS3209" instead of just "AS3209" in AS_PATH leads to the wrong result. I thought it would be clever to remove AS6830 from the beginning of the AS_PATH but there doesn't seem to be a function for this in BIRD? Because my if bgp_path.first = 6830 then { bgp_path = delete(bgp_path, 6830); } removed AS6830 from any place in the AS_PATH. This leads to an ASPA result that could be more correct (compared with the other transit), but the ROA check now filters any ROAs with prefixes originating in AS6830, which is indeed wrong (and caused by my delete()). So...is there any solution for this mess - other than cancelling Vodafone transit or not performing ASPA checks?
Note: a situation like this, in a simplified form, happened with the RIPE network and CZ.NIC, which has been affected by Hurricane Electric leaking CZ.NIC routes.
https://ripe92.ripe.net/programme/meeting-plan/sessions/109/ZT9NYU/
I saw this (remotely) and I had the hope to not run into any ASPA fun, but they, here I am now! ;-( Regards, Robert