Hello Ondřej,
On 05/04/2026 21:10, Maria Matejka via Bird-users wrote:
There is the ASPA fix you are waiting for, fixing broken downstream validation. Thanks for reporting and contributing; that was a stupid mistake. More on that hopefully at RIPE 92 in Edinburgh.
Looking forward for that presentation.
I hope that it's gonna be a banger.
The not so good news is that is marks some unknown paths as valid. I peeked into the source code again and thanks to the extensive documentation, it is obvious where the error is and why it manifests on paths like this one:
1.1.1.0/24 unicast [peer_as3333_eqix3_v4 2026-04-07] * (100) [AS13335i] bgp_path: 3333 13335 valid_roa: 1 valid_aspa: 1
I'm very convinced that this is indeed downstream valid. It's upstream unknown for sure if none has ASPA signed, but downstream definitely valid. These two ASNs are the two apexes and it may be just a lateral peering between them. Actually, by definition, all 2-ASN paths should be downstream valid, as both min_down_ramp and min_up_ramp are at least one, which sums to 2. I hope this makes sense. Thank you for checking! Maria -- Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.