unexpected missing enforce-first-as check in ASPA implementation
Martin Tonusoo
martin at tonusoo.ee
Tue May 5 10:15:59 CEST 2026
Hi.
According to the current ASPA draft, the AS_PATH should be categorized as
invalid if it's empty, contains an AS_SET, or the most recently added AS in
the AS_PATH does not match the neighbor AS, except if the AS performing
the ASPA check is a route-server client. aspa_check() in
nest/rt-table.c returns ASPA_INVALID for an empty AS_PATH and for an AS_PATH
containing an AS_SET. However, the enforce-first-as check is not
performed.
I briefly tried to understand how such a check could be added to
aspa_check() in nest/rt-table.c, but there does not seem to be a
simple and clean solution. However, I could be wrong here. It's
trivial to get the leftmost AS number with as_path_get_first(), but
the filter module does not seem to have access to the peer AS number and
doesn't know whether it's a route-server client.
As a workaround, one could use a function in filters and pass this
information as function arguments, e.g.:
function bgp_in(int peer_as; bool route_server_client) -> bool {
  if ! route_server_client && bgp_path.first != peer_as then
    reject "Invalid left-most ASN ", bgp_path.first, ". Reject ", net;
  ...
};
... but perhaps it's at least worth documenting in the "BIRD User's
Guide" that aspa_check_downstream(), aspa_check_upstream() and
aspa_check() do not enforce the first AS check, especially as the "enforce
first as" option under the BGP configuration is off by default.
I tested on BIRD 3.2.1.
Martin
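The following is an added Python illustration, not BIRD's code and not part of the post above: it models the upstream ASPA verification described in the draft, with the three pre-checks the post lists (empty AS_PATH, AS_SET present, leftmost AS vs. neighbor AS with the route-server-client exemption) placed where a BIRD operator would expect them. The ASPA table, AS numbers and paths are constructed for the example; the function names are hypothetical and do not correspond to BIRD's internal API.

```python
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Union


class AspaResult(Enum):
    VALID = "valid"
    UNKNOWN = "unknown"
    INVALID = "invalid"


# AS_PATH is modelled leftmost-first; an int is one AS in an AS_SEQUENCE,
# a frozenset models an AS_SET segment.
AsPath = List[Union[int, FrozenSet[int]]]

# Constructed ASPA table: customer AS -> set of authorized provider ASes.
# AS64520 deliberately has no record, so hops from it yield "no attestation".
ASPA_DB: Dict[int, Set[int]] = {
    64500: {64510},
    64510: {64520, 64530},
}


def hop_check(customer: int, provider: int, db: Dict[int, Set[int]]) -> str:
    """Classify one hop customer -> provider against the ASPA table."""
    if customer not in db:
        return "no_attestation"
    if provider in db[customer]:
        return "provider"
    return "not_provider"


def first_as_ok(path: AsPath, neighbor_as: int, route_server_client: bool) -> bool:
    """The enforce-first-as rule: leftmost AS must equal the neighbor AS,
    unless we are a route-server client (the RS does not prepend itself)."""
    return route_server_client or path[0] == neighbor_as


def aspa_check_upstream(path: AsPath, neighbor_as: int,
                        db: Dict[int, Set[int]] = ASPA_DB,
                        route_server_client: bool = False) -> AspaResult:
    """Upstream (customer/lateral-peer) ASPA verification with pre-checks."""
    # Pre-check 1: empty AS_PATH is invalid.
    if not path:
        return AspaResult.INVALID
    # Pre-check 2: any AS_SET segment makes the path invalid.
    if any(isinstance(seg, frozenset) for seg in path):
        return AspaResult.INVALID
    # Pre-check 3: the check the post reports as missing in BIRD.
    if not first_as_ok(path, neighbor_as, route_server_client):
        return AspaResult.INVALID

    # Collapse prepends (AS64510 64510 64500 -> 64510 64500).
    collapsed: List[int] = []
    for asn in path:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)

    # Walk from the origin (rightmost) towards the neighbor; every hop must
    # go customer -> provider. One "not provider" hop is INVALID; otherwise a
    # hop without attestation degrades the result to UNKNOWN.
    seq = list(reversed(collapsed))
    saw_no_attestation = False
    for i in range(len(seq) - 1):
        verdict = hop_check(seq[i], seq[i + 1], db)
        if verdict == "not_provider":
            return AspaResult.INVALID
        if verdict == "no_attestation":
            saw_no_attestation = True
    return AspaResult.UNKNOWN if saw_no_attestation else AspaResult.VALID


if __name__ == "__main__":
    # Leftmost AS 64510 received from a neighbor claiming to be 64520:
    # rejected by the first-AS rule before any ASPA lookup happens.
    print(aspa_check_upstream([64510, 64500], neighbor_as=64520))
    # Same path learned via a route server: the exemption applies.
    print(aspa_check_upstream([64510, 64500], neighbor_as=64520,
                              route_server_client=True))
```

The point of keeping `first_as_ok` separate is that it needs two inputs the ASPA table does not carry, the neighbor AS and whether the session is a route-server client, which is exactly the information the post notes the filter module lacks.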