unexpected missing enforce-first-as check in ASPA implementation

David Petera david.petera at nic.cz
Thu May 7 17:07:28 CEST 2026


Hi Martin,

thanks for the pointer, however it does not make much sense to implement 
this directly in aspa_check() since it should not be performed in all 
cases (e.g. on a route server).

Operators do have to perform the check in filters, like you proposed, if 
they want full ASPA validation.

You are correct that this should be mentioned in the documentation and 
we will do so.

Thanks again and happy routing,
David

David Petera (he/him) | BIRD Tech Support | CZ.NIC, z.s.p.o.

On 5/5/26 10:15, Martin Tonusoo wrote:
> Hi.
>
> According to the current ASPA draft, the AS_PATH should be categorized as
> invalid if it's empty, contains an AS_SET or the most recently added AS in
> the AS_PATH does not match the neighbor AS except if the AS performing
> the ASPA check is a route-server client. aspa_check() in
> nest/rt-table.c returns ASPA_INVALID for empty AS_PATH and for AS_PATH
> containing AS_SET. However, the enforce-first-as check is not
> performed.
>
> I briefly tried to understand how such a check could be added to
> aspa_check() in nest/rt-table.c, but there does not seem to be a
> simple and clean solution. However, I could be wrong here. It's
> trivial to get the leftmost AS number with as_path_get_first(), but
> the filter module does not seem to have access to peer AS number and
> doesn't know whether it's a route-server client.
>
> As a workaround, one could use a function in filters and pass this
> information as function arguments, e.g.:
>
> function bgp_in(int peer_as; bool route_server_client) -> bool {
>
>      if ! route_server_client && bgp_path.first != peer_as then
>          reject "Invalid left-most ASN ", bgp_path.first, ". Reject ", net;
>
> ...
>
> };
>
> .. but perhaps it's at least worth documenting it in "BIRD User's
> Guide" that the aspa_check_downstream(), aspa_check_upstream() and
> aspa_check() do not enforce first AS check. Especially as the "enforce
> first as" option under BGP configuration is off by default.
>
> I tested on BIRD 3.2.1.
>
>
> Martin
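
The filter-level workaround discussed in this thread, combined with the ASPA check in one import function. This is an added example, not code from either poster or from the BIRD project. The table name `aspas`, the third argument `from_provider`, the AS numbers and the neighbor address are constructed placeholders. Accepting everything that is not ASPA_INVALID, and selecting the upstream or downstream procedure by session type as the ASPA draft describes, are assumptions.

```bird
# Added example. The ASPA table is assumed to be filled by an RPKI protocol
# that is not shown here.
aspa table aspas;

function bgp_in(int peer_as; bool route_server_client; bool from_provider) -> bool
{
	# Step 1: first-AS check. The aspa_check*() functions do not perform it.
	# Skipped when we are a route-server client, because the route server
	# is not expected to be the left-most AS in the path.
	if ! route_server_client && bgp_path.first != peer_as then
		reject "Invalid left-most ASN ", bgp_path.first, ". Reject ", net;

	# Step 2: ASPA path verification. Per the thread, this already returns
	# ASPA_INVALID for an empty AS_PATH and for an AS_PATH with an AS_SET.
	# Assumption: routes from a provider or from a route server use the
	# downstream procedure, routes from customers and peers the upstream one.
	if route_server_client || from_provider then {
		if aspa_check_downstream(aspas) = ASPA_INVALID then
			reject "ASPA invalid (downstream). Reject ", net;
	} else {
		if aspa_check_upstream(aspas) = ASPA_INVALID then
			reject "ASPA invalid (upstream). Reject ", net;
	}

	return true;
}

# Customer session: both steps apply, so the peer AS is passed explicitly.
protocol bgp customer1 {
	local as 64496;
	neighbor 192.0.2.1 as 64511;
	ipv4 {
		import where bgp_in(64511, false, false);
		export none;
	};
}
```

The peer AS is repeated in the `import` line because, as noted in the thread, the filter has no access to the neighbor AS of the session.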

