Hello Robert,

On Wed, Jun 24, 2026 at 08:42:48PM +0200, Robert Scheck wrote:

> On Tue, 08 Apr 2025, Maria Matejka wrote:
> > And with that, exactly as Jelle writes, you do the _downstream_ check
> > for all your transits, i.e.
> > 
> > ```
> > if aspa_check_downstream(ASPAS) = ASPA_INVALID then reject "ASPA INVALID ", 
> > net, " ", bgp_path, " ", proto;
> > ```
> 
> just to get whether I understood you correctly: If I have transits (local
> role customer), such as Arelion, Deutsche Telekom or Vodafone, I need the
> aspa_check_downstream(), as written by you, in my import filter?

Yes.

There is kinda a little catch though, and that is the rejection itself.
While the current draft stipulates to drop downstream invalids, it may
cause connectivity degradation in specific situations.

There is nothing wrong witn dropping Upstream invalids; both customer
and peer routes should be validated and invalids dropped.

But then there are prefixes where all candidates for the best route have
come from your transits. If your transits validate ASPA, they are going
to drop ASPA-invalid routes, and probably won't send trash to you, and
everything is still OK.

But it they do not validate ASPA, they may easily select a leaked best
route, and the only thing you get is trash. And while you could say
whatever, it's still trash, drop it, the problem is that often such a
leak works well, other customers of your transit therefore don't
complain, and there is no easy way to get the leak rectified.

For this reason, I would very much recommend only depreferencing
downstream invalids (i.e. setting `preference = 67;`) or something like
that.

There is a rather long thread on this in the sidrops mailing-list, and
I'm still quite surprised that this operational catch has been quite
actively rejected by the authors of the draft.

https://mailarchive.ietf.org/arch/msg/sidrops/FotQhXB7t-XsRMD2hGAj3VfdS4o/

Note: a situation like this, in a simplified form, happened with the
RIPE network and CZ.NIC, which has been affected by Hurricane Electric
leaking CZ.NIC routes.

https://ripe92.ripe.net/programme/meeting-plan/sessions/109/ZT9NYU/

Note: The connectivity was hotfixed by temporarily adding HE as CZ.NIC
provider in ASPA, and later returned to normal (checked right now).

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.  

Reply via email to