AS-GTT expands to some +90k ASN. Over 65 AS-SET that we use expand to +10k ASN. However 75% expand to 100 or less, which I'm pretty comfortable is not going to be a market leading exercise.

Luckily in Junos, even AS-GTT actually works, since they've implemented a regexless way to do AS_PATH for some cases - https://p.ip.fi/hHia

For SROS, IOSXR 90k would be quite a ridiculous attempt, and it's probably cheaper just to expand to a million lines of prefix-list, since prefix-list scale is more tested than AS_PATH scale. In SROS as-path-group can contain only 128 lines, so if you match a single ASN per line, you'd need 700 terms just to check the origin, unless you use regexp OR in the lines to put multiple origins per line.

On Tue, 24 Feb 2026 at 20:07, Tom Beecher <beecher@beecher.cc> wrote:
I've always gotten plenty of mileage out of as-path regexes on Junos. Usually don't ever need to be more than 4 long.
On Mon, Feb 23, 2026 at 11:52 AM Saku Ytti via NANOG <nanog@lists.nanog.org> wrote:
We've had problems in various NOS in generating large prefix-lists. In absolute configuration size, as well as prefix-set sizes.
I'd like to hear about operational experiences, how long AS-PATH policies people have successfully run and in which NOS.
I am not interested in exact AS_PATH contents, I am only interested that it contains a named set of AS numbers, in any order and any repetition. In Junos speak ^[1 42 500 1212]*$
How many ASN can I iterate, before I become market leading and have to work with vendors to fix bugs?
The interest is because of RPKI we could get rid of prefix-lists, but we might still want to verify AS_PATH. Consider AS-YTTI having AS43792.
a) They advertise Google with invalid origin
b) They advertise Google with valid origin
Maybe these come from some BGP optimization tool they run. A) is dropped by RPKI, B) is passed. But B) can be dropped by prefix-list filter or AS-PATH filter which doesn't allow Google ASN to exist in the AS_PATH.
So I don't really need to check the prefix again, after it passed RPKI. AS_PATH check is equally strong.
-- ++ytti
-- ++ytti
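
The filtering logic discussed in this thread, as an added example that is not part of any poster's message: RFC 6811 origin validation followed by an AS_PATH check equivalent to `^[set]*$`, run against cases a) and b). The ROA entry, the test prefixes and the function names are constructed for illustration, and accepting not-found routes is an assumed policy.

```python
import ipaddress

# Constructed sample data (not from the thread).
ROAS = [("8.8.8.0/24", 24, 15169)]   # (prefix, maxLength, origin ASN)
AS_YTTI = {43792}                    # expanded AS-SET: AS-YTTI contains AS43792

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and origin == roa_asn:
                return "valid"
    return "invalid" if covered else "not-found"

def as_path_allowed(as_path, allowed):
    """Set form of ^[allowed...]*$: every ASN on the path is in the set,
    in any order and with any repetition (prepending)."""
    return all(asn in allowed for asn in as_path)

def accept(prefix, as_path, allowed):
    """Accept a customer route only if ROV is not 'invalid' and the whole
    AS_PATH stays inside the customer's expanded AS-SET."""
    if not as_path:
        # An eBGP customer route always carries at least one ASN.
        return False
    origin = as_path[-1]             # rightmost ASN is the origin
    if rov_state(prefix, origin) == "invalid":
        return False
    return as_path_allowed(as_path, allowed)

if __name__ == "__main__":
    cases = {
        "a) invalid origin": ("8.8.8.0/24", [43792]),
        "b) valid origin": ("8.8.8.0/24", [43792, 15169]),
        "own route, prepended": ("192.0.2.0/24", [43792, 43792]),
    }
    for name, (prefix, path) in cases.items():
        print(name, rov_state(prefix, path[-1]), accept(prefix, path, AS_YTTI))
```

Case b) passes origin validation but is rejected because AS15169 is not in the customer's set, without any prefix-list lookup.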