On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
On Tue, Aug 23, 2022 at 05:18:42PM +0000, Compton, Rich A wrote:
I was under the impression that ASPA could prevent route leaks as well as path spoofing. This "BGP Route Security Cycling to the Future!" presentation from NANOG seems to indicate this is the case: https://youtu.be/0Fi2ghCnXi0?t=1093
I'm not sure how ASPA can prevent AS Path spoofing. Perhaps something got lost in translation?
ASPA records are published in the RPKI, from there a RPKI RP transforms the ASN.1/X.509/crypto stuff into something 'plain text'. This 'plain text' data is loaded into EBGP routers via RTR, which then compare the *plain text* AS_PATH attribute to the table of plain-text ASPA records, to determine if it came via an authorized upstream provider or not.
In this sense, ASPA (just by itself) suffers the same challenge as RPKI ROA-based Origin Validation: the input (the BGP AS_PATH) is unsigned and unsecured; thus spoofable.
ASPA enforces that the neighbor AS appears as first element in the ASPATH. It also disallows empty ASPATHs from eBGP sessions. Because of this spoofing becomes harder. The problem is that this only works for paths that are validated by ASPA (all AS hops have been verified). An ASPA-unknown path can still be spoofed. Spoofing will become much harder once a critical mass of infrastructure deployed ASPA. -- :wq Claudio