Hurricane Electric now supports ASPA for route filtering
Hurricane Electric now uses ASPA to do hop-by-hop checking of AS paths when deciding which routes to accept when building prefix filters. Here is an example of a route failing the ASPA check.

44.31.69.0/24,rejected,AS path 4635 9002 945 7480 38254 38254 38254 38254 38254 ASPA record exists for 7480 and 945 is not listed as a provider.
44.31.73.0/24,rejected,AS path 4635 9002 945 7480 ASPA record exists for 7480 and 945 is not listed as a provider.

These were found on the HKIX route servers (this example may be gone by the time you look at it, or it may exist for a while): https://routing.he.net/index.php?cmd=display_filter&as=4635&af=4&which=reasons

For Hurricane Electric, the ASPA filtering is part of the prefix filter generation used for all customers and peers, which is responsible for the decision to accept a prefix. The vast majority of the route filtering decisions occur at this stage.

We will shortly be adding ASPA reactive filtering, which will monitor for prefixes that we have accepted that later become invalid.

(Possible gross oversimplification ahead.)

ASPA (Autonomous System Provider Authorization) is a relatively easy-to-understand add-on to RPKI that allows an ASN to create a record that lists which ASNs can be providers for that ASN. The concepts are "customer" (an ASN) and "providers" (a list of ASNs).

How did we do this? How can you do something similar?

You should already be familiar with RPKI and should set up an RPKI validator, ideally one with ASPA support. Test to see that you can validate origin and prefix pairs so that you know you have the RPKI validator working. Then do research regarding your specific RPKI validator to dump all the ASPA objects currently being published.

The following article is an interesting starting point for the concepts involved and to help you play around: https://as51019.com/posts/aspa-bird2/

In the blog post the experimenter was building AS path filters for bird using ASPA records from a dump from routinator.
If you wanted a routing daemon with built-in early-stage ASPA support, I'm told you can use openbgpd with rpki-client. I'm sure Job will be able to give much better or more accurate guidance regarding ASPA software, protocols, and terminology.
Mike Leber
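As an added example (not Hurricane Electric's filter generator and not code from the post), the following Python reproduces the hop-by-hop check the post describes for the two rejected HKIX paths. It implements only the "upstream" direction of ASPA path verification, which is the case that applies to routes learned from customers and route-server peers: walking from the origin towards the neighbour, every left-hand AS must be an authorized provider of the AS to its right. A hop whose customer AS has an ASPA record that does not list the left-hand AS makes the path invalid; a hop whose customer AS has no record at all makes the path unknown rather than invalid. The ASPA records in ASPA_DB are constructed for the example, not the real published objects: all that is known from the post is that 7480 has a record and 945 is not in it, so 945 is deliberately left out. The downstream (provider-learned) case, AS_SET handling, and anything about how HE formats its reasons beyond the two lines quoted above are outside what this example claims.

```python
"""Simplified ASPA upstream AS-path verification (illustrative, not HE's code)."""
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

# Constructed ASPA records for this example: customer ASN -> authorized provider ASNs.
# These are NOT the real published objects. 945 is intentionally absent from
# AS7480's record so the rejection quoted in the post reproduces.
ASPA_DB: Dict[int, Set[int]] = {
    38254: {7480},
    7480: {9002, 4635},
}


class HopResult(Enum):
    PROVIDER_PLUS = "Provider+"          # record exists and lists the candidate provider
    NOT_PROVIDER_PLUS = "Not Provider+"  # record exists and does not list it
    NO_ATTESTATION = "No Attestation"    # customer AS has published no ASPA record


class PathResult(Enum):
    VALID = "valid"
    INVALID = "invalid"
    UNKNOWN = "unknown"


def hop_check(customer: int, candidate_provider: int,
              db: Dict[int, Set[int]] = ASPA_DB) -> HopResult:
    """Is candidate_provider authorized as a provider of customer?"""
    providers = db.get(customer)
    if providers is None:
        return HopResult.NO_ATTESTATION
    if candidate_provider in providers:
        return HopResult.PROVIDER_PLUS
    return HopResult.NOT_PROVIDER_PLUS


def collapse_prepends(path: List[int]) -> List[int]:
    """Merge consecutive repeats (AS path prepending) so each adjacency is checked once."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def parse_as_path(text: str) -> List[int]:
    """Parse a space-separated AS path such as '4635 9002 945 7480 38254'."""
    return [int(tok) for tok in text.split()]


def verify_upstream(path: List[int],
                    db: Dict[int, Set[int]] = ASPA_DB) -> Tuple[PathResult, Optional[str]]:
    """Upstream-only ASPA verification.

    path is the AS_PATH as received: path[0] is the neighbour that announced
    the route, path[-1] is the origin. Returns (result, reason-or-None).
    """
    p = collapse_prepends(path)
    if not p:
        return PathResult.INVALID, "empty AS path"
    saw_no_attestation = False
    # Walk from the origin towards the neighbour. For adjacent ASes
    # (left, right), 'right' is the customer and 'left' must be its provider.
    for i in range(len(p) - 1, 0, -1):
        customer, provider = p[i], p[i - 1]
        r = hop_check(customer, provider, db)
        if r is HopResult.NOT_PROVIDER_PLUS:
            return (PathResult.INVALID,
                    f"ASPA record exists for {customer} and {provider} "
                    f"is not listed as a provider")
        if r is HopResult.NO_ATTESTATION:
            saw_no_attestation = True
    if saw_no_attestation:
        return PathResult.UNKNOWN, None
    return PathResult.VALID, None


if __name__ == "__main__":
    # The two paths quoted in the post, plus two constructed ones for contrast.
    samples = [
        ("44.31.69.0/24", "4635 9002 945 7480 38254 38254 38254 38254 38254"),
        ("44.31.73.0/24", "4635 9002 945 7480"),
        ("constructed", "9002 7480 38254"),       # every hop attested -> valid
        ("constructed", "4635 9002 7480 38254"),  # 9002 has no record -> unknown
    ]
    for prefix, path in samples:
        result, reason = verify_upstream(parse_as_path(path))
        print(f"{prefix},{result.value},AS path {path}" + (f" {reason}" if reason else ""))
```

Run it as-is to see the two HKIX paths come out invalid with the same reason text the post quotes, and the two constructed paths come out valid and unknown respectively. Swapping ASPA_DB for a dump from your validator (routinator or rpki-client) turns this into a quick way to check why a particular path would be filtered, but remember it only covers the upstream direction; routes learned from your own providers need the downstream rules as well.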