Routinator, our RPKI validation software, now sees more than 1000 Autonomous System Provider Authorization (ASPA) objects in the wild.

@alexband I don't find the support for it in FRRouting, do you have a link ? I tried grepping through the source, I see support for RPKI, but nothing for ASPA...

Routinator, our RPKI validation software, now sees more than 1000 Autonomous System Provider Authorization (ASPA) objects in the wild. These are published by operators to detect and prevent BGP route leaks.

ASPAs can be created in the hosted RPKI services of the RIPE NCC and ARIN, as well as our open-source RPKI Certification Authority software, Krill.

Open-source routing projects such as BIRD, OpenBGPD and FRRouting already offer support for ASPA, while major commercial vendor support is expected later this year.

#OpenSource #OpenStandards #IETF #RPKI #BGP #RoutingSecurity

@alexband ....and updated my lab with the newest #Routinator version and added --enable-aspa to my containerlab config

@alexband I have yet to see how RPKI / ASPA / ROA can actually prevent route leaks.

I absolutely agree that they can help detect and mitigate route leaks AS LONG AS peers are using information published via RPKI / ROA.

Much like SPF can’t prevent spam. While SPF does make it easier to detect and filter spam.

Preventing is proactive and decidedly different than reactively detecting and mitigating (filtering).

@drscriptt @alexband The short form is that some downstream AS can't necessarily detect that routes have passed through inappropriate ASes from a valley-free perspective without some hints about what that relationship is. BGP is quite happy to make sure the routes are loop free without caring what your business relationship is.

If your point is "where's the incentive to register your relationship", that's a different problem.

@jhaas @alexband I absolutely agree that the information needs to be published for recipients to be able to make a decision / filter received prefixes.

My point was that simply publishing information doesn’t prevent anything.

@jhaas @alexband I absolutely agree that the information needs to be published for recipients to be able to make a decision / filter received prefixes.

My point was that simply publishing information doesn’t prevent anything.

@drscriptt @jhaas I remember launching #RPKI in 2011. It took years of publishing ROAs, learning from mistakes and fixing bad quality ROAs before the operator community got to the point where they felt comfortable dropping invalid routes.

ASPA will be the same, although perhaps a bit quicker because of the huge installed base of (ASPA capable) validators: https://rov-measurements.nlnetlabs.net/stats/

@alexband @drscriptt I have fears of subtle bugs in the validation algorithm, but expect that like OV ASPA will be deployed in soft mode for a while. The industry showed how to handle the incremental deployment well.

Shorter term, CPU churn from ASPA updates in RPKI-RTR will be... fun.

@jhaas @drscriptt Meanwhile, as more #RPKI invalid #BGP routes are dropped, we are working on making the invisible visible again with Rotonda. https://ripe91.ripe.net/programme/meeting-plan/sessions/15/CLRNRY/

@drscriptt @jhaas I remember launching #RPKI in 2011. It took years of publishing ROAs, learning from mistakes and fixing bad quality ROAs before the operator community got to the point where they felt comfortable dropping invalid routes.

ASPA will be the same, although perhaps a bit quicker because of the huge installed base of (ASPA capable) validators: https://rov-measurements.nlnetlabs.net/stats/

@jhaas @alexband I absolutely agree that the information needs to be published for recipients to be able to make a decision / filter received prefixes.

My point was that simply publishing information doesn’t prevent anything.

@drscriptt @jhaas @alexband what would stopping a leak look like to you?

We’ve already seen a number of route leaks stopped or majorly suppressed by ROA validation, and ROA validation is far less capable in this regard than ASPA.

@drscriptt @jhaas @alexband what would stopping a leak look like to you?

We’ve already seen a number of route leaks stopped or majorly suppressed by ROA validation, and ROA validation is far less capable in this regard than ASPA.