Hurricane Electric now uses ASPA to do hop by hop checking of AS paths
when deciding which routes to accept when building prefix filters.
Here is an example of a route failing the ASPA check.
44.31.69.0/24,rejected,AS path 4635 9002 945 7480 38254 38254 38254 38254 38254 ASPA record exists for 7480 and 945 is not listed as a provider.
44.31.73.0/24,rejected,AS path 4635 9002 945 7480 ASPA record exists for 7480 and 945 is not listed as a provider.
These were found on the HKIX route servers (this example may be gone by
the time you look at it, or it may exist for a while):
https://routing.he.net/index.php?cmd=display_filter&as=4635&af=4&which=reasons
For Hurricane Electric, the ASPA filtering is part of the prefix filter
generation used for all customers and peers, which is responsible for
the decision to accept a prefix. The vast majority of the route
filtering decisions occur at this stage.
We will shortly be adding ASPA reactive filtering which will monitor for
prefixes that we have accepted that later become invalid.
(Possible gross oversimplification ahead.)
ASPA (Autonomous System Provider Authorization) is a relatively
easy-to-understand add-on to RPKI that allows an ASN to create a record that
lists which ASNs can be providers for that ASN. The concepts are
"customer" (an ASN) and "providers" (a list of ASNs).
How did we do this? How can you do something similar?
You should already be familiar with RPKI and should set up an RPKI
validator, ideally one with ASPA support.
Test to see that you can validate origin and prefix pairs so that you
know you have the RPKI validator working.
Then do research regarding your specific RPKI validator to dump all the
ASPA objects currently being published.
The following article is an interesting starting point for the concepts
involved and to help you play around:
https://as51019.com/posts/aspa-bird2/
In the blog post the experimenter was building AS path filters for bird
using ASPA records from a dump from routinator.
If you wanted a routing daemon with built-in early-stage ASPA support,
I'm told you can use openbgpd with rpki-client.
I'm sure Job will be able to give much better or more accurate guidance
regarding ASPA software, protocols, and terminology.
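
An added example, not Hurricane Electric's code: a simplified hop-by-hop check for routes learned from customers, peers or route servers, where every hop from the origin toward the receiver must go from a customer to one of its listed providers. It is not the full ASPA verification procedure (no provider-side "down" segment, no AS_SET handling), and the provider list in the ASPA table is constructed sample data, not real RPKI content.

```python
# Added illustration of the customer -> provider hop check described above.
# ASPA maps a customer ASN to the set of ASNs it authorizes as providers.
# The entry below is constructed sample data (documentation ASNs as providers).
ASPA = {
    7480: {64500, 64501},   # constructed: 945 is deliberately not listed
}

def collapse_prepends(path):
    """Drop consecutive duplicate ASNs (prepending) from an AS path."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check_path(as_path, aspa=ASPA):
    """Return (verdict, reason); as_path is written neighbor first, origin last."""
    path = collapse_prepends([int(a) for a in as_path.split()])
    verdict = "valid"
    # Walk from the origin toward us: each AS hands the route to the AS on its left.
    for i in range(len(path) - 1, 0, -1):
        customer, upstream = path[i], path[i - 1]
        providers = aspa.get(customer)
        if providers is None:
            verdict = "unknown"   # no ASPA record, so this hop cannot be checked
        elif upstream not in providers:
            return ("invalid", f"ASPA record exists for {customer} and "
                               f"{upstream} is not listed as a provider.")
    reason = "" if verdict == "valid" else "at least one hop has no ASPA record"
    return (verdict, reason)

if __name__ == "__main__":
    # The two AS paths from the rejected routes quoted in the post.
    for p in ("4635 9002 945 7480 38254 38254 38254 38254 38254",
              "4635 9002 945 7480"):
        print(p, "->", check_path(p))
```

A hop whose customer has no ASPA record only lowers the result to "unknown"; a single hop that contradicts an existing record makes the whole path invalid.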