Jia (and Maria):

The approach proposed by Maria (which you support) does not function as
intended when the erring remote AS is multi-homed. In such cases, the remote
AS’s alternate route propagates to all ASes in the Internet – whether they
perform ASPA verification or not – resulting in the remote AS remaining unaware
of the error in their ASPA.

As you seem to agree, the network operator at the local AS should not be left
unaware if a customer is effectively cut off (i.e., all their routes are
dropped). The local AS operator must have the ability to manage such situations
proactively.

Considering Maria’s and your inputs, I suggest the following approach:

* During ASPA verification, when the remote (sending) AS is a customer, the
  following check is performed:
    * The remote AS has an ASPA record, and
    * The SPAS obtained from the ASPA does not include the local AS.
* If this check evaluates to True, an alert MUST be generated for the local
  AS.
* The local AS operator MUST have an automated procedure to process this
  alert and decide whether to terminate the BGP session with the remote AS.
* Regardless of whether the BGP session is terminated, the local AS MUST
  notify the remote AS about the error in their ASPA.
* If the BGP session was terminated, it is re-initiated after the error in
  the ASPA is fixed.

This approach ensures improved visibility and control for the local AS
operator, helping prevent silent failures and enabling timely corrective
actions.

Apart from the above-described supplementary procedure, the current ASPA path
verification procedure in the draft remains unchanged.

Maria and I agreed earlier that the combination of the existing ASPA-based path
verification at ingress and the OTC procedure [RFC 9234] eliminates the need for
egress verification, especially when there is a supplementary procedure (as
described above) to remedy the omission error in the direct customer’s ASPA.

Sriram
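
The customer-ASPA check proposed in the message above, sketched as an added example; it is not part of the original message or of the ASPA draft. The AS numbers (documentation range), table layout and function names are assumptions made for illustration, and the alert handling (notification, session teardown) is left to operator policy.

```python
from dataclasses import dataclass

# Constructed sample data: documentation ASNs (RFC 5398), not real networks.
LOCAL_AS = 64500

# Validated ASPA data: customer AS -> set of provider ASes (SPAS).
# A customer that is absent from the mapping has no ASPA record.
ASPA_TABLE = {
    64501: {64500, 64510},   # lists the local AS: no alert
    64502: {64510, 64511},   # multi-homed, omits the local AS: alert
}

# Locally configured BGP neighbors and their role relative to LOCAL_AS.
NEIGHBORS = {64501: "customer", 64502: "customer",
             64503: "customer", 64510: "provider"}

@dataclass(frozen=True)
class Alert:
    remote_as: int
    local_as: int
    spas: frozenset

def check_customer_aspa(local_as, remote_as, role, aspa_table):
    """Return an Alert if a customer's ASPA omits local_as, else None."""
    if role != "customer":
        return None  # the check applies only when the remote AS is a customer
    spas = aspa_table.get(remote_as)
    if spas is None:
        return None  # no ASPA record: first condition of the check not met
    if local_as in spas:
        return None  # the ASPA lists the local AS as a provider
    return Alert(remote_as, local_as, frozenset(spas))

def scan_neighbors(local_as, neighbors, aspa_table):
    """Run the check over every configured neighbor and collect alerts."""
    alerts = []
    for remote_as, role in sorted(neighbors.items()):
        alert = check_customer_aspa(local_as, remote_as, role, aspa_table)
        if alert is not None:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan_neighbors(LOCAL_AS, NEIGHBORS, ASPA_TABLE):
        print(f"ALERT: AS{a.remote_as} ASPA omits AS{a.local_as}; "
              f"SPAS={sorted(a.spas)}")
```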