Jia (and Maria):

The approach proposed by Maria (which you support) does not function as 
intended when the erring remote AS is multi-homed. In such cases, the remote 
AS’s alternate route propagates to all ASes in the Internet – whether they 
perform ASPA verification or not – resulting in the remote AS remaining unaware 
of the error in their ASPA.

As you seem to agree, the network operator at the local AS should not be left 
unaware if a customer is effectively cut off (i.e., all their routes are 
dropped). The local AS operator must have the ability to manage such situations 
proactively.

Considering Maria’s and your inputs, I suggest the following approach:


  *   During ASPA verification, when the remote (sending) AS is a customer, the 
following check is performed:
     *   The remote AS has an ASPA record, and
     *   The SPAS obtained from the ASPA does not include the local AS.
  *   If this check evaluates to True, an alert MUST be generated for the local 
AS.
  *   The local AS operator MUST have an automated procedure to process this 
alert and decide whether to terminate the BGP session with the remote AS.
  *   Regardless of whether the BGP session is terminated, the local AS MUST 
notify the remote AS about the error in their ASPA.
  *   If the BGP session was terminated, it is re-initiated after the error in 
the ASPA is fixed.

This approach ensures improved visibility and control for the local AS 
operator, helping prevent silent failures and enabling timely corrective 
actions.

Apart from the above-described supplementary procedure, the current ASPA path 
verification procedure in the draft remains unchanged.

Maria and I agreed earlier that the combination of the existing ASPA-based path 
verification at ingress and the OTC procedure [RFC 9234] eliminates the need for 
egress verification, especially when there is a supplementary procedure (as 
described above) to remedy the omission error in the direct customer’s ASPA.

Sriram
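
The customer-ASPA check proposed in the message above, sketched as an added example; it is not part of the original email and is not code from the ASPA draft. The ASNs (documentation range), the neighbor role table, the function names, and the rule that a customer's SPAS is the union of the provider sets of all its valid ASPAs are assumptions of this sketch.

```python
# Constructed sample data: ASNs are from the documentation range (RFC 5398).
LOCAL_AS = 64496

# Validated ASPA payloads as (customer AS, provider AS set). Assumption: when a
# customer has several valid ASPAs, its SPAS is the union of their provider sets.
VALIDATED_ASPAS = [
    (64500, {64497}),   # multi-homed customer whose ASPA omits the local AS
    (64501, {64496}),
    (64501, {64498}),   # second ASPA for the same customer
    (64503, {64499}),   # ASPA of a neighbor that is not a customer
]

# Hypothetical session table: neighbor AS -> role of that neighbor towards us.
NEIGHBOR_ROLES = {64500: "customer", 64501: "customer",
                  64502: "customer", 64503: "peer"}


def build_spas(aspas):
    """Map each customer AS to the union of its provider sets."""
    table = {}
    for customer, providers in aspas:
        table.setdefault(customer, set()).update(providers)
    return table


def check_customer_aspas(local_as, neighbor_roles, aspas):
    """Return one alert per customer neighbor whose SPAS omits local_as."""
    spas_by_customer = build_spas(aspas)
    alerts = []
    for neighbor, role in sorted(neighbor_roles.items()):
        if role != "customer":
            continue          # the check applies to customer sessions only
        spas = spas_by_customer.get(neighbor)
        if spas is None:
            continue          # no ASPA record: first condition not met
        if local_as not in spas:
            alerts.append({"local_as": local_as, "customer_as": neighbor,
                           "spas": sorted(spas)})
    return alerts


if __name__ == "__main__":
    for a in check_customer_aspas(LOCAL_AS, NEIGHBOR_ROLES, VALIDATED_ASPAS):
        print(f"ALERT: AS{a['customer_as']} ASPA omits AS{a['local_as']}; "
              f"SPAS={a['spas']}")
```

The returned alerts are the input to the operator's automated procedure; the session decision and the notification to the remote AS are left outside the sketch.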
