Re: [Sidrops] ASPA: Is this really a leak?

Lukas Tribus <> Thu, 17 December 2020 12:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9CA703A033F for <>; Thu, 17 Dec 2020 04:23:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eE7eDcuV9ep5 for <>; Thu, 17 Dec 2020 04:23:09 -0800 (PST)
Received: from ( [IPv6:2001:67c:2050::465:201]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 712B13A017E for <>; Thu, 17 Dec 2020 04:23:09 -0800 (PST)
Received: from ( [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 4CxWNp65CVzQjkp for <>; Thu, 17 Dec 2020 13:23:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=MBO0001; t=1608207785; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kwQdUqX2eG5WWgLDI4Dj+i7dg0qiLnDvq2Jk6MZxUvE=; b=Acp9/1M4ksYSPEkDo10+u78w/CzbkywChxuhZxm44xiij6AuQef8J7iZv0XLKQAFQEpogT +kjZKDRNRtOWXy+WjL9mcZRfOgi6NjhirxOXt5Nfr/lrowsKuttpS/vRRGi12p4wijD3/u QKHwZ1D+YcO8/UegDZ+gYMb8qrxZb2DrxYLc615AYsrxBEgth6KzhoVmdwmMzBO5HfvCrB UaJSbuvZMVLDBw86wBUh3onfeRizqcGS7KpRnZhjFbAiMbpGQE1krV10JiTJAQuUx+70WU TaCCEDD/pAGO/Xqo3os1m/cPUpWhop0Tl8TWTXL42Ijoo8fNYuIAOWciBrMVyA==
Received: from ([]) by ( []) (amavisd-new, port 10030) with ESMTP id ngchkCeqwPsy for <>; Thu, 17 Dec 2020 13:23:01 +0100 (CET)
Received: by with SMTP id q137so27280939iod.9 for <>; Thu, 17 Dec 2020 04:22:59 -0800 (PST)
X-Gm-Message-State: AOAM533KWJh+om4dYrhch7JbpE03JC2Tpvhkceo722h9mMGS/7zv9Ko4 GP9EC4MR4NV44lrka/adVnyXKQ3YBXs4eDQfpaE=
X-Google-Smtp-Source: ABdhPJxhKBWV9sS9XKlYOZLoOVmKeP373QALnLIBsiMkUgk9wu3gOv4q1c/Odbgpb8wPl0CnY5qBMgQF2jQ/1PiF4d8=
X-Received: by 2002:a5e:dc43:: with SMTP id s3mr45977168iop.101.1608207778197; Thu, 17 Dec 2020 04:22:58 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Lukas Tribus <>
Date: Thu, 17 Dec 2020 13:22:46 +0100
X-Gmail-Original-Message-ID: <>
Message-ID: <>
To: "Jakob Heitz (jheitz)" <>
Cc: Lukas Tribus <>, "" <>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Score: -2.09 / 15.00 / 15.00
X-Rspamd-Queue-Id: D5D031850
X-Rspamd-UID: e02e71
Archived-At: <>
Subject: Re: [Sidrops] ASPA: Is this really a leak?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Dec 2020 12:23:11 -0000

Hello Jakob,

On Thu, 17 Dec 2020 at 08:49, Jakob Heitz (jheitz) <> wrote:
> Thanks Lukas. Good explanation.
> So, if AS20 were to allow this, would it list AS2 as a provider in its ASPA record?

Yes, I'm saying that AS20 has to authorize AS2 as a provider in the
ASPA record. This would also mean that AS2 would be authorized to be
transit for the entire AS20, not only AS20 -> AS1. This is a drawback
that AS20 has to consider here. You can't have your cake and eat it
too ... However I don't think this is a problem in practice, because
like I wrote in the other email, usually nobody wants this. And more
complex situations can always be authorized with multiple ASPA records
(just like mutual transit relations in section 7).

I would also suggest that ASPA should remain as simple as possible.
Exceptions to the basic rules as per the draft will make it more
difficult for network operators and implementators - in all steps
(implementing the code, training folks, actually deploying it in a
network, troubleshooting live issues). We want as much traction as
possible from both global and regional network operators. ROV and it's
implementations are complex and hard enough.