nanog mailing list archives

Re: How long AS-PATH policies have you used


From: Saku Ytti via NANOG <nanog () lists nanog org>
Date: Thu, 26 Feb 2026 09:10:02 +0200

Thank you, very useful. I assume you've previously used a non-EOS
platform, were you running a similar scale there?

And much larger than I expected from a regex based solution, so highly
encouraging that this could work even for pathological AS-SETs.

Is EOS using ASN as atom or character as atom? Your example has some
ambiguity to me.

permit (1|2|3|4|5|6|7|8)$ any

This would work with both atoms. But

permit (11|22|33|44|55|66|77|88)$ any

has a very different meaning depending on whether character or ASN is the atom.

AFAIK only Junos has ASN as an atom, which is a brilliant idea for regexp.

But this is highly encouraging, it does seem to suggest to me that we
have a path out of prefix-list filtering, greatly reducing
configuration sizes and commit times.

a) Use SLURM to bridge gaps in your customer cone (this is 20-25%
today and decreasing) using route origins
b) Drop all non-valid RPKI (basically this is now your prefix-list check)
c) Use AS filter to drop non-permitted origin
d) Much much faster AS-SET recursion
e) Avoiding having prefix-lists duplication (RPKI + IPv4 + IPv6, both
AFIs can use same AS check)

As far as I can see, this is actually more secure than
RPKI+prefix-list, while being massively shorter in configuration size
and commit time.

Of course AS-SET data is trash and is insecure, but that's a fight for
another day. And the problem remains the same regardless of whether
the prefix-list or ASN is generated.

On Wed, 25 Feb 2026 at 21:10, James Bensley <lists+nanog () bensley me> wrote:


On Monday, February 23rd, 2026 at 17:52, Saku Ytti via NANOG <nanog () lists nanog org> wrote:

...

I'd like to hear about operational experiences, how long AS-PATH
policies people have successfully run and in which NOS.

...

How many ASN can I iterate, before I become market leading and have to
work with vendors to fix bugs?

The largest AS path filter I can find on our network is for one of our customers. The filter is 9002 permit entries
long; each entry matches 8 ASNs, so 72016 ASNs in total.

To clarify, one "entry" is matching 8 possible origin ASNs:

permit (1|2|3|4|5|6|7|8)$ any

^ 9k of those.

This is on EOS, it works fine.

...

So I don't really need to check the prefix again, after it passed
RPKI. AS_PATH check is equally strong.

This is exactly why we have AS path filters too. We're looking into dropping prefix filters but keeping AS path 
filters until such time as ASPA (or some other method) covers that part of the path filtering space, and we're also 
working on RFC9234 adoption right now. Prefix filters are yucky.


Cheers,
James.



-- 
  ++ytti
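As an added worked example (not from this thread, and not code from either poster), the Python below evaluates the two sample entries quoted above under both semantics: character atom, where the AS path is a plain digits-and-spaces string, and ASN atom, emulated Junos-style by mapping each distinct ASN to one private-use code point before handing the rewritten regex to Python's re engine. The filter entries, the transit ASNs 100/200 and the origins in the sample paths are constructed; build_filter() only reproduces the 8-origins-per-entry shape James describes (72016 origins give 9002 entries).

```python
"""Character-atom vs ASN-atom semantics for BGP AS-path regexes.

Added example, not code from the NANOG thread or from either poster.
The filter entries and AS paths below are constructed. The ASN-atom
evaluator emulates the Junos behaviour described in the thread (each
ASN is one regex atom) by mapping every distinct ASN to a private-use
code point and rewriting the regex onto those code points, so Python's
character-based ``re`` engine can evaluate both semantics.
"""
import re

# Pattern tokens we understand: an ASN literal, one regex operator, or
# whitespace. Anything else (e.g. '_', '[', '{') is rejected as unsupported.
_TOKEN = re.compile(r"\d+|[()|^$*+?.]|\s+")


def build_filter(origins, per_entry=8):
    """Chunk a flat list of permitted origin ASNs into entries of the shape
    quoted in the thread: 'permit (a|b|...)$ any', eight ASNs per entry."""
    origins = list(origins)
    return [
        "permit (" + "|".join(str(a) for a in origins[i:i + per_entry]) + ")$ any"
        for i in range(0, len(origins), per_entry)
    ]


def match_char_atom(pattern, as_path):
    """Character-atom semantics: the AS path is a plain digits-and-spaces
    string, so '(11|22)$' also matches an origin of 211 or 9922."""
    return re.search(pattern, as_path) is not None


def match_asn_atom(pattern, as_path):
    """ASN-atom semantics: each ASN is one atom, so '(11|22)$' matches only
    an origin of exactly 11 or 22, never 211."""
    codepoint = {}

    def atom(asn):
        # Stable one-character stand-in per distinct ASN (Unicode private-use area).
        if asn not in codepoint:
            codepoint[asn] = chr(0xE000 + len(codepoint))
        return codepoint[asn]

    encoded_path = "".join(atom(a) for a in as_path.split())
    parts, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        if m.start() != pos:
            raise ValueError(f"unsupported regex syntax in {pattern!r} at offset {pos}")
        tok = m.group()
        if tok.isdigit():
            parts.append(atom(tok))       # ASN literal -> one atom
        elif not tok.isspace():
            parts.append(tok)             # operator passes through unchanged
        pos = m.end()
    if pos != len(pattern):
        raise ValueError(f"unsupported regex syntax in {pattern!r} at offset {pos}")
    return re.search("".join(parts), encoded_path) is not None


def permitted(as_path, entries, matcher):
    """Evaluate a list of 'permit <regex> any' entries with an implicit deny."""
    for entry in entries:
        action, regex, _ = entry.split()
        if action == "permit" and matcher(regex, as_path):
            return True
    return False


# Constructed filter holding the two entries discussed in the thread.
FILTER = build_filter([1, 2, 3, 4, 5, 6, 7, 8, 11, 22, 33, 44, 55, 66, 77, 88])

# Constructed AS paths: transit ASNs 100 and 200, then the origin.
PATHS = ["100 200 22", "100 200 522", "100 200 5", "100 200 65", "100 200 50"]

if __name__ == "__main__":
    for p in PATHS:
        print(f"{p!r:>14}  char-atom={permitted(p, FILTER, match_char_atom)!s:5}  "
              f"asn-atom={permitted(p, FILTER, match_asn_atom)}")
    # On a character-atom platform the fix is a delimiter before the
    # alternation (IOS-style regexes spell it '_'; plain-regex form here).
    print(match_char_atom(r"(^| )(11|22|33|44|55|66|77|88)$", "100 200 522"))
```

Running it, the path 100 200 522 is permitted under character-atom matching (the string ends in "22" and in "2", so both entries fire) but denied under ASN-atom matching, where only an origin of exactly 22 or 2 would qualify. On a character-atom NOS the entry needs a delimiter in front of the alternation, the (^| ) in the last line, which IOS-style regex syntax writes as _.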
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JB26FJAPWGEMGKZHDBTK6U6W22X4QB4T/

