
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: minor clarity for ASPA role in bgpd.conf
To: Peter Hessler <phessler@theapt.org>
Cc: tech@openbsd.org
Date: Thu, 4 Dec 2025 22:33:48 +0100

On Thu, Dec 04, 2025 at 09:46:13PM +0100, Peter Hessler wrote:
> I started playing with RPKI ASPA on a test ASN, and was confused about
> what role I needed to mark my upstreams as.  Originally, I marked them
> as "role provider", thinking I needed to describe their relationship to
> me.  However, that resulted in the entire internet becoming invalid.  The
> setting expects the other way around, my relationship to them.
> 
> I'm open to wordsmithing, but I do think that this needs to be
> clarified.
> 
> OK?
 
I used 'Set the local role for this eBGP session' to make it clear that
this was the local system role that needs to be set. I agree that this is
too easy to miss and more clarity would help.
What do other people think? How can this be made more obvious?
 
> Index: usr.sbin/bgpd/bgpd.conf.5
> ===================================================================
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.conf.5,v
> diff -u -p -u -p -r1.251 bgpd.conf.5
> --- usr.sbin/bgpd/bgpd.conf.5	7 Jul 2025 20:56:48 -0000	1.251
> +++ usr.sbin/bgpd/bgpd.conf.5	4 Dec 2025 20:40:09 -0000
> @@ -1545,7 +1545,7 @@ Bind the neighbor to the specified RIB.
>  Set the local role for this eBGP session.
>  Setting a role is required for ASPA verification, the open policy role
>  capability and Only-To-Customer (OTC) attribute of RFC 9234.
> -The role can be one of
> +The role is your relationship to this neighbor and can be one of
>  .Ar none ,
>  .Ar provider ,
>  .Ar customer ,
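
Review bot: the new wording on the `+The role is your relationship to this neighbor and can be one of` line can still be read in the direction that caused the reported mistake, and "your" departs from the "local role" phrasing on the first context line of the hunk. Consider "The role describes the local system's relationship to this neighbor and can be one of", followed after the list by a one-sentence example: a session to an upstream takes role customer, since the report was that marking upstreams as role provider made everything invalid.
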
> 
> 
> -- 
> Murphy's Law is recursive.  Washing your car to make it rain doesn't
> work.
> 

-- 
:wq Claudio