From: Claudio Jeker Subject: Re: minor clarity for ASPA role in bgpd.conf To: Peter Hessler Cc: tech@openbsd.org Date: Thu, 4 Dec 2025 22:33:48 +0100 On Thu, Dec 04, 2025 at 09:46:13PM +0100, Peter Hessler wrote: > I started playing with RPKI ASPA on a test ASN, and was confused about > what role I needed to mark my upstreams as. Originally, I marked them > as "role provider", thinking I needed to describe their relationship to > me. However, that resulted in the entire internet becoming invalid. The > setting expects the other way around, my relationship to them. > > I'm open to wordsmithing, but I do think that this needs to be > clarified. > > OK? I used 'Set the local role for this eBGP session' to make it clear that this was the local system role that needs to be set. I agree that this is to easy to miss and more clarity would help. What do other people think? How can this be made more obvious? > Index: usr.sbin/bgpd/bgpd.conf.5 > =================================================================== > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.conf.5,v > diff -u -p -u -p -r1.251 bgpd.conf.5 > --- usr.sbin/bgpd/bgpd.conf.5 7 Jul 2025 20:56:48 -0000 1.251 > +++ usr.sbin/bgpd/bgpd.conf.5 4 Dec 2025 20:40:09 -0000 > @@ -1545,7 +1545,7 @@ Bind the neighbor to the specified RIB. > Set the local role for this eBGP session. > Setting a role is required for ASPA verification, the open policy role > capability and Only-To-Customer (OTC) attribute of RFC 9234. > -The role can be one of > +The role is your relationship to this neighbor and can be one of > .Ar none , > .Ar provider , > .Ar customer , > > > -- > Murphy's Law is recursive. Washing your car to make it rain doesn't > work. > -- :wq Claudio