CONCEPT Cited by 1 source
# First AS enforcement
First AS enforcement is a BGP sanity check specified in RFC 4271 §6.3: on an eBGP session, the router verifies that the leftmost AS in a received AS_PATH equals the ASN configured for that peer. RFC 4271 §5.1.2 requires an eBGP speaker to prepend its own ASN when it advertises a route, so a mismatch means the peer handed over a path it did not build honestly, and the route should be rejected. The check applies only to eBGP sessions; iBGP peers do not prepend their ASN.
## Specification
RFC 4271 makes the check optional ("MAY"), but when it fails the original text treats the UPDATE as carrying a Malformed AS_PATH, which means a NOTIFICATION and a torn-down session. RFC 7606 §7.6 revises that error handling: a route that fails the First AS check SHOULD be handled with treat-as-withdraw, dropping the offending NLRI (and logging the event) while the session stays up; resetting the session remains permitted only as an explicitly configured option. Tearing down a session over a single bad path would give any peer a cheap way to disrupt the whole adjacency, which is why treat-as-withdraw is the sane default.
The ASPA verification draft (draft-ietf-sidrops-aspa-verification-25 §5) states explicitly that ASPA cannot compensate for a missing First AS check: First AS enforcement is a hard prerequisite for ASPA path validation to mean anything.
## Why it matters
Without First AS enforcement, a directly connected eBGP peer can:
- Forge the entire AS_PATH: omit its own ASN and send any path it likes, including one that impersonates an arbitrary origin AS.
- Bypass RPKI ROV: Route Origin Validation only compares the rightmost (origin) AS against ROAs, so a forged path that ends in the ROA-authorized origin is RPKI-valid.
- Bypass ASPA: if the forged path consists of nothing but the legitimate origin AS, there are no AS-to-AS hops left for ASPA to evaluate, so there is no valley to detect. ASPA validates the hops inside the path; only the First AS check ties the leftmost hop to the session the route actually arrived on.
(Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)
## Vendor defaults (as of 2026)
| Vendor | Default enforcement? |
|---|---|
| Cisco IOS-XR | ✅ Yes |
| Nokia SR-OS | ✅ Yes |
| FRRouting | ✅ Yes |
| Juniper Junos | ❌ No |
| OpenBGPD | ❌ No |
| BIRD | ❌ No |
Cloudflare's 2026 measurement found that half of Tier 1 networks do not enforce First AS, and that most of those run Juniper routers, where the check is off by default. (Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths) Defaults also change between releases, so verify the setting on the software version you actually run rather than relying on the table above.
## Exception: IX route servers
Internet Exchange route servers are transparent: they redistribute member routes without prepending their own ASN, so the leftmost AS on a route learned from a route server is the announcing member's ASN, not the route server's. A strict First AS check would therefore drop every route the route server sends, and enforcement must be disabled on those sessions. Because most networks have far more non-IX sessions than IX sessions, the safe posture is to enforce everywhere by default and disable only on the route-server sessions.
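As an added illustration (this is not the page's, Cloudflare's, or any vendor's code), the following Python models the check from the Specification section, the RFC 7606 treat-as-withdraw outcome, the forged-path bypass from Why it matters, and the route-server exemption described just above, in one place. The `Session` fields, function names, and the ASNs (RFC 5398 documentation ASNs) are assumptions made for the example; it decodes only 4-octet-ASN AS_PATH segments, and its handling of a leading AS_SET and of an empty eBGP path is a design choice rather than RFC-mandated behaviour.

```python
"""First AS enforcement (RFC 4271 section 6.3) with RFC 7606 treat-as-withdraw.
Added illustration; not the page's or any BGP implementation's code."""
import struct
from dataclasses import dataclass
from enum import Enum

# RFC 4271 section 4.3 path-segment types; ASNs are encoded as 4 octets here.
AS_SET, AS_SEQUENCE = 1, 2


class Action(Enum):
    ACCEPT = "accept"
    # RFC 7606: treat the NLRI in the offending UPDATE as withdrawn, keep the session up
    TREAT_AS_WITHDRAW = "treat-as-withdraw"


@dataclass(frozen=True)
class Session:
    peer_asn: int                 # ASN configured for this eBGP peer
    route_server: bool = False    # IX route server: transparent, never prepends its own ASN
    enforce_first_as: bool = True


def encode_as_path(*segments):
    """Build an AS_PATH attribute value from (segment_type, [asn, ...]) pairs.
    Used only to construct the sample UPDATEs below."""
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack("!BB", seg_type, len(asns))
        out += b"".join(struct.pack("!I", asn) for asn in asns)
    return bytes(out)


def parse_as_path(data):
    """Decode an AS_PATH value into [(segment_type, [asn, ...]), ...].
    Raises ValueError on a syntactically malformed attribute."""
    segments, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[i], data[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0:
            raise ValueError("bad segment type or empty segment")
        if i + 4 * count > len(data):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, data[i:i + 4 * count]))))
        i += 4 * count
    return segments


def first_as_check(session, as_path):
    """Decide what to do with a route received over an eBGP session.

    Returns Action.ACCEPT when the route passes (or the check does not apply) and
    Action.TREAT_AS_WITHDRAW when RFC 7606 says to drop the route but keep the session.
    """
    try:
        segments = parse_as_path(as_path)
    except ValueError:
        return Action.TREAT_AS_WITHDRAW      # RFC 7606 section 7.6: malformed AS_PATH
    if not session.enforce_first_as or session.route_server:
        return Action.ACCEPT                 # check disabled, or IX route-server exemption
    if not segments:
        return Action.TREAT_AS_WITHDRAW      # eBGP peer must have prepended itself (RFC 4271 5.1.2)
    seg_type, asns = segments[0]
    if seg_type != AS_SEQUENCE:
        # A leading AS_SET has no single leftmost AS; this example rejects it
        # (design choice; AS_SET is deprecated by RFC 6472 anyway).
        return Action.TREAT_AS_WITHDRAW
    return Action.ACCEPT if asns[0] == session.peer_asn else Action.TREAT_AS_WITHDRAW


# Constructed sample: transit peer AS 64500, origin AS 64510, IX route server AS 64503.
HONEST = encode_as_path((AS_SEQUENCE, [64500, 64510]))   # peer prepended itself
# From a transit peer this path is forged (the peer stripped its own ASN and poses as the
# origin); learned via a route server it is the normal shape, since the RS adds nothing.
ORIGIN_ONLY = encode_as_path((AS_SEQUENCE, [64510]))


def demo():
    """Decisions for the scenarios discussed in the text."""
    transit = Session(peer_asn=64500)
    lax = Session(peer_asn=64500, enforce_first_as=False)
    route_server = Session(peer_asn=64503, route_server=True)
    return {
        "honest": first_as_check(transit, HONEST),
        "forged_enforced": first_as_check(transit, ORIGIN_ONLY),
        "forged_unenforced": first_as_check(lax, ORIGIN_ONLY),
        "via_route_server": first_as_check(route_server, ORIGIN_ONLY),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print("%-18s %s" % (name, action.value))
```

The interesting row is `forged_unenforced`: with the check off, the single-AS path from the transit peer is accepted, and because its only AS is the legitimate origin it would also pass ROV and give ASPA no hop to reject. The same bytes on the route-server session are accepted on purpose, which is exactly why that session needs the exemption and nothing else does.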
## Seen in
- sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths — primary treatment with Tier 1 measurement study