
PATTERN Cited by 1 source

Peerlock sanity check

Peerlock sanity check is the operator-side BGP-filter pattern of rejecting routes that cannot possibly be legitimate given the observed AS path; specifically, routes learned from a customer (or a non-Tier-1 peer) whose AS path contains a known Tier-1 ASN.

The observation

A Tier-1 network has no transit provider, so in a valley-free path it can only sit at the top of the hill:

  • As a provider on the uphill segment (the origin's upstream, or the upstream of one of the origin's transit providers); or
  • At the turnaround point, peering with another Tier-1 or handing the route down to a customer.

A Tier-1 therefore never exports a route up to a provider, and nothing beneath it on the uphill side can legitimately pass a Tier-1-carrying path upward. A Tier-1 ASN in a path learned from a non-Tier-1 neighbor (customer, non-Tier-1 peer, or small-network route server) means that neighbor, or someone below it, re-advertised a route it learned from a provider or peer. That is structurally impossible in a well-formed path, so it is almost certainly a leak.

Recipe

  1. Maintain a list of well-known Tier-1 ASNs (the peer set).
  2. On every customer and non-Tier-1 peer BGP session, install an AS-path regex filter: "reject any route whose AS path contains one of these Tier-1 ASNs." Do not apply it on provider sessions or on a direct session with a listed Tier-1; those paths legitimately carry the Tier-1's ASN.
  3. Apply it as a standard template across all sessions of that class, so a new session cannot be turned up without it.

Canonical implementation: github.com/job/peerlock (Junos + IOS-XR templates). Minimal version: Peerlock-lite (NANOG).
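The recipe above, simulated end to end as an added example (this is not the job/peerlock template code): a constructed Tier-1 list, a per-session decision function that applies the filter on customer and non-Tier-1 peer sessions while exempting provider sessions and direct Tier-1 sessions, generators for the equivalent Junos- and IOS-XR-style as-path regex strings, and a constructed set of received routes. The sample routes also show the limitation noted further down: a leak between two non-listed networks passes untouched. The session labels, the neighbor ASNs, and the regex dialects are assumptions; verify the vendor syntax against current documentation before deploying.

```python
import re

# Illustrative operator-maintained Tier-1 list (assumption: a plausible subset;
# re-verify it on a fixed cadence, which is the maintenance cost of this pattern).
TIER1_ASNS = frozenset({174, 1239, 1299, 2914, 3257, 3356, 3491, 6453, 6762, 7018})


def parse_as_path(path):
    """Turn a textual AS_PATH such as '64500 3356 64496' into a list of ints.
    AS_SET braces ('{64496 64497}') are ignored so every ASN inside still counts
    as present; that is the conservative choice for a leak filter."""
    return [int(tok) for tok in re.findall(r"\d+", path)]


def contains_tier1(as_path, tier1=TIER1_ASNS):
    """True if any hop in the path is a listed Tier-1 ASN."""
    return any(asn in tier1 for asn in as_path)


def peerlock_lite_reject(as_path, session_class, neighbor_asn, tier1=TIER1_ASNS):
    """Decide whether a received route should be rejected (True = reject).

    session_class is 'customer', 'peer' or 'provider' (hypothetical labels for
    the session template the route arrived on).  The filter applies on customer
    and non-Tier-1 peer sessions only: neither can legitimately hand us a path
    that transited a Tier-1.  Provider sessions and direct sessions with a listed
    Tier-1 are exempt, since a Tier-1 ASN in those paths is exactly what we expect.
    """
    if session_class == "provider" or neighbor_asn in tier1:
        return False
    return contains_tier1(as_path, tier1)


def junos_as_path_regex(tier1=TIER1_ASNS):
    """Junos-style as-path regex matching any path containing a listed ASN
    (assumption: Junos alternation syntax as documented; verify before use)."""
    alt = "|".join(str(asn) for asn in sorted(tier1))
    return f".* ({alt}) .*"


def iosxr_as_path_regex(tier1=TIER1_ASNS):
    """IOS-XR ios-regex form of the same match (same caveat as above)."""
    alt = "|".join(str(asn) for asn in sorted(tier1))
    return f"_({alt})_"


# Constructed sample of received routes: (AS_PATH, session class, neighbor ASN).
# AS64496-64511 are documentation ASNs; the Tier-1 ASNs are used as placeholders.
SAMPLE_ROUTES = [
    ("64500 3356 64496", "customer", 64500),   # customer leaked a provider-learned route
    ("64500 64501", "customer", 64500),        # legitimate: customer and its own customer
    ("64502 2914 64496", "peer", 64502),       # non-Tier-1 peer leaking a Tier-1 path
    ("3356 64496", "provider", 3356),          # normal: learned from our transit provider
    ("1299 64496", "peer", 1299),              # normal: direct session with that Tier-1
    ("64510 64511 64496", "customer", 64510),  # leak between non-listed networks: NOT caught
]


def evaluate(routes=SAMPLE_ROUTES):
    """Map each sample AS_PATH to the filter verdict (True = rejected)."""
    return {path: peerlock_lite_reject(parse_as_path(path), cls, nbr)
            for path, cls, nbr in routes}


if __name__ == "__main__":
    for path, verdict in evaluate().items():
        print(f"{'REJECT' if verdict else 'accept'}  {path}")
    print("junos :", junos_as_path_regex())
    print("ios-xr:", iosxr_as_path_regex())
```

The neighbor-ASN exemption is what separates this from a naive "any Tier-1 anywhere" match: without it, the template would also drop a Tier-1's own routes on the direct peering with it.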

Strengths

  • Cheap to implement: single policy template, no RPKI deployment, no vendor coordination.
  • Immediately effective: catches the most common leak shape (a small AS re-advertises routes it learned from a Tier-1 provider or peer up to another provider).
  • Does not depend on the leaker implementing anything: purely operator-side discipline at the receiver.

Limitations

  • Manual list maintenance: the Tier-1 ASN list drifts as networks merge, change ASN, or gain or lose Tier-1 status; operators need a cadence to keep it current, and a stale entry silently weakens the filter.
  • Non-Tier-1 leaks slip through: the filter only keys on the listed ASNs, so it does not catch a medium network leaking another medium network's routes.
  • No signed attestation: unlike ASPA, it's a local convention, not a global protocol fact.

Relationship to ASPA

Peerlock is the near-term answer; ASPA is the long-term one. Cloudflare frames them as complementary in the Venezuela post:

"In addition to ASPA, we can all implement simpler mechanisms such as Peerlock and Peerlock-lite as operators, which sanity-checks received paths for obvious leaks."

Deploy Peerlock today; deploy ASPA as it matures.
