
ASPA: making Internet routing more secure

Blog post from Cloudflare

Post Details
Company: Cloudflare
Author: Mingwei Zhang and Bryton Herdes
Word Count: 1,964
Language: English
Summary

The Border Gateway Protocol (BGP), essential for directing Internet traffic, is vulnerable to route leaks caused by configuration errors or malicious actions. To address this, the industry is adopting a new cryptographic standard called Autonomous System Provider Authorization (ASPA), which validates the entire path of network traffic to ensure it travels only through authorized networks. It complements the existing Resource Public Key Infrastructure (RPKI), which secures traffic destinations. ASPA allows networks to publish their authorized upstream providers, which facilitates the verification of AS paths and prevents unauthorized route propagation. Cloudflare Radar has introduced an ASPA deployment monitoring feature to track ASPA adoption across the five Regional Internet Registries. While ASPA enhances routing security, it does not fully protect against all forms of forged-origin hijacks. Creating ASPA objects is now a straightforward process, and Cloudflare encourages networks to adopt this cryptographic upgrade to improve Internet path validation and security.