ASPA Strengthens Internet Routing Security by Validating Path Plausibility
Routing security is a critical yet often overlooked aspect of the Internet’s infrastructure. Every time users access a website, send a message, or stream content, the Internet’s routing system operates behind the scenes to facilitate data transfer across global networks. When this system functions correctly, the Internet experience is seamless; however, any disruption can have far-reaching consequences.
In recent years, the Internet community has made significant strides in enhancing routing security through technologies such as Resource Public Key Infrastructure (RPKI) and Route Origin Validation (ROV). These innovations enable networks to verify whether an Autonomous System (AS) is authorized to announce a specific IP address range, thereby reducing the risk of accidental or malicious route hijacking.
While RPKI and ROV effectively address the question of “Who is allowed to originate this route?”, they do not tackle another critical concern: “Does the path this route has taken actually make sense?” This gap is where Autonomous System Provider Authorisation (ASPA) comes into play.
The Emergence of ASPA
ASPA is an emerging standard aimed at bolstering routing security by verifying declared customer-to-provider relationships between networks. Building on the existing RPKI framework, ASPA allows networks to specify which upstream providers they legitimately utilize. This capability enables routers to identify suspicious or implausible routing paths before they can cause significant issues on the global Internet.
Currently, ASPA is beginning to be integrated into operational tools and software, including the RIPE NCC RPKI Dashboard. Although still in its early deployment stages, ASPA is viewed by many in the technical community as a vital next step in securing interdomain routing.
The Importance of Routing Security
The Internet comprises thousands of independently operated networks, known as Autonomous Systems, which exchange routing information using the Border Gateway Protocol (BGP). Initially designed for a smaller, more trusting Internet, BGP lacks robust security measures. As a result, networks generally accept routing information from one another based on trust.
This trust model has led to various issues over the years. Misconfigurations and route leaks have repeatedly disrupted global connectivity. In some instances, traffic has been inadvertently redirected through networks not intended to carry it, while in other cases, malicious actors have hijacked routes to intercept or blackhole traffic.
These challenges are exacerbated by BGP’s inherent inability to verify the information it receives. A router can announce routes it should not be advertising, and other routers will accept this information as valid.
The Role of RPKI and ROV
RPKI was developed to address some of these challenges. It utilizes cryptographic certificates linked to Internet number resources, enabling the holder of an IP address range to create a Route Origin Authorisation (ROA). A ROA specifies which AS is permitted to originate routes for that address space.
Networks that implement Route Origin Validation can compare incoming BGP announcements against these signed objects. If a route is announced by an AS not authorized in a ROA, it can be marked as invalid and subsequently rejected. This process has significantly improved routing hygiene across the Internet, making it easier to detect and filter accidental origin hijacks. Many large networks now default to rejecting invalid routes.
However, RPKI and ROV only validate the origin AS at the end of the path and do not assess the validity of the entire AS path. A route may originate from the correct AS but still traverse an unexpected or suspicious sequence of providers, so a route leak can pass origin validation undetected.
Enhancements Offered by ASPA
ASPA extends the RPKI system by allowing networks to publish information about their provider relationships. An ASPA object is a signed statement created by the holder of an AS Number, listing the ASNs of its legitimate upstream providers. Routers and validators can then use this information to evaluate whether the AS paths seen in BGP are plausible.
For instance, if AS65000 identifies its authorized providers as AS64496 and AS64497, routers can verify whether routes involving AS65000 appear upstream through one of those providers. If a path shows AS65000 reached through an AS that it has not authorized as a provider, it may indicate a route leak or fabricated routing information.
This advancement extends routing security beyond origin validation to include AS-path plausibility checks. Importantly, ASPA does not aim to map the entire Internet or define every relationship between networks. Instead, it focuses specifically on customer-to-provider relationships, which tend to be more stable and easier to manage operationally.
Mechanism of ASPA Verification
ASPA enables routers to compare segments of a BGP path against published customer-to-provider relationships. When a network publishes an ASPA object, it declares which upstream providers are authorized to appear above it in routing paths. This information allows routers to assess whether a path aligns with typical customer-provider patterns observed on the Internet.
If the published ASPA information contradicts part of a route’s path—such as an AS appearing connected to a provider it has not authorized—the route may be classified as ASPA invalid. If insufficient ASPA information is available for a determination, the route remains in an unknown state.
Current operational guidance suggests rejecting clearly invalid customer paths while continuing to accept valid and unknown routes. This approach allows networks to enhance routing security incrementally as ASPA deployment expands across the Internet.
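The check described above can be sketched in a few lines. This is an added example, not code from the article or from any router implementation: a simplified customer-path check that classifies each hop against an ASPA table and applies the "reject invalid, accept valid and unknown" policy. Only AS65000's provider list comes from the article; the other table entry, the extra ASNs and all function names are constructed for illustration, and AS_SET handling is omitted.

```python
# Constructed ASPA table: customer ASN -> set of authorized provider ASNs.
ASPA = {
    65000: {64496, 64497},  # the article's example
    64496: {64500},         # constructed: AS64496 lists AS64500 as its provider
}

def hop(customer, provider, aspa=ASPA):
    """Classify one customer-to-provider hop against the ASPA table."""
    if customer not in aspa:
        return "no-attestation"          # customer published no ASPA object
    return "provider" if provider in aspa[customer] else "not-provider"

def verify_customer_path(as_path, neighbor, aspa=ASPA):
    """Return 'valid', 'invalid' or 'unknown' for a route learned from a customer.

    as_path is in BGP order: the neighbor's ASN first, the origin ASN last.
    """
    if not as_path or as_path[0] != neighbor:
        return "invalid"                 # empty path, or first hop is not the sender
    # Collapse AS-path prepending so each AS appears once per position.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    path.reverse()                       # walk from the origin upward
    results = [hop(c, p, aspa) for c, p in zip(path, path[1:])]
    if "not-provider" in results:
        return "invalid"                 # some AS is reached via an unauthorized provider
    if "no-attestation" in results:
        return "unknown"                 # not enough ASPA data to decide
    return "valid"

def accept(as_path, neighbor, aspa=ASPA):
    """Policy from the text: drop invalid paths, keep valid and unknown ones."""
    return verify_customer_path(as_path, neighbor, aspa) != "invalid"

if __name__ == "__main__":
    samples = [                          # constructed announcements
        ([64500, 64496, 65000], 64500),         # every hop attested
        ([64510, 65000], 64510),                # AS64510 is not a provider of AS65000
        ([64505, 64497, 65000], 64505),         # AS64497 has no ASPA object
        ([64496, 64496, 65000, 65000], 64496),  # prepended but otherwise fine
    ]
    for path, nbr in samples:
        print(path, verify_customer_path(path, nbr), accept(path, nbr))
```
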
Leveraging Existing Infrastructure
ASPA builds on the infrastructure that many networks already utilize. The same RPKI validators that process ROAs can also validate ASPA objects, while routers receive validated information through the RPKI-to-router protocol and apply ASPA verification locally. The inclusion of ASPA support in the RIPE NCC’s RPKI Dashboard highlights this operational continuity.
However, like any routing security mechanism, ASPA introduces operational responsibilities. Networks must maintain accurate inventories of their upstream providers and update ASPA objects when relationships change. An accidental omission of a provider could result in legitimate routes appearing invalid to ASPA-aware networks, making ASPA a technology that requires ongoing management.
A Step Forward in Routing Security
ASPA is currently evolving through the Internet Engineering Task Force (IETF) standardization process, with specifications deemed mature enough for operational experimentation and early deployment. Support is already available in BIRD and OpenBGPD, with testing underway in Cisco IOS-XR.
No single technology can fully secure Internet routing. The decentralized structure and vast scale of the Internet make perfect validation unattainable. However, ASPA signifies a crucial evolution in routing security. While RPKI and ROV address who is authorized to announce an IP prefix, ASPA begins to evaluate whether the path used to reach that prefix is credible.
As the Internet continues to support essential infrastructure, commerce, government services, and daily communication, enhancing trust in routing becomes increasingly vital. Incremental improvements can help reduce outages, limit the impact of leaks, and complicate malicious attacks.
For most Internet users, these systems remain invisible. However, for the networks that sustain the Internet, technologies like ASPA are integral to a broader initiative aimed at making global routing more resilient, verifiable, and secure.
Source: securitymiddleeastmag.com


