"When data travels across the Internet, it keeps a running log of every network it passes through. ASPA provides networks with a way to officially publish a list of their authorized upstream providers within the RPKI system. This allows any receiving network to look at the AS_PATH, check the associated ASPA records, and verify that the traffic only traveled through an approved chain of networks."
"The Border Gateway Protocol (BGP) is essential for routing traffic across the Internet but lacks native path validation, leaving it susceptible to route leaks and hijacks. Although RPKI and Route Origin Authorizations (ROAs) strengthen route origin validation, they do not verify the end-to-end path. ASPA provides network operators with a cryptographic method to declare their authorized providers."
Cloudflare announced support for ASPA (Autonomous System Provider Authorization), an RPKI-based security mechanism that enhances Internet routing security. ASPA allows networks to publish authorized upstream providers within the RPKI system, enabling receiving networks to verify that traffic travels only through approved network chains. The Border Gateway Protocol (BGP) lacks native path validation, making it vulnerable to route leaks and hijacks. While existing RPKI and Route Origin Authorizations (ROAs) validate route origins, they cannot verify end-to-end paths. ASPA provides network operators with cryptographic methods to declare authorized providers and detect route detours by validating the expected hierarchical structure of Internet routing.
#internet-routing-security #aspa-autonomous-system-provider-authorization #bgp-security #rpki #route-validation
Read at InfoQ
Unable to calculate read time
Collection
[
|
...
]