ASPA: making Internet routing more secure

Summary

The article introduces ASPA (Autonomous System Provider Authorization), a new cryptographic standard aimed at enhancing the security of Internet routing by validating the paths that network traffic takes. It builds upon the existing RPKI (Resource Public Key Infrastructure) framework, which secures traffic destinations through Route Origin Authorizations (ROAs). ASPA allows networks to publish lists of authorized upstream providers, enabling receiving networks to verify that traffic follows an approved path. The validation process involves checking the 'Up-Ramp' and 'Down-Ramp' of traffic paths to ensure they align, thus preventing route leaks and enhancing overall routing security. The article also discusses the implementation of ASPA in Cloudflare Radar and its implications for network operators.

Key Learnings

• 1ASPA enhances Internet routing security by validating the entire path of network traffic, preventing route leaks.
• 2The validation process involves checking both the upstream and downstream paths to ensure they conform to authorized relationships.
• 3ASPA builds on RPKI's foundation, which secures traffic origins through ROAs, thus addressing both origin hijacks and path validation.
• 4The implementation of ASPA requires careful management of authorized providers to avoid legitimate traffic being dropped.
• 5ASPA can expose forged-origin hijacks by allowing networks to cryptographically declare their authorized providers.

Who Should Read This

Senior Network Engineers implementing routing security protocols and seeking to understand the implications of ASPA on BGP configurations.

Test Your Knowledge

Topics