Cloudflare recently announced support for ASPA (Autonomous System Provider Authorization). The new cryptographic standard helps make Internet routing safer by verifying the chain of networks a route announcement passes through on its way to a destination, so that traffic is not steered through networks that were never authorized to carry it.
ASPA is an RPKI-based security mechanism designed to make Internet routing (BGP) more secure by validating the AS_PATH (the chain of networks a route announcement traverses), thereby reducing route leaks and some classes of hijacks. The goal of the emerging standard is to improve Internet reliability and reduce accidental or malicious traffic detours. Mingwei Zhang, principal systems engineer at Cloudflare, and Bryton Herdes, principal network engineer at Cloudflare, explain:
When data travels across the Internet, it keeps a running log of every network it passes through (…) ASPA provides networks with a way to officially publish a list of their authorized upstream providers within the RPKI system. This allows any receiving network to look at the AS_PATH, check the associated ASPA records, and verify that the traffic only traveled through an approved chain of networks.
The Border Gateway Protocol (BGP) is essential for routing traffic across the Internet but has no native path validation, which leaves it susceptible to route leaks and hijacks. RPKI and Route Origin Authorizations (ROAs) let a receiving network check that the origin AS is authorized to announce a prefix, but they say nothing about the ASes between the origin and the receiver. ASPA gives network operators a cryptographic way to declare their authorized providers, so that a receiving network can verify that an AS path is consistent with the declared customer-provider relationships.
ASPA detects route detours by validating the expected hierarchical structure of Internet routing. In a normal, “valley-free” topology, a route announcement moves up from a customer to one or more upstream providers, may cross at most one peer-to-peer link at the apex of the path, and then moves down through providers to the destination customer. This customer-to-provider ascent, optional peer crossing, and provider-to-customer descent form the standard policy-compliant path; a path that goes down and then up again (a “valley”) is the signature of a route leak.
Source: Cloudflare blog
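The following is an added example, not code from Cloudflare, OpenBGPD, BIRD or the IETF specification, showing how a receiving router can apply the valley-free rule above using ASPA records. Each hop is classified as Provider+ (the next AS appears in the previous AS's ASPA), Not Provider+ (the previous AS has an ASPA that omits the next AS) or No Attestation (no ASPA published). Routes learned from a customer or peer must ascend all the way; routes learned from a provider must be an up-ramp, at most one apex hop, then a down-ramp. The ASNs (documentation range 64496-64511) and the ASPA records are constructed for illustration, the hop/verify function names are the example's own, and the normative IETF procedure should be consulted for a production implementation.

```python
"""Illustrative ASPA-style AS_PATH verification (constructed example)."""
from typing import Dict, List, Set

PROVIDER_PLUS = "Provider+"
NOT_PROVIDER_PLUS = "Not Provider+"
NO_ATTESTATION = "No Attestation"
VALID, INVALID, UNKNOWN = "Valid", "Invalid", "Unknown"

# Constructed ASPA records: customer ASN -> set of authorized provider ASNs.
ASPA_RECORDS: Dict[int, Set[int]] = {
    64496: {64497},          # stub origin, single upstream 64497
    64497: {64498, 64499},   # multihomed customer of 64498 and 64499
    64498: {64510},          # transit provider, itself a customer of 64510
    64499: {64510},          # transit provider, itself a customer of 64510
    64501: {64498},          # stub origin, single upstream 64498
}


def hop(aspa: Dict[int, Set[int]], customer: int, candidate: int) -> str:
    """Classify the claim 'candidate is a provider of customer' against ASPA."""
    providers = aspa.get(customer)
    if providers is None:
        return NO_ATTESTATION            # customer has published no ASPA
    return PROVIDER_PLUS if candidate in providers else NOT_PROVIDER_PLUS


def collapse_prepends(as_path: List[int]) -> List[int]:
    """Drop consecutive duplicate ASNs (AS_PATH prepending) before checking."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(aspa: Dict[int, Set[int]], as_path: List[int]) -> str:
    """Route received from a customer or lateral peer (AS_PATH in wire order,
    neighbor first, origin last): every hop, read from the origin outwards,
    must be customer-to-provider."""
    asns = list(reversed(collapse_prepends(as_path)))   # asns[0] is the origin
    ups = [hop(aspa, asns[i], asns[i + 1]) for i in range(len(asns) - 1)]
    if NOT_PROVIDER_PLUS in ups:
        return INVALID
    return VALID if all(u == PROVIDER_PLUS for u in ups) else UNKNOWN


def verify_downstream(aspa: Dict[int, Set[int]], as_path: List[int]) -> str:
    """Route received from a provider: up-ramp, at most one apex hop, down-ramp."""
    asns = list(reversed(collapse_prepends(as_path)))
    n_hops = len(asns) - 1
    if n_hops <= 1:
        return VALID    # a single hop can always be read as valley-free
    ups = [hop(aspa, asns[i], asns[i + 1]) for i in range(n_hops)]
    downs = [hop(aspa, asns[i + 1], asns[i]) for i in range(n_hops)]
    # Longest attested up-ramp from the origin and down-ramp towards us.
    up_len = 0
    while up_len < n_hops and ups[up_len] == PROVIDER_PLUS:
        up_len += 1
    down_len = 0
    while down_len < n_hops and downs[n_hops - 1 - down_len] == PROVIDER_PLUS:
        down_len += 1
    if n_hops - up_len - down_len <= 1:
        return VALID    # ramps meet, or leave exactly one (peer) hop between them
    # A hop that cannot be upward followed later by a hop that cannot be
    # downward forces a valley, however the unattested hops are read.
    first_not_up = next((i for i, u in enumerate(ups) if u == NOT_PROVIDER_PLUS), None)
    last_not_down = next((i for i in range(n_hops - 1, -1, -1)
                          if downs[i] == NOT_PROVIDER_PLUS), None)
    if first_not_up is not None and last_not_down is not None and first_not_up < last_not_down:
        return INVALID
    return UNKNOWN


if __name__ == "__main__":
    # We are a customer of 64499. A normal route from 64496 via 64497 and 64499.
    print(verify_downstream(ASPA_RECORDS, [64499, 64497, 64496]))
    # Leak: 64497 learned 64501's route from provider 64498 and re-announced
    # it to its other provider 64499 (down, then up).
    print(verify_downstream(ASPA_RECORDS, [64499, 64497, 64498, 64501]))
    # Same leak, but 64499 has not published an ASPA: the valley is not provable.
    partial = {k: v for k, v in ASPA_RECORDS.items() if k != 64499}
    print(verify_downstream(partial, [64499, 64497, 64498, 64501]))
```

The third case is the point made in the quote below about adoption: the leaked path only becomes provably Invalid once the provider at the far end of the valley has published an ASPA, so the coverage of records matters as much as the validating software.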
Last year, NIST released open-source test tools and datasets to facilitate testing and experimentation with emerging BGP security and resilience mechanisms, including the ability to evaluate router implementations of ASPA specifications.
Cloudflare also added tools to Cloudflare Radar to track how widely ASPA is being adopted, so network operators can see who’s using it and how paths are validated. Zhang and Herdes warn:
With ASPA finally becoming a reality, we have our cryptographic upgrade for Internet path validation. However, those who have been around since the start of RPKI for route origin validation know this will be a long road to actually providing significant value on the Internet. Changes are needed to RPKI Relying Party (RP) packages, signer implementations, RTR (RPKI-to-Router protocol) software, and BGP implementations to actually use ASPA objects and validate paths with them.
Source: Cloudflare blog
In its analysis of the recent Venezuela BGP route leak, Cloudflare notes that ASPA would have helped networks detect and reject the abnormal path announcements by checking whether the observed AS path matched the attested provider relationships, something origin validation alone cannot do, since a leaked route still carries its legitimate origin AS.
Cloudflare is not the only provider committed to the new cryptographic standard. In the “AWS secures internet routing with RPKI plus security checks” article published last year, the team at AWS writes:
Although ASPA is still being standardized, we are committed to using it and all tools at our disposal to continue to make the internet a safe and reliable place for everyone.
While the specific IETF standard remains in draft, Cloudflare notes that ARIN and RIPE NCC already support ASPA object creation, and routing software such as OpenBGPD and BIRD includes ASPA validation.
