Remix.run Logo
greyface- an hour ago

RPKI addresses both.

Route Origin Authorizations (ROAs) enforce which ASes are allowed to originate a prefix. ROAs address origin hijacks, and have been around for longer.

Autonomous System Provider Authorizations (ASPAs) enforce which ASes are allowed to be adjacent to each other in an AS_PATH. ASPAs address path hijacks, and were introduced more recently. It used to be that you had to self-host (as in the article) in order to publish ASPAs, but RIRs are now starting to support them on their hosted RPKI offerings. I'm surprised the article didn't mention this as a reason to run your own RPKI.

If the first hop publishes a ROA, and all subsequent hops publish an ASPA, then the full path can be validated.

jcgl 32 minutes ago | parent [-]

What's the history and status of ASPA? As far as I can see, it's a fairly active draft with the IETF: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-ver...

It says it's on the standards track, but it's clearly quite new. How well has it been proven out? This page from Hurricane Electric shows <3% adoption: https://bgp.he.net/report/rpki_and_aspa

greyface- 8 minutes ago | parent [-]

It's still very early. RIPE and ARIN have only supported publishing them for a few months. ARIN made very little noise about it during the rollout, and many networks are probably still unaware. Give it a couple years, and I expect we'll see fairly good adoption among those already publishing ROAs. There will still be the never-RPKI holdouts, however.

HE publishes their full ASPA table here, if you're interested in digging in: https://routing.he.net/?cmd=display_aspa_table