| ▲ | greyface- an hour ago | |||||||
RPKI addresses both. Route Origin Authorizations (ROAs) enforce which ASes are allowed to originate a prefix. ROAs address origin hijacks, and have been around for longer. Autonomous System Provider Authorizations (ASPAs) enforce which ASes are allowed to be adjacent to each other in an AS_PATH. ASPAs address path hijacks, and were introduced more recently. It used to be that you had to self-host (as in the article) in order to publish ASPAs, but RIRs are now starting to support them on their hosted RPKI offerings. I'm surprised the article didn't mention this as a reason to run your own RPKI. If the first hop publishes a ROA, and all subsequent hops publish an ASPA, then the full path can be validated. | ||||||||
| ▲ | jcgl 32 minutes ago | parent [-] | |||||||
What's the history and status of ASPA? As far as I can see, it's a fairly active draft with the IETF: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-ver... It says it's on the standards track, but it's clearly quite new. How well has it been proven out? This page from Hurricane Electric shows <3% adoption: https://bgp.he.net/report/rpki_and_aspa | ||||||||
| ||||||||