This post introduces ASPA (Autonomous System Provider Authorization), a new RPKI-based standard (developed in the IETF SIDROPS working group) for validating the AS path of BGP routes, aimed chiefly at detecting route leaks and forged-origin hijacks.
- ASPA extends RPKI by letting each network publish a signed record of the upstream providers it has authorized, so validators can check every customer-to-provider hop in the AS path rather than only the origin AS, which is all a ROA covers
- Validation follows the "up-ramp" of customer-to-provider hops from the origin and the "down-ramp" from the receiving side; if the two ramps cannot be joined (they share an apex or are linked by a single peering hop) the route is ASPA Invalid, and if the gap exists only because some AS on the path has published no ASPA, the result is Unknown rather than Invalid
- ASPA can detect the classic route leak in which a customer inadvertently acts as a transit bridge between two of its providers (a down-and-up "valley" in the path), because the leaked hop is never an authorized customer-to-provider hop
- ASPA also defends against forged-origin hijacks, since a path that places an unauthorized AS directly above the victim origin fails validation, though peering links forged by a provider remain a blind spot
- Creating ASPA objects is straightforward via the RIPE and ARIN RPKI dashboards by listing your provider AS numbers; Cloudflare Radar has added an ASPA deployment
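The following is an added example, not code from the original post or from Cloudflare, that carries the up-ramp/down-ramp check described above through in Python. ASPA records are modelled as a map from customer ASN to the set of providers it has authorized, each hop is classified as Provider+, Not Provider+ or No Attestation, and a route received from a provider is judged by whether the up-ramp from the origin and the down-ramp from the neighbour can be joined. The AS numbers, the ASPA records and the exact min/max ramp arithmetic are assumptions made for this example; the structure is modelled on the IETF SIDROPS verification draft, which should be consulted for the normative rules.

```python
"""Toy ASPA path verification (added example; constructed ASNs and ASPA records)."""
from enum import Enum


class Hop(Enum):
    PROVIDER_PLUS = "Provider+"          # customer's ASPA lists the next AS as a provider
    NOT_PROVIDER_PLUS = "Not Provider+"  # customer has an ASPA and it omits the next AS
    NO_ATTESTATION = "No Attestation"    # customer has published no ASPA at all


# Constructed ASPA records: customer ASN -> set of authorized provider ASNs.
# An ASN missing from the dict has published no ASPA (e.g. 64520, a transit-free AS).
ASPA = {
    64500: {64510, 64511},  # origin, dual-homed to 64510 and 64511
    64510: {64520},         # both upstreams buy transit from 64520
    64511: {64520},
    64512: {64510, 64511},  # a customer of both 64510 and 64511 (potential leaker)
    64530: {64520},         # "our" provider in the downstream scenarios below
}


def hop(customer, candidate_provider, aspa=ASPA):
    """Classify the hop customer -> candidate_provider using the customer's ASPA."""
    providers = aspa.get(customer)
    if providers is None:
        return Hop.NO_ATTESTATION
    return Hop.PROVIDER_PLUS if candidate_provider in providers else Hop.NOT_PROVIDER_PLUS


def _ramp(pairs, allowed):
    """Number of leading hops in `pairs` whose classification is in `allowed`."""
    count = 0
    for customer, provider in pairs:
        if hop(customer, provider) not in allowed:
            break
        count += 1
    return count


def verify(path, from_provider):
    """Return 'Valid', 'Invalid' or 'Unknown' for an AS path.

    path is origin-first: path[0] is the origin AS, path[-1] the neighbour that
    sent us the route. from_provider is True when that neighbour is one of our
    providers; False for a customer or lateral peer. The hop from the neighbour
    to our own AS is implied by the business relationship and is not checked.
    """
    n = len(path)
    up_pairs = [(path[i], path[i + 1]) for i in range(n - 1)]          # origin climbing up
    down_pairs = [(path[j], path[j - 1]) for j in range(n - 1, 0, -1)]  # neighbour climbing up
    strict = {Hop.PROVIDER_PLUS}
    loose = {Hop.PROVIDER_PLUS, Hop.NO_ATTESTATION}

    if not from_provider:
        # A route from a customer or peer must be pure up-ramp: every hop customer -> provider.
        if _ramp(up_pairs, loose) < n - 1:
            return "Invalid"
        return "Valid" if _ramp(up_pairs, strict) == n - 1 else "Unknown"

    # Route from a provider: the up-ramp from the origin and the down-ramp from our
    # provider must share an apex AS or be joined by one peering link. Ramp lengths
    # are counted in ASes (hops + 1), so a peering join gives exactly n and an apex n + 1.
    min_up, max_up = _ramp(up_pairs, strict) + 1, _ramp(up_pairs, loose) + 1
    min_down, max_down = _ramp(down_pairs, strict) + 1, _ramp(down_pairs, loose) + 1
    if max_up + max_down < n:     # signed records say the gap cannot be bridged
        return "Invalid"
    if min_up + min_down >= n:    # every hop is covered by a signed authorization
        return "Valid"
    return "Unknown"              # the gap exists only because some AS has no ASPA


# Constructed scenarios (path, received-from-provider?) for the cases discussed above.
SCENARIOS = {
    "legit, ramps meet at apex 64520":        ([64500, 64510, 64520, 64530], True),
    "valley leak: 64512 bridges 64510->64511": ([64500, 64510, 64512, 64511], True),
    "forged origin from our customer 64666":   ([64500, 64666], False),
    "forged origin behind our provider":       ([64500, 64666, 64530], True),
    "unattested ASes in the gap":              ([64501, 64560, 64530], True),
    "forged origin by authorized provider":    ([64500, 64511, 64520], True),
}

if __name__ == "__main__":
    for name, (path, from_prov) in SCENARIOS.items():
        print(f"{name:45s} {path} -> {verify(path, from_prov)}")
```

The last scenario is worth a look: an announcement of 64500's prefix by 64511, a provider that 64500 has genuinely authorized, validates exactly like the real route. ASPA attests customer-to-provider relationships, not who is allowed to originate, so a hijack by an authorized provider is outside what it can catch; origin validation with ROAs and ASPA complement each other rather than overlap.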