Cloudflare has announced support for ASPA (Autonomous System Provider Authorization), an RPKI-based cryptographic standard designed to improve BGP routing security. ASPA validates the full AS_PATH that route announcements traverse, going beyond existing ROA-based origin validation to detect route leaks and hijacks by verifying that traffic only passes through authorized upstream providers. The standard enforces 'valley-free' routing topology, where traffic ascends through customer-to-provider links, optionally crosses a peer link, then descends to the destination. Cloudflare has also added ASPA adoption tracking to Cloudflare Radar. While ARIN and RIPE NCC already support ASPA object creation and some routing software includes validation, widespread adoption will require updates across RPKI relying party packages, signer implementations, RTR software, and BGP implementations. AWS has also expressed commitment to the standard, which remains an IETF draft.
Sort: