ASPA:インターネットルーティングのセキュリティ向上
Cloudflareは、BGPルートリークを防ぎインターネットルーティングの完全な経路を検証する新暗号規格ASPA(Autonomous System Provider Authorization)の導入と、その展開状況を監視するCloudflare Radarの新機能を発表した。
キーポイント
ASPAの基本概念と目的
ASPAは既存のRPKI/ROA(宛先の検証)を補完し、データが通過するネットワークの連鎖(AS_PATH)が認可された経路であることを検証することで、ルートリークを防ぐ暗号規格である。
技術的な動作原理
ネットワークはRPKIシステム内に認可された上位プロバイダーのリストを公開し、受信側はこのASPAレコードとBGPのAS_PATHログを照合することで、不正な迂回経路を検出する。
Cloudflare Radarによる可視化
CloudflareはASPAの展開状況を追跡する新ツールをCloudflare Radarに追加し、5つの地域インターネット登録局(RIR)および各ASレベルでの採用トレンドとレコード変更を監視可能にした。
ASPAの役割と検証メカニズム
ASPAはネットワーク演算子が認可されたプロバイダーを暗号的に宣言する仕組みを提供し、受信側がASパスが期待される構造(バレーフリー)に従っているか検証可能にする。
アップランプとダウンランプの双方向チェック
検証は、オリジンから先へ向かう「アップランプ」と、BGP更新の宛先から後方へ戻る「ダウンランプ」の両方向で行われ、両者が頂点で一致すれば有効とみなす。
ルートリークの検出と「バレー」の概念
有効なパスが一致しない場合、中間に認可の欠如や無効なギャップが生じ、これが「バレー」すなわちルートリークとしてASP Aにより問題のあるパスと報告される。
ASPAによる偽造オリジンハイジャックの防御
攻撃者が正当なオリジンASを騙ってBGP経路を宣伝する偽造オリジンハイジャックに対し、ASPAは被害者ネットワークの認可されたプロバイダリストを暗号学的に宣言することで、不正な経路を無効として拒否する効果的な防御手段となる。
影響分析・編集コメントを表示
影響分析
ASPAの普及は、インターネット基盤セキュリティにおいて「宛先不正(ハッキング)」から「経路不正(リーク/中継)」への防御焦点をシフトさせる重要な転換点となる。Cloudflareのような主要ISPによる可視化ツールの提供は、業界全体の採用加速を促し、より堅牢なルーティングインフラの実現に寄与する。
編集コメント
インターネットの根幹であるルーティングプロトコルのセキュリティ強化は長年の課題だったが、ASPAという具体的な技術標準と可視化ツールの組み合わせにより、実装可能な段階に入ったことを示唆している。

手順は非常に簡単です。わずかな待機時間の後、グローバルなRPKI (Resource Public Key Infrastructure) エコシステムに問い合わせ、私たちが定義したプロバイダー情報を持つAS203898用のASPA (Autonomous System Provider Authorization) オブジェクトを確認できます。

現在ASPAオブジェクトの作成をサポートしているもう一つの地域インターネットレジストリ (Regional Internet Registry, RIR) であるARIN (American Registry for Internet Numbers) でも、手順は同様です。ARINオンラインにログインし、「Routing Security」に移動して「Manage RPKI」をクリックします。

そこから「Create ASPA」をクリックできます。この例では、私たちの別の自律システム番号 (Autonomous System Number, ASN) であるAS400095用のオブジェクトを作成します。

これで完了です。プロバイダーとしてAS0を持つAS400095用のASPAオブジェクトが作成されました。


「AS0」プロバイダーエントリは特別な意味を持ち、自律システム (Autonomous System, AS) の所有者が自身のネットワークに対して有効なアップストリームプロバイダーが存在しないことを宣言することを意味します。定義上、これはすべてのトランジットフリーのTier-1ネットワークが、真にピアおよびカスタマー関係しか持たない場合、最終的には「AS0」のみを含むASPAを作成すべきであることを意味します。
Cloudflare Radarにおける新しいASPA機能
私たちは、Cloudflare Radarに新しいASPA導入状況監視機能を追加しました。新しいASPA導入状況ビューでは、ユーザーは5つの地域インターネットレジストリ (RIR) 全体でのASPA採用の成長を経時的に調べ、傾向を可視化することができます。

また、ASPAデータを国/地域およびASNルーティングページに直接統合しました。ユーザーは現在、ローカルに登録されたカスタマーASNに関連付けられたASPAレコードに基づいて、異なる地域が自らのインフラストラクチャのセキュリティ確保をどのように進めているかを追跡できるようになりました。

また、特定の自律システム (AS) 、例えばAS203898にズームインした際の新機能もあります。

ネットワークで観測されたBGP (Border Gateway Protocol) アップストリームプロバイダーがASPAによって認可されているかどうか、ASPAオブジェクト内のプロバイダーの完全なリスト、およびそのASに関わるASPA変更のタイムラインを確認することができます。
より良いルーティングセキュリティへの道
ASPAがついに現実のものとなったことで、インターネット経路検証のための暗号化アップグレードを手に入れました。しかし、ルートオリジン検証のためのRPKIの開始時から関わってきた人々は、これがインターネット上で実際に大きな価値を提供するまでには長い道のりになることを知っています。ASPAオブジェクトを実際に使用し、それらで経路を検証するためには、RPKIリレーイングパーティ (Relying Party, RP) パッケージ、署名者実装、RTR (RPKI-to-Router) プロトコルソフトウェア、およびBGP実装への変更が必要です。
ASPAの採用に加えて、オペレーターはRFC9234で説明されているようにBGPロールを設定すべきです。BGPセッションで設定されたBGPロールは、ルーター上の将来のASPA実装がどのアルゴリズム(アップストリームまたはダウンストリーム)を適用するかを決定するのに役立ちます。言い換えれば、BGPロールは、オペレーターとして、別のASとの意図したBGP関係を、そのネイバーとのセッションに直接結びつける力を与えてくれます。ルーティングベンダーに確認し、RFC9234 BGPロールとOTC (Only-to-Customer) 属性の実装をサポートしていることを確認してください。
ASPAを最大限に活用するために、私たちは皆さんが自身のAS用のASPAオブジェクトを作成することをお勧めします。これらのASPAオブジェクトの作成と維持には注意深い配慮が必要です。将来、ネットワークがこれらのレコードを使用して無効な経路を積極的にブロックするようになると、正当なプロバイダーを省略するとトラフィックがドロップされる可能性があります。しかし、このリスクの管理は、ネットワークが現在すでにルートオリジン認可 (Route Origin Authorization, ROA) をどのように扱っているかと変わりません。ASPAはインターネット経路検証に必要な暗号化アップグレードであり、それが実現したことを嬉しく思います!
原文を表示
Internet traffic relies on the Border Gateway Protocol (BGP) to find its way between networks. However, this traffic can sometimes be misdirected due to configuration errors or malicious actions. When traffic is routed through networks it was not intended to pass through, it is known as a route leak. We have written on our blog multiple times about BGP route leaks and the impact they have on Internet routing, and a few times we have even alluded to a future of path verification in BGP.
While the network community has made significant progress in verifying the final destination of Internet traffic, securing the actual path it takes to get there remains a key challenge for maintaining a reliable Internet. To address this, the industry is adopting a new cryptographic standard called ASPA (Autonomous System Provider Authorization), which is designed to validate the entire path of network traffic and prevent route leaks.
To help the community track the rollout of this standard, Cloudflare Radar has introduced a new ASPA deployment monitoring feature. This view allows users to observe ASPA adoption trends over time across the five Regional Internet Registries (RIRs), and view ASPA records and changes over time at the Autonomous System (AS) level.
What is ASPA?
To understand how ASPA works, it is helpful to look at how the Internet currently secures traffic destinations.
Today, networks use a secure infrastructure system called RPKI (Resource Public Key Infrastructure), which has seen significant deployment growth over the past few years. Within RPKI, networks publish specific cryptographic records called ROAs (Route Origin Authorizations). A ROA acts as a verifiable digital ID card, confirming that an Autonomous System (AS) is officially authorized to announce specific IP addresses. This addresses the "origin hijacks" issue, where one network attempts to impersonate another.
ASPA (Autonomous System Provider Authorization) builds directly on this foundation. While a ROA verifies the destination, an ASPA record verifies the journey.
When data travels across the Internet, it keeps a running log of every network it passes through. In BGP, this log is known as the AS_PATH (Autonomous System Path). ASPA provides networks with a way to officially publish a list of their authorized upstream providers within the RPKI system. This allows any receiving network to look at the AS_PATH, check the associated ASPA records, and verify that the traffic only traveled through an approved chain of networks.
A ROA helps ensure the traffic arrives at the correct destination, ASPA ensures the traffic takes an intended, authorized route to get there. Let’s take a look at how path evaluation actually works in practice.
Route leak detection with ASPA
How does ASPA know if a route is a detour? It relies on the hierarchy of the Internet.
In a healthy Internet routing topology (e.g. “valley-free” routing), traffic generally follows a specific path: it travels "up" from a customer to a large provider (like a major ISP), optionally crosses over to another big provider, and then flows "down" to the destination. You can visualize this as a “mountain” shape:
The Up-Ramp: Traffic starts at a Customer and travels "up" through larger and larger Providers (ISPs), where ISPs pay other ISPs to transit traffic for them.
The Apex: It reaches the top tier of the Internet backbone and may cross a single peering link.
The Down-Ramp: It travels "down" through providers to reach the destination Customer.
image
A visualization of "valley-free" routing. Routes propagate up to a provider, optionally across one peering link, and down to a customer.
In this model, a route leak is like a valley, or dip. One type of such leak happens when traffic goes down to a customer and then unexpectedly tries to go back up to another provider.
image
This "down-and-up" movement is undesirable as customers aren't intended nor equipped to transit traffic between two larger network providers.
How ASPA validation works
ASPA gives network operators a cryptographic way to declare their authorized providers, enabling receiving networks to verify that an AS path follows this expected structure.
ASPA validates AS paths by checking the “chain of relationships” from both ends of the routes propagation:
Checking the Up-Ramp: The check starts at the origin and moves forward. At every hop, it asks: "Did this network authorize the next network as a Provider?" It keeps going until the chain stops.
Checking the Down-Ramp: It does the same thing from the destination of a BGP update, moving backward.
If the "Up" path and the "Down" path overlap or meet at the top, the route is Valid. The mountain shape is intact.
However, if the two valid paths do not meet, i.e. there is a gap in the middle where authorization is missing or invalid, ASPA reports such paths as problematic. That gap represents the "valley" or the leak.
Validation process example
Let’s look at a scenario where a network (AS65539) receives a bad route from a customer (AS65538).
image
The customer (AS65538) is trying to send traffic received from one provider (AS65537) "up" to another provider (AS65538), acting like a bridge between providers. This is a classic route leak. Now let’s walk the ASPA validation process.
We check the Up-Ramp: The original source (AS65536) authorizes its provider. (Check passes).
We check the Down-Ramp: We start from the destination and look back. We see the customer (AS65538).
The Mismatch: The up-ramp ends at AS65537, while the down-ramp ends at 65538. The two ramps do not connect.
Because the "Up" path and "Down" path fail to connect, the system flags this as ASPA Invalid. ASPA is required to do this path validation, as without signed ASPA objects in RPKI, we cannot find which networks are authorized to advertise which prefixes to whom. By signing a list of provider networks for each AS, we know which networks should be able to propagate prefixes laterally or upstream.
ASPA against forged-origin hijacks
ASPA can serve as an effective defense against forged-origin hijacks, where an attacker bypasses Route Origin Validation (ROV) by pretending and advertising a BGP path to a real origin prefix. Although the origin AS remains correct, the relationship between the hijacker and the victim is fabricated.
image
ASPA exposes this deception by allowing the victim network to cryptographically declare its actual authorized providers; because the hijacker is not on that authorized list, the path is rejected as invalid, effectively preventing the malicious redirection.
image
ASPA cannot fully protect against forged-origin hijacks, however. There is still at least one case where not even ASPA validation can fully prevent this type of attack on a network. An example of a forged-origin hijack that ASPA cannot account for is when a provider forges a path advertisement to their customer.
image
Essentially, a provider could “fake” a peering link with another AS to attract traffic from a customer with a short AS_PATH length, even when no such peering link exists. ASPA does not prevent this path forgery by the provider, because ASPA only works off of provider information and knows nothing specific about peering relationships.
So while ASPA can be an effective means of rejecting forged-origin hijack routes, there are still some rare cases where it will be ineffective, and those are worth noting.
Creating ASPA objects: just a few clicks away
Creating an ASPA object for your network (or Autonomous System) is now a simple process in registries like RIPE and ARIN. All you need is your AS number and the AS numbers of the providers you purchase Internet transit service from. These are the authorized upstream networks you trust to announce your IP addresses to the wider Internet. In the opposite direction, these are also the networks you authorize to send you a full routing table, which acts as the complete map of how to reach the rest of the Internet.
We’d like to show you just how easy creating an ASPA object is with a quick example.
Say we need to create the ASPA object for AS203898, an AS we use for our Cloudflare London office Internet. At the time of writing we have three Internet providers for the office: AS8220, AS2860, and AS1273. This means we will create an ASPA object for AS203898 with those three provider members in a list.
First, we log into the RIPE RPKI dashboard and navigate to the ASPA section:
image
Then, we click on “Create ASPA” for the object we want to create an ASPA object for. From there, we just fill in the providers for that AS.
image
It’s as simple as that. After just a short period of waiting, we can query the global RPKI ecosystem and find our ASPA object for AS203898 with the providers we defined.
image
It’s a similar story with ARIN, the only other Regional Internet Registries (RIRs) that currently supports the creation of ASPA objects. Log in to ARIN online, then navigate to Routing Security, and click “Manage RPKI”.
image
From there, you’ll be able to click on “Create ASPA”. In this example, we will create an object for another one of our ASNs, AS400095.
image
And that’s it – now we have created our ASPA object for AS40095 with provider AS0.
image
image
The “AS0” provider entry is special when used, and means the AS owner attests there are no valid upstream providers for their network. By definition this means every transit-free Tier-1 network should eventually sign an ASPA with only “AS0” in their object, if they truly only have peer and customer relationships.
New ASPA features in Cloudflare Radar
We have added a new ASPA deployment monitoring feature to Cloudflare Radar. The new ASPA deployment view allows users to examine the growth of ASPA adoption over time, with the ability to visualize trends across the five Regional Internet Registries (RIRs) based on AS registration.
image
We have also integrated ASPA data directly into the country/region and ASN routing pages. Users can now track how different locations are progressing in securing their infrastructure, based on the associated ASPA records from the customer ASNs registered locally.
image
There are also new features when you zoom into a particular Autonomous System (AS), for example AS203898.
image
We can see whether a network’s observed BGP upstream providers are ASPA authorized, their full list of providers in their ASPA object, and the timeline of ASPA changes that involve their AS.
The road to better routing security
With ASPA finally becoming a reality, we have our cryptographic upgrade for Internet path validation. However, those who have been around since the start of RPKI for route origin validation know this will be a long road to actually providing significant value on the Internet. Changes are needed to RPKI Relaying Party (RP) packages, signer implementations, RTR (RPKI-to-Router protocol) software, and BGP implementations to actually use ASPA objects and validate paths with them.
In addition to ASPA adoption, operators should also configure BGP roles as described within RFC9234. The BGP roles configured on BGP sessions will help future ASPA implementations on routers decide which algorithm to apply: upstream or downstream. In other words, BGP roles give us the power as operators to directly tie our intended BGP relationships with another AS to sessions with those neighbors. Check with your routing vendors and make sure they support RFC9234 BGP roles and OTC (Only-to-Customer) attribute implementation.
To get the most out of ASPA, we encourage everyone to create their ASPA objects for their AS. Creating and maintaining these ASPA objects requires careful attention. In the future, as networks use these records to actively block invalid paths, omitting a legitimate provider could cause traffic to be dropped. However, managing this risk is no different from how networks already handle Route Origin Authorizations (ROAs) today. ASPA is the necessary cryptographic upgrade for Internet path validation, and we’re happy it’s here!
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み