• ASPA is now available in the RIPE NCC RPKI Dashboard, adding a way to express and validate your upstream relationships on top of ROA-based origin validation. • Building on its introduction at RIPE 91, this article explains what ASPA does, why it matters, and how to start thinking about deployment. • Over the past decade, RPKI and Route Origin Validation (ROV) have made it much harder to accidentally hijack prefixes, but they don’t say anything about who’s allowed to sit upstream of whom on a BGP path. • Autonomous System Provider Authorisation (ASPA) is an emerging IETF standard that fills exactly that gap, using RPKI objects to describe customer-to-provider AS relationships and to detect route leaks and implausible paths before they cause trouble on the global Internet. • With ASPA support now appearing in the RIPE NCC RPKI Dashboard, many operators in our service region will first encounter the mechanism there. • This article is meant to give you enough background to understand what ASPA is doing, why we’re exposing it in the Dashboard, and how to think about adopting it.
Article Summaries:
- The RIPE NCC has added Autonomous System Provider Authorization (ASPA) support to its RPKI Dashboard, giving operators a new way to publish and validate upstream relationships alongside existing Route Origin Authorizations (ROAs). ASPA, an IETF‑standardised RPKI object, allows an AS to list legitimate upstream providers, enabling routers to check BGP paths against declared customer‑provider links. The dashboard now lets users create and manage ASPA objects in the same interface used for ROAs, though it does not infer provider sets from BGP. Validation is already supported by major RPKI validators and routers such as Bird, OpenBGPD, and Cisco IOS‑XR.
Sources: