alt.hn

7/15/2026 at 6:38:56 AM

Who's running all those tiny RPKI servers?

https://blog.apnic.net/2026/07/15/whos-running-all-those-tiny-rpki-servers/

by enz

7/15/2026 at 10:52:06 AM

Cool stuff. Though I've never quite understood how RPKI solves route hijacks. The article says it validates that you're allowed to announce a given prefix outright, but I thought the idea behind a BGP hijack was that you just say you have a good route towards a given prefix, and traffic flows through you as a result?

by ipdashc

7/15/2026 at 11:40:52 AM

There's two kinds of route hijacks. Origin or path based.

RPKI addresses who is allowed to originate a prefix. There are other technical changes that need to be implemented to get path validation, this cloud flare blog has a good write up on the issues/solutions.

https://blog.cloudflare.com/bgp-route-leak-venezuela/

by patmorgan23

7/15/2026 at 12:26:51 PM

RPKI addresses both.

Route Origin Authorizations (ROAs) enforce which ASes are allowed to originate a prefix. ROAs address origin hijacks, and have been around for longer.

Autonomous System Provider Authorizations (ASPAs) enforce which ASes are allowed to be adjacent to each other in an AS_PATH. ASPAs address path hijacks, and were introduced more recently. It used to be that you had to self-host (as in the article) in order to publish ASPAs, but RIRs are now starting to support them on their hosted RPKI offerings. I'm surprised the article didn't mention this as a reason to run your own RPKI.

If the first hop publishes a ROA, and all subsequent hops publish an ASPA, then the full path can be validated.

by greyface-

7/15/2026 at 1:08:28 PM

What's the history and status of ASPA? As far as I can see, it's a fairly active draft with the IETF: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-ver...

It says it's on the standards track, but it's clearly quite new. How well has it been proven out? This page from Hurricane Electric shows <3% adoption: https://bgp.he.net/report/rpki_and_aspa

by jcgl

7/15/2026 at 1:32:18 PM

It's still very early. RIPE and ARIN have only supported publishing them for a few months. ARIN made very little noise about it during the rollout, and many networks are probably still unaware. Give it a couple years, and I expect we'll see fairly good adoption among those already publishing ROAs. There will still be the never-RPKI holdouts, however.

HE publishes their full ASPA table here, if you're interested in digging in: https://routing.he.net/?cmd=display_aspa_table

by greyface-

7/15/2026 at 2:14:24 PM

Also note that ASPA validation prevents only hijack by peers and customers, not by providers. Due to way how ASPA validation works, providers could always announce to their customers routes with valid-looking AS PATH with hijacked ASN appended at its end.

by zajio1am

7/15/2026 at 2:26:10 PM

Trust infrastructures are always like this, it's one reason PGP's "Web of trust" doesn't work at scale.

If you trust Alice then it's not astonishing that Alice can stab you in the back. Most of us can probably manage to pick trustworthy direct friends. But then, what if we're to trust that Alice's friends won't betray us ? That's a lot stickier.

PGP tries to distinguish "Do you trust that Alice is who she says she is?" from "Do you trust that Alice is a good judge of character?" but the latter is largely unknowable and PGP treats it as recursive. You trust Alice, Alice trusted Bob, Bob trusted Caroline and now Caroline's friend Dave stabbed you in the back. How is this Alice's fault somehow?

by tialaramex

7/15/2026 at 2:50:56 PM

How is that better or worse than the "I trust everyone my authority trusts" mechanism the authority system uses?

by somat

7/15/2026 at 5:35:41 PM

Having a handful of authorities means we can direct our limited resources at scrutinizing those authorities. Which we do, to great effect. It's not perfect, such a system will never be perfect, but it keeps improving. It's a lot better in 2026 than it was in 2016, and it was a lot better in 2016 than in 2006. In 1996 this is all new and the CAs have basically no idea what they're doing, what's a domain name? Their employees aren't using Tim's toy hypermedia service, it's for nerds.

The resources available to check that Edith's friend Frank's cousin Gerald is trustworthy are zero and when trusting Gerald goes badly, what do we do? "Oh, huh, be more careful"? It's not actionable at all.

by tialaramex

7/15/2026 at 2:04:53 PM

Note that the first hop has to publish both ROA and ASPA records, as ASPA records describes a set of valid providers.

by zajio1am

7/15/2026 at 3:00:24 PM

That makes sense, thanks!

by ipdashc

7/15/2026 at 11:33:52 AM

RPKI mainly makes the administrative side of the route database more formal and rigorous than previous internet routing registry implementations. The processes for using them to improve network security are discussed at https://manrs.org/

They have a neat dashboard at https://observatory.manrs.org/

by hnuser123456

7/15/2026 at 11:36:44 AM

The RPKI fix is that any node in a rpki tree is signed by the certificate from the authority above it, all the way up until some root certificate that you trust. So you cannot have some party hijacking a prefix, it would not be signed by its parent authority.

by misja111

7/15/2026 at 4:36:49 PM

17.6% of assigned BGP-able IP address space are assigned but not actively broadcasting BGP packets???

(Deep-breath in, warning: rant)

This makes for a very problematic of continual hijacking AS link pathways between two hosts, notably between two countries.

BGPsec is well designed but remains largely unused (due to high-speed carrier-grade router's unwillingness to update firmware for new packet datagrams within BGP, not to mention requiring the addition of expensive de-crypt/re-crypte chipsets.

Interim SW-based solutions like BGP-ROA and BGP-ASPA are like HTTPS CAs, need to do PGP-style "trusting your friends' trusting other friends', ad naseum.

Alice trust Bob who trust Charles who trust Dave but Dave stabs Alice in the back. Um, no.

27 years of hosting my websites and DNSSec, but I can't prevent an island of Antigua to hijack my very own AS ... without all engaging in BGPSec. Unless all participate in BGPSec.

Crappy workaround such as the self-hosting of a RPKI API server is the HTTPS CA for that BGP AS hijack problem and it's still a wild, wild Internet.

Even then, that boondoggle infrastructure (Google/CloudFlare/DigiCert/LetsEncrypt) of mass Certificate Transparency (CT) monitoring station is trying to do fingerprint imprints of all the CAs' hash values for all websites; that design approach is time-sensitive and is a glaring weakness for not using dTLS/mTLS (where web servers ALSO authenticates its clients as well as the standard TLS client also authenticates web servers.

It is a lame brain scheme to ensure expansion of CT.

The correct architectual security stance is to prevent expensive audit scenario and ensure that the complexity moves from after-the-fact detection (CT) into stronger identity enrollment and authorization (DNSSEC, policy records, key continuity, CA constraints, possibly multi-CA approval).

People making more useless work, yet profit massively.

By doing individual CA with each websites, browser can then ditch the cookie tracking. And privacy restored (it leaks only to that website what you say)

But the $710B data collection industry will have questions.

I absolutely love the idea of auto-creating mTLS/dTLS for each client-website pairing at account creation time.

Ancillary infrastructure crumbles. Backends simplified. Things are faster and simpler for all parties involved (except those evil 3rd party scrapers/sniffer/email-reading scourges.

AI responded as: Benefits:

* eliminates password reuse

* reduces phishing surface

* eliminates many cookie-tracking mechanisms

* allows per-site identity isolation

* improves API/service authentication

the endpoints own the trust relationship; intermediaries provide transport, not identity.

Exactly how a well-designed military or critical-industrial equipment in the field should behave (to prevent inadvert usage of captured/hijacked endpoints)

/end-of-rant

by egberts1

7/15/2026 at 4:44:38 PM

27 years of DNSSEC, you say!

by tptacek

7/15/2026 at 2:49:29 PM

[flagged]

by samso26