APNIC Pty Ltd.

03/12/2026 | Press release | Distributed by Public on 03/11/2026 22:32

APNIC Routing Security SIG at APRICOT 2026: Social engineering, RPKI, ASPA, & TA constraints

During the APNIC Routing Security SIG session, held at APRICOT 2026 in Jakarta, the community heard six presentations on applying the Resource Public Key Infrastructure (RPKI) to the problem of secure Internet routing. Terry Sweetser is the current Chair of the Special Interest Group (SIG), supported by Co-Chair Taiji Kimura. The SIG continues its charter role of information gathering, capacity building, and feedback.

RPKI in Indonesia

Presenter: Syarif Lumintarjo

IDNIC Chair Syarif Lumintarjo presented on the five-year RPKI adoption journey of the Indonesian ISP community. From under 1% RPKI adoption in 2021 to over 90% coverage in 2026, this coordinated deployment took place on a remarkably fast timeline.

A variety of approaches led to an explosion of uptake, from workshops, to social media campaigns, and direct one-on-one approaches to IDNIC membership. User experience changes, website badges, and status flags on reports and presentations increased visibility of secured announcements. Emails to members highlighted the relative insecurity of their BGP announcements, prompting Route Origin Authorization (ROA) creation.

A major 'forcing function' that drove RPKI adoption was the decision by the Indonesian Internet Exchange (IIX) to adopt 'drop invalid' as a policy in its route server logic. Operators of the nearly 800 participating Autonomous System Numbers (ASNs), across 15 points of interconnection throughout the economy, had to get their ROAs in order to keep their prefixes reachable through the exchange.

As Syarif's slides say:

We are moving from 'Connect First, Fix Later' to 'Secure First, Connect Later.' Valid ROAs are now the baseline trust metric for new peers.

It made sense to stop accepting invalids once ROA coverage reached 89% to 90%. By then the vast majority of domestically announced routes had RPKI protection, and the risk calculation had shifted: the harm from dropping a legitimately announced route made invalid by a stale or mis-configured ROA had become smaller than the harm from continuing to accept risky invalid announcements.
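To make the 'drop invalid' trade-off concrete, here is an added example (not IIX's or IDNIC's code, and not from the presentation) that implements RFC 6811 origin validation and applies a route-server style drop-invalid policy to a constructed route table. Every prefix, ASN and ROA in it is made up; the ROAs would come from a validator cache over RTR in a real deployment. The /25 announcement shows the kind of legitimate route that the policy sacrifices when an operator's ROA maxLength is too strict, which is why the IIX waited for high ROA coverage before dropping invalids.

```python
"""Route Origin Validation (RFC 6811) and an IX-style 'drop invalid' policy,
run over a constructed route table. Added example for this write-up; it is
not IIX's or IDNIC's code, and every prefix, ASN and ROA below is made up."""
import ipaddress
from collections import Counter

# Constructed ROAs: (prefix, maxLength, origin ASN). A real validator would
# receive these from a cache over RTR (RFC 8210).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' (NotFound)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True  # at least one ROA covers this route
        # A matching ROA must name the origin AS and allow this prefix length.
        # AS0 ROAs (RFC 7607) never match: they exist to mark space as unroutable.
        if roa_asn == origin_asn and roa_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def drop_invalid(routes, roas=ROAS):
    """Route-server policy: keep 'valid' and 'unknown', discard 'invalid'.
    Returns (accepted, dropped) lists of (prefix, origin, state)."""
    accepted, dropped = [], []
    for prefix, origin in routes:
        state = rov_state(prefix, origin, roas)
        (dropped if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, dropped


def state_counts(routes, roas=ROAS) -> dict:
    """Tally of validation states: the numbers an operator watches before
    switching from 'tag invalid' to 'drop invalid'."""
    return dict(Counter(rov_state(p, o, roas) for p, o in routes))


# Constructed announcements as (prefix, origin ASN) seen by the route server.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", 64500),   # matches its ROA exactly -> valid
    ("203.0.113.0/25", 64500),   # right origin, longer than maxLength 24 -> invalid
    ("198.51.100.0/24", 64501),  # more-specific within maxLength -> valid
    ("198.51.100.0/22", 64599),  # wrong origin for covered space -> invalid
    ("192.0.2.0/24", 64503),     # no covering ROA -> unknown, still accepted
    ("2001:db8:1::/48", 64502),  # IPv6 more-specific within maxLength -> valid
]

if __name__ == "__main__":
    kept, dropped = drop_invalid(SAMPLE_ROUTES)
    print("state counts:", state_counts(SAMPLE_ROUTES))
    for entry in dropped:
        print("dropped:", entry)
```

The second dropped entry is the mis-origination the policy exists to stop; the first is a legitimate route whose owner forgot to raise maxLength, and it is exactly the kind of collateral damage that falls as ROA hygiene improves.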

The strong supportive model IDNIC and IIX took has had direct impact on the integrity of Indonesian domestic routing and peering.

Slides: RPKI in Indonesia

ASPA in the RPKI dashboard

Speaker: Tim Bruijnzeels

Tim Bruijnzeels, the Principal RPKI Software Engineer at the RIPE NCC, delivered a presentation on the new Autonomous System Provider Authorization (ASPA) object, highlighting, in particular, the new ASPA features of the RIPE Dashboard. Tim is active in IETF standardization of RPKI, with authorship in six RFCs, and eight active drafts in the Secure Inter-Domain Routing Operations (Sidrops) working group.

An ASPA is a path-protecting statement by a customer ASN naming its chosen provider ASNs: a cryptographically signed declaration that the customer AS expects only those upstream ASes to appear next to it on the path. Each adjacent pair of ASes in a Border Gateway Protocol (BGP) AS_PATH can therefore be checked against the signed provider sets, and a hop where the customer has published an ASPA that does not list the neighbouring AS can be rejected.

The process gives probable - not absolute - assertions about path validity. ASPAs are assertions by customers about their providers that have to be checked against what is seen live in BGP; the path itself is not signed, so a single unattested hop cannot be told apart from a peering link. Even so, they help detect forged paths, valleys in routing and route leaks. They don't depend on cryptography being embedded inside the router: the relying-party software checks the signatures and the router only receives the resulting customer-provider records.

ASPAs are intentionally similar to ROAs in how they are created and published. Compared to ROA, however, support for ASPA validation logic in routing software and hardware is still at an early stage. BGP speakers must be upgraded before ASPA-based path checks can take effect on the routes they see.
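The pair-by-pair check described above, as an added example that is not the RIPE NCC dashboard's code nor code from the presentation. It follows the hop-authorization and upstream/downstream procedures of the IETF sidrops ASPA verification draft: a route learned from a customer or lateral peer must climb customer-to-provider all the way from the origin, while a route learned from a provider may climb, cross at most one unattested (peering) hop, and then descend. All ASNs and ASPA records are constructed, and the example assumes the verifying router already knows from its own configuration whether the neighbour is a customer, peer or provider, as the draft does.

```python
"""ASPA-based AS_PATH verification over constructed data. Added example; it
follows the upstream/downstream procedure of the IETF sidrops ASPA
verification draft. All ASNs and ASPAs below are made up."""
from typing import Dict, List, Set

# Constructed ASPA objects: customer ASN -> authorized provider ASNs.
# {0} is the 'AS0 ASPA': the customer declares it has no providers at all.
# An AS with no entry has published no ASPA.
ASPAS: Dict[int, Set[int]] = {
    64510: {64520},         # 64510's only provider is 64520
    64520: {64530, 64531},  # 64520 is multi-homed to 64530 and 64531
    64530: {0},             # 64530 is transit-free
    64531: {0},             # 64531 is transit-free
    64540: {64531},         # 64540 buys transit only from 64531
    # 64550 and 64551 have published no ASPA
}


def hop_auth(customer: int, candidate_provider: int, aspas=ASPAS) -> str:
    """Classify one adjacency: is candidate_provider an authorized provider
    of customer? Returns 'Provider+', 'Not Provider+' or 'No Attestation'."""
    providers = aspas.get(customer)
    if providers is None:
        return "No Attestation"
    return "Provider+" if candidate_provider in providers else "Not Provider+"


def _collapse(as_path: List[int]) -> List[int]:
    """Drop consecutive duplicates (prepending) so each hop is a real adjacency."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def verify_upstream(as_path: List[int], aspas=ASPAS) -> str:
    """Route learned from a customer or lateral peer. Every hop from the origin
    towards the neighbour must be customer -> provider.
    as_path is in BGP order: neighbour first, origin last."""
    seq = _collapse(as_path)[::-1]  # origin first
    hops = [hop_auth(seq[i], seq[i + 1], aspas) for i in range(len(seq) - 1)]
    if "Not Provider+" in hops:
        return "Invalid"
    return "Unknown" if "No Attestation" in hops else "Valid"


def verify_downstream(as_path: List[int], aspas=ASPAS) -> str:
    """Route learned from a provider (or a route server). Allowed shape: an
    up-ramp from the origin, at most one unattested hop (a peering link), then
    a down-ramp to the neighbour. A definite up-hop after a definite down-hop
    is a valley, i.e. a route leak."""
    seq = _collapse(as_path)[::-1]  # seq[0] is the origin, seq[-1] the neighbour
    n = len(seq)
    # up[i]: is seq[i+1] a provider of seq[i]?   down[i]: is seq[i] a provider of seq[i+1]?
    up = [hop_auth(seq[i], seq[i + 1], aspas) for i in range(n - 1)]
    down = [hop_auth(seq[i + 1], seq[i], aspas) for i in range(n - 1)]
    # First hop that is definitely not customer->provider, counted from the origin.
    u_min = next((i for i, h in enumerate(up) if h == "Not Provider+"), n - 1)
    # Last hop that is definitely not provider->customer, counted from the origin.
    v_max = max((i for i, h in enumerate(down) if h == "Not Provider+"), default=-1)
    if u_min < v_max:
        return "Invalid"  # a definite up-hop sits below a definite down-hop: valley
    k = next((i for i, h in enumerate(up) if h != "Provider+"), n - 1)  # top of up-ramp
    l = n - 1  # top of down-ramp
    while l > 0 and down[l - 1] == "Provider+":
        l -= 1
    # Ramps that meet, or are separated by a single (peering) hop, make a valid path.
    return "Valid" if l - k <= 1 else "Unknown"


if __name__ == "__main__":
    # Constructed paths in BGP order, as seen by a router in 64531 (from customers)
    # and by a router in 64510 (from its provider 64520).
    print(verify_upstream([64520, 64510]))                # Valid: plain customer route
    print(verify_upstream([64540, 64530, 64520, 64510]))  # Invalid: 64540 leaked a route it got from 64530
    print(verify_upstream([64540, 64550]))                # Unknown: 64550 has no ASPA
    print(verify_downstream([64520, 64531, 64540]))       # Valid: up to 64531, down to 64520
    print(verify_downstream([64520, 64530, 64540, 64531]))  # Invalid: 64540 leaked 64531's route to 64530
```

The two Invalid cases are what ASPA adds over ROV: both paths carry a legitimate origin, so origin validation alone accepts them.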

Tim shared statistics on object creation overall, and by economy. He showed how the special AS0 ASPA (an ASPA whose provider set is AS0, declaring that the customer has no providers) is being deployed, and some risks around the use of AS0 that need to be understood when constructing ASPAs. Tim also discussed the benefits of using route analysis tools like the RIPE NCC Routing Information Service (RIS) to guide ASPA creation, decisions about your BGP peers, and what gets signed over.

Slides: ASPA in the RPKI dashboard

RPKI APAC UPDATE

Speaker: Sheryl (Shane) Hermoso

Sheryl (Shane) Hermoso, the APNIC Development Manager, gave an update on RPKI deployment in the Asia Pacific region. Her talk was a graphic-rich overview of the state of ROA coverage, validation, and the effective outcomes in terms of validated, invalid and 'problem avoided' results. It's a great summary with a spotlight on East and South East Asia, the communities adjacent to the APRICOT 2026 event.

Routing security in the Asia Pacific region is a complicated story, with differing levels of adoption of authorization (ROA) and validation (ROV). There is even more variation across IPv4 and IPv6 routes. The statistics that Shane shared had East Asia at 31% IPv4 ROA coverage, with South Asia at 89.9% and South East Asia on around 92.4%. Compare that to the world average of around 60.3%.

Uptake of validation varies even more, from below 5% in much of Asia to 50% or higher in Australia and Myanmar, set against the worldwide average of 26.6%.

This variance across ROA and ROV adoption isn't unusual. In many respects, large parts of the APNIC community are doing very well compared to the world average. Shane gave the audience a sense of deployment in the Indonesian local context, and guidance for their choices back home in their own networks.

Slides: RPKI APAC Update

SIDR Operations (Sidrops) IETF update

Speaker: Tom Harrison

Tom Harrison, Registry Product and Delivery Manager at APNIC, is another frequent participant in IETF document production, with five RFCs and six active drafts across multiple working groups. His presentation highlighted the work of the sidrops working group that is responsible for documents and specifications that relate to RPKI.

Tom gave a summary of the group's current focus areas, including Trust Anchor (TA) constraints, the Erik synchronization protocol, and best current practices for operating RPKI publication servers and repositories.

Relying parties fetch RPKI content from publication points (PPs) using rsync and the RPKI Repository Delta Protocol (RRDP), and the operational costs of both have prompted exploration of structural improvements. A new synchronization protocol called Erik (named in memory of Erik Bais, a beloved member of the RIPE internet community who died unexpectedly in 2024) is being designed to address problems with fetch serialization, encoding overhead, and expensive re-initializations.

Tom also discussed an NRO initiative to explore tighter constraints on the current set of TAs, aligning what each TA certifies with other publicly visible statements of per-registry holdings. Two new signed objects - state objects (what each TA currently holds) and transfer objects (issued when resources are moved between TAs) - would limit the resources that any single TA can claim.

Tom also spoke about the group's work on a best practice document describing how systems should be configured, and how problems should be handled, for people running an RPKI publication server and its associated PPs. He expects this work to be completed within the next few months.

Slides: Sidrops IETF UPDATE

Can RPKI help mitigate social engineering attacks?

Speaker: Carlos Martinez Cagnazzo and Sanjaya

Carlos Martinez Cagnazzo, Chief Technology Strategist at LACNIC, and Sanjaya, Senior Advisor and Information Analyst at APNIC, presented jointly on whether RPKI could have mitigated an attack seen across Latin America that was originated from an Asian ASN.

The recent routing hijack incident, involving IP addresses in the Americas and an ASN from Asia, demonstrated how social engineering can undermine Internet routing security. Three attacks of short duration took place between 9 and 12 July 2025. The social engineering element was that the attacker hijacked an ASN and then used that ASN's apparent legitimacy to convince a multinational transit provider to propagate the hijacked prefixes. Coordination among three Regional Internet Registries (RIRs) resolved the issue.

The presentation examined whether RPKI could mitigate such attacks, using ROAs to assert the legitimate origin of the prefixes, and ASPAs to flag unexpected ASN adjacencies and customer-provider paths that should not exist.

Slides: Can RPKI help mitigate social engineering attacks?

MESec: Minimal-exposure AS-PATH verification against BGP post-ROV attacks

Speaker: Jiangou Zhan

Jiangou Zhan, a masters student at Tsinghua University presented MESec, a framework designed for minimal-exposure AS-PATH verification.

Unlike existing approaches, which need global visibility of the local adjacencies exposed in BGP, MESec decouples validating path correctness from disclosing network topology. ASPA, being a signed and publicly retrievable declaration of a customer-provider relationship made by the customer, discloses commercial relationships that some operators aren't yet ready to state anywhere outside of BGP.

By confining the visibility of relationship attestations strictly to the relevant verifying entities, and using trusted intermediaries, MESec enables networks to detect and discard anomalous paths without broadcasting their peering strategies.

The evaluation Jiangou presented shows that MESec can achieve a security posture comparable to standard ASPA in mitigating post-ROV threats (attacks such as forged-origin hijacks and route leaks that origin validation alone does not stop), while strictly adhering to the principle of minimal exposure. It offers a pragmatic path toward secure inter-domain routing that aligns with the economic incentives of network operators.

Slides: MESec, a framework designed for Minimal-Exposure AS-PATH Verification.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
