Cloudflare Radar adds ASPA monitoring to detect BGP route leaks in real time
Cloudflare · feature, security, platform · blog.cloudflare.com

What is ASPA?

ASPA (Autonomous System Provider Authorization) is a new cryptographic standard designed to secure the path Internet traffic takes across networks. While existing RPKI (Resource Public Key Infrastructure) technology verifies that traffic arrives at the correct destination through Route Origin Authorizations (ROAs), ASPA validates the entire journey by allowing networks to publish a list of their authorized upstream providers.

When data crosses the Internet, it maintains a running log of every network it passes through—called the AS_PATH in BGP (Border Gateway Protocol). ASPA enables receiving networks to cryptographically verify that traffic only traveled through an approved chain of providers, preventing route leaks where traffic gets misdirected through unintended networks.

How ASPA Detection Works

ASPA relies on the hierarchical structure of Internet routing, often visualized as a "valley-free" model:

  • Up-Ramp: Traffic travels from a customer "up" through increasingly larger providers
  • Apex: Traffic may cross a single peering link between major providers
  • Down-Ramp: Traffic flows "down" through providers to the destination

Route leaks typically manifest as "valleys"—when traffic unexpectedly goes down to a customer and then back up to another provider. ASPA validation checks both the up and down paths to ensure they meet at the apex with continuous authorization. If the paths don't connect, ASPA flags the route as invalid.
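
The up-ramp/down-ramp check described above, as an added Python example (not Cloudflare's code and not taken from the original post). It models only a route learned from a provider, ignores AS_SET segments, and uses constructed ASNs from reserved ranges and constructed ASPA records. The "unknown" result for paths with missing attestations is an assumption that goes beyond what the page states.

```python
# Added example. ASNs and ASPA records are constructed (reserved ASN ranges).
# ASPA maps a customer ASN to its set of authorized providers; an empty set
# means the AS attests that it has no providers (top of the hierarchy).
ASPA = {
    64500: {64510},
    64510: {64520},
    64520: set(),
    64521: set(),
    64530: {64520, 64521},
    64540: {64530},
}

def hop(aspa, customer, provider):
    """Classify one customer -> provider step against the ASPA records."""
    if customer not in aspa:
        return "no-attestation"
    return "provider" if provider in aspa[customer] else "not-provider"

def ramp(aspa, path, stop_on):
    """Number of ASes reached climbing from path[0] before a hop in stop_on."""
    for i in range(len(path) - 1):
        if hop(aspa, path[i], path[i + 1]) in stop_on:
            return i + 1
    return len(path)

def verify_from_provider(aspa, as_path):
    """Check a route learned from a provider.

    as_path is in BGP order: as_path[0] is the neighbor, as_path[-1] the origin.
    """
    # Collapse AS prepending so every AS appears once.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    up, down = path[::-1], path  # both ramps are walked toward the apex
    n = len(path)
    broken = {"not-provider"}
    unproven = {"not-provider", "no-attestation"}
    # Even the longest possible ramps leave a gap: a valley, so a leak.
    if ramp(aspa, up, broken) + ramp(aspa, down, broken) < n:
        return "invalid"
    # The ramps could meet, but only by trusting hops nobody attested.
    if ramp(aspa, up, unproven) + ramp(aspa, down, unproven) < n:
        return "unknown"
    return "valid"

GOOD = [64540, 64530, 64520, 64510, 64500]  # climbs to 64520, then descends
LEAK = [64521, 64530, 64520, 64510, 64500]  # 64530 re-exports to a provider
if __name__ == "__main__":
    for name, p in (("good", GOOD), ("leak", LEAK)):
        print(name, verify_from_provider(ASPA, p))
```

In the constructed leak path, AS 64530 learned the route from its provider 64520 and passed it to its other provider 64521, so the two ramps cannot meet and the path is rejected.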

Cloudflare Radar Integration

Cloudflare has integrated ASPA monitoring into Cloudflare Radar, providing visibility into:

  • ASPA adoption trends across the five Regional Internet Registries (RIRs)
  • ASPA records at the Autonomous System (AS) level
  • Historical changes to ASPA deployments over time

This tooling helps the network community track ASPA rollout and adoption as the industry transitions to more secure routing practices.