Bryton Herdes

@next_hopself
Father of 2 | Principal Network Troublemaker at Cloudflare | JNCIE-SP #3023 | Views are my own

RE: https://mastodon.social/@next_hopself/116687933953241790

My hands are sadly not clean here. Updating defaults in widely deployed implementations is painful.

That said, even though it takes a knob for some implementations, best practice is worth following.

#bgp

Let’s talk malformed AS_PATHs. Unless you’re enforcing the “First AS” of received routes, you’re vulnerable to hijacks that not even ASPA validation can prevent.

Read more here, and enforce the First AS in BGP.
https://blog.cloudflare.com/enforce-first-as-bgp/

Enforcing the First AS in BGP AS PATHs

BGP is vulnerable to routing hijacks and path leaks that negatively impact traffic on the Internet. RPKI helps solve some of these problems, but for some forged paths, we need to rely on a simpler mechanism: First AS enforcement in BGP.

The Cloudflare Blog

AS14789 (Cloudflare, Inc.) has signed ASPA objects for the first time!
This means 1818 unique ASNs have signed ASPA objects at some point

RE: https://infosec.exchange/@dougmadory/116409858961819464

IMO the main takeaway from Doug's post is many leaks are short-lived and a result of path-hunting (more on path hunting in https://blog.cloudflare.com/going-bgp-zombie-hunting/#path-hunting).

However, even short-lived leaks are an indication of a routing policy issue, while not necessarily impactful to traffic forwarding.

Fun fact - I really wanted to start the title of this as "ASPA ASAP", but @mingwei talked me out of it due to poor readability.

Anyway, ASPA is going to make a big difference in preventing route leaks and most forged origin hijacks.

https://manrs.org/2026/03/aspa-making-internet-routing-more-secure-via-cloudflare/

@mingwei and I wrote about how ASPA is going to make routing security better, and some new Cloudflare Radar features that'll help track adoption.

https://blog.cloudflare.com/aspa-secure-internet/

Taking a closer look at a BGP anomaly in Venezuela

https://blog.cloudflare.com/bgp-route-leak-venezuela/

A closer look at a BGP anomaly in Venezuela

There has been speculation about the cause of a BGP anomaly observed in Venezuela on January 2. We take a look at BGP route leaks, and dive into what the data suggests caused the anomaly in question.

The Cloudflare Blog