By Barbara Capasso · LevelAct
The internet’s invisible architecture—the routing layer—remains both a marvel and a minefield. Despite years of attention, routing security remains a global weak point. While promising initiatives like RPKI have gained traction, we now face new challenges: adoption plateaus, policy bloat, and a lack of sustained momentum. In this article, we examine where we stand today, what’s holding us back, and how the industry can move forward.
RPKI Route Origin Validation (ROV): Progress, but Are We Plateauing?
Resource Public Key Infrastructure (RPKI) adoption has accelerated over the past three years. Major cloud providers, regional IXPs, and Tier 1 networks have implemented Route Origin Validation (ROV) to reject invalid BGP route announcements. According to recent MANRS metrics, RPKI usage now covers over 50% of global routing paths.
But growth is slowing.
- Many large players have adopted ROV, but smaller ASNs and regional ISPs have yet to follow.
- A lack of technical expertise and operational automation tools prevents mass adoption.
- There is still no universal enforcement mechanism or incentive model to mandate ROV implementation.
The plateau suggests that voluntary adoption may have reached its limit—pushing us toward a new question: What will it take to make RPKI universal?
The Problem with Bloated AS-SETs: Risk Hiding in Plain Sight
Autonomous System Sets (AS-SETs) in Internet Routing Registries (IRRs) are designed to define which ASNs a provider should accept routes from. But over time, these AS-SETs grow uncontrollably.
- Some AS-SETs contain thousands of entries—many of which are stale, defunct, or misconfigured.
- Poorly maintained AS-SETs make route filtering unreliable, opening the door to route leaks and route hijacks.
- Attackers can exploit these outdated entries to inject malicious prefixes into otherwise trusted routing paths.
Cleaning up AS-SETs is a low-effort, high-impact fix—but it’s often overlooked in favor of larger architectural discussions. This issue underscores a broader truth: routing security isn’t just about crypto—it’s about hygiene.
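As an added example (not from the original article or any project it names), the sketch below audits an as-set for the hygiene problems described above: it expands nested members, then flags stale ASNs, references to sets that no longer exist, and circular references. The registry data, the `ACTIVE_ORIGINS` set, the 1000-member threshold, and treating "stale" as "no route object or ROA" are all assumptions made for illustration.

```python
import re

# Constructed sample data (not real IRR objects): as-set name -> its members.
# Keys are upper-case; ASNs are from the documentation range 64496-64511.
AS_SETS = {
    "AS-EXAMPLE-CUSTOMERS": ["AS64500", "AS64501", "AS-EXAMPLE-RESELLER"],
    "AS-EXAMPLE-RESELLER": ["AS64502", "AS64510", "AS-EXAMPLE-CUSTOMERS",
                            "AS-EXAMPLE-GONE"],
}
# Constructed: origin ASNs that still have at least one route object or ROA.
ACTIVE_ORIGINS = {64500, 64501, 64502}
ASN_RE = re.compile(r"^AS(\d+)$", re.IGNORECASE)


def expand_as_set(root, as_sets):
    """Recursively expand an as-set; return (asns, unresolved_sets, cycles)."""
    asns, unresolved, cycles, visited = set(), set(), set(), set()

    def walk(name, path):
        name = name.upper()
        if name in path:            # set reaches itself, directly or indirectly
            cycles.add(name)
            return
        if name in visited:         # already expanded through another branch
            return
        visited.add(name)
        if name not in as_sets:     # referenced, but no longer registered
            unresolved.add(name)
            return
        for member in as_sets[name]:
            m = ASN_RE.match(member)
            if m:
                asns.add(int(m.group(1)))
            else:                   # anything that is not a bare ASN is a set
                walk(member, path | {name})

    walk(root, frozenset())
    return asns, unresolved, cycles


def audit_as_set(root, as_sets, active_origins, max_size=1000):
    """Summarise findings that a filter generator would silently absorb."""
    asns, unresolved, cycles = expand_as_set(root, as_sets)
    return {
        "size": len(asns),
        "oversized": len(asns) > max_size,   # max_size is an assumed threshold
        "stale_asns": sorted(asns - active_origins),
        "unresolved_sets": sorted(unresolved),
        "cycles": sorted(cycles),
    }
```

Calling `audit_as_set("AS-EXAMPLE-CUSTOMERS", AS_SETS, ACTIVE_ORIGINS)` on the constructed data reports one stale ASN, one dangling set reference, and one cycle, each of which would otherwise end up silently reflected in a generated prefix filter.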
Sustaining Momentum: Measurement, Pressure, and Transparency
A handful of technical communities are actively pushing routing security forward:
- MANRS (Mutually Agreed Norms for Routing Security) now includes over 1,000 participants.
- CAIDA’s BGPStream and NLNOG RING provide public data on BGP anomalies.
- Regional NOGs (Network Operator Groups) host workshops to train engineers on RPKI and IRR filtering.
Yet the majority of networks still don’t monitor their own routing behavior—let alone secure it. The key to progress lies in:
- Measurement frameworks: to benchmark adoption and validate claims
- Community pressure: from peers, IXPs, and upstream providers
- Regulatory influence: particularly for critical infrastructure and national backbones
Until routing security becomes a business risk discussed at the board level, it will remain an underfunded engineering task.
Conclusion: A Turning Point, or a Treading Point?
Routing security is no longer a “nice to have.” It’s a foundational part of internet resilience in an era of rising attacks, state-sponsored interference, and supply chain vulnerabilities. We’ve come far—but we haven’t yet secured the routing layer.
To push forward, we must:
- Incentivize universal RPKI adoption
- Reduce the technical debt hidden in AS-SETs
- Build a culture of accountability around routing decisions
We know what to do. The question is—will the internet community do it before the next big breach reminds us why we should have?