Routing security needs mentorship, not just tools


Terry Sweetser, elected Chair at APNIC 60, brings over 30 years of infrastructure experience to fix BGP trust issues. The Routing Security SIG faces a stark reality: technical solutions like RPKI exist, yet organizational inertia prevents universal adoption. Border Gateway Protocol vulnerabilities persist because early internet architecture relied entirely on implicit trust between peers. We are shifting from pure engineering to policy governance, a transition Sweetser credits to his MBA training. Network Operator Groups struggle when a small cohort holds most operational history, creating a single point of failure for community durability.

The path forward requires structured mentorship rather than just improved tools. Data from the APNIC training delivery team shows they conducted 188 total training events, surpassing their annual goal of 100 events to address this skills gap. By operationalizing trust through these expanded educational efforts, the community can finally validate route announcements effectively. The era of betting your company's connectivity on the good behavior of strangers must end through deliberate human collaboration.

The Critical Role of Routing Security in Modern Internet Infrastructure

BGP Trust Gaps and the RPKI Validation Framework

Border Gateway Protocol lacks intrinsic validation, forcing operators to rely entirely on implicit trust for route announcements. This architectural gap meant companies effectively bet their ability to route packets on the rest of the Internet behaving properly. The Resource Public Key Infrastructure addresses this by providing a cryptographic framework to verify route origins before acceptance. The top 100 networks largely perform Route Origin Validation, covering approximately 85% of global Internet traffic. That is significant progress, but it still leaves vulnerabilities. Globally, only about a third of routes are actually signed, leaving the majority of the routing table exposed to hijacking.

Deployment tools are mature; adoption lags because of organizational inertia. Community-driven initiatives like the Routing Security SIG work to overcome these hurdles through education and advocacy. Even networks implementing validation cannot fully protect their customers from misdirection without widespread signature of routes. InterLIR emphasizes that optimizing IPv4 resources requires securing the underlying routing infrastructure against such threats. Operators must move beyond passive trust to active verification to ensure stable network availability. More networks must sign their routes to achieve thorough protection.

Global ROV Deployment Across Top Internet Networks

Substantial transit providers now execute Route Origin Validation to filter invalid BGP announcements before propagation. The largest networks largely perform ROV, yet roughly two-thirds of global routes remain unsigned, exposing the AS path to origin errors. This persists because cryptographic signing requires active operator intervention beyond simple router configuration. Partial deployment creates measurable vulnerability; without universal signing, RPKI cannot fully prevent route hijacks despite high validation capacity. ASPA validates the entire path, whereas ROV only checks the origin, meaning a signed prefix can still be leaked by an authorized peer. Organizational barriers, not technical ones, define the challenge. Indonesian exchanges achieved near-total adoption in one year through coordinated governance efforts.

| Validation Type | Scope | Adoption Status |
|---|---|---|
| ROV | Origin Only | High in Top 100 |
| ASPA | Full Path | Emerging Standard |

Optimizing these existing resources ensures continued reachability in a trust-minimized internet.

The Unsigned Route Risk in Global Routing Tables

Route origin gaps persist because globally, only about a third of routes are actually signed. Substantial transit networks filter invalid announcements, yet the global routing table remains vulnerable where data lacks explicit authorization. Operators effectively trust unverified path information, creating a systemic risk where legitimate traffic can be misdirected without immediate detection. This validation gap means that even with high ROV coverage at the edge, the core infrastructure cannot distinguish between authorized and hijacked prefixes without universal signing. Validation capability exists, yet the majority of routes remain effectively invisible to security checks. Networks face potential outages not from a lack of tools, but from incomplete data publication across the system. Prioritizing the signing of unused or legacy blocks reduces the attack surface available to malicious actors. Without full participation, the Internet operates on partial trust rather than verified certainty.

Mechanics of Route Validation and the Shift from Technical to Organizational Barriers

Mechanics: From Trust-Based BGP to Cryptographic RPKI Validation

Border Gateway Protocol accepts all route announcements by default, creating a systemic vulnerability where invalid paths propagate without verification. This trust-based model forces networks to rely on implicit agreements rather than mathematical proof of ownership. Practical validation tools like the Resource Public Key Infrastructure (RPKI) emerged in the 1990s to address these core security gaps by binding IP address blocks to specific Autonomous System numbers through cryptographic certificates. Unlike the blind acceptance inherent in legacy BGP, RPKI enables routers to validate the origin of every prefix before installing it in the forwarding table.

| Feature | Traditional BGP | RPKI-Validated BGP |
|---|---|---|
| Validation Method | None (Trust-based) | Cryptographic Signatures |
| Origin Check | Manual filtering only | Automated ROA match |
| Security Posture | Vulnerable to hijack | Resilient to spoofing |

Operators must generate Route Origin Authorizations to define legitimate sources for their address space. Without these signed objects, the global routing table remains exposed to misconfiguration and malicious redirection. High validation coverage at substantial transit providers does not eliminate risk if the origin networks fail to sign their routes. Globally, only about a third of routes are actually signed, leaving a significant portion of the system unprotected. Technology allows for strong defense. The deployment bottleneck remains organizational inertia rather than technical complexity. Networks in regions like Indonesia demonstrated that coordinated community pressure can drive adoption from near-zero to dominant levels rapidly. With the top 100 networks largely performing Route Origin Validation (ROV), the campaign message is simple: sign your routes. Effective IP management now requires treating cryptographic signing as a mandatory operational step alongside address allocation.

Embedding RPKI Requirements in Connectivity Agreements

Embedding RPKI mandates directly into connectivity contracts transforms routing security from an optional best practice into a binding service requirement. Large providers require route origin confirmation as part of their agreements to secure their own networks as effectively as those of their customers. This top-down approach shifts the barrier from technical complexity to organizational policy, forcing rapid alignment across the supply chain. Indonesia serves as a definitive proof-of-concept for this coordinated action, where the system moved from almost nothing to around 90% adoption in about a year. Such dramatic improvement suggests that community-centered connectivity initiatives are necessary for overcoming inertia in regions with fragmented infrastructure. Contractual obligations create a unified standard that peer pressure alone cannot achieve. Industry leaders look to models where exchanges and operator groups coordinate pushes for security to bridge gaps in adoption. Formalizing these requirements allows the industry to replicate Indonesia's success globally and close the remaining gaps in the global routing table.

Organizational Inertia as the Primary Barrier to Route Signing

Organizational inertia, not technical complexity, now prevents the remaining unsigned routes from achieving cryptographic validation. The largest networks largely perform ROV. Roughly two-thirds of global routes remain unsigned, exposing the AS path to origin errors. This gap persists because cryptographic signing requires active operator intervention beyond simple router configuration. Partial deployment creates measurable vulnerability. Without universal signing, RPKI cannot fully prevent route hijacks despite high validation capacity. Few networks publish the necessary data, meaning validation tools cannot function effectively for unsigned prefixes. The solution requires shifting from purely technical workshops to broader stakeholder engagement where leadership highlights the importance of securing the system. This structural shift addresses the confidence gap that often stops new engineers from implementing security protocols, ensuring new people are coming through to hold institutional knowledge.

| Barrier Type | Technical Constraint | Organizational Constraint |
|---|---|---|
| Primary Hurdle | Legacy Hardware | Policy Approval Cycles |
| Solution Speed | Immediate Patch | Multi-quarter Review |
| Adoption Driver | Vendor Support | Contractual Mandates |

Embedding routing security requirements into service contracts provides the necessary top-down pressure to overcome internal delays. Providers secure their networks as effectively as their customers' by requiring route origin authentication in connectivity agreements. Technology alone cannot fix a process problem.

Operationalizing Trust Through NOGs and Strategic SIG Leadership

NOGs as Vehicles for Ecosystem Information Transfer

Network Operator Groups function as necessary conduits for distributing institutional knowledge rather than serving merely as technical discussion forums. Terry Sweetser, the Routing Security SIG Chair, identifies these gatherings as primary vehicles for broadcasting critical updates to the wider system. Historically, a small cohort of senior engineers held most operational expertise, creating a single point of failure for community durability. This concentration of knowledge risks stagnation if new voices do not emerge to challenge established norms. The strategic pivot involves using social proof within these groups to demonstrate that security deployments like RPKI are viable and effective. By showcasing successful implementations, NOGs lower the psychological barrier for operators hesitant to modify production BGP policies. The inclusion of youth in fellowship criteria signals a deliberate move toward intergenerational knowledge transfer to sustain this momentum.

Executing Local NOG Startups and Practical Workshop Formats

Launching a local Network Operator Group begins by addressing the structural challenge where experienced operators hold much of the community's institutional knowledge. Terry Sweetser advises aspiring leaders to start locally, noting that working with Internet exchanges highlighted the collaborative nature of Internet operations. Successful formats prioritize social proof, demonstrating working RPKI deployments to prove viability before attendees attempt their own implementations. The APNIC training delivery team exceeded 2023 targets by conducting 188 total training events, surpassing the annual goal of 100 events. Of the 188 training events delivered in 2023, 114 were led directly by APNIC staff, while 74 were led by Community Trainers. Participant satisfaction with APNIC's training initiatives reached a rating of 4.3 out of 5.0 in 2023, exceeding the organization's internal target of 4.0. This volunteer-driven approach mirrors the targeted support seen in the Phoenix Summit Fellowship Program, which empowers security enthusiasts to attend technical workshops.

| Phase | Activity Focus | Outcome |
|---|---|---|
| Initiation | Vendor-neutral meetups | Trust building |
| Education | ASPA workflow demos | Skill acquisition |
| Deployment | Live route signing | Operational security |

Operators must recognize that barriers to routing security are now organizational rather than technical. The focus is shifting from abstract discussion to implementation, moving the conversation toward tangible results. Consequently, this disciplined focus ensures that local groups contribute directly to the global routing table's integrity rather than serving solely as social clubs.

Overcoming Confidence Barriers in Community Leadership

Aspiring leaders should join a SIG immediately to access institutional knowledge normally held by a small cohort. Terry Sweetser advises candidates to "Start locally" via Network Operator Groups, noting that confidence remains the primary obstacle despite technical competence. He recalled his own intimidation facing senior officials in his twenties, yet emphasized that everyone seeks identical operational outcomes. The strategic shift requires moving focus from bits and bytes toward policy governance and system coordination. Technical skills form the foundation, but the real barrier is often the fear of engaging with established community leaders.

  1. Identify local NOG chapters or initiate a new regional group.
  2. Attend meetings to observe governance dynamics before speaking.
  3. Use equity and participation initiatives that subsidize entry for diverse professionals.

InterLIR recognizes that routing security depends on this next generation of volunteers. Without fresh voices, the system risks stagnation as experienced operators retire. The 2026 APNIC Policy Fellowship requires a committed duration of eighteen months, indicating that deep engagement and trust-building within the community represent a significant long-term investment of time. However, local engagement provides the social proof necessary for eventual regional influence.

Executing RPKI Deployment and Resolving Validation Errors in Production

Defining the RPKI Validator and Route Signing Workflow

Installing validator software initiates RPKI deployment by fetching and verifying ROA records from regional registries. This mechanism cryptographically confirms that an Autonomous System holds authority to announce specific IP prefixes before any BGP advertisement occurs. Routers accept origin claims based purely on trust without this signed attestation, leaving the AS path vulnerable to hijack attempts. Top networks largely perform validation, yet globally only about a third of routes are actually signed, creating a fragmented security posture. Operators must configure border routers to reject invalid routes while simultaneously publishing their own authorizations.

  1. Install a local validator to synchronize with the global trust anchor.
  2. Generate a key pair within the registry portal to sign ROA records.
  3. Configure the router to fetch validation states from the local validator IP.
  4. Apply import policies to drop routes marked as Invalid by the validator.
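
The origin check described in the mechanics section and enforced in step 4 above, as an added example (not code from the original article, APNIC or any validator project). It classifies announcements as valid, invalid or notfound following the RFC 6811 origin validation procedure and applies a drop-invalid import policy; the ROA data, announcements and function names are constructed for illustration from documentation prefixes and AS numbers.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: the (prefix, maxLength, ASN) tuple a validator gives the router."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849) and ASNs (RFC 5398).
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("203.0.113.0/24", 24, 64501),
    VRP("2001:db8::/32", 48, 64500),
]

# (prefix, AS path as received; the last ASN is the origin) -- constructed announcements.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496, 64500]),         # signed, correct origin
    ("192.0.2.0/24", [64496, 64511]),         # signed, wrong origin
    ("203.0.113.128/25", [64496, 64501]),     # right origin, longer than maxLength
    ("2001:db8:1::/48", [64496, 64500]),      # more specific, within maxLength
    ("198.51.100.0/24", [64496, 64511]),      # no covering ROA: unsigned space
    ("192.0.2.0/24", [64496, 64511, 64500]),  # unexpected path, origin still matches
]


def validate(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one route, per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # AS0 in a ROA means "nobody may originate this", so it never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def import_policy(announcements, vrps=VRPS):
    """Drop invalid routes; accept valid and notfound ones, as in step 4."""
    accepted, dropped = [], []
    for prefix, as_path in announcements:
        state = validate(prefix, as_path[-1], vrps)
        (dropped if state == "invalid" else accepted).append((prefix, as_path, state))
    return accepted, dropped


if __name__ == "__main__":
    accepted, dropped = import_policy(ANNOUNCEMENTS)
    for label, routes in (("ACCEPT", accepted), ("DROP", dropped)):
        for prefix, as_path, state in routes:
            print(f"{label:6} {state:8} {prefix:18} path={as_path}")
```

The last two announcements are accepted: unsigned space yields notfound, and ROV never inspects the path, which is the gap that signing more routes and ASPA are meant to close.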

Strict key management becomes necessary because losing private keys prevents updates to authorization records. InterLIR helps operators optimize these IPv4 resources by facilitating secure lease arrangements that include full RPKI support. New deployments inherit valid signatures immediately, bypassing the organizational delays that often stall security projects. Structured guidance accelerates technical adoption notably across the 56 distinct economies. This approach transformed a fragmented environment where BGP trust models previously allowed invalid routes to propagate unchecked. The mechanism relies on Internet exchanges acting as enforcement points rather than passive interconnection facilities. Operators configure border routers to query local validators before accepting peer announcements, effectively filtering invalid prefixes at the edge.

  1. Establish a regional working group comprising substantial ISPs and exchange points.
  2. Define a strict timeline for RPKI signing of all originated prefixes.
  3. Enable ROV policies on peering sessions to reject invalid routes immediately.

Sustaining momentum beyond initial deployment phases requires significant volunteer leadership. The deployment of 30 active Community Trainers across 15 locations demonstrates a scalable method for regional capacity building. Smaller networks often lack the internal expertise to manage certificate lifecycles effectively without such structured support. InterLIR recommends using these community frameworks to optimize existing IPv4 resources while securing the routing plane. Operational overhead of maintaining valid Route Origin Authorizations remains lower than the cost of inaction. Networks ignoring this shift risk losing connectivity as upstream providers increasingly filter unsigned announcements by default.

Implementation: Checklist for Embedding RPKI Requirements in Connectivity Agreements

Embedding RPKI clauses into connectivity contracts transforms voluntary best practices into binding service obligations. Operators must modify standard terms to mandate Route Origin Verification for all peering sessions, eliminating reliance on informal trust. This contractual shift addresses the reality that technical barriers have yielded to organizational inertia.

  1. Define ROA publication timelines within the Service Level Agreement.
  2. Mandate rejection of invalid BGP announcements at border routers.
  3. Require quarterly compliance reports from upstream transit providers.
  4. Establish termination rights for persistent routing hygiene failures.

| Clause Type | Technical Requirement | Enforcement Mechanism |
|---|---|---|
| Origin Auth | Publish ROA records | Automated daily checks |
| Filtering | Drop invalid routes | Log-based audits |
| Reporting | Share validation stats | Quarterly review |

Neglecting these stipulations leaves networks vulnerable to hijack events despite available tools. Community initiatives like MANRS provide the normative framework for such agreements. InterLIR enables access to verified IPv4 blocks with full RPKI readiness to ensure imme Contractual use remains the most underutilized vector for accelerating global routing security.

About

Alexei Krylov, Head of Sales at InterLIR, brings critical market perspective to the discussion on the Routing Security SIG. While the article highlights Terry Sweetser's volunteer leadership within APNIC, Krylov's daily work managing IPv4 resources and BGP security at a global marketplace directly complements these technical governance efforts. At InterLIR, Krylov oversees transactions requiring rigorous route object verification and IP reputation checks, making him acutely aware of the real-world consequences of routing vulnerabilities. His experience navigating Regional Internet Registry (RIR) policies ensures that the strategic goals of the Routing Security SIG align with practical industry needs for stable, secure address transfers. By connecting high-level policy discussions with the operational realities of IPv4 leasing and brokerage, Krylov bridges the gap between community-led security initiatives and the commercial imperative for a trustworthy Internet infrastructure.

Conclusion

Scaling route security reveals that technical deployment alone fails without contractual enforcement. While RPKI coverage nears ubiquity, the operational cost shifts from configuration to continuous legal verification of upstream behavior. Networks relying on informal trust rather than binding Service Level Agreements face increasing connectivity fragmentation as global filters tighten. The window for voluntary compliance has closed; providers must now treat routing hygiene as a mandatory service metric comparable to uptime or latency.

Operators should immediately amend procurement playbooks to mandate ROA publication timelines and explicit termination rights for persistent validation failures. This approach transforms routing security from an optional engineering task into a fundamental business requirement. Do not wait for a substantial incident to justify these changes, as the industry trajectory clearly favors strict filtering of unsigned announcements.

Start this week by reviewing your current transit contracts for specific invalid route rejection clauses. If your agreement lacks language requiring upstream providers to drop unvalidated announcements or share quarterly compliance stats, draft an addendum today. This single administrative step secures your network perimeter more effectively than any standalone hardware upgrade.

Frequently Asked Questions

Technical solutions exist, but organizational inertia blocks universal adoption. Although validation covers 85% of traffic, most routes remain unsigned, leaving networks vulnerable to hijacks despite available tools.

Top networks validate origins, yet significant exposure remains globally. While 85% of traffic flows through validating networks, only a third of routes are signed, creating a critical security gap.

Validation filters invalid announcements, but unsigned paths remain risky.

Operators must actively sign their route announcements immediately.

Institutional knowledge sits with a small, aging cohort of operators. Without transferring this expertise to new generations, the community cannot sustain the momentum needed to sign more routes.