| Internet-Draft | OOB BGP PATH VALIDATION | June 2026 |
| Voet | Expires 20 December 2026 | |
This document describes a mechanism for mitigating Inter-AS routing exploits and path tampering without introducing real-time cryptographic processing overhead on core routing engines. By utilizing Out-of-Band (OOB) Cryptographic Validation combined with localized caches via the RPKI-to-Router (RTR) protocol and Autonomous System Provider Authorization (ASPA), networks can asynchronously verify path plausibility. This architecture supports incremental, partial deployment to protect infrastructure against malicious traffic redirection and unauthorized path propagation at major internet exchange points.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 20 December 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
The global routing system relies on the Border Gateway Protocol (BGP), which is inherently vulnerable to route hijacking and path manipulation. While Resource Public Key Infrastructure (RPKI) provides Route Origin Validation (ROV), it lacks the ability to validate path integrity. Malicious actors can bypass origin filters by forging an unauthorized transit path (AS_PATH) while retaining a legitimate origin AS at the end of the chain. These manipulated paths propagate through large interconnection hubs, such as the Amsterdam Internet Exchange (AMS-IX), enabling cross-border infrastructure manipulation and digital harassment.
Previous attempts to secure the path layer (e.g., S-BGP) failed due to the massive CPU overhead required for real-time cryptographic signing on core routers. This document outlines an upgradable, backward-compatible solution utilizing localized, asynchronous validation to achieve path security with zero additional router CPU cycles.
To eliminate processing overhead on live forwarding planes, validation is decoupled from standard routing updates using an asynchronous model:
Instead of forcing core routers to execute real-time cryptographic signature checks on every incoming route advertisement, routers connect locally to an out-of-band validator using the RTR protocol. The validator pre-computes and signs the valid cryptographic ledger.
Validation occurs out-of-band using specialized RPKI validating caches (e.g., Routinator). Routers download verified public key ledgers asynchronously in the background. This allows routers to instantly filter or block unauthenticated, spoofed paths using a local memory lookup table without degrading traffic throughput.
This architecture allows for seamless partial deployment. Individual networks can implement these validation caches independently to protect their users immediately, without requiring a coordinated, simultaneous upgrade across all global transit networks.
Alongside local cache validation, networks deploy ASPA to combat path spoofing. ASPA utilizes cryptographically signed objects in the RPKI to define authorized provider lists for an AS. Routers use these lightweight, pre-computed profiles to verify path plausibility and automatically flag unauthorized route leaks before they propagate.
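The following sketch is an added example, not text or code from this draft. It shows how a router-side lookup over a pre-validated ASPA table can reject a forged transit path whose origin AS would still pass ROV. It is modeled on the hop-check procedure for routes received from customers and lateral peers in draft-ietf-sidrops-aspa-verification; the table contents, function names, and AS numbers (documentation and private-use ranges) are constructed assumptions, and the provider-received (downstream) case is not covered.

```python
# Added example: ASPA upstream path check over a local, pre-validated table.
# All AS numbers and table entries below are constructed for illustration.
from itertools import groupby

# Constructed ASPA table as an RTR-fed cache might hold it in memory:
# customer AS -> set of authorized provider ASes.
ASPA = {
    64500: {64501},          # origin AS: one authorized provider
    64501: {64502, 64503},   # regional transit: two authorized providers
}

def hop(customer, provider, aspa):
    """Classify one hop as 'provider', 'not-provider' or 'no-attestation'."""
    providers = aspa.get(customer)
    if providers is None:
        return "no-attestation"          # customer AS has published no ASPA
    return "provider" if provider in providers else "not-provider"

def verify_upstream(as_path, neighbor, aspa):
    """Verify a path received from a customer or lateral peer.

    as_path is ordered as on the wire: neighbor AS first, origin AS last.
    An AS_SET segment is represented here as a Python set (assumption).
    """
    if not as_path or any(isinstance(seg, set) for seg in as_path):
        return "invalid"                 # empty path or AS_SET present
    path = [asn for asn, _ in groupby(as_path)]   # collapse prepending
    if path[0] != neighbor:
        return "invalid"                 # first AS must be the BGP neighbor
    path.reverse()                       # origin first, neighbor last
    results = [hop(c, p, aspa) for c, p in zip(path, path[1:])]
    if "not-provider" in results:
        return "invalid"                 # some hop contradicts a signed ASPA
    if "no-attestation" in results:
        return "unknown"                 # partial deployment: cannot decide
    return "valid"
```

The "unknown" outcome is what makes partial deployment workable: a hop through an AS with no ASPA neither fails nor vouches for the path, so local policy decides how to treat it.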
This document addresses the exploitation of standard BGP implicit trust. By shifting cryptographic computation to an out-of-band local cache, this mechanism prevents denial-of-service conditions on core routers caused by high-volume malicious routing updates. It specifically blocks unauthorized transit path injection used for traffic interception.
This document has no actions for IANA.