Event: APNIC 61 / APRICOT 2026
Location: Jakarta, Indonesia
Date: Tuesday, 10 February 2026
Chairs: Terry Sweetser, Taiji Kimura
The Routing Security SIG at APNIC 61 highlighted a maturing landscape in APAC’s routing hygiene. The standout theme of the session was the "Indonesia Success Story," demonstrating how a coordinated national effort between an NIR (IDNIC) and an IXP (IIX) can achieve >90% ROA coverage and enforce "Drop Invalid" policies at scale.
While RPKI ROA adoption is high in Southeast Asia, the session shifted focus toward the next frontier: Autonomous System Provider Authorization (ASPA). The presentations struck a balance between operational realities, real-world hijack incidents, academic research, and the standardization required to future-proof the RPKI transport layer.
Speaker: Syarif Lumintarjo (IDNIC/APJII)
This was the operational highlight of the SIG, showcasing Indonesia as a global leader in RPKI deployment.
The Data: Valid ROA coverage in Indonesia skyrocketed from 1% in Nov 2020 to 86% in Feb 2025, with a projection of 90% by this month.
Operational Enforcement: The Indonesia Internet Exchange (IIX) began strictly dropping RPKI Invalids in 2023. They currently filter invalids for over 790 peers.
Strategy: IDNIC achieved this through a "carrot and stick" approach: developing "myIDNIC" for easy ROA creation, implementing "RPKI Badges" for gamification, and taking direct action by emailing members with unsecured BGP advertisements.
Speaker: Tim Bruijnzeels (RIPE NCC)
As ROA adoption saturates, the focus is moving to Autonomous System Provider Authorization (ASPA). Tim provided the technical "rulebook" for deployment based on the IETF profile draft-ietf-sidrops-aspa-profile.
The "All Upstreams" Rule: Operators must include ALL IP Transit Providers (upstreams) in their ASPA records.
The "No Peers" Rule: Do NOT include lateral peers or transparent route servers. If you include a peer, you are authorizing them to act as your upstream, which breaks the valley-free routing logic and security model.
The "AS 0" Rule: For Tier-1 networks or those with no upstream providers, an ASPA record should be created authorizing AS 0. This explicitly signals that the network has no providers, preventing malicious actors from claiming to be their upstream.
Speakers: Sanjaya (APNIC) & Carlos Martinez (LACNIC)
This session provided the "security justification" for ASPA, moving beyond simple fat-finger error correction.
The Incident: A bad actor successfully hijacked LACNIC address space not by hacking a router, but by socially engineering a multinational transit provider (using fake letterheads) into accepting the announcement.
The Gap: A ROA existed, but because the attacker convinced a legitimate upstream to propagate the route, the path looked "plausible" to the outside world until manual intervention occurred.
The ASPA Solution: The speakers emphasized that ASPA is the necessary defense against this specific attack vector. If the victim ASN had an ASPA record, the rest of the internet would have seen that the multinational transit provider was not an authorized upstream for that prefix, and the hijack would have been automatically dampened.
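Added example (not from the presentations or from any RPKI software): a simplified ASPA upstream-path check, run on a constructed table, that ties the three deployment rules above to the hijack scenario by showing which paths a verifier would reject. It follows the hop-by-hop idea of the SIDROPS ASPA verification draft in reduced form (no AS_SET handling, no downstream procedure). All ASNs are documentation-range values and all function names are assumptions made for this illustration.

```python
# Constructed data: documentation-range ASNs, not real RPKI records.
VICTIM, UP_A, UP_B, TIER1, PEER, TRICKED = 64500, 64501, 64502, 64510, 64503, 64505

def aspa_table(victim_providers):
    """Customer ASN -> authorized provider set (constructed sample)."""
    return {
        VICTIM: set(victim_providers),
        UP_A: {TIER1},
        UP_B: {TIER1},
        PEER: {TIER1},
        TIER1: {0},  # "AS 0" rule: this network declares it has no providers
    }

def hop(customer, provider, aspa):
    """Classify one customer-to-provider hop against the ASPA table."""
    providers = aspa.get(customer)
    if providers is None:
        return "no-attestation"
    return "provider" if provider in providers else "not-provider"

def verify_upstream(as_path, aspa):
    """Check a path received from a customer or lateral peer.
    as_path is in BGP order: neighbor first, origin last."""
    if not as_path:
        return "invalid"
    # Collapse prepends, then walk from the origin toward the verifier.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    path.reverse()
    results = [hop(path[i], path[i + 1], aspa) for i in range(len(path) - 1)]
    if "not-provider" in results:
        return "invalid"
    if "no-attestation" in results:
        return "unknown"
    return "valid"

CORRECT = aspa_table({UP_A, UP_B})          # all upstreams, no peers
WITH_PEER = aspa_table({UP_A, UP_B, PEER})  # breaks the "No Peers" rule

def demo():
    return {
        "legit_upstream": verify_upstream([UP_A, VICTIM], CORRECT),
        "tricked_transit": verify_upstream([TRICKED, VICTIM], CORRECT),
        "peer_leak": verify_upstream([TIER1, PEER, VICTIM], CORRECT),
        "peer_leak_peer_listed": verify_upstream([TIER1, PEER, VICTIM], WITH_PEER),
        "fake_upstream_of_tier1": verify_upstream([64499, TIER1, UP_A, VICTIM], CORRECT),
        "origin_without_aspa": verify_upstream([TIER1, 64520], CORRECT),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The "peer_leak_peer_listed" case comes back valid: listing a lateral peer in the provider set makes a leak through that peer indistinguishable from a legitimate upstream path.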
Speaker: Shane Hermoso (APNIC)
Shane provided the regional "report card," revealing a sharp divide in the APAC region.
Southeast Asia is Leading: SE Asia has reached 92.4% IPv4 Valid coverage. Vietnam (98.5%) and the Philippines (96.1%) are top performers.
East Asia Lagging: East Asia sits at only 31.0% valid coverage. This low percentage is primarily driven by the ongoing low adoption rates in China, which stands in stark contrast to the near-universal adoption seen in Southeast Asian economies.
Speaker: Tom Harrison (APNIC)
Technical updates on the standards track aimed at addressing scalability issues in the RPKI ecosystem.
Erik Synchronization Protocol: This protocol was highlighted as a significant optimization for scaling RPKI. By introducing "Erik Relays" and Merkle tree-based repair, it promises to make the propagation of records highly resilient, solving the fragility issues of the current rsync/RRDP dependency.
Trust Anchor (TA) Constraints: New mechanisms to prevent a Trust Anchor (like an RIR) from claiming resources it doesn't own.
Speaker: Zhan Jiangou (Tsinghua University)
The Proposal: A framework to verify AS-Paths without globally exposing business relationships.
Mechanism: Uses a "Validator-assisted" architecture where ASes share encrypted relationship data with trusted validators rather than the whole world.
Synthesized ASPA Deployment Advice: Combining the insights from Tim, Sanjaya, and Carlos, the SIG offers the following best practice advice for ASPA deployment:
Authorization: Create ASPA records authorizing only your transit providers (upstreams).
Exclusion: Explicitly exclude lateral peers to prevent route leaks.
Defense: View ASPA not just as a leak-prevention tool, but as a defense against social engineering attacks where unauthorized upstreams are tricked into propagating your space.
Resilience via the Erik Protocol: The introduction of the Erik Synchronization Protocol is timely. As RPKI becomes mission-critical infrastructure, the fragility of current transport mechanisms is a liability. The Erik protocol represents a significant optimization for scaling and high resilience that the industry must track closely.
ASPA Vendor "Catch Up": With the Autonomous System Provider Authorization profile nearing RFC status, the pressure shifts from standards bodies to vendors. There is now an urgent need for significant "catch up" by hardware vendors to bring ASPA support from "experimental" to "production-grade" in router firmware.
The China Gap: While we celebrate the success in Southeast Asia, the low adoption rate in China remains a critical gap in the regional routing security posture. Targeted outreach to Chinese operators may be required to improve the overall health of the APAC routing table.
Report prepared by:
Terry Sweetser
Chair, APNIC Routing Security SIG
Transparency Note: This report was drafted with the assistance of Artificial Intelligence tools for transcript ingestion and summarization.