BGP Hijacking Remains a Structural Flaw in Internet Routing — RPKI Adoption Is the Fix

The Protocol That Runs the Internet Has No Built-In Authentication
Every time you load a website, your traffic crosses dozens of autonomous systems — the independently managed networks operated by ISPs, cloud providers, and enterprises. These networks exchange routing information using the Border Gateway Protocol (BGP), a system designed in 1989 by engineers sketching ideas on a napkin at an IETF meeting. The protocol operates on trust: when a network announces that it owns a block of IP addresses, every other network believes it. There is no cryptographic proof required.
That structural deficit has produced decades of incidents. In April 2010, China Telecom briefly hijacked routes for 15% of global internet traffic, redirecting it through Chinese networks for 18 minutes. In 2018, attackers hijacked BGP routes for Amazon Route 53's DNS resolvers to steal $152,000 in Ethereum cryptocurrency. In 2022, a misconfiguration at Vodafone Germany caused a BGP leak that disrupted connectivity for millions of users across Europe. These are not edge cases — researchers at CAIDA logged over 1,700 confirmed BGP hijacking events in 2023 alone.
RPKI: The Cryptographic Fix That's Been Available Since 2012
Resource Public Key Infrastructure (RPKI) is a framework standardized by the IETF in RFC 6480 (2012) that ties IP address ownership to cryptographic certificates. Network operators create Route Origin Authorizations (ROAs) — signed attestations that say "Autonomous System X is the legitimate origin for prefix Y." Routers configured to validate these signatures can detect and reject invalid route announcements before they propagate.
RPKI does not encrypt traffic. It does not hide routing tables. It specifically solves the origin validation problem: verifying that the network claiming to originate a route actually has the right to do so. This catches the majority of real-world BGP hijacks, which are either accidental misconfiguration or deliberate prefix hijacking by malicious actors impersonating legitimate networks.
The measured effectiveness of RPKI is strong. A 2023 study by NIST and University of Maryland found that networks with RPKI Route Origin Validation (ROV) enforcement rejected 95% of tested hijack attempts. Without ROV, those same networks accepted 94% of the malicious announcements.
Adoption Numbers: Where the Internet Actually Stands in 2026
RPKI adoption has accelerated since 2020, but the internet is far from protected. As of May 2026, the RIPE NCC's routing security dashboard shows approximately 47% of globally routed IPv4 prefixes are covered by valid ROAs. For IPv6, coverage is around 52%. But ROA creation is only half the equation — networks must also enforce route origin validation, rejecting routes that fail RPKI checks.
Enforcement (ROV) adoption lags further behind. Measurements by the Internet Society's MANRS (Mutually Agreed Norms for Routing Security) observatory suggest roughly 35% of Autonomous Systems actively enforce RPKI validation as of early 2026. The gap between "has ROAs created" and "actually enforces them" is where hijacks continue to succeed.
The major cloud providers are leading adopters. Amazon Web Services, Google Cloud, Microsoft Azure, and Cloudflare all enforce RPKI ROV on their networks. Cloudflare in particular has published its enforcement statistics publicly, showing it rejects millions of invalid route announcements monthly. The laggards are primarily regional ISPs in Southeast Asia, Latin America, and parts of Africa, where routing security investment has historically been lower.
Why Full Adoption Stalls: The Operator Reality
The technical case for RPKI is unambiguous. The operational barriers are real. Configuring RPKI requires network engineers to maintain an accurate, up-to-date ROA database — a discipline that existing teams often lack. Stale or incorrect ROAs are themselves a reliability risk: if a legitimate network's ROA expires and it doesn't update it, RPKI-enforcing routers will reject its routes as invalid, causing an outage. This "ROA rot" has caused real disruptions and makes cautious operators reluctant to enable strict enforcement.
The certification authority hierarchy also adds complexity. IP address space is delegated through five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC), each of which operates its own Trust Anchor for RPKI. Operators must interact with their RIR to create ROAs, a process that ranges from straightforward self-service portals (RIPE NCC's interface is considered best-in-class) to cumbersome ticketing workflows.
There is also a collective action problem. A network that enforces RPKI gains only partial protection — an invalid route can still reach it via a non-enforcing neighbor. Broad security benefits require broad adoption, yet individual operators bear the operational costs while the positive externalities accrue to everyone. This is why mandates and regulatory pressure matter: the EU's NIS2 directive, which went into effect in October 2024, explicitly lists BGP security measures including RPKI as expected technical controls for essential network operators.
Beyond RPKI: Path Validation and BGPsec
RPKI with ROV validates that a route's origin AS is legitimate. It does not validate the path — the sequence of ASes a route announcement traversed to reach your router. An attacker who has legitimate routing rights to some prefixes can still perform "route leak" attacks by advertising routes with manipulated AS paths.
BGPsec (RFC 8205), an extension that adds cryptographic signatures to every hop in the AS path, is the theoretical answer. In practice, BGPsec has near-zero deployment because it requires all networks in a path to support it before any path-level security benefits materialize. The IETF's SIDROPS working group is actively developing lighter-weight alternatives, including Autonomous System Provider Authorization (ASPA), which verifies provider-customer relationships without full per-hop signatures.
ASPA is gaining traction faster than BGPsec. As of 2025, RIPE NCC has integrated ASPA object creation into its portal, and several major European ISPs have begun deploying it. ASPA can catch a category of route leaks that pure RPKI ROV cannot, specifically scenarios where a customer re-advertises routes received from a provider to a different provider — a common vector in major outages like the 2019 Cloudflare outage triggered by a small Pennsylvania ISP.
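An added illustration, not code from the article or from the IETF SIDROPS draft: a Python implementation of the ASPA upstream check (the case where a route arrives from a customer), with constructed ASPA records and private ASNs, run on the leak scenario just described, where a customer re-advertises a route it learned from one provider to a second provider.

```python
# Constructed ASPA records: customer AS -> authorised provider ASes (private ASNs).
ASPA = {
    64500: {64510, 64520},  # the customer, multihomed to two providers
    64510: {64600},         # provider 1, whose only upstream is a tier-1
    64520: {64600},         # provider 2, likewise
    64700: {64500},         # origin single-homed behind the customer
    64710: {64510},         # origin single-homed behind provider 1
}

def hop(customer_as: int, provider_as: int) -> str:
    """ASPA hop check: is provider_as an authorised provider of customer_as?"""
    if customer_as not in ASPA:
        return "No Attestation"
    return "Provider+" if provider_as in ASPA[customer_as] else "Not Provider+"

def aspa_upstream(as_path: list) -> str:
    """Upstream ASPA verification for a route learned from a customer.
    as_path is in wire order: as_path[0] is the neighbour that sent the route,
    as_path[-1] the origin. Walking from the origin toward us, every hop must
    be customer -> provider; one hop that is not proves the route was leaked
    (received from a provider and re-advertised to another provider).
    """
    path = []
    for asn in reversed(as_path):  # origin first; collapse AS prepending
        if not path or path[-1] != asn:
            path.append(asn)
    unknown = False
    for customer, provider in zip(path, path[1:]):
        result = hop(customer, provider)
        if result == "Not Provider+":
            return "Invalid"
        if result == "No Attestation":
            unknown = True
    return "Unknown" if unknown else "Valid"

def verify_examples():
    """Routes as seen by provider 2 (AS64520) from its customer AS64500."""
    paths = {
        "customer's own downstream":  [64500, 64700],         # Valid
        "prepended by the customer":  [64500, 64500, 64700],  # Valid
        "leaked from provider 1":     [64500, 64510, 64710],  # Invalid
        "origin without ASPA record": [64500, 64800],         # Unknown
    }
    return {name: aspa_upstream(p) for name, p in paths.items()}
```

The downstream check for routes learned from a provider, which must allow an up-ramp followed by a down-ramp through the path, is not implemented here.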
Actionable Takeaways for Network Operators
If you operate any network infrastructure:
- Create ROAs now via your RIR portal (ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC). RIPE NCC's RPKI portal is the most intuitive. This is low-risk and immediately protects other networks from accidental hijacks originating from your prefixes.
- Enable ROV enforcement on your border routers. Most modern routers (Juniper, Cisco, Nokia, Arista) support RPKI validation natively. Test in logging mode first to identify false positives before switching to enforcement. Tools like NLnet Labs' Routinator and Cloudflare's OctoRPKI can serve as your local RPKI validator.
- Join MANRS (manrs.org). The Mutually Agreed Norms for Routing Security program provides implementation guidance and public accountability. As of May 2026, MANRS has 900+ participating networks and is increasingly referenced in procurement and peering decisions.
- Audit your ROA expiry dates. ROA rot is a real operational risk. Automate expiry monitoring — most RIR portals support email alerts, and third-party tools like RIPE NCC's RPKI Dashboard provide independent validation.
- Watch ASPA development. If your organization has complex peering relationships, ASPA objects will eventually be worth deploying alongside RPKI ROAs. Follow RIPE NCC's blog and the IETF SIDROPS mailing list for readiness signals.