The Internet Routing System Is Finally Getting Secure — Here's What Took So Long

In 1989, Border Gateway Protocol (BGP) was designed for a cooperative internet between trusted parties, with no authentication and no ownership verification. That design caused forty years of intermittent chaos.

In 2008, Pakistan Telecom accidentally announced it owned YouTube's IP addresses, knocking the site offline globally for two hours. In 2018, Google traffic was rerouted through Russia and Nigeria due to BGP misconfiguration. None of these required sophisticated hacking — they exploited the fact that BGP takes routing announcements at face value.

What RPKI Actually Does

Resource Public Key Infrastructure (RPKI) is the cryptographic fix the internet has deployed since 2011. The Regional Internet Registries issue Route Origin Authorizations (ROAs) proving that a given Autonomous System is allowed to announce a given IP prefix. If a route announcement claims addresses the AS does not own, it is marked invalid and dropped by enforcing networks.

Why Adoption Took a Decade

Creating and maintaining ROAs requires operational work from busy network operators. Dropping invalid routes requires confidence in your own ROA configuration. The turning point came when large networks enforced strict RPKI. AT&T, Comcast, AWS, Google, and Cloudflare now drop invalid routes outright. As of mid-2026, roughly 45% of announced BGP prefixes have valid ROAs — and the proportion that cannot be successfully hijacked is far higher because most major transit providers enforce.

What RPKI Does Not Solve

RPKI validates only the origin AS, not the path. Sophisticated AS path manipulation attacks are not stopped by RPKI alone. BGPsec would fix this but requires every AS in a path to deploy it, making universal adoption far harder. MANRS (Mutually Agreed Norms for Routing Security) fills operational gaps; over 1,000 networks have joined.

What Operators Should Do Now

If you operate a network with registered IP space, creating ROAs in your Regional Internet Registry portal is the most impactful step. Deploying an RPKI validator and dropping invalid routes is next. In 2026, RPKI deployment is basic routing hygiene. After four decades of trusting BGP, cryptographic verification is finally becoming the default.