ADHD Diary #004 — ASPA, a Bad Doctor's Day, and Why PeerCortex Has Had This for a While

Today was not a good day.

Since my spinal disc surgery, nothing has been working the way it should. Today was the full doctors' marathon — from practice to practice, hour after hour, and at the end the same message in different variations: things are not good. I know that myself. I live with it. But having it confirmed again and again while spending half the day in waiting rooms takes something out of you.

Still — or maybe precisely because of that — the rest of the day was productive. Sometimes the brain just needs something to chew on.

Cloudflare Launched ASPA on Radar Today

While sitting between appointments and looking at my phone, the Q1 update from Cloudflare Radar came in. And there was a headline that immediately woke me up: ASPA deployment tracking is now live on Cloudflare Radar.

Let me try to explain why this matters, because I think it gets too little attention in the broader tech community.

The Internet routes traffic using BGP — the Border Gateway Protocol. BGP has a fundamental flaw: it just trusts everything. Any network can claim it knows how to reach a given IP prefix. That's how route hijacks happen — someone announces a path that isn't theirs, and suddenly foreign traffic is flowing through their infrastructure.

RPKI was the first real fix: networks can cryptographically sign which AS is authorized to originate a given IP prefix. That prevents origin hijacks. But it says nothing about the path a route is allowed to take.

ASPA — Autonomous System Provider Authorization — closes exactly that gap. An AS publishes a signed object saying: "My legitimate upstream providers are X and Y." Any path claiming otherwise can be marked Invalid and rejected. That's the step from origin authentication to path authentication.

RFC 9582 was finalized in 2024. What Cloudflare shipped today is the public dashboard that makes adoption measurable and visible. Not through mandates, but because suddenly everyone can see how their network compares. That's exactly how RPKI gained momentum too.

Where This All Started for Me

ASPA is not a new topic for me — and the origin is very concrete.

It was the Advanced BGP Security Workshop at nzNOG 2026, organized by NSRC and delivered by Dr. Philip Smith and Warren Finch. The workshop goes deep into BGP security — RPKI, route filtering, and ASPA as the next logical step beyond RPKI. It's where I first truly understood why origin authentication alone isn't enough and why path authentication is the missing layer.

Philip and Warren explained it in a way that makes it tangible — not just as RFC text, but as a concrete operational problem that real networks have today. Out of that workshop came the foundation for PeerCortex. The question was: why is there no tool that makes these concepts accessible to everyone — no account, no enterprise contract, just open source?

PeerCortex Has Had This Since Day One — and Is Already Further Along Than Planned

PeerCortex went live on March 26, 2026 — and ASPA was there from the first commit. That was the whole point.

When you analyze an AS on peercortex.org today, you already see the ASPA status of upstreams, RFC 9582-compliant path verification, and an ASPA readiness score from 0–100. Over 1,567 ASPA objects loaded live from the Cloudflare RPKI feed, refreshed every 4 hours, no middleware.

The ASPA analysis already shows a three-tab view — Status, Path Verification, and Provider Graph — everything on one card. The Status tab shows at a glance whether an ASPA object exists for a given AS, which upstream providers were detected via BGP path analysis, and a ready-to-copy ASPA template. The Path Verification tab makes the interesting part visible: a readiness score, ROA coverage, and how many analyzed paths are valid, invalid, or unknown under ASPA rules. The Provider Graph shows detected upstream relationships classified by Tier 1, Transit, and IX/Peer.

What's coming next: a Visual Hop Chain — instead of a table column with "PP / NPP / NoAttestation", a directly readable chain:

[AS174] ──●── [AS3356] ──✗── [AS24940]
  Cogent   PP   Lumen   NPP   Hetzner

Green arrow = verified. Red arrow = not verified. Grey = no attestation. Readable at a glance, no table to decode.
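
Added example, not part of the original post and not PeerCortex's code: the per-hop PP / NPP / NoAttestation classification behind such a chain, and the Valid / Invalid / Unknown outcome it produces for the upstream case (a route learned from a customer or peer). The ASPA records are constructed, the ASNs come from the documentation range, the function names are hypothetical, and paths are assumed to contain no AS_SET.

```python
# Constructed ASPA records: customer AS -> set of attested provider ASes.
ASPA = {
    64496: {64500, 64501},   # AS64496 attests providers 64500 and 64501
    64500: {64510},          # AS64500 attests provider 64510
    64502: {64500},          # AS64502 attests provider 64500 only
}

def hop(customer, provider, aspa=ASPA):
    """Classify one customer->provider hop: PP, NPP or NoAttestation."""
    if customer not in aspa:
        return "NoAttestation"          # customer published no ASPA object
    return "PP" if provider in aspa[customer] else "NPP"

def dedupe(as_path):
    """Collapse prepending (consecutive repeats of the same AS)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def hop_chain(as_path, aspa=ASPA):
    """Per-hop labels from the origin upward.
    as_path is in BGP order: neighbor first, origin last."""
    up = dedupe(as_path)[::-1]          # origin first
    return [hop(c, p, aspa) for c, p in zip(up, up[1:])]

def verify_upstream(as_path, neighbor, aspa=ASPA):
    """Outcome for a route learned from a customer or lateral peer:
    every hop from the origin up must be customer->provider."""
    if not as_path or as_path[0] != neighbor:
        return "Invalid"                # empty path or wrong first AS
    labels = hop_chain(as_path, aspa)
    if "NPP" in labels:                 # one contradicted hop is enough
        return "Invalid"
    if "NoAttestation" in labels:       # nothing contradicted, but gaps
        return "Unknown"
    return "Valid"
```

A single NPP hop makes the whole path Invalid even when other hops lack attestation, which is why a leak through an AS that has published its providers is caught while the rest of the path is still unattested.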

And a Global ASPA Adoption Widget directly on the front page — from our own RPKI feed: how many ASPA objects exist globally, how many were added in the last week.

All of it free, open source, no account needed. Just peercortex.org.

What Else Happened Today

Between the doctor appointments and the ASPA rabbit hole, a few more things happened on the blog today:

The Read Aloud button is live — every post now has a "Read aloud" button directly above the content. With a progress bar, speed control, and automatic voice selection depending on the browser.

Also, my server crashed twice today. I now know why: too little free RAM, too many concurrent processes, a scraper daemon launching Playwright browsers without the right memory flags on Linux. That gets fixed tomorrow.


Long day. Bad medical news. But ASPA is deployed, PeerCortex is getting better, and the blog can now be read aloud.

That's enough for today.

#BGP #RoutingSecurity #ASPA #RPKI #InternetInfrastructure #NetworkSecurity #OpenSource #Cloudflare #NetworkEngineering #NOG #ADHD #BuildingInPublic