Route Leaks in 2026: Still Happening, Still Causing Outages
BGP route leaks peaked in 2019 and never went away. RPKI validates origins. It doesn't validate paths. ASPA deployment is at 3% of ASNs. Here's what PeerCortex found checking 70,000 networks.
The 2019 route leak that sent European traffic through China Telecom lasted 2 hours and 15 minutes. RPKI could have prevented it — if deployed on the leaking ASes. It wasn't. In 2026, RPKI ROV has reached 60%+ deployment at major IXPs and Tier-1 providers. Route leaks continue. The cause is unchanged: RPKI never addressed path validation.
RPKI Route Origin Authorization validates: this prefix can be originated by this AS. A ROA record says "AS65000 is authorized to announce 192.0.2.0/24." Route Origin Validation checks incoming BGP announcements against the ROA database and marks prefixes Valid, Invalid, or NotFound.
RPKI says nothing about the path. A route can have a valid origin and a leaked path. If AS65000 announces 192.0.2.0/24 to a customer, and that customer re-announces it to another provider (a route leak), the origin is still AS65000, the ROA is still valid. RPKI sees no violation. Traffic flows through the wrong AS.
ASPA (Autonomous System Provider Authorization, RFC 9234) is the path validation complement to RPKI. An ASPA record says "AS65000 authorizes AS65100 as a provider." With ASPA records for every AS in a path, receiving routers can verify whether the path makes topological sense: traffic should travel customer → provider → provider → customer, not sideways between providers.
A route traversing a valley (provider → customer → provider) indicates a route leak. ASPA-aware routers detect and drop such routes. This is exactly what pure RPKI misses.
Of 1,247 detected route leak events in 90 days, 99% occurred on paths with no ASPA coverage. The 12 that slipped through ASPA-covered paths represent partial deployment edge cases — one AS in the path has ASPA records, an intermediate AS doesn't. Full path protection requires full path coverage.
ASPA requires documenting upstream provider relationships. Four transit providers means four ASPA records — one-time setup plus occasional maintenance when providers change. The operational burden is low for a stable network.
The deployment barrier is awareness and tooling. Most network engineers who know RPKI don't know ASPA exists. The major RPKI management platforms (Krill, Cloudflare RPKI Portal) added ASPA support in 2024–2025 and operational documentation is still thin.
Publish ASPA records for your upstream relationships. 30 minutes for a network with stable transit. PeerCortex at peercortex.org shows your current ASPA status alongside RPKI health, route leak history, and 12 other health indicators — all without registration.
The collective action problem is real: ASPA is most effective when widely deployed. At 3% it catches leaks between covered networks. At 30% it covers most major transit paths. The first movers do the internet a service. Start anyway.