ASPA Lookup

Check which upstream transit providers an Autonomous System has authorized via BGP ASPA objects. Enter an ASN to see its provider authorization records.

How ASPA Works

1. Declare providers

An AS publishes an ASPA object listing its authorized upstream transit providers in RPKI.

2. Validate paths

Receiving networks verify that each provider-customer hop in the AS path is authorized by an ASPA record.

3. Detect leaks

Routes with unauthorized provider relationships are flagged as potential route leaks or path manipulation.

ASPA vs ROA: The BGP Security Stack

ROA (Route Origin Authorization)

  • Secures the origin — who can announce a prefix
  • Prevents prefix hijacking
  • Widely deployed (~50% of routes)

ASPA (Provider Authorization)

  • Secures the path — who can be an upstream provider
  • Prevents route leaks and path manipulation
  • Early adoption (growing rapidly)
  • Complements ROA for full path security

Frequently Asked Questions

What is ASPA?

ASPA (Autonomous System Provider Authorization) is a new RPKI object defined by the IETF (draft-ietf-sidrops-aspa-profile). It lets an Autonomous System declare which other ASNs are its authorized upstream transit providers. This creates a cryptographically signed record of the provider-customer relationship, making it possible to detect and reject route leaks and path manipulation attacks in BGP.

How is ASPA different from ROA?

ROAs (Route Origin Authorizations) validate the first hop — which ASN is allowed to originate a prefix. ASPA validates the intermediate hops — which ASNs are authorized upstream providers along the AS path. Together, ROA secures the origin and ASPA secures the path. A forged or leaked AS path (route leak or path manipulation) can be detected by ASPA even if the origin ASN is correct.

What does an ASPA record contain?

An ASPA record contains a customer ASN and a set of provider ASNs. For example, if AS64500 has transit from AS174 (Cogent) and AS6939 (Hurricane Electric), the ASPA record states: 'AS64500 authorizes AS174 and AS6939 as upstream providers.' If a route claims AS64500 reaches the internet via AS3356 (Lumen), but AS3356 is not in the ASPA, that path is suspicious.

What does AS0 mean in an ASPA?

An ASPA record that lists AS0 as the only provider declares the customer ASN as 'transit-free' — it has no upstream transit providers and peers directly at the top of the routing hierarchy. This is typical for Tier 1 networks. It means any route showing this ASN as a customer of another ASN is invalid.
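
The hop-by-hop check from "How ASPA Works" and the AS0 rule above, as an added example that is not code from this site or from the IETF drafts. It covers only a route received from a customer, where every hop from the origin onward must run customer to provider; the ASPA table is constructed, with AS64500's record taken from the FAQ and AS64496 and AS64511 as made-up ASNs.

```python
# Constructed ASPA data: customer ASN -> set of authorized provider ASNs.
# AS64500's record is the FAQ example; AS64496 is a made-up transit-free AS.
ASPA = {
    64500: {174, 6939},
    64496: {0},  # AS0 as the only provider: "no upstream providers"
}


def hop(customer, provider, aspa=ASPA):
    """Classify one claimed customer -> provider hop."""
    providers = aspa.get(customer)
    if providers is None:
        return "no-attestation"  # customer has published no ASPA
    # AS0 is never a real neighbor, so it can never authorize a hop.
    if provider != 0 and provider in providers:
        return "provider"
    return "not-provider"


def verify_upstream(as_path, aspa=ASPA):
    """Check a path in BGP order (newest AS first, origin last).

    Returns "invalid" if any hop contradicts an ASPA, "unknown" if some hop
    has no ASPA to check against, and "valid" if every hop is authorized.
    """
    path = []
    for asn in reversed(as_path):        # walk origin -> neighbor
        if not path or path[-1] != asn:  # collapse AS path prepending
            path.append(asn)
    results = [hop(c, p, aspa) for c, p in zip(path, path[1:])]
    if "not-provider" in results:
        return "invalid"
    if "no-attestation" in results:
        return "unknown"
    return "valid"


if __name__ == "__main__":
    for p in ([174, 64500], [3356, 64500], [64511, 174, 64500, 64500],
              [6939, 64496]):
        print(p, "->", verify_upstream(p))
```

A route received from a provider needs an additional check for the descending half of the path, which this block does not implement.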

How widely is ASPA deployed?

ASPA is still in early adoption (the IETF draft is not yet an RFC). However, several RIRs already support publishing ASPA objects, and major transit providers are beginning to create records. Use the stats on this page to see current adoption numbers.

Can I query ASPA data via API?

Yes. The GET /v1/asn/{asn} endpoint returns ASPA data showing upstream providers and downstream customers for any ASN. The response includes the provider list, whether the ASN is transit-free, and the total ASPA object count. Free tier includes 1,000 requests/day.

Programmatic Access

Query ASPA data via the REST API. Get provider authorization records for any ASN.

curl "https://api.ipctl.io/v1/asn/6939"