BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects

The Border Gateway Protocol (BGP) as originally designed is known to be vulnerable to prefix (or route) hijacks and BGP route leaks . Some existing BGP extensions can partially solve these problems. For example, Resource Public Key Infrastructure (RPKI) based route origin validation (RPKI-ROV) can be used to detect and filter accidental mis-originations. or can be used to detect and mitigate accidental route leaks. While RPKI-ROV can prevent accidental prefix hijacks, malicious forged-origin prefix hijacks can still occur . RFC9319 includes some recommendations for reducing the attack surface for forged-origin prefix hijacks. This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the RPKI to verify properties of the BGP AS_PATH attribute of advertised routes. ASPA-based AS_PATH verification provides detection and mitigation of route leaks. It also provides protection, to some degree, against prefix hijacks with forged-origin or forged-path-segment (). These new ASPA-based procedures automatically detect such anomalous AS_PATHs in BGP Updates that are advertised between ASes. Both route leaks and hijacks have similar effects on ISP operations. They redirect traffic and can result in denial of service (DoS), eavesdropping, increased latency, and packet loss. The level of risk, however, depends significantly on the extent of propagation of the anomalies. For example, a route leak or hijack that is propagated only to customers may cause bottlenecking within an ISP's customer cone, but if the anomaly propagates through lateral (i.e., non-transit) peers or transit providers, then the ill effects will likely be amplified and may be experienced worldwide. The ability to constrain the propagation of BGP anomalies to transit providers and lateral peers -- without requiring support from the source of the anomaly (which is critical if the source has malicious intent) -- should significantly improve the robustness of the global inter-domain routing system.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The following terms are used with special meanings. The term has the same meaning as in , i.e., "route is ineligible to be installed in Loc-RIB and will be excluded from the next phase of route selection." Customer AS (). Provider AS (). Set of Provider ASes (). For path verification purposes in this document, the peering relationships an AS can have in relation to a neighbor AS are Customer, Provider, Peer, Route Server (RS), RS-client, and Complex. These peering relationships are defined in . All peering relationships are defined locally.

An AS SHOULD register an ASPA. An AS MUST list in its SPAS the union of all its Provider AS(es) and non-transparent RS AS(es) at which it is an RS-client. An AS MUST include a Provider AS in its SPAS regardless of whether it provides connectivity for only IPv4 or only IPv6 or both. In the Complex relationship case ( and ), an AS MUST include the neighbor AS in its SPAS if the neighbor plays Provider role for all or a subset of received or sent prefixes. Thus, if two ASes are exporting both customer and non-customer routes to each other, each AS registers its ASPA including the other AS in its SPAS. The ASes on the boundary of an AS Confederation MUST register ASPAs using the Confederation's global AS number (ASN) as the CAS. An ASPA object showing only AS 0 as a provider AS is referred to as an AS0 ASPA. A non-transparent Route Server AS (RS AS) is one that includes its AS number in the AS_PATH. Registering as AS0 ASPA is a statement by the registering AS that it has no transit providers, and it is also not an RS-client at a non-transparent RS AS. If that statement is true, then the AS MUST register an AS0 ASPA. Normally, a SPAS (see ) is not expected to contain both an AS 0 and other Provider ASes, but an unexpected presence of AS 0 has no influence on the AS_PATH verification procedures (see , ). An AS SHOULD register a single ASPA object. A single ASPA record for an AS ought to prevent race conditions during ASPA updates that might affect prefix propagation. The CA software that provides hosting for ASPA records SHOULD support enforcement of this practice. An AS may have providers that may be used on certain occasions, for an example in case of a DDoS attack. It is RECOMMENDED to add such providers in ASPA in advance, so there will be no race conditions between ASPA distribution and route propagation. During a transition process between different certificate authority (CA) registries, the ASPA records SHOULD be kept identical in all relevant registries.

A CAS is expected to register a single ASPA listing all its Provider ASes (see ). If a CAS has a single cryptographically valid ASPA, then the Union SPAS (U-SPAS) for the CAS equals to SPAS. In case a CAS has multiple cryptographically valid ASPAs, then the U-SPAS for the CAS is the union of AS listed in all SPAS of these ASPAs. Let AS x and AS y represent two unique ASes. A provider authorization function, authorized(AS x, AS y), checks if the ordered pair of ASNs, (AS x, AS y), has the property that AS y is an attested provider of AS x per U-SPAS of AS x. By the term "Provider+", the function signals that AS y plays the role of Provider or non-transparent RS. This function is specified as follows:

Provider authorization function. The "No Attestation" result is returned only when no ASPA is retrieved for the CAS or none of its ASPAs are cryptographically valid. The provider authorization function is used in the ASPA-based AS_PATH verification algorithms described in and .

The procedures described in this document are applicable only to four-octet AS number compatible BGP speakers . If such a BGP speaker receives both AS_PATH and AS4_PATH attributes in an UPDATE, then the procedures are applied on the reconstructed AS_PATH (Section 4.2.3 of ). So, the term AS_PATH is used in this document to refer to the usual AS_PATH as well as the reconstructed AS_PATH. If an attacker creates a route leak intentionally, they may try to strip their AS from the AS_PATH. To partly guard against that, a check is necessary to match the most recently added AS in the AS_PATH to the BGP neighbor's ASN. This check SHOULD be performed as specified in Section 6.3 of with the exception when a route is received from a transparent IX. If the check fails, then the AS_PATH is considered a Malformed AS_PATH and the UPDATE SHALL be handled using the approach of "treat-as-withdraw" . specifies that "treat-as-withdraw" error handling MUST be applied to routes with AS_SET in the AS_PATH. In the current document, routes with AS_SET are given Invalid evaluation in the AS_PATH verification procedures ( and ). See for how routes with Invalid AS_PATH are handled.

Let the sequence {AS(N), AS(N-1),..., AS(2), AS(1)} represent the AS_PATH in terms of unique ASNs, where AS(1) is the origin AS and AS(N) is the most recently added AS and neighbor of the receiving/verifying AS. N is the length of the received AS_PATH in unique ASes. AS(N+1) represents the local (receiving/verifying) AS; it does not explicitly appear in the description of the AS_PATH verification procedures.

Illustration of up-ramp and down-ramp. The AS_PATH may in general have both an up-ramp (on the right starting at AS(1)) and a down-ramp (on the left starting at AS(N)). The up-ramp runs from AS(1) to AS(K). In this ramp, each hop AS(i) to AS(i+1) represents a customer-to-provider peering relationship. The down-ramp runs backward from AS(N) to AS(L). In the down-ramp, each pair AS(j) to AS(j-1) represents a customer-to-provider peering relationship. AS(K) is the apex of the up-ramp, and AS(L) is the apex of the down-ramp. If the AS_PATH has no up-ramp, it results in that K = 1. If the AS_PATH has no down-ramp, it results in that L = N. The up-ramp and down-ramp lengths (measured in the number of ASes) are K and N-L+1, respectively. If the combined length of the up-ramp and down-ramp is equal to N or greater, the AS_PATH is valid (route leak free). If the combined length is less than N, the prefix was leaked or the AS_PATH was malformed (i.e., the AS_PATH is invalid). In other words, the AS_PATH is invalid if apexes of the up-ramp and down-ramp (AS(K) and AS(L), respectively) are apart by more than one hop (i.e., L is K+2 or greater); else, it is valid. ASPA can be used to check if AS y is an attested provider of AS x, and thus the provider authorization function can be used to measure the bounds on up-ramp and down-ramp lengths. The "Not Provider+" outcome of the provider authorization function can be used to calculate the upper boundary of ramp length and the 'No Attestation' outcome can be used to calculate its lower boundary. Below are the formal definitions. Determine the maximum up-ramp length as I, where I is the minimum index for which authorized(A(I), A(I+1)) returns "Not Provider+". If there is no such I, the maximum up-ramp length is set equal to the AS_PATH length N. This parameter is abbreviated as max_up_ramp. The minimum up-ramp length can be determined as I, where I is the minimum index for which authorized(A(I), A(I+1)) returns "No Attestation" or "Not Provider+". If there is no such I, the AS_PATH consists of only "Provider+" pairs; so the minimum up-ramp length is set equal to the AS_PATH length N. This parameter is abbreviated as min_up_ramp. Similarly, the maximum down-ramp length can be determined as N - J + 1 where J is the maximum index for which authorized(A(J), A(J-1)) returns "Not Provider+". If there is no such J, the maximum down-ramp length is set equal to the AS_PATH length N. This parameter is abbreviated as max_down_ramp. The minimum down-ramp length can be determined as N - J + 1 where J is the maximum index for which authorized(A(J), A(J-1)) returns "No Attestation" or "Not Provider+". If there is no such J, the minimum down-ramp length is set equal to the AS_PATH length N. This parameter is abbreviated as min_down_ramp. If the sum of max_up_ramp and max_down_ramp is less than N, the AS_PATH is Invalid. Else, if the sum of min_up_ramp and min_down_ramp is less than N, enough information is not available to perform full AS_PATH verification, and the outcome is set to Unknown. Else, the AS_PATH is Valid. Below are formal procedures for path verification depending on the peering relationship between the receiving AS and its neighbor. These procedures use the compressed sequence representation of AS_PATH {AS(N), AS(N-1),..., AS(2), AS(1)} and the above-defined parameters max_up_ramp, min_up_ramp, max_down_ramp, and min_up_ramp

The upstream verification algorithm described here is applied when a route is received from a Customer or Peer, or is received by an RS from an RS-client, or is received by an RS-client from an RS. In all these cases, the receiving/validating eBGP router expects the AS_PATH to have only an up-ramp (no down-ramp) for it to be Valid. Therefore, max_down_ramp and min_down_ramp are set to 0. The upstream path verification procedure is specified as follows: If the AS_PATH is empty, then the procedure halts with the outcome "Invalid". If the receiving AS is not an RS-client and the most recently added AS in the AS_PATH does not match the neighbor AS, then the procedure halts with the outcome "Invalid". If the AS_PATH has an AS_SET, then the procedure halts with the outcome "Invalid". If max_up_ramp < N, the procedure halts with the outcome "Invalid". If min_up_ramp < N, the procedure halts with the outcome "Unknown". Else, the procedure halts with the outcome "Valid".

The downstream verification algorithm described here is applied when a route is received from a Provider. If the AS_PATH is empty, then the procedure halts with the outcome "Invalid". If the most recently added AS in the AS_PATH does not match the neighbor AS, then the procedure halts with the outcome "Invalid". If the AS_PATH has an AS_SET, then the procedure halts with the outcome "Invalid". If max_up_ramp + max_down_ramp < N, the procedure halts with the outcome "Invalid". If min_up_ramp + min_down_ramp < N, the procedure halts with the outcome "Unknown". Else, the procedure halts with the outcome "Valid".

The specific configuration of a mitigation policy based on AS_PATH verification using ASPA is at the discretion of the network operator. However, the following mitigation policy is RECOMMENDED. Invalid: If the AS_PATH is determined to be Invalid, then the route SHOULD be considered ineligible for route selection (see ) and MUST be kept in the Adj-RIB-In for potential future re-evaluation (see ). Valid or Unknown: When a route is evaluated as Unknown (using ASPA-based AS_PATH verification), it SHOULD be treated at the same preference level as a route evaluated as Valid.

This section describes practical deployment recommendations for applying verification procedures.

A set of examples of AS_PATH verification using the above procedures (, , and ) for illustrative network topologies are provided online (see ).

The verification procedures described in this document MUST be applied to BGP routes with {AFI, SAFI} combinations {AFI 1 (IPv4), SAFI 1} and {AFI 2 (IPv6), SAFI 1} . The procedures MUST NOT be applied to other address families by default. The procedures for ASPA-based AS_PATH verification are intended for implementation on edge routers on the ingress side. This includes edge routers on the boundary of an AS Confederation facing external ASes. However, the procedures are NOT RECOMMENDED for use on internal BGP (iBGP) sessions or eBGP sessions internal to an AS Confederation.

The BGP Role configuration parameter and its cross-check in BGP OPEN message as specified in are RECOMMENDED. The configured BGP Roles SHOULD be used to automate the use of the above-described AS_PATH verification procedures helping to distinguish whether upstream or downstream procedures should be applied. The automatic BGP Role cross-check should facilitate more accurate and effective deployment of ASPA.

If multiple eBGP sessions can segregate the Complex peering relationship into eBGP sessions with normal peering relationships the receiving/verifying AS SHOULD select the algorithm (per or ) for each of the normal sessions based on its peering relation type. If a Complex peering relation cannot be segregated (i.e., when a Complex BGP relationship occurs within one single BGP session), an operator may want to achieve an equivalent outcome by applying an appropriate algorithm ( or ) on a per-prefix basis corresponding to the peering relation for the prefix. If this option is not feasible, then an operator MAY apply the algorithm for downstream paths () to avoid false positive outcomes.

During AS migration, an AS is in a transition phase when it may be configured at eBGP neighbor ASes with its globally configured ASN (i.e., migrated ASN) or a legacy ASN . So, both globally configured ASN and legacy ASN are in use. During this time, the AS MUST register ASPAs having customer AS (CAS) value equal to the globally configured ASN and register separate ASPAs (as appropriate) with CAS value equal to the legacy ASN. The AS MUST communicate with its customer ASes that know only the legacy ASN to inform them about the globally configured ASN. The communication MUST include advice to register ASPAs including both the globally configured ASN and the legacy ASN in the SPAS. The communication may be in any form (e.g., email) mutually preferred by the concerned parties.

For any route with an Invalid AS_PATH, the cause of the Invalid state SHOULD be logged for monitoring and diagnostic purposes. The cause of the Invalid state can be recorded in the form of listing the AS hops which were evaluated by the provider authorization function to be "Not Provider+". The logging router, however, cannot necessarily determine the AS that caused the route leak.

The U-SPAS contains the union of Providers for a CAS for both IPv4 and IPv6 unicast connectivity. This design choice consequently means that if a customer-provider relationship exists for one address family but doesn't exist for the other address family, AS_PATH verification outcomes for the latter AFI will be as permissive as verification outcomes for the former AFI. That is believed to be a reasonable compromise as both the ASPA registration and verification processes are simplified, and no false positive outcomes are yielded (e.g. inadvertent Invalid evaluation).

Network operators must keep their ASPA objects correct and up to date (). If a provider is included erroneously in the ASPA, route leak detection capabilities are reduced. If a provider is missing from the ASPA, routes may become falsely ASPA Invalid later on. Similar problems may arise from BGP Role misconfiguration when used to determine the ASPA verification algorithm (). Therefore, an AS SHOULD deploy one or both proactive measures described below in and to prevent mismatch between BGP session configuration and ASPA. Further, provides recommendations for the broader community of participants in routing security.

The local AS periodically monitors all ASPAs in global RPKI repositories and checks that: All their Provider ASes are included in their own ASPA. Their AS number is included in the SPAS of their Customer ASes. Their own ASPA and their Customer ASPAs are consistent with their BGP Role configurations.

Implementation can optionally make available a tool to detect mismatch between BGP session configuration and ASPA as follows: For customer interfaces, it forms a test path that is {local AS, customer AS} and does an upstream path verification on this path. If Invalid, that alerts about a mismatch. For provider interfaces, it forms a test path that is {provider AS, local AS} and does an upstream path verification on this path. If Invalid, that alerts about a mismatch.

The following is recommended: Develop and use of features in ASPA creation systems (e.g., RIR hosted systems, delegated CAs) that would preview and warn the user that the ASPA they are about to create would render some existing routes invalid. Also encouraged are tools that provide continuous monitoring of ASPA invalid routes from global BGP trace data.

A Provider may hijack prefixes of its direct or indirect customers by using forged-origin/forged-segment AS_PATH. It may also manipulate the AS_PATH of routes that are sent to its customers. Such attacks may not be detectable with ASPA. While such attacks may happen in theory, it does not seem to be a realistic scenario. Normally a customer and their transit provider would have a signed agreement, and a policy violation (of the above kind) should have legal consequences or the customer can just drop the relationship with such a provider and remove the corresponding ASPA record.

The ASPA verification procedures cannot detect the removal (or addition) of repeats of AS numbers in the AS_PATH. However, this attack by itself does not affect ASPA's route leak detection capability.

A ROA is a digitally signed object that binds an IP prefix to an AS number and is signed by the prefix holder. The RPKI-ROV procedure uses ROAs to verify that an AS is authorized to originate a specific prefix. The joint use of ROA and ASPA records and their corresponding verification procedures can establish a security trusted chain capable of detecting not only accidental route leaks but also malicious AS_PATH manipulations .

The BGPsec protocol was designed to solve the problem of AS_PATH verification by including cryptographic signatures in BGP Update messages. It offers protection against unauthorized path modifications and assures that the BGPsec Update traveled the path shown in the BGPsec_PATH Attribute. However, it does not detect route leaks (valley-free violations). Thus, BGPsec and ASPA are complementary technologies.

The Peerlock mechanism has a similar objective as the ASPA-based route leak protection mechanism described in this document. It is commonly deployed by large Internet carriers to protect each other from route leaks. Peerlock depends on a laborious manual process in which operators coordinate the distribution of unstructured Provider Authorizations through out-of-band means in a many-to-many fashion. On the other hand, ASPA's use of the RPKI allows for automated, scalable, and ubiquitous deployment, making the protection mechanism available to a wider range of network operators. The ASPA mechanism implemented in router code (in contrast to Peerlock's AS_PATH regular expressions) also provides a way to detect anomalies propagated from transit providers and IX route servers. ASPA is intended to be a complete solution and replacement for existing Peerlock deployments.

While the ASPA-based AS_PATH verification method (, ) detects and mitigates route leaks that were created by preceding ASes listed in the AS_PATH, it lacks the ability to prevent the local AS from initiating a route leak towards its neighbor. ASPA verification may also fail to detect route leaks in case of presence of Complex relations in the AS_PATH. The use of the Only to Customer (OTC) Attribute fills in that gap (see Section 5, ). The implementation of the procedures utilizing the OTC Attribute is RECOMMENDED to complement the ASPA-based AS_PATH verification.

This document includes no request to IANA.

Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft. The inclusion of this section here follows the process described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to independently verify the information presented here that was supplied by IETF contributors. Most contributors have reported that they verified their implementations using the test cases provided in . This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

In 2025, Cisco has reported an Early Field Trial implementation of ASPA based on their IOS-XR.
A BGP implementation OpenBGPD (version 7.8 and higher), written in C, was provided by Claudio Jeker, Theo Buehler, and Job Snijders.
Implementation of ASPA-based AS_PATH verification in the BIRD Internet Routing Daemon is provided in a side branch (branch mq-aspa) by Katerina Kubecova and Maria Matejka. Its release is expected after RTR v2 is finalized.
RTRLib provides an implementation of version 22 in C. The implementation was created by Tassilo Tanneberger, Carl Seifer, Moritz Schulz, Matthias Braeuer supervised by Thomas Schmidt and Matthias Waehlisch and reviewed by Fabian Holler.
The implementation NIST-BGP-SRx is a software suite that provides a validation engine (BGP-SRx) and a Quagga-based BGP router (Quagga-SRx). It includes unit test cases for testing the ASPA-based path verification. It was provided by Oliver Borchert, Kyehwan Lee, and their colleagues at US NIST. The current implementation does not support IXP/RS enhancements to the algorithm.
Implementation of ASPA-based AS_PATH verification in the FreeRTR is provided by Csaba Mate.

Peerlock NTT Communications Flexsealing BGP Against Route Leaks: Peerlock Active Measurement and Analysis University of Tennesse University of Tennesse University of Tennesse BGP Route Security Cycling to the Future! RTRlib - The RPKI RTR Client C Library. ASPA-based BGP AS_PATH Verification and Route Leaks Solution ASPA-based AS Path Verification Examples Address Family Numbers IANA Subsequent Address Family Identifiers (SAFI) Parameters IANA OpenBGPD OpenBSD BGP Secure Routing Extension (BGP-SRx) Software Suite BIRD Internet Routing Daemon; branch mq-aspa FreeRTR

The authors wish to thank Maria Matejka, Claudio Jeker, Jakob Heitz, Amir Herzberg, Igor Lubashev, Ben Maddison, Russ Housley, Jeff Haas, Nan Geng, Mingqing Huang, Jia Zhang, Nick Hilliard, Shunwan Zhuang, Yangyang Wang, Martin Hoffmann, Jay Borkenhagen, Amreesh Phokeer, Aftab Siddiqui, Dai Zhibin, Doug Montgomery, Padma Krishnaswamy, Rich Compton, Andrei Robachevsky, Rudiger Volk, Iljitsch van Beijnum, Tassilo Tanneberger, Matthias Waehlisch, Moritz Schulz, and Carl Seifert for comments, suggestions, and discussion on the path verification procedures or the text in the document. For the implementation and testing of the procedures in the document, the authors wish to thank Claudio Jeker and Theo Buehler ; Kyehwan Lee and Oliver Borchert ; Katerina Kubecova and Maria Matejka ; Tassilo Tanneberger, Carl Seifer, Moritz Schulz, and Matthias Braeuerand ; and Csaba Mate .

The ASPA method has the properties (i.e., anomaly detection capabilities) listed below. Partial deployment scenarios and early adoption benefits are considered. In the case of Property 1, it is assumed that the attacks involve route leaks but not malicious removal of ASes with ASPA records from the AS_PATH. Property 1 (Route Leak Detection): Let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification) and no assumption is made about the ASPA deployment status of other ASes. Consider a route propagated from AS A to a customer or lateral peer. The route is subsequently leaked by an offending AS in the AS path before being received at AS B on a customer or lateral peer interface. The ASPA-based path verification at AS B always detects such a route leak though it may not be able to identify the AS that caused the leak. Corollary of Property 1: An observation that follows from Property #1 above is that if any two ISP ASes register ASPAs and implement the detection and mitigation procedures, then any route received from one of them and leaked to the other by an AS in their overlapping customer cones (ASPA compliant or not) will be automatically detected and mitigated. In effect, if most major ISPs are compliant, the propagation of route leaks in the Internet will be severely limited. Property 2 (Detection of Forged-Origin Prefix Hijack): Again, let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification) and no assumption is made about the ASPA deployment status of other ASes. Consider a route received at AS B on a customer or lateral peer interface that is a forged-origin prefix hijack involving AS A as the forged-origin. Assume that the offending AS X is not included in the ASPA of AS A. The ASPA-based path verification at AS B always detects such a forged-origin prefix hijack. Property 3 (Detection of Forged-Path-Segment Prefix Hijack): This is an extension of Property 2 above to the case of prefix hijacking with a forged-path-segment. Such hijacking refers to the forging of multiple contiguous ASes in an AS path beginning with the origin AS. Again, let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification). Assume that AS A's providers, AS P and AS Q, also register ASPA. No assumption is made about the ASPA deployment status of any other ASes in the Internet. Consider a route received at AS B on a customer or lateral peer interface that is a prefix hijack with a forged-path-segment {AS P, AS A} or {AS Q, AS A}. That is, the offending AS X attaches this path-segment at the beginning of its (AS X's) route announcement. Assume that AS X is not included in the ASPA of AS P or AS Q. The ASPA-based path verification at AS B always detects such a forged-path-segment prefix hijack. For a chance to be successful (remain undetected by AS B), the hijacker may resort to a forged-path-segment with three ASes including a provider AS of AS P (or AS Q). But even that can be foiled (detected) if the providers of AS P and AS Q also register ASPA. The forged-path-segment hijack in consideration is entirely prevented (for any forged-path-segment length) if all ASes in the contiguous customer-to-provider (C2P) hops from AS A up to and including the topmost tier AS have ASPA registrations. The above properties show that ASPA-based path verification offers significant benefits to early adopters (also see ). Limitations of the method regarding some forms of malicious AS path manipulations are discussed in .