The stability of the Internet depends on something most people never see — the quiet, constant work operators do to keep routing secure. Prefixes must be announced correctly, filtered appropriately, and monitored carefully. When this goes well, no one notices. When it goes wrong, the effects can ripple across continents.
Over the past few years, the APNIC community has increasingly recognized that routing security isn’t a single task, it’s an evolving practice. At APNIC, this has meant not only supporting operators with familiar tools like the Internet Routing Registry (IRR), but also developing clearer pathways toward modern, cryptographically robust approaches such as RPKI Route Origin Authorizations (ROAs) and, soon, Autonomous System Provider Authorizations (ASPAs). Alongside this, new services like APNIC DASH are helping Members turn complex routing data into something more accessible, actionable, and timely.
The webinar Strengthen your network security with APNIC products and tools in late March 2026 brought those threads together for 211 participants, discussed what routing security looks like in 2026, how it’s changing, and the role APNIC’s tools can play in helping operators strengthen the resilience of the global Internet.
This post will summarize the webinar for those who missed out, including the questions asked throughout the session.
IRR and the early architecture of routing security
Before RPKI existed, the Internet Routing Registry (IRR) was the primary way operators communicated their routing intentions. For many networks, it still plays that role today. Publishing route objects and maintaining AS-SETs became a kind of shared language among operators, a way to understand who should be announcing what, and which customers were downstream.
IRR data, however, relies heavily on manual upkeep. When it’s current, it can be incredibly useful; when it drifts out of date, it can cause as many problems as it prevents. It remains a crucial piece of Internet infrastructure precisely because it has been around long enough to embed itself deeply into operational tooling and workflows.
In a sense, IRR represents the Internet’s institutional memory, powerful but limited, and in need of complementary systems designed for the scale and threat landscape of today.
The shift to RPKI
RPKI emerged from a need to verify routing information in a way that IRR alone couldn’t. Instead of relying on trust and manual documentation, RPKI introduced ROAs, signed objects that bind prefixes to origin Autonomous System Numbers (ASNs) in a cryptographically-verifiable way.
The move towards ROA-based filtering has been transformative. When a ROA changes, routers learn about it automatically through the rpki-rtr protocol. When a route is invalid, they can drop it instantly. The burden of maintaining static prefix lists and worrying about their size or freshness is dramatically reduced.
This automated flow of validated routing data gives operators something they’ve wanted for years: A more predictable, more reliable foundation for rejecting incorrect or malicious announcements. And as global adoption continues to rise, its impact can be seen not just in individual networks, but in the health of the global routing system itself.
ASPA and path validation
Just as ROAs solved the ‘who should originate this prefix?’ question, ASPA aims to answer a harder one: ‘Does this AS-PATH even make sense?’
ASPA objects let networks declare their upstream providers, allowing routers to detect path anomalies that indicate route leaks or manipulation. ‘Valleys’, where an AS-PATH dips from provider to customer and then back up again, are often unintentional, but they can also be used in attacks.
With RIPE and ARIN already supporting ASPA, and other Regional Internet Registries (RIRs) preparing to follow, ASPA is poised to bring a form of path validation into mainstream operations, complementing ROA-based origin validation in the same way ROAs once complemented IRR.
Making all this practical: MyAPNIC
Having the right routing security mechanisms is only half the story, using them effectively is the other half. This is where MyAPNIC plays an important role.
Inside the portal, Members can manage IRR objects, create ROAs, review routing information, and keep Internet number resource data aligned with what is visible to the rest of the Internet. The interfaces guide users step-by-step, ensuring that even those newer to routing security can maintain accurate information without digging through esoteric syntax or external tools.
MyAPNIC effectively becomes the operator’s control panel for their part of the routing ecosystem.
Bringing it all together: DASH
If MyAPNIC is where routing intentions are defined, APNIC’s Network Health Dashboard (DASH) is where operators can see the consequences of those intentions play out in the real world.
DASH has become a central place for Members to understand their network’s health at a glance. Instead of scrolling through multiple data sources or writing custom scripts, operators get a consolidated view of routing status, misalignments between Border Gateway Protocol (BGP) and RPKI or IRR, suspicious traffic flagged by APNIC’s Honeynet, potential security vulnerabilities detected through Shodan, bogon propagation, and MANRS readiness.
Perhaps the most empowering feature of DASH is its alerting system. When something goes wrong, a prefix suddenly originates from the wrong ASN, a ROA doesn’t match the announcement, a route disappears from BGP, operators hear about it immediately, through whatever channel they prefer: Email, SMS, Slack, WhatsApp, Discord, or webhooks.
For many networks, that kind of real-time visibility turns reactive troubleshooting into proactive mitigation.
Q&A highlights from the webinar
The session closed with a lively Q&A, where participants raised a wide range of practical, operational questions about routing security, RPKI, IRR, and APNIC tools. Below is a narrative summary of the key themes discussed.
ROAs during network transitions
Several attendees sought clarity on how to manage ROAs during network transitions. A common scenario involved migrating a prefix from one origin ASN to another, and the answer was reassuring — creating overlapping ROAs during the transition is perfectly acceptable. Operators can publish a new ROA for the incoming ASN, make the cutover, and then safely remove the old one. The only point to watch is ensuring the new ROA is fully created: MyAPNIC provides logs and notifications for this.
How maxLength works in ROAs
There were also questions about how maxLength works in ROAs. An important consideration here is that maxLength should generally be avoided outside of specific scenarios. For broader guidance, attendees were directed to RFC 9319.
IRR and routing decisions
On IRR and routing decisions, participants discussed how to handle cases where a /23 is announced from one ASN and a more specific /24 needs to originate from another. The advice was simple: If the /23 will remain, just add a new /24 object or ROA. Only if the /23 is being retired does the operator need an additional object for the remaining portion.
ASPA
ASPA-related questions reflected growing curiosity about the future of path validation. While ASPA information won’t be visible via whois, it will integrate into the RPKI ecosystem once deployed. Some attendees asked about GUI tools for ASPA visibility, and APNIC sought clarification on whether interest was in MyAPNIC or DASH visualization.
DASH
DASH generated significant interest. Many wanted to know whether it is free (it is, for APNIC Members), whether it needs to be installed (it doesn’t), and whether data is real-time (routing and suspicious traffic feeds are typically near real-time, with small delays depending on source). Non-Members asked about access and were directed to APNIC’s Resource Explorer (REx), which provides public routing and bogon data even without DASH’s full features.
Some participants asked whether network traffic must be sent to APNIC for monitoring. It does not. DASH uses publicly available data, supplemented by the APNIC Honeynet Project, which supplies suspicious traffic insights. Related questions about integrating alerts into Network Operations Centre (NOC) systems were addressed by explaining DASH’s webhook support, useful for operators able to ingest JSON notifications.
RPKI
RPKI deployment questions also surfaced, including whether APNIC provides RPKI servers (yes, via the RPKI and RRDP repositories) and whether local validators are supported (operators can run their own; several common open source validators were mentioned). Attendees also asked about route leaks and hijacks, and were reminded that a mix of cryptographic validation, filtering, and monitoring remains the strongest defence.
Logistics
Finally, many questions related to logistics, access to recordings, slide availability, and MANRS measurement gaps. The webinar recording is published on the APNIC Academy, and MANRS measurement gaps can be investigated directly if operators provide their AS details.
The Q&A made clear that routing security continues to be an area of active learning and collaboration across the region. The exchange of operational experiences and practical questions reflects the strength of the APNIC community and the shared effort to improve the resilience of the Internet.
Knowledge exchange community
As we learned during the webinar, technology alone can’t solve routing security. Operators learn best when they have access not just to tools, but to shared knowledge.
APNIC Academy continues to fine-tune its courses, virtual labs, and webinars on topics like RPKI deployment, routing security best practices, and network operations. Meanwhile, the APNIC Blog, mailing lists, and the PING podcast give operators space to reflect on emerging trends, share experiences, and discuss what’s working and what isn’t in their part of the world.
This combination of technical development and community learning is one of the things that makes routing security progress sustainable. The choices any operator makes ultimately help protect everyone else as well.
Together, IRR and RPKI form a stronger architecture for secure routing than any one mechanism could on its own. And with MyAPNIC and DASH simplifying how operators interact with those systems, the pathway to a more resilient Internet is becoming clearer.
More opportunities and topics in 2026
This webinar was part of a broader program of activities planned throughout 2026, spanning all APNIC product themes, from Internet security and network health to Member experience, resource management, training, and data transparency.
Across the year, APNIC will introduce more opportunities for Members to learn about products, explore upcoming improvements, and build capability in areas such as routing security, network health monitoring, Internet number resource management, and policy. These activities aim to help operators deepen their understanding of APNIC tools while strengthening their operational practices.
Ultimately, the goal for 2026 is to make APNIC products and services easier to use and more valuable for Members, not only to support the stability and security of their own networks, but also to contribute to a more robust and secure global Internet.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.