Back to blog

My Next Hop Blog

BGP Route Hijacking Is Back on the Interview Table — RPKI, ROV, and ASPA for Network Security Engineers

CISA now requires RPKI deployment across federal BGP-announced prefixes by December 2026, global ROA coverage has climbed well past where it stood a few years ago, and ASPA is closing the route-leak gap that origin validation alone cannot. Here is what security-focused network interviews are asking in 2026.

5 July 20265 min readMy Next Hop Editorial
BGP hijacking interviewRPKI route origin validationnetwork security engineer interviewASPA BGP route leak

CISA's Secure Internet Routing guidance requires all U.S. federal civilian executive branch agencies to complete RPKI deployment across their BGP-announced prefixes by December 2026. That deadline has turned what used to be a best-practice recommendation into a compliance requirement with a real date attached — and it has pulled BGP route security back into network security engineering interviews at a depth it has not occupied in years. If you are interviewing for a network security role in the second half of 2026, expect this topic to come up as more than a definitional question.

Two real incidents make the stakes concrete. In June 2024, Cloudflare's 1.1.1.1 resolver became unreachable or degraded for users across roughly 300 networks in 70 countries after a Brazilian network, Eletronet S.A., began announcing the 1.1.1.1/32 prefix to its peers and upstream providers — a textbook origin hijack, resolved roughly two hours after detection. More recently, in January 2026, Cloudflare experienced a 25-minute IPv6 route leak that dropped around 12 gigabits per second of traffic — not from an external attacker, but from an internal policy change that removed a prefix list and inadvertently made an export policy far more permissive than intended. Interviewers use pairs of incidents like these deliberately: one is an attack, one is a misconfiguration, and the controls that catch one do not automatically catch the other.

Route Origin Validation, backed by RPKI, is the mechanism most candidates can describe at a basic level: an autonomous system publishes a signed Route Origin Authorization tying a prefix to the AS authorized to originate it, and ROV checks incoming BGP announcements against that authorization, flagging or rejecting routes that do not match. This is exactly what would have caught the Eletronet-style origin hijack. What most candidates cannot articulate — and what senior interviewers specifically probe for — is what ROV does not cover.

ROV validates who is allowed to originate a prefix. It says nothing about the AS path the announcement travels through afterward. That gap is precisely how route leaks happen: a prefix is announced by its legitimate origin, propagates correctly for a hop or two, and then gets redistributed by a transit AS into a peering relationship it was never supposed to reach — the same structural failure behind some of the internet's most disruptive routing incidents, and the same class of failure exemplified by Cloudflare's January 2026 leak, where the origin was never in question and the problem was entirely about which peers received which routes. A candidate who says 'we deployed RPKI so we're protected against hijacks and leaks' is making exactly the conflation a senior panel is listening for.

ASPA — Autonomous System Provider Authorization — is the newer standard built to close that specific gap. It lets an AS cryptographically declare its legitimate upstream providers, so a receiving router can detect when an announced path implies a provider relationship that was never authorized, catching the leak pattern that origin validation structurally cannot. ASPA is genuinely recent: ARIN and RIPE NCC only enabled ASPA object creation in late 2025 and early 2026, with APNIC and LACNIC rollouts planned for later in 2026 — recent enough that candidates who last studied BGP security a year or two ago are likely to have never encountered it, which is exactly why it is starting to appear in senior interview loops now.

Adoption is real but incomplete. Global ROA coverage of the routing table has grown substantially from under 40 percent just a few years ago, though recent measurements vary in the mid-40s to low-60s percent range depending on methodology and what portion of the table is measured. That gap matters operationally: even organizations with fully RPKI-compliant infrastructure of their own still route traffic through large stretches of the internet that remain unvalidated. This is why the strongest interview answers frame RPKI as one layer of defense-in-depth — combined with prefix filtering, IRR-based checks, and monitoring — rather than a single control that, once deployed, resolves the problem.

The interview question pattern here clusters around three areas. The first is mechanism precision: what exactly ROV validates, what ASPA adds on top of it, and why the two are not interchangeable. The second is rollout design: given that a meaningful share of legitimate routes may still lack ROAs entirely, how do you move an organization from monitor-only, to log-invalid-but-permit, to a hard reject-on-invalid policy without breaking connectivity to under-covered parts of the internet along the way. The third is incident response: given a scenario resembling Cloudflare's January 2026 leak — no attacker, just an overly permissive export policy following a routine change — how do you detect it quickly, roll it back, and redesign the change-review process so it does not recur.

The most common weakness among otherwise strong candidates is treating RPKI as a finished project rather than a layer with a known, specific boundary. The stronger answer draws that boundary precisely: ROV protects origin, ASPA protects path, and neither one is a substitute for the operational discipline of reviewing routing policy changes before they ship. Practise explaining all three — origin validation, path validation, and change-review discipline — as distinct layers with distinct failure modes, and be ready to reason through a live incident rather than just define the acronyms. Betty, My Next Hop's AI mock interviewer, runs exactly this kind of routing-incident scenario on the Network Security Engineer track, including follow-ups that test whether you actually know where ROV's protection stops and ASPA's begins.

With a hard federal compliance deadline now attached to RPKI deployment and ASPA rolling out across the major regional registries in real time, BGP route security has moved from 'good depth to have' to a question you should expect by default in senior network security interviews for the rest of 2026.

Practice with My Next Hop

Reading is only the start. Reps close the gap.

Answer real interview questions by voice or text, get a scored breakdown, and drill your weak spots — free to start.

Start practising free