1. The Sad Clown of Routing Security
Look at that image for a moment. It didn't take me long to craft a prompt to generate it because it genuinely captures how I felt for a long time after realizing, day after day, that most operators and ISPs couldn't care less about routing security. I’ve felt like a clown. A really sad one.
BGP as a tired clown on a bench, clutching balloons labeled IPv6 and RPKI, sitting under a dim streetlight with MANRS and PeeringDB posters peeling off the wall behind him. In the other frame, the same clown is at a wooden table, trying to stitch together a patchwork coat labeled RPSL, IRR, RPKI, BGPsec, Routing Security, with a piece of fragile thread. That was the prompt.
And that’s the Internet in 2026.
On paper, we have an impressive arsenal: IRR and RPSL for declared intent, RPKI and Route Origin Validation to stop origin hijacks, emerging tools like ASPA to catch leaks, heavyweight proposals like BGPsec, and architectural responses like FC-BGP. We have communities, “Down-Only” semantics, MANRS, PeeringDB, and half a dozen best-practice documents.
In practice, we’re still running a 1980s trust model at a global scale and hoping people behave.
This article isn’t just a tour of acronyms; it's a reality check. We’ll walk through what each of these mechanisms actually does, where they fall short, why adoption is so stubbornly slow, and what a realistic path forward looks like for operators who genuinely care about routing security.
And along the way, we’ll ask a blunt question:
If the industry has struggled for decades to deploy something as straightforward as IPv6, what are the odds that far more complex BGP security mechanisms will suddenly succeed by magic?