Securing Your AS-SET: Practical Tips for Routing Security

Border Gateway Protocol (BGP) is the backbone of the Internet, and with it comes the responsibility of keeping routing secure. One key element in this puzzle is the AS-SET, a tool widely used in the Internet Routing Registry (IRR) to document upstream announcements and build route filters. At BalticNOG 2025, Lasse Jarlskov, Peering Manager at Telia Company and Chairman of DKNOG, explored how operators can secure and manage AS-SETs to reduce the risks of route leaks and hijacks.

Understanding the Role of AS-SETs

AS-SETs are collections of Autonomous System Numbers (ASNs) that define which networks a particular AS should announce. Upstream providers rely on these sets to generate route filters, but misuse or overextension can create confusion and introduce vulnerabilities. For example, including too many peers or IXP members in a customer AS-SET can unintentionally broaden the scope of announcements, opening the door to security risks.

Three Essential Tips for Security

Lasse distilled years of operational experience into three guiding principles for managing AS-SETs effectively:

1. Understand Your AS-SET’s Purpose — Clearly define what you’re documenting. Is it for customers, peers, or IXP members? Mixing categories only adds confusion.
2. Be Careful What You Include — Include only prefixes you would actually advertise. Oversized or recursively referenced AS-SETs increase the risk of accidental leaks. A lean AS-SET is a secure AS-SET.
3. Know Who Includes You — If your AS-SET is included in another operator’s policy, their upstreams may accept your routes, even without your consent. Use tools like BGP.tools reverse to check inclusions and clean up regularly.

The golden rule throughout: Would you re-advertise this in BGP? If the answer is no, it shouldn’t be in your AS-SET.

Strengthening Global Routing Security

Lasse emphasized that AS-SET hygiene is not just about protecting your network — it’s about contributing to the collective resilience of the global internet. Excessive or sloppy AS-SETs have been linked to past hijacks and leaks, and operators are responsible for keeping them clean, accurate, and relevant. By following best practices, network operators can reduce the attack surface and improve routing trust for everyone.

🚀 Join Us at BalticNOG 2025

Don’t just read about it — experience it live! BalticNOG brings together 40+ speakers, 400+ participants, and attendees from nearly 30 countries for two days of networking, knowledge-sharing, and hands-on learning.

👉 [Get your ticket now] – secure your place before seats run out.
👉 [Check the agenda] – explore the sessions, panels, and workshops that matter most to you.
👉 [Plan your trip] – find travel details, accommodation tips, and everything you need to maximize your time in Vilnius.

Be part of the community shaping the future of the internet. See you at BalticNOG 2025!