Echoes
In 1989, two engineers sketched the internet's trust architecture on napkins. Thirty-seven years later, one country is trying to redraw it.

Why the Internet Still Trusts Strangers

In June 2024, a Brazilian ISP announced Cloudflare's IP address as its own, and the internet believed it. DNS resolution dropped across 300 networks in 70 countries. The routes were cryptographically signed. A major carrier accepted the bogus announcement anyway.
The routing protocol that failed was sketched on two napkins in 1989 as a temporary fix. Thirty-seven years and multiple security layers later, it still assumes every participant can be trusted. The patches are real, the progress measurable. Somewhere, a working replacement already carries production traffic. The distance between that fact and the rest of the internet is wider than you'd expect, and not for technical reasons.

The Patch Paradox
BGP's vulnerability was never really technical. It was a coordination problem dressed in protocol clothing. The system assumed honest peers. No verification. Just trust.
RPKI, the cryptographic patch meant to solve this, works through an entirely different mechanism. But it runs on the same fuel. Signing your routes only matters if others validate them. Validating only pays off if others sign. The single best predictor of adoption turns out to be adoption itself.
So the fix doesn't just address the coordination failure. It inherits it whole.

Chokepoints and Consequences

The HTTPS Exception
The entire web upgraded its security posture in about five years. For foundational internet infrastructure, that kind of change almost never happens. The conditions that made HTTPS possible were a free certificate authority, a dominant browser willing to punish holdouts, and a search engine rewarding compliance, all arriving within a narrow window. They turn out to be so specific they raise an uncomfortable question: what about the parts of the internet where no single actor holds that kind of leverage?

Trust by Design
In April 2018, a small hosting company in Ohio told the internet's core routers it was Amazon Web Services. The routers believed it. They had no mechanism to do otherwise. The protocol that directs traffic between networks was designed for a world of cooperating institutions that trusted each other. That world disappeared decades ago. The protocol kept running. Patches keep accumulating on top. And unlike the web, no chokepoint exists to force a real upgrade.
