
Proactive Security Architectures for ISP Backbone Routing: A Zero-Trust Model for BGP And MPLS
Darshan Prajapati, MS EE, Network Architect, USA
Abstract
Emerging threats to global Internet infrastructure have exposed critical weaknesses in backbone routing and forwarding technologies, specifically the Border Gateway Protocol (BGP) and Multiprotocol Label Switching (MPLS). Traditional trust-based, perimeter-centric ISP security architectures are insufficient against modern attacks, including prefix hijacks, route leaks, insider threats, and distributed denial-of-service (DDoS) campaigns. This paper formulates and evaluates a proactive security architecture for ISP backbone routing grounded in Zero Trust principles. By integrating continuous identity validation, micro-segmentation, cryptographic route authentication, and automated real-time anomaly detection, we propose a defense-in-depth approach covering both the BGP and MPLS domains. The architecture addresses authentication, authorization, context-aware access control, and secure path computation, and embeds horizontal and vertical segmentation within the ISP core. We analyze existing vulnerabilities, review state-of-the-art Zero Trust implementations, formalize a control-plane security blueprint, and present evaluation metrics for resilience, response time, and detection accuracy. Experimental and simulation-based analysis shows that the architecture mitigates prefix hijacks, route-leak attacks, and lateral exploits. Our results support Zero Trust as a foundational paradigm for next-generation ISP backbone security, hardening both the routing infrastructure and service continuity against a spectrum of advanced threats.
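The abstract's "cryptographic route authentication" and its claimed mitigation of prefix hijacks and route leaks rest on two checks that a backbone router can apply to every received BGP UPDATE: Route Origin Validation against RPKI ROAs (RFC 6811 semantics) and a valley-free (Gao-Rexford) check for route leaks. The following is an added example, not the paper's own code or evaluation harness; the ASNs (private range), prefixes (documentation space), ROAs and the inter-AS relationships are constructed for illustration.

```python
"""Added example (not the paper's code): RFC 6811-style Route Origin
Validation plus a Gao-Rexford valley-free route-leak check, applied to
constructed BGP announcements. All ASNs, prefixes and relationships below
are hypothetical."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Route Origin Validation states defined by RFC 6811.
VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """A ROA *covers* a route when the announced prefix equals or is more
    specific than the ROA prefix; it *matches* when, in addition, the announced
    length is <= maxLength and the origin AS equals the ROA origin AS.
    Any match -> valid; covered but unmatched -> invalid; uncovered -> not-found.
    AS0 ROAs never match, so they make every covered route invalid."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND
    for r in covering:
        if net.prefixlen <= r.max_length and r.origin_as == origin_as and origin_as != 0:
            return VALID
    return INVALID


# Constructed topology: (sender, receiver) -> relationship of sender toward
# receiver on that hop, in propagation order (origin first).
#   c2p: sender is a customer of receiver (route travelling up)
#   p2p: settlement-free peers (route travelling across)
#   p2c: sender is a provider of receiver (route travelling down)
RELATIONS = {
    (64501, 64502): "c2p",
    (64502, 64503): "p2p",
    (64503, 64504): "p2c",
    (64502, 64505): "p2c",
    (64505, 64503): "c2p",   # 64505 buys transit from both 64502 and 64503
    (64666, 64503): "c2p",   # a customer of 64503 that will announce a hijack
}


def is_valley_free(path: list[int], relations=RELATIONS) -> bool:
    """A propagation path may climb (c2p) any number of times, cross at most
    one peer link (p2p), then only descend (p2c). A route learned from a
    provider or peer and re-exported to another provider or peer forms a
    valley, which is the signature of a route leak."""
    state = "up"
    for sender, receiver in zip(path, path[1:]):
        rel = relations.get((sender, receiver))
        if rel is None:
            return False        # unknown adjacency: refuse rather than guess
        if rel == "c2p":
            if state != "up":
                return False    # climbing after crossing or descending
        elif rel == "p2p":
            if state != "up":
                return False    # second peer link, or peering after a descent
            state = "across"
        else:                   # "p2c"
            state = "down"
    return True


def decide(update: dict, roas: Iterable[ROA], relations=RELATIONS) -> dict:
    """Drop ROV-invalid routes and route leaks; accept valid and not-found
    routes (not-found is reported so unsigned space stays visible).
    `as_path` is in wire order: nearest neighbour first, origin last."""
    wire_path = update["as_path"]
    prop_path = list(reversed(wire_path)) + [update["receiver"]]
    rov = validate_origin(update["prefix"], wire_path[-1], roas)
    leak = not is_valley_free(prop_path, relations)
    return {"prefix": update["prefix"], "rov": rov, "leak": leak,
            "accept": rov != INVALID and not leak}


# Constructed ROAs and UPDATEs as received by AS 64504 from its provider 64503.
ROAS = [roa("192.0.2.0/24", 24, 64501), roa("198.51.100.0/24", 24, 64502)]
UPDATES = [
    {"prefix": "192.0.2.0/24",    "as_path": [64503, 64502, 64501], "receiver": 64504},  # legitimate
    {"prefix": "192.0.2.0/24",    "as_path": [64503, 64666],        "receiver": 64504},  # origin hijack
    {"prefix": "192.0.2.0/25",    "as_path": [64503, 64502, 64501], "receiver": 64504},  # exceeds maxLength
    {"prefix": "198.51.100.0/24", "as_path": [64503, 64505, 64502], "receiver": 64504},  # route leak
    {"prefix": "203.0.113.0/24",  "as_path": [64503, 64502, 64501], "receiver": 64504},  # no ROA
]


def run(updates=UPDATES, roas=ROAS) -> list[dict]:
    return [decide(u, roas) for u in updates]


if __name__ == "__main__":
    for d in run():
        print(d)
```

Note that the two checks catch different things: the leaked 198.51.100.0/24 announcement is ROV-valid (the origin really is authorised) and is rejected only by the valley-free test, while the /25 hijack passes the topology test and fails only on maxLength. A production deployment would source ROAs from an RPKI validator over RTR (RFC 6810) rather than a static list, and would use a relationship database or RFC 9234 Only-to-Customer markings instead of the hand-written table here.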
Keywords
Border Gateway Protocol (BGP), Multiprotocol Label Switching (MPLS), Access Control List (ACL), Authentication, Authorization, Accounting (AAA), Internet Service Provider (ISP), Secure Communication, Network Segmentation.
Copyright License
Copyright (c) 2025 Darshan Prajapati

This work is licensed under a Creative Commons Attribution 4.0 International License.