Thanks for replying to my post instead of keeping the non-brilliance of my ideas to yourself. My biggest concern when writing that post was that I was talking to myself. I'll attempt to address your concerns one by one.
You're... welcome?
Just about all ISPs and backbone carriers carry full tables and many large organisations do as well for multihoming purposes.
Then I misunderstood you. I thought you were repeating what others have said earlier, claiming each router carries a complete copy of all the routes on the Internet, which of course isn't true.
Now that we have that cleared up, I'll snip out parts I don't need to reply to.
Your bitcoinesque solution for IPv6 allocation would make things worse.
It seemed like a technical solution to avoid the politics of Internet governance. I admit it wasn't well thought out, however I am curious how it would make things worse by allowing a small block of IPv6 addresses to be allocated in a decentralized way and adding cryptographic integrity along the way.
Plus, networks transit other networks all the time, meaning one network can advertise a prefix they don't own, legitimately.
I should have been more specific; I was suggesting originating advertisements would be signed as opposed to transient advertisements.
You are asking for DomainKeys but with routes. That is too computationally expensive right now and would require too many lookups and time. Perhaps somewhere down the line when the big iron routers catch up with CPU resources vs line speed.
Routers that speak BGP are on the ISP and backbone level,
Medium to large organisations also use BGP to advertise their address space to their ISP(s).
Not to your home router.
and are physically secured.
Originating BGP route advertisement signing is not intended to supplant physical security measures.
I'm aware of the difference between remote access, console access, and physical access, and hardware vs software.
Your home router doesn't speak BGP, and if it did, your ISP's router would ignore it.
None of this would really be necessary for a home user as their ISP would be doing all of this on their behalf.
That's what I just said...
To announce rogue routes, one needs to hack into the ISP and backbone peering routers -- which happened recently, but is rare.
To announce rogue routes, one only needs an ISP that doesn't filter incoming BGP advertisements properly. It seems apparent as the Internet grows there will be more and more BGP peerings and as a consequence of that not all of them will be competent or aboveboard with their implementations.
You're just restating what I said. I guess I wasn't clear, but I'm also assuming a best practice (or as near as possible) implementation, because there's no use talking about security if people are going to leave the front door open, right? It's not even a discussion at that point.
Again, anyone with access to the routers can do this right now. Any organization that doesn't shut its front door can have this happen. This can be solved through best practices. This isn't e-mail. Even if you got people on board for this, it would take a protocol revision AND all new hardware for everyone. It's not going to happen anytime soon.
Don't take it personally. Your offered solution for route signing (whether you wrote them or not) just isn't feasible right now.
