So. I get it. Encryption is good for everything, even BGP. But your Slashdotted blog post is somewhat irresponsible and leads to some unnecessary support phone calls (in this case for/to me).
Firstly, the whole BGP RPKI thing is of dubious value to a small ISP. In general, with a small number of “very large” upstreams and maybe an exchange or two, the validation is more pertinent to the large ISPs and exchanges.
That all said, I’m always willing to implement new security things. Going down the rabbit hole, there are a number of missing points to your blog post that will vastly slow adoption. At least, you need:
- A step-by-step create your certificate and sign your CIDRs and upload that info here thing. I realize this is complicated by registries, but at least the first part.
- You need to broaden your software appeal. At least one of you on the blog post works with OpenBSD… and yet I don’t see anything in ports. FRR seems to support librtr and some export of data, but I can’t find any easy bit of management for the “lookup cache” bit.
- An acknowledgement that (for instance) FRR or Quagga is in this fight too.
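For readers wondering what the router actually does with that “lookup cache”, here is an added example (not part of the comment above, and not FRR or librtr code) that implements RFC 6811 route origin validation against a small constructed ROA cache; the ROAs and AS numbers are illustrative, not real registry data.

```python
# Added example: RFC 6811 route origin validation against a constructed ROA
# cache, the kind of lookup a validating cache (RTR server) feeds to a router.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int  # AS 0 means "no AS may originate this prefix"


# Constructed sample cache using documentation prefixes and private ASNs.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("203.0.113.0/24", 24, 0),
]


def validate(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' for a BGP route announcement.

    A ROA "covers" the route when the announced prefix lies inside the ROA
    prefix. With no covering ROA the result is notfound (unknown). A covering
    ROA with the same origin AS and a prefix length within max_length makes
    the route valid; covering ROAs that never match make it invalid.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    for p, asn in [("192.0.2.0/24", 64496), ("198.51.100.0/25", 64497),
                   ("10.0.0.0/8", 64496)]:
        print(p, asn, validate(p, asn))
```

A more-specific announcement beyond the ROA’s max_length (the /25 above) is invalid even from the right AS, and an AS 0 ROA makes every origin invalid, which is what a policy of dropping “invalid” routes relies on.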