For both RPKI-based BGP Route Origin Validation and RPKI-based BGPsec, that meme “widespread adoption is a prerequisite to benefit” is somewhat annoying in getting widespread adoption going. Plz Stop It! :-)
In my opinion, global scale BGP routing security does *not* depend on concepts like “herd immunity”. Rather, I would frame “BGP routing security” as a problem requiring selfish acts, not collective action. The benefits become immediately available to you and your EBGP peer (who agreed to participate in the effort). Commercial incentives align with upgrading (both transport capacity and security) one peer at a time.
All of RPKI ROV, BGPsec, ASPA/peerlock, and even older plain-text stuff like “IRR” are incrementally deployable technologies; because how else would one ever get anything deployed in fast- and wide-growing multiple-operator networks such as the Internet? Nothing happens at the same time. But when it happens, it progresses at the pace of decades, at times so slow one might think the paint isn’t drying on the wall.
BGP sessions “worth protecting” usually are the revenue-generating/cost-reducing sessions, and as such usually are assigned the highest LOCAL_PREF. I think this property has interesting implications on how routing security features become available and are demanded from others throughout the ecosystem. For most networks at the edge, the private peering sessions also are the BGP sessions with the least BGP state on either side, compared to, say, upstream.
The “significant upgrades” aspect is just part of the job and happens no matter what. Every network replaces all their kit at some point in time; but sometimes it takes as long as ten to fifteen years! The good news is that every replacement also comes with improved cryptographic op accelerators in the CPU and more memory; and it all seems to be converging towards commonly available general purpose computing systems on which people can run any BGP stack they want.
I’m bullish on BGP routing security tech already specified and published through the IETF process :-)
Kind regards,
Job
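The "one peer at a time" point above, shown as an added example (not code from the post or from any BGP implementation): RFC 6811 origin validation over a constructed ROA set, with the invalid-drop policy switched on per EBGP session, so enabling ROV on one session changes only the routes accepted on that session. The ROAs, peer names and routes are constructed sample data.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN). Not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed announcements: (session, prefix, origin ASN).
SAMPLE_ROUTES = [
    ("peerA", "192.0.2.0/24", 64500),      # matches ROA -> valid
    ("peerA", "192.0.2.0/24", 64666),      # wrong origin -> invalid
    ("peerB", "198.51.100.0/25", 64501),   # longer than maxLength -> invalid
    ("peerB", "203.0.113.0/24", 64502),    # no covering ROA -> notfound
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 Route Origin Validation: returns valid, invalid or notfound."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "notfound"  # no ROA covers this prefix at all
    for max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"  # at least one covering ROA matches origin and length
    return "invalid"  # covered, but no ROA matches


def accept_routes(routes, rov_enabled):
    """Apply 'drop invalid' only on sessions where ROV is enabled.

    rov_enabled maps session name -> bool; other sessions are untouched,
    which is the incremental-deployment property: flipping one session
    never affects what is accepted from another.
    """
    accepted = []
    for session, prefix, origin in routes:
        if rov_enabled.get(session, False) and rov_state(prefix, origin) == "invalid":
            continue
        accepted.append((session, prefix, origin))
    return accepted
```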