route ingress

The issue here is people deliberately injecting bogus routing information.
Any "chain of trust" systems break down if there's somebody abusing the
trust. This means that tier-1 ISPs shouldn't trust routing information
coming from tier-2 ISPs, etc. That leaves the only workable option -
cryptographical authentication of routes, by the presense of signature
by a trusted address space registry.