>(But! oh no! you're trusting everyone's BGP announcements as well! And
> they're really easy to spoof...)
Not if you are using authentication (typically MD5 based) and ACLs, or S-BGP. If you are accepting BGP advertisements from anyone, you are asking for it. You should only accept routing updates from trusted peers, peers that you have identified as ones that you should be receiving announcements from.
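
The two checks named in the reply above (a peer ACL, then MD5-based session authentication), sketched as an added example that is not part of the original message. It assumes the MD5 scheme is the TCP MD5 signature option of RFC 2385 and a fixed option layout; the addresses, port numbers and shared secret are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values: documentation addresses and a made-up shared secret.
LOCAL = "192.0.2.2"
TRUSTED_PEERS = {"192.0.2.1": b"constructed-shared-secret"}
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"    # BGP KEEPALIVE message

def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385: MD5 over pseudo-header, option-less TCP header with a
    zeroed checksum, segment data, then the shared key."""
    fixed = bytearray(tcp_header[:20])        # options are not covered
    fixed[16:18] = b"\x00\x00"                # checksum counted as zero
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(tcp_header) + len(payload)))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def build_segment(src, dst, payload, key):
    """Sender side: 20-byte header plus NOP, NOP, option 19 (length 18)."""
    fixed = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                        10 << 4, 0x18, 16384, 0, 0)
    placeholder = fixed + b"\x01\x01\x13\x12" + bytes(16)
    digest = tcp_md5_digest(src, dst, placeholder, payload, key)
    return fixed + b"\x01\x01\x13\x12" + digest

def accept_segment(src, dst, tcp_header, payload):
    """Receiver side: peer ACL first, then the signature check."""
    key = TRUSTED_PEERS.get(src)
    if key is None:
        return False                          # not a configured peer
    if tcp_header[22:24] != b"\x13\x12":
        return False                          # segment carries no signature
    expected = tcp_md5_digest(src, dst, tcp_header, payload, key)
    return hmac.compare_digest(expected, tcp_header[24:40])
```

A segment is accepted only when its source is a configured peer and its digest matches the key held for that peer; either check failing drops it before any BGP message is parsed.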