To add more fuel to the fire, how does one combat the issue of "stolen" IP addresses? Stolen IPs are worse to me than a user doing NAT.
Slightly intuitive users could figure out that their IP is one of a /24 and just statically assign one to their other machine without paying for it, and worse, take somebody's IP and make that user non-functional. I know the cable modem service where I live will allow this type of activity.
Oh, that one is pretty easy: DOCSIS makes it pretty easy to detect spoofed/stolen source IP addresses. Not many providers turn on this capability for various operational reasons, but the source IP addresses can be locked down quite snugly. DOCSIS has these per-modem security associations (SIDs, IIRC). IP addresses are handed out by DHCP servers behind the CMTS, right? Well, in the course of doing the return part of the DHCP relay, the CMTS can and sometimes does record the IP-MAC-SID binding, and then later it can verify that packets received from the cable modem have a source IP address that was in fact assigned by the DHCP server and was bound to that SID. DOCSIS had so much per-modem state, including power levels, encryption keys, etc., that it was pretty easy to think of them as kinda like VCs. After that it seemed like a good idea to do this binding to detect and prevent spoofed source addresses. Even RPF checking couldn't have done anything to prevent spoofing any of the 10K-20K addresses that might legitimately be downstream of a CMTS, whereas this mechanism prevents the spoofers from using anything except their legitimate address(es). Now we return to your regularly scheduled rant...
-- Jim
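The binding check Jim describes, as an added illustration that is not part of the thread and not any CMTS vendor's code: a toy CMTS records the IP-MAC-SID binding while relaying the DHCPACK, then verifies the source address of every upstream packet against that table. The class and method names, the SIDs and MACs, and the 203.0.113.0/24 prefix are all constructed for the example. It also contrasts the binding check with plain RPF, which accepts any address inside the downstream prefix and so passes exactly the stolen and self-assigned addresses the poster above is worried about.

```python
"""Toy CMTS: DHCP-learned IP-MAC-SID bindings used to verify upstream source IPs.

Added example; hypothetical names and constructed sample data throughout.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Binding:
    """One IP-MAC-SID binding learned from a relayed DHCPACK."""
    sid: int   # DOCSIS service ID of the cable modem
    mac: str   # client hardware address (chaddr) seen in the DHCP exchange
    ip: str    # address the DHCP server assigned (yiaddr)


@dataclass
class Cmts:
    downstream: IPv4Network                     # prefix served behind this CMTS
    by_ip: dict = field(default_factory=dict)   # assigned ip -> Binding

    def relay_dhcp_ack(self, sid: int, mac: str, yiaddr: str) -> None:
        """Record the binding while relaying the DHCPACK back toward the modem."""
        self.by_ip[yiaddr] = Binding(sid, mac.lower(), yiaddr)

    def release(self, yiaddr: str) -> None:
        """Forget the binding on DHCPRELEASE or lease expiry."""
        self.by_ip.pop(yiaddr, None)

    def rpf_check(self, src_ip: str) -> bool:
        """Plain RPF: accept any source that falls inside the downstream prefix."""
        return ip_address(src_ip) in self.downstream

    def verify_upstream(self, sid: int, src_mac: str, src_ip: str) -> str:
        """Return 'forward' or a drop reason for an upstream packet from modem `sid`."""
        owner = self.by_ip.get(src_ip)
        if owner is None:
            if ip_address(src_ip) in self.downstream:
                # In the prefix but never leased: a statically self-assigned address.
                return "drop: address never assigned by DHCP (static assignment)"
            return "drop: source outside downstream prefix"
        if owner.sid != sid:
            # Leased to a different modem: the "stolen IP" case.
            return "drop: address assigned to another modem (stolen)"
        if owner.mac != src_mac.lower():
            return "drop: address bound to a different MAC on this modem"
        return "forward"


def build_demo_cmts() -> Cmts:
    """Constructed sample: two modems, each leased one address from 203.0.113.0/24."""
    cmts = Cmts(ip_network("203.0.113.0/24"))
    cmts.relay_dhcp_ack(sid=7, mac="00:11:22:33:44:55", yiaddr="203.0.113.10")
    cmts.relay_dhcp_ack(sid=9, mac="00:11:22:33:44:66", yiaddr="203.0.113.20")
    return cmts


if __name__ == "__main__":
    c = build_demo_cmts()
    samples = [
        (7, "00:11:22:33:44:55", "203.0.113.10"),  # legitimate lease
        (7, "00:11:22:33:44:55", "203.0.113.20"),  # modem 7 sourcing modem 9's address
        (7, "de:ad:be:ef:00:01", "203.0.113.99"),  # second host with an unpaid static address
        (7, "00:11:22:33:44:55", "198.51.100.5"),  # outside the prefix; RPF alone catches this
    ]
    for sid, mac, ip in samples:
        print(f"sid={sid} src={ip:<14} rpf_ok={c.rpf_check(ip)!s:<5} "
              f"binding={c.verify_upstream(sid, mac, ip)}")
```

The output of the demo makes the point from the post: RPF says "ok" for three of the four packets because they all sit in the downstream /24, while the binding check forwards only the one whose source address the DHCP server actually handed to that SID.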