And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer.
Clean internet service is internet service that delivers only valid IP datagrams. Most internet service is clean internet service. Any internet service that looks above layer 3 to make forwarding decisions is not clean internet service.
I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless.
I agree that the IDL is overboard. I even agree with your second sentence. Consumers need to demand software which does not support these exploits from their software vendors. That is the real solution. The internet is a transport, just like the phone line coming into your home. Nothing prevents someone from making an obscene phone call to your house. The most common problem software today is like having a telephone that won't let you hang up on the prank caller, then, demanding that the phone company prevent those calls from coming in the first place. Problem is that people understand that TPC can't tell a prank call from a legitimate one, but, for some reason, they expect ISPs to be able to magically tell whether this HTTP session is an exploit while this other one isn't.
The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks; minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.
The reason is that the ISPs can't tell the exploits from the legitimate traffic in most cases, and, even if they did, do you really want ISPs making value judgements about content on behalf of their users? That's a really bad model. It's just not good for innovation, free speech, mom, or apple pie. Yes, ISPs should investigate abuse complaints and immediately disconnect users that are spewing abuse. Yes, this needs to happen more consistently and more rapidly. However, content filtration at the ISP level is not a solution, it's just a different problem.
Owen
--
If it wasn't crypto-signed, it probably didn't come from me.