In a message written on Wed, Mar 28, 2012 at 11:00:39AM -0400, Patrick W. Gilmore wrote:
#1) Money. Whenever someone asks "why...?", the answer is usually "money". It costs money - CapEx if your equipment doesn't support RPF, and OpEx even if it does. Plus opportunity cost if your customers don't like it or you screw up, as those customers will find someone who doesn't filter and move.
#2) Laziness. When the question is "why have [you|they] not...?", the second most common answer is laziness. Some call it "inertia", but reality is people are busy, lazy, etc.
While Patrick is spot on, there is a third issue which is related to money and laziness, but also has some unique aspects.

BCP38 makes the assumption that the ISP does some "configuration" to ensure only properly sourced packets enter the network. That may have been true when BCP38 was written, but no longer accurately reflects how networks are built and operated.

To get source address validation widely deployed it needs to be baked into consumer CPE. The requirement needs to be a "default on" in the DOCSIS specs, for instance. Residential gateways need to come from the factory with unicast RPF turned on.

BCP38 needs to be applied at the OEM level in equipment manufacturing, not at the operational level with ISPs. There are, simply, too many variations in CPE devices to expect ISPs to _configure_ them. Even when the configuration is "standardized" (like DOCSIS), ISPs have to think really hard about the operational impact of turning on a feature; and one buggy implementation can scuttle an idea network wide. Which really comes back to Patrick's point #2.

If the people who care about this want to see a positive change they need to stop badgering ISPs to implement BCP38 and start badgering Linksys/Netgear/D-Link/Motorola/Apple/Touchstone/SMC/Westell to make unicast RPF a default part of their gateway implementation. More importantly, they need to get them to brand it as a _feature_: protect your computer from being used by hackers, our router ensures they won't use up all of your data cap! Then it will be something they can sell, and thus something they will implement.

As long as folks keep beating on (consumer) ISPs to implement BCP38, nothing will happen.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/