uRPF is only one of several ways to implement BCP38. you could do it with contracts and reverse-SLA's and thus no technology (on your side) at all: demand that a customer pay 10X his bill, or $1.00 per packet, whichever is lower, if they emit packets with source addresses not explicitly named in the contract. why pay for expensive upgrades on your end of the link, when all you really care about is that BCP38's rules are observed?
No reasonably sized provider is going to do that. There is too much competition, most of which is based on price. Until the companies creating the price pressure die (as in die completely, not re-emerge under a new, slightly different name), there is going to be no financial incentive for anyone to spend money improving their network. Let me underline, I am not talking about smaller ISPs, smaller networks or smaller service providers.
that is of course good news. but it demonstrates a pitfall in CFO-think, which is the belief that participating in asymmetric cost:benefit efforts (where uunet bears the cost of an upgrade in order for all the non-uunet parts of the internet to get the benefit of less spoofed traffic, and the abuse incident costs don't drop nearly enough to pay for the upgrades) is essentially a selfless act.
Rubbish. CFO speak is what keeps the companies alive. Engineer-speak typically lands the company in chapter 11. Companies in Chapter 11 have too many operational decisions dictated by the courts, and those that think CFO speak would really hate to hear courts on the topic.
we all want cleaner ddos flows. when we get ddos'd, we want to be able to look at the source addresses, look 'em up in whois, and call the launch-isp, and get things stopped. we want to be able to turn on flow shaping and know that an attacker can't cause us to use an arbitrarily large number of buckets. we *all* want these things. even the bad guys, who are often the victim of ddos attacks by other bad guys, want these things.
It is possible that _nanog_ subscribers want this. I am not quite clear how one can make that generalization about those behind kor.net, those in .ru, .ua etc. Finally,
how are we going to get there? the first thing is, some nets who want the internet to work this way have to implement BCP38 in their own corner of the internet. then they have to start de-peering with nets who don't do it, and offer a better rate to customers who do it than to those who don't. then they have to de-peer with anyone who doesn't require their peers and customers to do it. then they have to refuse as customers anyone who won't do it.
Last time I checked it was 2004, not 1998. The companies are financed by revenues that they generate, not IPOs or VCs based on a promise of enormous payoff sometime down the road. Cash is the king.
it's all very simple, and it's inevitable. you and your CFO's have a couple of choices to make. first thing is, do you want the insurance companies, government regulatory agencies, and ISO9000 people to be making these rules or do you want to make them at the technical and business level?
Yes, I do. This will level the playing field and hopefully force a few of the big networks out of business completely, decreasing price pressure on this service. A drop in the price pressure will create an opportunity for those companies to spend the money (should they want to or be forced to) to be better internet citizens. This is just the cold blooded economic reality. The same reality which dictates that only smaller companies can enforce strict anti-spam policies, and prevent their customers from behaving badly.

Alex