Can modern routers / network equipment / ISPs prevent spoofed IP headers?

Posted on 2024-12-11 05:00:24


Comments (1)

晒暮凉 2024-12-18 05:00:24

The industry name for the feature you are asking about is called "Unicast Reverse Path Forwarding" (or as Cisco calls it, "uRPF"); it is defined in RFC 3704 and is considered a Best Current Practice (see BCP38).

Speaking at a very high level, most of the hardware used by ISPs has this feature built into an ASIC; normally there is not a huge penalty for turning it on. Sometimes there are feature conflicts, but again this is not a huge deal in most cases.

The biggest reason it isn't universal is because the internet is still somewhat like the American "wild west" in the 1800s; consider them analogous to a town's sheriff. The policies and competency of the engineering/operational personnel vary, and many ISPs are so busy with making things "work" that they don't have cycles to make things "work well".

That dynamic is particularly true in smaller countries; I worked for a large network equipment manufacturer in a previous life and occasionally traveled throughout Southeast Asia conducting ISP seminars. Smaller countries are often half a decade (or more) behind the practices and competency of ISPs here in the US (that's not to say that US ISPs are terribly great on the whole either, but they are generally much better off than, say, some of the ISPs operating in the smaller islands in the Pacific).

This results in the non-trivial amount of spamming / hacker traffic on the internet today... it's there because they have no lack of places to hide. Source IP address spoofing is one of their first lines of defense.
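The strict and loose uRPF checks that RFC 3704 describes, written out as an added Python example (not part of the answer above). The forwarding table, interface names and packet source addresses are constructed for illustration; a real router does this lookup in hardware against its live FIB.

```python
import ipaddress
from collections import namedtuple

# Constructed sample forwarding table (FIB): prefix -> interface the
# router would use to reach that prefix. Not taken from the original post.
Route = namedtuple("Route", ["prefix", "iface"])

FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream0"),    # default route
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust1"),  # customer 1
    Route(ipaddress.ip_network("203.0.113.0/24"), "cust2"),   # customer 2
]


def lookup(src):
    """Longest-prefix match of a source address; None if no route at all."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # unparseable source: treat as unroutable
    best = None
    for r in FIB:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_strict(src, ingress_iface):
    """Strict RPF (RFC 3704 sec. 2.2): the best route back to the source
    must point out the interface the packet arrived on. A customer port
    sending a source that routes via the upstream is therefore dropped."""
    r = lookup(src)
    return r is not None and r.iface == ingress_iface


def urpf_loose(src, ignore_default=False):
    """Loose RPF (RFC 3704 sec. 2.4/2.5): only require that some route to
    the source exists. With ignore_default=True the default route does not
    count, so sources with no specific route are dropped."""
    r = lookup(src)
    if r is None:
        return False
    return not (ignore_default and r.prefix.prefixlen == 0)


def filter_packets(packets, mode="strict"):
    """Apply the chosen check to (src, ingress_iface) tuples; returns a list
    of booleans, True meaning the packet is forwarded."""
    if mode == "strict":
        return [urpf_strict(src, ifc) for src, ifc in packets]
    return [urpf_loose(src, ignore_default=True) for src, _ in packets]
```

With the sample table, a packet on cust1 claiming source 8.8.8.8 fails strict mode because its only route is the default via upstream0, while the same packet arriving from upstream0 passes.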
