I do recall something Cisco implemented that checked you have a route back to any source address that comes in on a suitably configured interface else it'll drop the packet as being spoofed, this sounds good - anybody tried it?
Hey, that sounds neat, more info?
It is an IOS 12.0 feature. It requires that you run CEF (most if not all platforms can do that in 12.0). The interface command is ip verify unicast reverse-path For each packet it checks that it has a route back to the source IP address pointing out the interface where the packet entered, and drops the packet if it doesn't. For rather obvious reasons this feature cannot be used where you have asymmetric traffic patterns. This commonly occurs in backbone networks with "hot-potato" routing between providers which peer in multiple places. But then again, this checking should be done on the edges of the network, where asymmetry should be much less of a problem. With early revisions of 12.0 there were issues with helper-address handling -- bootp requests from 0.0.0.0 would be dropped on the floor instead of being forwarded (ugh!). I think that is now fixed, though. And, yes, we are using the feature. - Håvard
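To make the check Håvard describes concrete, here is an added illustration (not from the thread, and not Cisco's code) of strict reverse-path verification in Python: a longest-prefix lookup on a constructed FIB, then a comparison of the route's egress interface with the interface the packet arrived on. It assumes a small made-up routing table and that a match on the default route alone does not satisfy the check, which is why the 0.0.0.0 bootp case from the post ends up dropped.

```python
import ipaddress

# Constructed FIB for illustration: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "Gi0/1",  # customer A
    ipaddress.ip_network("10.2.0.0/16"): "Gi0/2",  # customer B
    ipaddress.ip_network("0.0.0.0/0"):   "Gi0/0",  # default toward upstream
}

# Interfaces with "ip verify unicast reverse-path" applied (assumed: the edges).
URPF_INTERFACES = {"Gi0/1", "Gi0/2"}


def lookup(fib, addr):
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress, urpf_ifaces=URPF_INTERFACES):
    """Return True if the packet is forwarded, False if uRPF drops it.

    Strict mode: the best route back to the source must point out the
    interface the packet came in on. Assumption for this model: a route
    that is only the default route does not count as a valid return path.
    """
    if ingress not in urpf_ifaces:
        return True  # check not enabled here; forwarded as usual
    match = lookup(fib, ipaddress.ip_address(src))
    if match is None or match[0].prefixlen == 0:
        return False  # no route, or only the default route: treated as spoofed
    return match[1] == ingress


def filter_packets(packets, fib=FIB):
    """Apply the check to (src, ingress) tuples; returns list of verdicts."""
    return [(src, ingress, "forward" if urpf_strict(fib, src, ingress)
             else "drop") for src, ingress in packets]


if __name__ == "__main__":
    # Constructed sample traffic: legitimate, spoofed/asymmetric, bootp, upstream.
    sample = [("10.1.5.5", "Gi0/1"), ("10.2.5.5", "Gi0/1"),
              ("0.0.0.0", "Gi0/1"), ("192.0.2.1", "Gi0/0")]
    for src, ingress, verdict in filter_packets(sample):
        print(f"{src:>12} in {ingress}: {verdict}")
```

The second packet shows why asymmetric routing breaks strict mode: a genuine 10.2.0.0/16 host whose traffic happens to arrive on Gi0/1 is indistinguishable from a spoofed one.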