Just a couple of minor comments from the peanut gallery. :-)

[1] I haven't seen (or perhaps I missed) any mention of RFC2827, which is also considered to be a 'Best Current Practice' (BCP38), which I coauthored:

http://www.rfc-editor.org/rfc/bcp/bcp38.txt

It is difficult, if not impossible, to determine the extent to which BCP38 is deployed -- even though its deployment should be encouraged.

[2] Rob Beverly is/was the catalyst behind the Spoofer Project to determine the extent to which this was deployed, either at the network ingress or at the host level:

http://momo.lcs.mit.edu/spoofer/summary.php

- ferg

-- John Kristoff wrote:

On Wed, 18 Jan 2006 15:09:14 +0000
"rishi jethwa" wrote:

> This spoofing and DoS problem would be completely solved
> if all the routers in the internet would employ ingress filtering.

This is simply not true. A great number of DoS attacks currently do not spoof their source address and even those that do often only spoof within the local /24 netblock.

> But as of now there is no general consensus on employing ingress
> filtering. All they want is to concentrate on efficiency of moving
> packets.

Actually I think there is consensus that anti-spoof filtering is generally a good idea, but the reason it isn't ubiquitous is usually because of practical limitations (e.g. equipment support and complex network configurations).

[snip]

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/