It's called BCP38 and decent ISPs and competent network admins do it. I do it on the port level for all my IPv4 addresses (that is, all packets leaving a Xen VPS of mine are dropped unless they come from the address I assigned them) and I will do it for IPv6 when I build out the routing infrastructure for my new location.

It's really pretty easy to do... especially just edge level like you are talking about. The problem is that it costs me some time/money (even if it's only a little) to do it, and it mostly benefits other people. So some ISPs still don't do it.

http://www.faqs.org/rfcs/bcp/bcp38.html

But it's really easy. On my router I look at all outgoing packets, and I ask "Does this IP have a source address that is reasonable? (one of my IPs, or an IP of someone for whom I am carrying traffic.)" If my router sees an outgoing packet with a source address not associated with me, it's obviously spoofed, so it drops the packet. If everyone did this, spoofing would only be possible within your own network.

Every time an ISP does this, the world becomes a little better for all of us. But spoofing will still be a problem until all ISPs do this, and that probably won't happen for a while.

(You also do this to incoming packets: if it is an incoming packet coming in from the internet and it has a source of one of my IP addresses, something has obviously gone horribly wrong. Drop the packet. But this only protects you from the most obvious spoofs. It is very important if you do IP-based security.)
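The egress and ingress checks described in this comment, as an added example that is not the commenter's router configuration: a small Python simulation of the BCP38 decision over constructed sample packets, with documentation-range prefixes standing in for "my IPs" and for a transit customer's block. It generalizes the ingress rule slightly by also dropping inbound packets that claim a customer prefix I carry.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefixes standing in for "my IPs" and "IPs of someone for whom
# I am carrying traffic" (documentation ranges, not real allocations).
MY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),      # my IPv4 block
               ipaddress.ip_network("2001:db8:1::/48")]   # my IPv6 block
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # network I transit
LEGIT_SOURCES = MY_PREFIXES + CUSTOMER_PREFIXES

@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "egress" (leaving my network) or "ingress" (from upstream)

def _in_any(addr: str, prefixes) -> bool:
    # ip_network membership is False across address families, so a v4
    # source is never matched against a v6 prefix (and vice versa).
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def bcp38_verdict(pkt: Packet) -> str:
    """'accept' or 'drop' for one packet at the edge router.
    Egress: source must be mine or a customer's, else it is spoofed.
    Ingress: a packet from upstream must not claim a source I originate
    or carry; if it does, drop it (spoofed, or routing badly broken)."""
    if pkt.direction == "egress":
        return "accept" if _in_any(pkt.src, LEGIT_SOURCES) else "drop"
    if pkt.direction == "ingress":
        return "drop" if _in_any(pkt.src, LEGIT_SOURCES) else "accept"
    raise ValueError(f"unknown direction: {pkt.direction}")

def filter_packets(packets):
    """Apply the verdict to a batch; return (accepted, dropped) lists."""
    accepted, dropped = [], []
    for p in packets:
        (accepted if bcp38_verdict(p) == "accept" else dropped).append(p)
    return accepted, dropped

# Constructed sample traffic as seen at the edge.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.7", "egress"),           # my host: accept
    Packet("198.51.100.9", "203.0.113.7", "egress"),         # customer: accept
    Packet("10.9.8.7", "203.0.113.7", "egress"),             # not mine: drop
    Packet("2001:db8:1::42", "2001:db8:ffff::1", "egress"),  # my IPv6: accept
    Packet("203.0.113.7", "192.0.2.10", "ingress"),          # inbound reply: accept
    Packet("192.0.2.99", "192.0.2.10", "ingress"),           # claims my address: drop
]
```

Running `filter_packets(SAMPLE_PACKETS)` keeps the four legitimate packets and drops the two whose source address does not fit the direction they travel in.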




Thanks, exactly what I was looking for. Now, if only we could start a movement to only use BCP38 compliant ISPs. And then convince our ISPs to reject all packets from other ISPs that have been shown to be non-compliant, in case any survived.

EDIT: The way I put it may be a bit extreme, but the idea is there.


I'm not sure it's too extreme. Take it to NANOG. We'd need the support of big players, much more than one-and-a-half-rack operations like me. (Though BCP38 compliance is much more common amongst the big players. Heck, the provider I'm moving away from doesn't do it, something I didn't know before I signed a contract. For that matter, I only do it on outgoing IPv4. I don't do it on incoming packets or IPv6. This will be corrected in the network upgrade that is in progress now, but still.)

The big problem with your proposal is verification. It seems... difficult to verify that another network properly implemented BCP38 without actually putting a probe on that network.



