By now we all should know that it is a bad idea to rely on an
unauthenticated IP address as a basis for determining the source of a
packet. Similarly. the IP header checksum offers no security. We
have a variety of IETF standard protocols (e.g., IPsec and TLS) that
provide suitable assurance for data origin authentication and
integrity for application data sent via IP. Thus, if anyone is
really concerned about know with whom they are communicating, and
whether a packet was modified in transit, they should be using these
standards security technologies. Many web sites for which these
security concerns are significant already make use of SSL/TLS anyway.
While I naturally agree that one should not use unauthenticated
IP addresses to determine the source of a packet, I think it's a
big stretch to say that the existence of IPsec and TLS means that
it's okay for third parties to forge source addresses.
and for different reasons, both IPsec and TLS are of fairly limited
applicability for application-level security - we are still missing
lots of pieces.
Keith