spf-discuss

Can the SPF technique be used to stop IP address spoofing?

2004-11-23 03:36:36
I've just had a great idea. IP spoofing can be a big problem -- it can
be used to poison DNS caches and hijack TCP sessions, and to cause a
denial of service attack.

We can use the same technique as SPF to address this forgery, though. I
can publish a record which says the MAC address of my Ethernet card or
the phone number I dial from (or whatever's appropriate to my
connection). When someone receives a packet which claims to be from my
IP address, they can check to see if it comes from my MAC address, or my
phone line -- and if it does not, they can discard it because it's a
forgery.

There may be some other machines out there which currently send packets
claiming to be from my IP address, but they can stop doing that (they
can use NAT) -- it's my right to declare that I don't want my IP address
to be 'forged' like that.

I think this can address a really important security problem on the
Internet. I don't want to use IPSec to sign my outgoing packets; I want
to do it this way -- it's much better.

-- 
dwmw2
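
The receiver-side check described in this message, modelled as an added example that is not part of the original post. The record table, the addresses and the hop model are constructed assumptions; the model relies on the fact that each router re-frames a packet with its own MAC address as the link-layer source while the IP source stays unchanged.

```python
from dataclasses import dataclass

# Constructed sample data: documentation-range IPs and made-up MAC addresses.
# PUBLISHED_MAC is a hypothetical "MAC record" published per source IP.
PUBLISHED_MAC = {"192.0.2.10": "02:00:00:aa:aa:aa"}

@dataclass(frozen=True)
class Frame:
    src_mac: str   # link-layer source: rewritten on every hop
    src_ip: str    # network-layer source: unchanged end to end

def forward(frame: Frame, router_mac: str) -> Frame:
    """A router re-frames the packet: same IP source, its own MAC as source."""
    return Frame(src_mac=router_mac, src_ip=frame.src_ip)

def deliver(frame: Frame, path: list[str]) -> Frame:
    """Carry a frame across the routers in `path`; return what the receiver sees."""
    for router_mac in path:
        frame = forward(frame, router_mac)
    return frame

def check(frame: Frame) -> str:
    """Compare the link-layer source against the record for the claimed IP."""
    expected = PUBLISHED_MAC.get(frame.src_ip)
    if expected is None:
        return "none"            # no record published for this IP
    return "pass" if frame.src_mac == expected else "fail"

def run_cases() -> dict[str, str]:
    genuine = Frame("02:00:00:aa:aa:aa", "192.0.2.10")
    spoofed = Frame("02:00:00:ee:ee:ee", "192.0.2.10")
    routers = ["02:00:00:01:01:01", "02:00:00:02:02:02"]
    return {
        "genuine, same link": check(deliver(genuine, [])),
        "spoofed, same link": check(deliver(spoofed, [])),
        "genuine, two hops": check(deliver(genuine, routers)),
        "spoofed, two hops": check(deliver(spoofed, routers)),
        "unpublished ip": check(Frame("02:00:00:bb:bb:bb", "198.51.100.7")),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:20} {result}")
```

Once a packet has crossed a router, the genuine and the spoofed sender give the same result, because the receiver only ever sees the last hop's MAC address.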