
If loose RPF doesn't work, you're about to start dropping packets *anyhow*. Unless, of course, you *INTENDED* to have a topology where you're accepting traffic from another AS and forwarding it, and you don't have a return path yourself, but the destination *does* have an asymmetric path. Oh, and you have to consider it acceptable that if any OTHER customer, connected to that part of your AS that doesn't have a route, tries to contact the source, they can't get there. Sounds like you're trying to either shoot yourself in the foot, or design a new too-clever-by-half way of building a VPN.

------------>

Take a simple scenario: AS-1, AS-2, AS-3 and AS-4. AS-2 and AS-3 are in the middle; AS-1 and AS-4 multihome on them and are on either side of AS-2 and AS-3. They don't peer with each other (though AS-2 and AS-3 maybe do).

AS-1 advertises a network x.y.z.w via AS-2 only. AS-4 sees this and knows that to go back to x.y.z.w he has to go via AS-2.

AS-4 advertises a network a.b.c.d via AS-3 only. AS-1 sees this too.

Traffic has to go between x.y.z.w and a.b.c.d. Please tell me what symmetry you see here? And this doesn't happen on the net??

Now what do you do in AS-2 and AS-3? If you say AS-2 and AS-3 will learn the networks via AS-1 and AS-4 respectively, or by their own peering, then that's the whole point: they know the "network" exists, they don't know which set of traffic goes via them and which doesn't, because you can't. You never know what "source IP goes via you". You know that it will be destined somewhere, and you will know the destination if all routing on the net is proper. That's all. You may know the source too, but your path to the source won't be the path from where the packet came to you from the source.

If what you mean by loose is "exist only", then yes, on a BGP-running router probably the WHOLE INTERNET IS "EXIST ONLY". That surely gives you enough IPs to spoof with? How do you block by source?

You could only know that "from that link between AS-1 and AS-2 there will be some traffic from a network IP of AS-1" etc., which still is a huge network, enough to spoof lots of IPs.

Just got a stinker from bdragon too. Maybe I am dumb and you could do as you please. I'm not questioning your argument here, but I simply don't see it. This is what I saw and I mentioned it.

-good night
Alok
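As an added example that is not part of the original thread, here is a small Python model of the two uRPF checks being argued about (strict and loose, i.e. "exist only"), run against AS-3's forwarding table in the four-AS scenario above. The prefixes are RFC 5737 documentation ranges standing in for the post's x.y.z.w and a.b.c.d, and the interface names and table entries are constructed for illustration; the `allow_default` knob models the common router option of letting a default route satisfy a loose check.

```python
import ipaddress
from typing import Optional, Tuple

# AS-3's forwarding table in the four-AS scenario from the post.
# Constructed for this example: RFC 5737 documentation prefixes stand in for
# the post's x.y.z.w (AS-1) and a.b.c.d (AS-4); interface names are invented.
# Note there is no entry pointing at "to_AS1": AS-1 announces its prefix via
# AS-2 only, so AS-3's only route back to AS-1's space is through AS-2.
AS3_FIB = [
    ("192.0.2.0/24", "to_AS2"),      # AS-1's prefix (x.y.z.w), reachable via AS-2
    ("198.51.100.0/24", "to_AS4"),   # AS-4's prefix (a.b.c.d), announced via AS-3
    ("203.0.113.0/24", "to_AS2"),    # AS-2's own space, learned over the AS-2/AS-3 peering
]

Match = Tuple[ipaddress.IPv4Network, str]


def lookup(fib, addr: str) -> Optional[Match]:
    """Longest-prefix match of addr against fib; returns (prefix, egress) or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Match] = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(fib, in_iface: str, src: str) -> bool:
    """Strict mode: accept only if the best route back to src leaves via the
    interface the packet arrived on. Breaks on asymmetric paths."""
    match = lookup(fib, src)
    return match is not None and match[1] == in_iface


def loose_urpf(fib, src: str, allow_default: bool = False) -> bool:
    """Loose ("exist only") mode: accept if any route to src exists, whatever
    interface it points at. A default route would match every source, so it
    is ignored unless allow_default is set (mirrors the usual router knob)."""
    match = lookup(fib, src)
    if match is None:
        return False
    if match[0].prefixlen == 0 and not allow_default:
        return False
    return True


def evaluate(fib):
    """Run both checks on packets arriving at AS-3 from the AS-1 link."""
    cases = {
        # Legitimate but asymmetric: an AS-1 host sends to a.b.c.d. AS-1 only
        # sees that prefix via AS-3, so the packet enters AS-3 on to_AS1,
        # while AS-3's route back to the source points at AS-2.
        "legit_asymmetric": ("to_AS1", "192.0.2.10"),
        # Spoofed: arrives on the AS-1 link but claims an AS-4 source.
        "spoofed_as4_source": ("to_AS1", "198.51.100.10"),
        # Spoofed with a source nobody announces at all.
        "spoofed_unrouted": ("to_AS1", "100.64.0.1"),
    }
    return {
        name: {"strict": strict_urpf(fib, iface, src), "loose": loose_urpf(fib, src)}
        for name, (iface, src) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(AS3_FIB).items():
        print(f"{name:20s} strict={'accept' if verdict['strict'] else 'drop':6s} "
              f"loose={'accept' if verdict['loose'] else 'drop'}")
```

Running it makes both sides of the argument concrete. Strict mode on AS-3's AS-1-facing interface drops the legitimate asymmetric flow (the "dropping packets anyhow" case), because the route back to x.y.z.w points at AS-2. Loose mode accepts that flow, but it also accepts the packet spoofing an a.b.c.d source, since that prefix exists in the table too: on a full-table router, "exist only" really does cover nearly the whole Internet. What loose mode still catches is a source with no route at all (unallocated or otherwise unannounced space), which is the spoofing it is actually designed to stop; and if the table carries a default route, even that goes away unless the check is told to ignore the default.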