One could note that a regular packet-filtering ACL inbound on the customer's port could achieve a congruent functionality. That's probably true. In this case, I had a different idea in mind when I asked for the feature but this is what came out.
Right, the latter is nothing more than a standard packet filter. Ideally, on could employ the same policy used for route filtering from a peer (perhaps generated via IRR or other similar mechanism) to perform source address 'authorization' in the forwarding path. Given, the practicality of performing these functions in hardware today is, well, interesting.... If this were widely supported and deployed (especially inter- domain), IP spoofing DoS attacks would largely be a thing of the past. Of course, if prefix filtering and/or ingress packet filtering were widely deployed even at the edge, this would largely be a thing if the past. This is one of the things that we plan to discuss during the "Service Provider Route Filtering" panel @NANOG. -danny