Every packet with a source address that's not assigned to the customer who it is arriving from *IS* a spoofed packet, regardless of *why* it has an errant address. They must all be filtered regardless of content or purpose! The sooner your customers realise their configuration errors, the better (and the happier they'll be!).
Greg A. Woods
That definition, if you really mean it, would make nearly every packet on the Internet spoofed. Sooner or later, pretty much every packet winds up coming into a router with a source not assigned to the customer on the other end of that link.

I prefer a much more useful definition of "spoofed". A packet is said to be spoofed if it is introduced onto the Internet and originated on a machine whose administration has not been assigned that IP address for use on the Internet. I can cite you several sources that support my definition.

But I don't think you really believed what you said anyway. I'd love to hear your explanation of why a unidirectional VPN is a configuration error.

DS