That's once again a matter of defaults -- routers should _by default_ discard all packets from interfaces which they won't use for forwarding those packets back. This rule works in 99.9% of cases, preventing SA spoofing and some cases of transient loops, and can be disabled where asymmetrical routing is desired.

I also have thought of some mechanism to allow the destination host to quench the sender forcefully, by telling the intermediate router(s) to disallow forwarding to some destination for some period of time (a minute would do nicely to render flooding attacks ineffective), but there's a problem with authentication (i.e. there's a need for the router to "call back" to confirm that the destination indeed wants to shut up somebody).

Finally, routers could implement a kind of "reverse trace" ICMP with the following functionality: on reception of an RT ICMP message, take the SA from the ICMP and send back a reply message. After that, install a watchpoint to look for packets going to that address (the "watchpoint" may be implemented as a host route to some special interface). If the watchpoint is triggered (i.e. we've got a packet going to the SA), send a copy of the RT ICMP to the interface from which the offending packet came and remove the watchpoint. If the watchpoint wasn't triggered for some time, remove it silently.

That simple mechanism would allow tracking down sources of forged (or mis-configured) SAs pretty quickly. However, it is ineffectual if source-based routing with a large number of variant routes is used. But then, unrestricted SBR is very dangerous anyway (it allows creating artificial congestion by emitting relatively small streams of bogons with routes wound in tight loops).

--vadim
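The reverse-path default proposed at the start of the message above, sketched as an added example that is not part of the original post: a packet is accepted on an interface only if the route back to its source address points out that same interface, with a per-interface opt-out for asymmetric routing. The `Router` class, the `rp_exempt` set, the interface names and the documentation prefixes are all assumptions constructed for illustration.

```python
import ipaddress


class Router:
    """Toy forwarding table with the reverse-path check enabled by default."""

    def __init__(self):
        self.routes = []        # list of (network, outgoing interface)
        self.rp_exempt = set()  # interfaces where the check is switched off

    def add_route(self, prefix, ifname):
        self.routes.append((ipaddress.ip_network(prefix), ifname))

    def lookup(self, addr):
        """Longest-prefix match; returns the outgoing interface or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, ifname in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def accept(self, in_if, src):
        """True if a packet with source address src may enter on in_if."""
        if in_if in self.rp_exempt:
            return True  # operator opted out: asymmetric routing expected here
        # Default rule: the route back to src must leave through in_if.
        return self.lookup(src) == in_if


def build_demo():
    # Constructed topology using documentation prefixes (RFC 5737).
    r = Router()
    r.add_route("192.0.2.0/24", "cust0")     # customer LAN
    r.add_route("198.51.100.0/24", "cust1")  # second customer
    r.add_route("0.0.0.0/0", "upstream")     # everything else
    return r


if __name__ == "__main__":
    r = build_demo()
    samples = [("cust0", "192.0.2.7"),      # genuine customer source
               ("cust0", "203.0.113.9"),    # forged SA from the customer port
               ("upstream", "203.0.113.9"),
               ("upstream", "192.0.2.7")]   # customer SA arriving from outside
    for in_if, src in samples:
        print(in_if, src, "forward" if r.accept(in_if, src) else "discard")
```

Adding `upstream` to `rp_exempt` makes the last sample pass, which is the asymmetric-routing exception the message allows for.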