Rob and Marius,
When considering:
- I did realize other spoofed packets may enter and route. I've been researching that as well, and have thus far ONLY filtered against someone spoofing an IP in my subnet
- I considered that other 44 operators know our Public IP (Rob noted this), I did not consider them as a part of the assessment, as we MUST know one another's Public IPs to properly route traffic
- We do not publicize our IPs; but considering it's possible, Marius' solution is the only reasonable answer for all cases (i.e. to only accept IPENCAP on the real WAN). Although, after which an operator can only use 44 addresses routed to the PHY with that Public IP address
- While only accepting 44net traffic on the tunnel could prevent spoofing to Public addresses, it only prevents spoofing to one another by trust, and others through the same Security by Obscurity of not publicizing the Public IP addresses
- Lynwood KB3VWG
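One way to express the three filters discussed in this message (IPENCAP accepted only on the real WAN, own-subnet anti-spoofing on the tunnel, and only 44net sources accepted from the tunnel) as Linux iptables rules. This is an added example, not code from the thread or from any AMPRNet gateway; the interface names, the 44net subnet 44.0.0.0/24 and the variable names are placeholders to be adjusted for a real gateway. By default the script only prints the rules (IPT=echo); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for an AMPRNet (44net) IPIP gateway; not from the original post.
# All names and addresses below are assumed placeholders.
WAN=${WAN:-eth0}           # physical interface that holds the public IP
TUN=${TUN:-tunl0}          # IPIP tunnel interface carrying decapsulated 44net traffic
MY44=${MY44:-44.0.0.0/24}  # hypothetical 44net subnet routed to this gateway
IPT=${IPT:-echo}           # dry-run by default; IPT=iptables applies the rules

rules() {
    # 1. IPENCAP (IP protocol 4) is accepted only on the real WAN interface.
    #    Encapsulated packets arriving on any other interface never reach
    #    the decapsulator, which closes the path where a spoofed outer
    #    packet enters through some other interface or address.
    $IPT -A INPUT -i "$WAN" -p 4 -j ACCEPT
    $IPT -A INPUT -p 4 -j DROP

    # 2. Anti-spoofing on the decapsulated side: a packet coming out of the
    #    tunnel must not claim a source inside our own subnet. These rules
    #    must precede the accept rules below.
    $IPT -A INPUT   -i "$TUN" -s "$MY44" -j DROP
    $IPT -A FORWARD -i "$TUN" -s "$MY44" -j DROP

    # 3. Only 44net sources are accepted from the tunnel. AMPRNet is
    #    44.0.0.0/9 plus 44.128.0.0/10 (44.192.0.0/10 is no longer 44net);
    #    any other decapsulated source is dropped, so the tunnel cannot be
    #    used to inject packets towards public (non-44) addresses.
    for net in 44.0.0.0/9 44.128.0.0/10; do
        $IPT -A INPUT   -i "$TUN" -s "$net" -j ACCEPT
        $IPT -A FORWARD -i "$TUN" -s "$net" -j ACCEPT
    done
    $IPT -A INPUT   -i "$TUN" -j DROP
    $IPT -A FORWARD -i "$TUN" -j DROP
}

rules
```

Rule ordering is the security-relevant detail: the own-subnet DROP rules in step 2 sit before the 44net ACCEPT rules in step 3, otherwise a spoofed packet with a source in MY44 would match the 44.0.0.0/9 accept first. Rule 1 is what restricts an operator to 44 addresses routed to the interface holding the public IP, as the message notes.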