no ip forged-source-address

RPF checking can only go so far. You would need RPF checking down to the
host level and I haven't heard anyone discuss that yet.

Is this a reason not to do what we can now?


Let's start with getting it going in the right direction, at least.