RE: no ip forged-source-address

If you go back to the thread, you'll see that I was responding to the
idea that using src-addr verification would not prevent someone from
spoofing addresses on his/own own subnet. Others pointed out that while
this might hide the true offender, it would still make the DoS attack
easier to mitigate because the src addresses would indicate the network
from which the attack originated (if not the actual hosts). Some folks
didn't seem to appreciate the value here, therefore I asserted that
there is a specific difference between packets with virtually random src
addrs, and packets that passed through src-addr filters. The first set
are not traceable and src addresses generally useless, while the 2nd set
have src addresses that can be used to trace to at least the attack's
source network.

As for your confusion, I am not sure that I can help with that. :slight_smile: