So what source IP validation requirements should be required or recommended on the MASQUE endpoints?
For the basic VPN case where the MASQUE client gets assigned a single address or prefix by the MASQUE server, I think it is both straightforward and should be required for the MASQUE server to block any IP packets that are coming from the client with a source unicast IP address that isn't from the assigned prefix.
For the whole network this becomes more complex, but still I think there should be a recommendation on applying source address validation so that Connect-IP isn't a mechanism used for source address spoofing.
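
A sketch of the server-side check for the single-prefix case, added here as an illustration; it is not part of the original post and not taken from any MASQUE implementation. The function names, the `ASSIGNED` list and the sample packets are hypothetical, and the example assumes that malformed packets and non-unicast sources outside the prefix are dropped as well.

```python
import ipaddress
import struct

def source_address(packet: bytes):
    """Return the source address of a raw IPv4/IPv6 packet, or None if malformed."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:      # fixed IPv4 header is 20 bytes
        return ipaddress.IPv4Address(bytes(packet[12:16]))
    if version == 6 and len(packet) >= 40:      # fixed IPv6 header is 40 bytes
        return ipaddress.IPv6Address(bytes(packet[8:24]))
    return None

def permit_from_client(packet: bytes, assigned) -> bool:
    """Forward only packets whose source lies in a prefix assigned to this client.

    Assumption: truncated packets and unknown IP versions are dropped too.
    """
    src = source_address(packet)
    if src is None:
        return False
    return any(src.version == net.version and src in net for net in assigned)

# Constructed sample headers (documentation prefixes, no payload).
def ipv4_header(src: str, dst: str) -> bytes:
    # Version 4, IHL 5, total length 20, TTL 64, protocol 17, checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src: str, dst: str) -> bytes:
    # Version 6, payload length 0, next header 59 (none), hop limit 64.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

# Hypothetical prefixes the server assigned to one client.
ASSIGNED = [ipaddress.ip_network("192.0.2.16/28"),
            ipaddress.ip_network("2001:db8:1::/64")]

if __name__ == "__main__":
    samples = [ipv4_header("192.0.2.17", "198.51.100.1"),
               ipv4_header("192.0.2.33", "198.51.100.1"),
               ipv6_header("2001:db8:1::5", "2001:db8:ffff::1"),
               ipv6_header("2001:db8:2::5", "2001:db8:ffff::1")]
    for pkt in samples:
        verdict = "forward" if permit_from_client(pkt, ASSIGNED) else "drop"
        print(source_address(pkt), verdict)
```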