I would suggest an optionally enabled feature in the firewall filtering for routers that:
1. Looks at the routing table.
2. Discards the default route(s) from it's read-only observation of the routing table, (or routes that use a specified upstream interface.)
3. Builds a firewall ruleset where packets not having source addresses in those IP ranges found in the routing table are discarded or handled by a user specified option.
4. Maintains the correlation between routing table and firewall.
This feature could then be applied to an interface, and it would stop all spoofing very easily and automatically.
It has long been a good security practice to not let packet pass through routers when you know they don't come or don't look like they come from your own network. (Unless you are an upstream BGP player, then there are BGP Filters for that). However, I have a big network with lots of MTs and lots of IP ranges and am always adding IP ranges, changing things, etc.. and it is not practical to manually create rules like this that block forged packets or illegitimate packet sources. I was recently reminded I should be doing more firewalling of this nature after seeing how the v3.2 snmp exploit's source forging works so well and easily.