WRAP supports an extended forwarding path (EFP) check based on the WRAP header, which indicates the (relay) path the packet took to the receiver, not just the port that the packet arrives on. The receiver can therefore easily reject packets from untrusted relay agents. This check is not tied to the reverse path logic: a receiver or relay can check whether the relays that the packet traversed are trusted and accepted, independent of whether it would forward a packet to the source of this packet back along the same path. Unlike conventional source routing, WRAP operates with strict reverse path forwarding (RPF) checking in place and does not allow source spoofing attacks. Even with encryption techniques providing authentication, RPF checks at the IP and WRAP levels are important to prevent denial of service attacks and various forms of network device failures and misconfiguration.
Verification of packet sources and prevention of man-in-the-middle attacks are a growing concern with the scaling of the Internet. So-called source spoofing is the basis for many denial of service and security attacks. While end-to-end encryption techniques, properly deployed, can protect confidentiality and integrity and ensure authentication, they can, by their cost in processing, actually make denial-of-service a bigger problem. That is, the increased time to decrypt a packet with secure communication, only to discover it is a bogus packet, means a node loses more resources in an encrypted denial-of-service attack than with plaintext messages. (Providing wire-speed hardware-supported encryption addresses this problem in part, but is an expensive solution for low-end systems and generally does not deal with setup processing, such as PKE-based authentication on connection setup.) For mission-critical applications, denial-of-service may be as damaging an attack as any of the other possible security attacks.
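The two checks described above can be sketched as a receive pipeline that runs strict RPF and the EFP check before any costly cryptographic processing. This is an added example, not code from the original text or from any WRAP implementation. The `Packet` fields, port names and addresses are assumptions made for illustration and do not reflect the actual WRAP header layout.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # simplified model assumed for this example, not the WRAP wire format
    src: str            # claimed source address
    ingress_port: str   # port the packet arrived on
    relay_path: tuple   # relay addresses indicated by the header, in order

class Receiver:
    def __init__(self, routes, trusted_relays):
        # routes maps a prefix to the port this node would use to reach it
        self.routes = {ipaddress.ip_network(p): port for p, port in routes.items()}
        self.trusted = {ipaddress.ip_address(r) for r in trusted_relays}
        self.expensive_checks = 0  # packets that reached the costly crypto stage

    def rpf_ok(self, pkt):
        # Strict RPF: ingress port must equal the longest-prefix route back to src
        src = ipaddress.ip_address(pkt.src)
        matches = [n for n in self.routes if src in n]
        if not matches:
            return False
        best = max(matches, key=lambda n: n.prefixlen)
        return self.routes[best] == pkt.ingress_port

    def efp_ok(self, pkt):
        # EFP: every relay on the indicated path must be trusted (independent of RPF)
        return all(ipaddress.ip_address(r) in self.trusted for r in pkt.relay_path)

    def receive(self, pkt):
        if not self.rpf_ok(pkt):
            return "drop:rpf"
        if not self.efp_ok(pkt):
            return "drop:efp"
        self.expensive_checks += 1  # stand-in for decryption/authentication
        return "accept"

def run_demo():
    # Constructed sample data using documentation address ranges
    rx = Receiver({"198.51.100.0/24": "port0", "203.0.113.0/24": "port1"},
                  ["192.0.2.1", "192.0.2.2"])
    packets = [
        Packet("198.51.100.7", "port0", ("192.0.2.1", "192.0.2.2")),  # legitimate
        Packet("198.51.100.7", "port1", ("192.0.2.1",)),              # wrong ingress port
        Packet("203.0.113.9", "port1", ("192.0.2.1", "192.0.2.66")),  # untrusted relay
    ]
    return [rx.receive(p) for p in packets], rx.expensive_checks

if __name__ == "__main__":
    print(run_demo())
```

Only the first packet reaches the expensive stage; the other two are dropped by cheap lookups, which is the resource argument made in the paragraph above.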