IP Spoofing is NOT IP Hijacking which is causing confusion for anyone reading this. IP Spoofing at its minimum / bare bones explanation is also called impersonation. Let's have an ASCII look at what it does, and how it happens:
You (1.2.3.4) --> connect to your bank --> Bank (2.2.2.2)
In spoofing, I can pretend to be anyone I want, if I am on your network:
Me (1.2.3.4) to you --> I am 2.2.2.2 --> You
Me (1.2.3.4) to you --> I am Google.com --> You
This is a moot point because if you respond, I will NEVER see the response, I am not 2.2.2.2 nor Google. This is called blind spoofing. For impersonation, I want to pretend to be your bank without you knowing this, because I want to steal your money. Therefore I need to see your responses and your bank's response. Now I have to perform multiple impersonations. I have to pretend to you, that I am your bank, and I have to pretend to your bank, that I am you:
Me (1.2.3.5) --> to your ROUTING handler (be it a router or your routing table)
Me (1.2.3.5) --> I am 2.2.2.2 --> You
Me (1.2.3.5) --> I am 1.2.3.4 --> Your bank
For this to occur I MUST be in your infrastructure. Think of this as a proxy server. Using a proxy server the connection is the same:
Me (1.2.3.5) --> proxy server (1.2.3.10) --> Bank (2.2.2.2)
Bank responds --> proxy server --> Me
Traffic needs to flow to and from. In an IP Hijacking scenario, data is relayed, hence there is no spoofing (I can proxy to see everything) BGP Hijacking enables watching the wire. Someone ON the network that is performing the hijacking can then perform the spoofing.
Now in the case of an ISP/NSP/NAP, a government may take this approach:
You (1.2.3.4) --> ISP (1.2.3.1 default route) --> Bank (2.2.2.2) # Normal connection
In the above, this would be the non-tampered session that would occur. In say an NSA tapped network this is what would occur:
You (1.2.3.4) --> ISP (1.2.3.1) --> internal ISP proxy <-- NSA (1.2.4.1) --> Bank (2.2.2.2)
From your perspective, you are connecting to your ISP, then to your bank. You will never (and can never) see the proxying occurring. This is the kind spoofing/masquerating/impersonation done with systems created by companies like Narus that used a tap at AT&T to tap main connections.
There is little to be done on a scale of eavesdropping like this, as government agencies have the capabilities of using SSL certificates, and other means to prevent you from knowing what is going on. VPN tunneling won't prevent it, as you are at the mercy of your provider, and a warrant is a warrant.
There is no need for "BGP Hijacking", BCP filtering to even enter this discussion as BCP filtering will not counter the above proxy example. BCP filtering covers spoofing, not proxying, nor hijacking. If an attacker manages to manipulate the routing table on say your operating system, BCP is a moot point.