Address spoofing depends crucially on being able to hide the real source address, so why not make that impossible? One way to do it would be to have all the ISPs and network carriers whose connections constitute the Internet certify where packets entering the network come from. . . .
If you ever feel in need of a lesson in humility, try reading through the TCP/IP RFCs and related literature. I have two questions I have no idea how to answer but rather naively expected that reading this material would help. It didn't, in truth because I didn't understand most of it; so now I'm asking you to explain the issues to me.

The two questions are, first, why can't router software let us stamp out address spoofing? And secondly, why do we use firewalls?

Address spoofing depends crucially on being able to hide the real source address, so why not make that impossible?

One way to do it would be to have all the ISPs and network carriers whose connections constitute the Internet certify where packets entering the network come from.

Any packet has to have an origin characterized, from an Internet perspective, by the point at which it first reaches part of the shared resource -- usually a router or other device maintained by an ISP or backbone carrier. Suppose, therefore, that we put software on those devices that allows them to form a self-authenticating community and insert a signed source address into every packet forwarded from the customer's premises.