Service Provider Infrastructure Security
draft-ietf-opsec-infrastructure-security-01
Document | Type |
Expired Internet-Draft
(opsec WG)
Expired & archived
|
|
---|---|---|---|
Author | Darrel Lewis | ||
Last updated | 2007-04-10 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Intended RFC status | (None) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
Stream | WG state | Dead WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Expired | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This RFC describes best current practices for implementing Service Provider network infrastructure protection for network elements. This RFC complements and extends RFC 2267 and RFC 3704. RFC 2267 provides guidelines for filtering traffic on the ingress to service provider networks. RFC 3704 expands the recommendations described in RFC 2267 to address operational filtering guidelines for single and multi-homed environments. The focus of those RFCs is on filtering packets on ingress to a network, regardless of destination, if those packets have a spoofed source address, or if the source address fall within "reserved" address space. Deployment of RFCs 2267 and 3704 has limited the effects of denial of service attacks by dropping ingress packets with spoofed source addresses, which in turn offers other benefits by ensuring that packets coming into a network originate from validly allocated and consistent sources. This document focuses solely on traffic destined to elements of the the network infrastructure itself. This document presents techniques that, together with network edge ingress filtering and RFC 2267 and RFC 3704, provides a defense in depth approach for infrastructure protection. This document does not present recommendations for protocol validation (i.e. "sanity checking") nor does it address guidelines for general security configuration.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)