Service Provider Infrastructure Security

Document Type Expired Internet-Draft (opsec WG)
Author Darrel Lewis 
Last updated 2007-04-10
Stream IETF
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream WG state Dead WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This RFC describes best current practices for implementing Service Provider network infrastructure protection for network elements. This RFC complements and extends RFC 2267 and RFC 3704. RFC 2267 provides guidelines for filtering traffic on the ingress to service provider networks. RFC 3704 expands the recommendations described in RFC 2267 to address operational filtering guidelines for single and multi-homed environments. The focus of those RFCs is on filtering packets on ingress to a network, regardless of destination, if those packets have a spoofed source address, or if the source address fall within "reserved" address space. Deployment of RFCs 2267 and 3704 has limited the effects of denial of service attacks by dropping ingress packets with spoofed source addresses, which in turn offers other benefits by ensuring that packets coming into a network originate from validly allocated and consistent sources. This document focuses solely on traffic destined to elements of the the network infrastructure itself. This document presents techniques that, together with network edge ingress filtering and RFC 2267 and RFC 3704, provides a defense in depth approach for infrastructure protection. This document does not present recommendations for protocol validation (i.e. "sanity checking") nor does it address guidelines for general security configuration.


Darrel Lewis (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)