
Service Provider Infrastructure Security

Document type: Expired Internet-Draft (individual), expired and archived
Author: Darrel Lewis
Last updated: 2006-06-23
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This RFC defines best current practices for implementing Service Provider network infrastructure protection for network elements. This RFC complements and extends RFC 2267 and RFC 3704. RFC 2267 provides guidelines for filtering traffic on the ingress to service provider networks. RFC 3704 expands the recommendations described in RFC 2267 to address operational filtering guidelines for single-homed and multi-homed environments. The focus of those RFCs is on filtering ingress packets, regardless of destination, if those packets have a spoofed source address or fall within "reserved" address space. Deployment of RFCs 2267 and 3704 has limited the effects of denial of service attacks by dropping ingress packets with spoofed source addresses, which in turn offers other benefits by ensuring that packets coming into a network originate from validly allocated and consistent sources. This document focuses solely on traffic destined to the network infrastructure itself, to protect the network from denial of service and other attacks. This document presents techniques that, together with network edge ingress filtering per RFC 2267 and RFC 3704, create a layered approach for infrastructure protection. This document does not present recommendations for protocol validation (i.e. "sanity checking"), nor does it address guidelines for general security configuration.
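The layered model the abstract describes (source-address ingress filtering in the style of RFC 2267/3704, followed by a filter on traffic whose destination is the infrastructure itself) can be illustrated as a small policy simulator. The following Python is an added example written for this page; it is not code from the draft or from any vendor. The address plan (192.0.2.0/24 as infrastructure space, 198.51.100.0/24 as customer space, 203.0.113.0/24 as a neighbouring network), the sample packets, and the single explicit exception for a BGP session from a configured peer are all constructed assumptions for illustration; the draft's abstract does not specify exceptions, and the source check here is a simplified prefix test rather than the route-based uRPF checks of RFC 3704.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical address plan, constructed for this example (not from the draft).
INFRASTRUCTURE = [ipaddress.ip_network("192.0.2.0/24")]    # router loopbacks and link addresses
CUSTOMER_SPACE = [ipaddress.ip_network("198.51.100.0/24")]  # space this network originates
RESERVED = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8")]

# Constructed exception to the infrastructure filter: an eBGP neighbour is allowed to
# reach the peering address of our router on TCP/179. Tuple: (peer src, our dst, proto, port).
INFRA_EXCEPTIONS = [
    (ipaddress.ip_address("203.0.113.1"), ipaddress.ip_address("192.0.2.1"), "tcp", 179),
]


@dataclass
class Packet:
    ingress: str        # "external" (edge facing customers/peers) or "internal"
    src: str
    dst: str
    proto: str = "icmp"
    dport: int = 0


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def ingress_source_filter(pkt: Packet) -> Tuple[bool, str]:
    """Layer 1 (RFC 2267/3704 style): reject packets entering from outside whose source
    is reserved space or claims to be one of our own prefixes (simplified, prefix-based)."""
    if pkt.ingress != "external":
        return True, "internal interface: source filter not applied"
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, RESERVED):
        return False, "ingress filter: reserved source address"
    if _in_any(src, INFRASTRUCTURE + CUSTOMER_SPACE):
        return False, "ingress filter: source spoofs our own address space"
    return True, "ingress filter: source acceptable"


def infrastructure_acl(pkt: Packet) -> Tuple[bool, str]:
    """Layer 2 (the draft's focus): packets from outside that are addressed to the
    infrastructure itself are dropped unless an explicit exception permits them;
    transit traffic to customer destinations is untouched."""
    if pkt.ingress != "external":
        return True, "internal interface: infrastructure ACL not applied"
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if not _in_any(dst, INFRASTRUCTURE):
        return True, "infrastructure ACL: transit traffic, not infrastructure-destined"
    for p_src, p_dst, proto, port in INFRA_EXCEPTIONS:
        if src == p_src and dst == p_dst and pkt.proto == proto and pkt.dport == port:
            return True, "infrastructure ACL: permitted by explicit exception"
    return False, "infrastructure ACL: external packet destined to infrastructure"


def classify(pkt: Packet) -> Tuple[str, str]:
    """Apply the layers in order; the first layer that rejects the packet wins."""
    reason = ""
    for layer in (ingress_source_filter, infrastructure_acl):
        ok, reason = layer(pkt)
        if not ok:
            return "drop", reason
    return "forward", reason


def run(packets: List[Packet]) -> List[Tuple[str, str]]:
    return [classify(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("external", "203.0.113.1", "192.0.2.1", "tcp", 179),   # peer's BGP session
        Packet("external", "203.0.113.50", "192.0.2.1"),              # outsider pinging a router
        Packet("external", "10.1.1.1", "198.51.100.5"),               # reserved source
        Packet("external", "198.51.100.9", "192.0.2.1"),              # spoofed customer source
        Packet("external", "203.0.113.50", "198.51.100.5", "tcp", 443),  # normal transit
        Packet("internal", "192.0.2.2", "192.0.2.1"),                 # router-to-router inside
    ]
    for pkt, (decision, reason) in zip(samples, run(samples)):
        print(f"{decision:7} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```

The ordering matters: a packet that spoofs a customer source and targets a router address is already rejected by the ingress filter, so the infrastructure ACL only ever sees traffic with a plausible source, which is the layering the abstract describes. Any permitted exception should be as narrow as the constructed BGP entry here (specific source, specific destination, specific protocol and port), since every exception widens the set of external packets that can reach a network element.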


Darrel Lewis

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)