Service Provider Infrastructure Security
draft-lewis-infrastructure-security-00

Abstract

This RFC defines best current practices for implementing Service Provider network infrastructure protection for network elements. This RFC complements and extends RFC 2267 and RFC 3704. RFC 2267 provides guidelines for filtering traffic on the ingress to service provider networks. RFC 3704 expands the recommendations described in RFC 2267 to address operational filtering guidelines for single and multi-homed environments. The focus of those RFCs is on filtering ingress packets ingress, regardless of destination, if those packets are have spoofed source address or fall within "reserved" address space. Deployment of RFCs 2267 and 3704 has limited the effects of denial of service attacks by dropping ingress packets with spoofed source addresses, which in turn offers other benefits by ensuring that packets coming into a network originate from validly allocated and consistent sources. This document focuses solely on traffic destined to the network infrastructure itself to protect the network from denial of service and other attacks. This document presents techniques that, together with network edge ingress filtering and RFC 2267 and RFC 3704, create a layered approach for infrastructure protection. This document does not present recommendations for protocol validation (i.e. "sanity checking") nor does it address guidelines for general security configuration.

Authors

Darrel Lewis

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)