RFC 3871 Operational Security Requirements September 2004
Justification.
See section 3 of [RFC1918], sections 5.3.7 and 5.3.8 of
[RFC1812], and [RFC2827].
Examples.
This requirement could be satisfied in several ways. It could be
satisfied by the provision of a single command that automatically
generates and applies filters to an interface that implements
anti-spoofing. It could be satisfied by the provision of a
command that causes the return path for packets received to be
checked against the current forwarding tables and dropped if they
would not be forwarded back through the interface on which they
were received.
See [RFC3704].
Warnings.
This requirement only holds for single-homed networks. Note that
a simple forwarding table check is not sufficient in the more
complex scenarios of multi-homed or multi-attached networks, i.e.,
where the traffic may be asymmetric. In these cases, a more
extensive check such as Feasible Path RPF could be very useful.
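Added example (not part of RFC 3871): the forwarding-table check from the Examples paragraph next to a Feasible Path check in the sense of [RFC3704], run over a constructed routing table. The prefixes, interface names and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed routing state (assumption, not from the RFC): per prefix, the
# interface of the best path and the interfaces of other feasible paths.
RIB = {
    "192.0.2.0/24":      {"best": "eth0", "alternates": []},        # single-homed
    "198.51.100.0/24":   {"best": "eth1", "alternates": ["eth2"]},  # multi-homed
    "198.51.100.128/25": {"best": "eth2", "alternates": ["eth1"]},  # more specific
}

def lookup(src):
    """Longest-prefix match on the packet's source address; None if no route."""
    addr = ipaddress.ip_address(src)
    hits = [(net, entry) for net, entry in
            ((ipaddress.ip_network(p), e) for p, e in RIB.items())
            if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def strict_rpf(src, in_if):
    """Accept only if the best return path leaves through the receiving interface."""
    entry = lookup(src)
    return entry is not None and entry["best"] == in_if

def feasible_rpf(src, in_if):
    """Accept if any feasible return path, best or alternate, uses the interface."""
    entry = lookup(src)
    return entry is not None and in_if in (entry["best"], *entry["alternates"])

if __name__ == "__main__":
    # Constructed packets: (source address, receiving interface, note).
    packets = [
        ("192.0.2.10", "eth0", "single-homed, correct interface"),
        ("192.0.2.10", "eth1", "spoofed source"),
        ("198.51.100.7", "eth2", "legitimate, asymmetric path"),
        ("203.0.113.9", "eth0", "no route to source"),
    ]
    for src, in_if, note in packets:
        print(f"{src:15} {in_if}  strict={strict_rpf(src, in_if)!s:5} "
              f"feasible={feasible_rpf(src, in_if)!s:5}  {note}")
```

The third packet is the case the warning describes: the strict check drops legitimate traffic from the multi-homed prefix, while the feasible-path check accepts it and still rejects the spoofed source.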
2.5.6. Support Automatic Discarding Of Bogons and Martians
Requirement.
The device MUST provide a means to automatically drop all "bogons"
(Section 1.8) and "martians" (Section 1.8). This option MUST work
in the presence of dynamic routing and dynamically assigned
addresses.
Justification.
These sorts of packets have little (no?) legitimate use and are
used primarily to allow individuals and organizations to avoid
identification (and thus accountability) and appear to be most
often used for DoS attacks, email abuse, hacking, etc. In
addition, transiting these packets needlessly consumes resources
and may lead to capacity and performance problems for customers.
See section 3 of [RFC1918], sections 5.3.7 and 5.3.8 of
[RFC1812], and [RFC2827].
Jones Informational [Page 33]