RFC 3871           Operational Security Requirements      September 2004
   Examples.
      This requirement could be satisfied by the provision of a command
      that causes the return path for packets received to be checked
      against the current forwarding tables and dropped if no viable
      return path exists.  This assumes that steps are taken to assure
      that no bogon entries are present in the forwarding tables (for
      example filtering routing updates per Section 2.7.5 to reject
      advertisements of unassigned addresses).
      See [RFC3704].
   Warnings.
      This requirement only holds for single homed networks.  Note that
      a simple forwarding table check is not sufficient in the more
      complex scenarios of multi homed or multi attached networks, i.e.,
      where the traffic may be asymmetric.  In these cases, a more
      extensive check such as Feasible Path RPF could be very useful.
2.5.7.  Support Counters For Dropped Packets
   Requirement.
      The device MUST provide accurate, per interface counts of spoofed
      packets dropped in accordance with Section 2.5.5 and Section
      2.5.6.
   Justification.
      Counters can help in identifying the source of spoofed traffic.
   Examples.
      An edge router may have several single homed customers attached.
      When an attack using spoofed packets is detected, a quick check of
      counters may be able to identify which customer is attempting to
      send spoofed traffic.
   Warnings.
      None.
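   The following is an added illustration, not part of RFC 3871 or of any
   vendor implementation. It models the forwarding-table check from the
   example above, the feasible-path variant named in its warning (simplified
   here to "any route for the longest matching prefix, not only the best
   one"), and the per-interface drop counters of Section 2.5.7. The class,
   interface names, prefixes and packets are all constructed for the example.

```python
import ipaddress
from collections import Counter

class RpfFilter:
    """Simplified reverse-path check with per-interface drop counters."""
    def __init__(self, mode="strict"):
        self.mode = mode          # "strict" or "feasible"
        self.routes = []          # (network, interface, is_best_path)
        self.dropped = Counter()  # spoofed-packet drops per ingress interface

    def add_route(self, prefix, interface, best=True):
        self.routes.append((ipaddress.ip_network(prefix), interface, best))

    def return_interfaces(self, src):
        """Interfaces considered a viable return path for src."""
        addr = ipaddress.ip_address(src)
        matches = [r for r in self.routes if addr in r[0]]
        longest = max((net.prefixlen for net, _, _ in matches), default=-1)
        # Strict uses only the best path; feasible also admits alternates.
        return {ifc for net, ifc, best in matches
                if net.prefixlen == longest and (best or self.mode == "feasible")}

    def accept(self, src, in_interface):
        if in_interface in self.return_interfaces(src):
            return True
        self.dropped[in_interface] += 1   # counted against the ingress interface
        return False

def build(mode):
    # Constructed topology using documentation prefixes (RFC 5737).
    f = RpfFilter(mode)
    f.add_route("192.0.2.0/24", "cust-a")                  # single-homed
    f.add_route("198.51.100.0/24", "cust-b")               # single-homed
    f.add_route("203.0.113.0/24", "cust-c-1")              # multihomed, best path
    f.add_route("203.0.113.0/24", "cust-c-2", best=False)  # alternate path
    return f

# Constructed packets: (source address, ingress interface)
PACKETS = [("192.0.2.10", "cust-a"),      # legitimate
           ("198.51.100.5", "cust-a"),    # source belongs to cust-b
           ("10.9.9.9", "cust-a"),        # no route for the source at all
           ("203.0.113.7", "cust-c-2")]   # legitimate but asymmetric

def run(mode):
    f = build(mode)
    verdicts = [f.accept(src, ifc) for src, ifc in PACKETS]
    return verdicts, dict(f.dropped)

if __name__ == "__main__":
    print({m: run(m) for m in ("strict", "feasible")})
```

   In strict mode the counter for cust-c-2 shows a drop of legitimate
   asymmetric traffic, while in both modes the cust-a counter singles out
   the interface receiving spoofed sources.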
Jones                        Informational                     [Page 34]



