RFC 3871           Operational Security Requirements      September 2004
2.6.2.  Support Directional Application Of Rate Limiting Per Interface
   Requirement.
      The device MUST provide support to rate limit input and/or output
      separately on each interface.
   Justification.
      This level of granular control allows appropriately targeted
      controls that minimize the impact on third parties.
   Examples.
      If an ICMP flood is directed at a single customer on an edge
      router, it may be appropriate to rate limit outbound ICMP only on
      that customer's interface.
   Warnings.
      None.
2.6.3.  Support Rate Limiting Based on State
   Requirement.
      The device MUST be able to rate limit based on all TCP control
      flag bits.  The device SHOULD support rate limiting of other
      stateful protocols where the normal processing of the protocol
      gives the device access to protocol state.
   Justification.
      This allows appropriate response to certain classes of attack.
   Examples.
      For example, for TCP sessions, it should be possible to rate limit
      based on the SYN, SYN ACK, RST, or other bit state.
   Warnings.
      None.
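
The following sketch is an added illustration and is not part of RFC 3871 or of any vendor's implementation. It models the behaviour required by 2.6.2 and 2.6.3 with one token bucket per rule, where a rule is bound to an interface, a direction, a protocol and a mask over the TCP control flag bits. The interface names `cust1` and `cust2`, the rates and the packet list are constructed for the example.

```python
from dataclasses import dataclass, field

# TCP control flag bits as they appear in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Rule:
    iface: str            # interface the limit is bound to (hypothetical names)
    direction: str        # "in" or "out", limited separately (2.6.2)
    proto: str
    rate: float           # tokens added per second
    burst: float          # bucket depth
    flag_mask: int = 0    # TCP flag bits examined (2.6.3)
    flag_value: int = 0   # required value of the examined bits
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst  # start with a full bucket

    def matches(self, iface, direction, proto, flags):
        return ((iface, direction, proto) == (self.iface, self.direction, self.proto)
                and (flags & self.flag_mask) == self.flag_value)

    def allow(self, now):
        # Refill for the elapsed time, then spend one token per packet.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def police(rules, packets):
    """First matching rule decides; traffic matching no rule passes."""
    out = []
    for t, *hdr in packets:
        rule = next((r for r in rules if r.matches(*hdr)), None)
        out.append("pass" if rule is None or rule.allow(t) else "drop")
    return out

def demo():
    # Constructed sample: ICMP burst sent out toward cust1, SYN burst in from cust1.
    rules = [Rule("cust1", "out", "icmp", rate=2, burst=2),
             Rule("cust1", "in", "tcp", rate=1, burst=1,
                  flag_mask=SYN | ACK | RST | FIN, flag_value=SYN)]
    packets = [(0.0, "cust1", "out", "icmp", 0)] * 3 + [
        (0.0, "cust2", "out", "icmp", 0), (0.0, "cust1", "in", "icmp", 0),
        (0.5, "cust1", "out", "icmp", 0)]
    packets += [(1.0, "cust1", "in", "tcp", f) for f in (SYN, SYN, SYN | ACK, ACK)]
    packets.append((2.0, "cust1", "in", "tcp", SYN))
    return police(rules, packets)
```

Only outbound ICMP on `cust1` and bare SYNs inbound on `cust1` are ever dropped; ICMP on `cust2`, inbound ICMP on `cust1`, and SYN-ACK or ACK segments are untouched, which is the third-party isolation the justification in 2.6.2 describes.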
Jones                        Informational                     [Page 36]