RFC 3871           Operational Security Requirements      September 2004
   Warnings.
      None.
2.7.3.  Ability to Filter Traffic THROUGH the Device
   Requirement.
      It MUST be possible to apply the filtering mechanism to traffic
      that is being routed (switched) through the device.
   Justification.
      This permits implementation of basic policies on devices that
      carry transit traffic (routers, switches, etc.).
   Examples.
      One simple and common way to meet this requirement is to provide
      the ability to filter traffic inbound to each interface and/or
      outbound from each interface.  Ingress filtering as described in
      [RFC2827] provides one example of the use of this capability.
   Warnings.
      None.
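   Added illustration, not part of RFC 3871: a small Python model of
   stateless inbound/outbound filters applied per interface to transit
   traffic, with an [RFC2827]-style ingress filter on a customer-facing
   interface.  The interface names, the documentation prefixes, the
   sample packets, and the implicit deny at the end of a filter are
   assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # header fields a stateless filter may inspect
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str                     # "tcp", "udp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# Constructed policy: filters are keyed by (interface, direction).
FILTERS = {
    # Ingress filtering: accept only sources inside the customer's prefix.
    ("cust0", "in"): [Rule("permit", src="192.0.2.0/24"), Rule("deny")],
    # Outbound filter on the same interface: block SNMP toward the customer.
    ("cust0", "out"): [Rule("deny", proto="udp", dport=161), Rule("permit")],
}

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; an exhausted filter denies (assumed default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def forward(pkt: Packet, filters=FILTERS) -> str:
    """Apply the inbound filter of in_if, then the outbound filter of out_if.
    An interface with no filter configured passes traffic unfiltered."""
    for key in ((pkt.in_if, "in"), (pkt.out_if, "out")):
        if key in filters and evaluate(filters[key], pkt) == "deny":
            return "deny"
    return "permit"
```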
2.7.4.  Ability to Filter Without Significant Performance Degradation
   Requirement.
      The device MUST provide a means to filter packets without
      significant performance degradation.  This specifically applies to
      stateless packet filtering operating on layer 3 (IP) and layer 4
      (TCP or UDP) headers, as well as normal packet forwarding
      information such as incoming and outgoing interfaces.
      The device MUST be able to apply stateless packet filters on ALL
      interfaces (up to the maximum number possible) simultaneously and
      with multiple filters per interface (e.g., inbound and outbound).
   Justification.
      This enables the implementation of filtering wherever and whenever
      needed.  To the extent that filtering causes degradation, it may
      not be possible to apply filters that implement the appropriate
      policies.
Jones                        Informational                     [Page 38]



