RFC 3871           Operational Security Requirements      September 2004
   Examples.
      Another way of stating the requirement is that filter performance
      should not be the limiting factor in device throughput.  If a
      device is capable of forwarding 30Mb/sec without filtering, then
      it should be able to forward the same amount with filtering in
      place.
   Warnings.
      The definition of "significant" is subjective.  At one end of the
      spectrum it might mean "the application of filters may cause the
      box to crash".  At the other end would be a throughput loss of
      less than one percent with tens of thousands of filters applied.
      The level of performance degradation that is acceptable will have
      to be determined by the operator.
      Repeatable test data showing filter performance impact would be
      very useful in evaluating conformance with this requirement.
      Tests should include such information as packet size, packet rate,
      number of interfaces tested (source/destination), types of
      interfaces, routing table size, routing protocols in use,
      frequency of routing updates, etc.  See [bmwg-acc-bench].
      This requirement does not address stateful filtering, filtering
      above layer 4 headers or other more advanced types of filtering
      that may be important in certain operational environments.
2.7.5.  Support Route Filtering
   Requirement.
      The device MUST provide a means to filter routing updates for all
      protocols used to exchange external routing information.
   Justification.
      See [RFC3013] and section 3.2 of [RFC2196].
   Examples.
      Operators may wish to ignore advertisements for routes to
      addresses allocated for private internets.  See eBGP.
   Warnings.
      None.
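      The route filter described in the Examples above, as an added
      illustration that is not part of the RFC text: it rejects
      advertisements that fall within the RFC 1918 private blocks and
      accepts everything else.  The peer names and sample prefixes are
      constructed, and the function names are hypothetical.

```python
import ipaddress

# Address blocks allocated for private internets (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def match_private(prefix):
    """Return the private block that covers `prefix`, or None.

    This is "exact or longer" matching: 10.0.0.0/8 matches
    10.1.2.0/24, but 0.0.0.0/0 does not match, because a default
    route is not itself private address space.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for block in PRIVATE_BLOCKS:
        if net.version == block.version and net.subnet_of(block):
            return block
    return None

def filter_updates(updates):
    """Split (peer, prefix) updates into accepted and rejected lists.

    Malformed prefixes are rejected rather than passed through.
    """
    accepted, rejected = [], []
    for peer, prefix in updates:
        try:
            block = match_private(prefix)
        except ValueError:
            rejected.append((peer, prefix, "malformed prefix"))
            continue
        if block is not None:
            rejected.append((peer, prefix, f"within {block}"))
        else:
            accepted.append((peer, prefix))
    return accepted, rejected

# Constructed sample updates; peers and prefixes are illustrative only.
SAMPLE_UPDATES = [
    ("peer-a", "198.51.100.0/24"),
    ("peer-a", "10.20.0.0/16"),
    ("peer-b", "172.31.255.0/24"),
    ("peer-b", "172.32.0.0/16"),    # just outside 172.16.0.0/12
    ("peer-b", "0.0.0.0/0"),
    ("peer-c", "192.168.1.1/24"),   # host bits set: malformed
]

if __name__ == "__main__":
    ok, bad = filter_updates(SAMPLE_UPDATES)
    for entry in ok: print("accept", *entry)
    for entry in bad: print("reject", *entry)
```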
Jones                        Informational                     [Page 39]



