RFC 3871           Operational Security Requirements      September 2004
2.8.2.  Ability to Filter on Addresses
   Requirement.
      The function MUST be able to control the flow of traffic based on
      source and/or destination IP address or blocks of addresses such
      as Classless Inter Domain Routing (CIDR) blocks.
   Justification.
      The capability to filter on addresses and address blocks is a
      fundamental tool for establishing boundaries between different
      networks.
   Examples.
      One example of the use of address based filtering is to implement
      ingress filtering per [RFC2827].
   Warnings.
      None.
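   As an added illustration of address-block filtering in the service of
   [RFC2827] (this is example code, not text or code from RFC 3871): an
   ordered, first-match access list whose terms are CIDR blocks, and a
   helper that builds the RFC 2827 ingress policy for an interface facing
   one customer. Every prefix and address is constructed from documentation
   space (RFC 5737, RFC 3849); the rule and ACL names are the example's own.

```python
"""Address-block filtering (RFC 3871 2.8.2) used for RFC 2827 ingress filtering.

Added illustration, not text or code from RFC 3871: an ordered, first-match
access list whose terms are CIDR blocks, plus a helper that builds the
RFC 2827 policy for a customer-facing interface. All prefixes and addresses
below are constructed from documentation space (RFC 5737, RFC 3849).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: Optional[IPNet]      # None means "any"
    dst: Optional[IPNet]


def _net(text: Optional[str]) -> Optional[IPNet]:
    # strict=False accepts "192.0.2.5/24" and means the enclosing /24,
    # which is how most router CLIs treat a host/prefix-length pair.
    return None if text is None else ipaddress.ip_network(text, strict=False)


def rule(action: str, src: Optional[str] = None, dst: Optional[str] = None) -> Rule:
    return Rule(action, _net(src), _net(dst))


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; no match denies, as router ACLs do.
    Address-family mismatches never match: a v6 address is not in a v4 block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action
    return "deny"


def ingress_acl(assigned_prefixes: List[str]) -> List[Rule]:
    """RFC 2827 ingress policy for the interface facing one customer: only
    packets sourced from the blocks assigned to that customer may enter.
    Any other source is spoofed from this interface's point of view and is
    dropped by the implicit deny."""
    return [rule("permit", src=p) for p in assigned_prefixes]


# Constructed network: one customer holds an IPv4 /24 and an IPv6 /48.
CUSTOMER_ACL = ingress_acl(["192.0.2.0/24", "2001:db8:1::/48"])

# Constructed arrivals on that interface: (source, destination).
ARRIVALS = [
    ("192.0.2.17", "203.0.113.9"),          # legitimate customer source
    ("10.0.0.1", "203.0.113.9"),            # RFC 1918 source, spoofed or leaked
    ("203.0.113.200", "203.0.113.9"),       # someone else's address as source
    ("2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate v6 source
    ("2001:db8:2::5", "2001:db8:ffff::1"),  # v6 source outside the /48
]


def decisions(acl: List[Rule], arrivals) -> List[str]:
    return [evaluate(acl, s, d) for s, d in arrivals]


if __name__ == "__main__":
    for (s, d), verdict in zip(ARRIVALS, decisions(CUSTOMER_ACL, ARRIVALS)):
        print(f"{verdict:6} {s} -> {d}")
```

   The same evaluate() serves a destination-based rule as well (for example
   denying everything to a management block before a final permit), which is
   the "boundaries between different networks" use the justification refers
   to. On a real router the ingress list would sit on the customer-facing
   interface only; applying it on a transit interface would drop legitimate
   traffic.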
2.8.3.  Ability to Filter on Protocol Header Fields
   Requirement.
      The filtering mechanism MUST support filtering based on the
      value(s) of any portion of the protocol headers for IP, ICMP, UDP
      and TCP.  It SHOULD support filtering of all other protocols
      supported at layer 3 and 4.  It MAY support filtering based on the
      headers of higher level protocols.  It SHOULD be possible to
      specify fields by name (e.g., "protocol = ICMP") rather than bit 
      offset/length/numeric value (e.g., 72:8 = 1).
   Justification.
      Being able to filter on portions of the header is necessary to
      allow implementation of policy, secure operations, and support
      incident response.
   Examples.
      This requirement implies that it is possible to filter based on
      TCP or UDP port numbers, TCP flags such as SYN, ACK and RST bits,
      and ICMP type and code fields.  One common example is to reject
      "inbound" TCP connection attempts (TCP, SYN bit set+ACK bit clear
      or SYN bit set+ACK,FIN and RST bits clear).  Another common
Jones                        Informational                     [Page 42]
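   As an added illustration of the header-field filtering this section
   requires (example code, not part of RFC 3871): a parser that exposes the
   IPv4, TCP, UDP and ICMP header fields by name, a first-match evaluator
   over terms written against those names, and a bit_field() helper showing
   what the offset/length form "72:8 = 1" actually selects (bits 72-79 of
   the IPv4 header are the protocol field, and 1 is ICMP). The policy
   rejects the "inbound" TCP connection attempts described above (SYN set,
   ACK clear) and ICMP redirects; the packets, field names and operator
   spellings are the example's own constructions.

```python
"""Header-field filtering (RFC 3871 2.8.3): fields by name, not bit offsets.

Added illustration, not code from RFC 3871: a packet parser that exposes the
IPv4, TCP, UDP and ICMP header fields by name, a first-match rule evaluator
over those names, and bit_field() to show what the "72:8 = 1" form in the
text actually selects. The packets are constructed inline for the example.
"""
import struct
from typing import Dict, List, Tuple

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

Term = Tuple[str, str, object]          # (field, operator, value)
Policy = List[Tuple[str, List[Term]]]   # (action, terms) in evaluation order


def ipv4_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet: 20-byte header, no options, checksum left 0."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    # data offset 5 words, flags in the low 9 bits, window/checksum/urgent trivial
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def icmp_message(icmp_type: int, code: int) -> bytes:
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def bit_field(pkt: bytes, offset: int, length: int) -> int:
    """Value of `length` bits starting `offset` bits into the packet: the
    offset/length form. 72:8 is byte 9 of the IPv4 header, the protocol field."""
    total = len(pkt) * 8
    return (int.from_bytes(pkt, "big") >> (total - offset - length)) & ((1 << length) - 1)


def parse(pkt: bytes) -> Dict[str, object]:
    """Named header fields of an IPv4 packet and its TCP, UDP or ICMP header."""
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    fields: Dict[str, object] = {
        "version": ver_ihl >> 4, "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, proto),
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
    }
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == 6:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        fields.update(sport=sport, dport=dport,
                      flags={name for name, bit in TCP_FLAGS.items() if off_flags & bit})
    elif proto == 17:
        fields["sport"], fields["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:
        fields["icmp_type"], fields["icmp_code"] = l4[0], l4[1]
    return fields


def term_matches(fields: Dict[str, object], field: str, op: str, value: object) -> bool:
    if field not in fields:          # a UDP packet can never satisfy "flags SYN set"
        return False
    have = fields[field]
    if op == "=":
        return have == value
    if op == "set":                  # flag present in the parsed flag set
        return value in have
    if op == "clear":
        return value not in have
    raise ValueError(f"unknown operator {op!r}")


def evaluate(policy: Policy, pkt: bytes) -> str:
    fields = parse(pkt)
    for action, terms in policy:
        if all(term_matches(fields, *t) for t in terms):
            return action
    return "deny"                    # implicit deny at the end of the list


# Constructed policy for an "inbound" interface: reject TCP connection
# attempts (SYN set, ACK clear), reject ICMP redirects, permit the rest.
INBOUND_POLICY: Policy = [
    ("deny", [("protocol", "=", "TCP"), ("flags", "set", "SYN"), ("flags", "clear", "ACK")]),
    ("deny", [("protocol", "=", "ICMP"), ("icmp_type", "=", 5)]),
    ("permit", []),
]

# Constructed traffic arriving on that interface.
SYN_IN = ipv4_packet(6, "203.0.113.7", "192.0.2.10", tcp_segment(40000, 22, TCP_FLAGS["SYN"]))
SYN_ACK_IN = ipv4_packet(6, "203.0.113.7", "192.0.2.10", tcp_segment(443, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]))
REDIRECT_IN = ipv4_packet(1, "203.0.113.1", "192.0.2.10", icmp_message(5, 1))
ECHO_REPLY_IN = ipv4_packet(1, "203.0.113.1", "192.0.2.10", icmp_message(0, 0))
DNS_REPLY_IN = ipv4_packet(17, "203.0.113.53", "192.0.2.10", struct.pack("!HHHH", 53, 40000, 8, 0))

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN_IN), ("SYN+ACK", SYN_ACK_IN), ("ICMP redirect", REDIRECT_IN),
                      ("ICMP echo reply", ECHO_REPLY_IN), ("UDP/53 reply", DNS_REPLY_IN)]:
        print(f"{evaluate(INBOUND_POLICY, pkt):6} {name:16} protocol bits 72:8 = {bit_field(pkt, 72, 8)}")
```

   The term "flags clear ACK" is what makes the first rule a connection
   attempt filter rather than a filter on all SYN-carrying segments: the
   SYN+ACK of a connection the inside host opened passes. A term on a field
   the packet does not carry (a TCP flag on a UDP datagram) is false rather
   than an error, so a rule never matches by accident on the wrong protocol.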