| Number | Files | Title | Authors | Date | More Info | Status |
|---|---|---|---|---|---|---|
| RFC 3704,BCP 84 | Ingress Filtering for Multihomed Networks | F. Baker, P. Savola | March 2004 | UpdatesRFC 2827, Updated byRFC 8704 | Best Current Practice | |
| RFC 8704,BCP 84 | Enhanced Feasible-Path Unicast Reverse Path Forwarding | K. Sriram, D. Montgomery, J. Haas | February 2020 | UpdatesRFC 3704 | Best Current Practice |
BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
This document identifies a need for and proposes improvement of theunicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) fordetection and mitigation of source address spoofing (see BCP 38).Strict uRPF is inflexible about directionality, the loose uRPF isoblivious to directionality, and the current feasible-path uRPFattempts to strike a balance between the two (see RFC 3704). However,as shown in this document, the existing feasible-path uRPF still hasshortcomings. This document describes enhanced feasible-path uRPF(EFP-uRPF) techniques that are more flexible (in a meaningful way)about directionality than the feasible-path uRPF (RFC 3704). Theproposed EFP-uRPF methods aim to significantly reduce false positivesregarding invalid detection in source address validation (SAV).Hence, they can potentially alleviate ISPs' concerns about thepossibility of disrupting service for their customers and encouragegreater deployment of uRPF techniques. This document updates RFC3704.
For the definition ofStatus,seeRFC 2026.
For the definition ofStream, seeRFC 8729.