A method and system for filtering malicious packets received at the edge of a service provider (SP) domain is provided. A protocol aware border element identifies the protocol used by any ingress packet, and then determines which domain-specific information is used in the application payload of the packet to form the source identity. If this packet pretends to come from the SP domain, and no domain entity is allowed to roam, the packet is identified as illegitimate and is subjected to a given security policy. The border element also identifies as legitimate the SP domain entities that are allowed to roam, and legitimate sources outside said SP domain that communicates customary with entities in the SP domain.