diff --git a/daemon/face/tcp-factory.cpp b/daemon/face/tcp-factory.cpp
index d301350..cd3119e 100644
--- a/daemon/face/tcp-factory.cpp
+++ b/daemon/face/tcp-factory.cpp
@@ -7,6 +7,7 @@
 #include "tcp-factory.hpp"
 #include "core/resolver.hpp"
 #include "core/logger.hpp"
+#include "core/network-interface.hpp"
 
 NFD_LOG_INIT("TcpFactory");
 
@@ -15,6 +16,78 @@
 TcpFactory::TcpFactory(const std::string& defaultPort/* = "6363"*/)
   : m_defaultPort(defaultPort)
 {
+
+}
+
+void
+TcpFactory::prohibitEndpoint(const tcp::Endpoint& endpoint)
+{
+  using namespace boost::asio::ip;
+
+  static const address_v4 ALL_V4_ENDPOINT(address_v4::from_string("0.0.0.0"));
+  static const address_v6 ALL_V6_ENDPOINT(address_v6::from_string("::"));
+
+  const address& address = endpoint.address();
+
+  if (address.is_v4() && address == ALL_V4_ENDPOINT)
+    {
+      prohibitAllIpv4Endpoints(endpoint.port());
+    }
+  else if (endpoint.address().is_v6() && address == ALL_V6_ENDPOINT)
+    {
+      prohibitAllIpv6Endpoints(endpoint.port());
+    }
+
+  NFD_LOG_TRACE("prohibiting TCP " <<
+                endpoint.address().to_string() << ":" << endpoint.port());
+
+  m_prohibitedEndpoints.insert(endpoint);
+}
+
+void
+TcpFactory::prohibitAllIpv4Endpoints(const uint16_t port)
+{
+  using namespace boost::asio::ip;
+
+  const std::list<shared_ptr<NetworkInterfaceInfo> > nicList(listNetworkInterfaces());
+
+  for (std::list<shared_ptr<NetworkInterfaceInfo> >::const_iterator i = nicList.begin();
+       i != nicList.end();
+       ++i)
+    {
+      const shared_ptr<NetworkInterfaceInfo>& nic = *i;
+      const std::vector<address_v4>& ipv4Addresses = nic->ipv4Addresses;
+
+      for (std::vector<address_v4>::const_iterator j = ipv4Addresses.begin();
+           j != ipv4Addresses.end();
+           ++j)
+        {
+          prohibitEndpoint(tcp::Endpoint(*j, port));
+        }
+    }
+}
+
+void
+TcpFactory::prohibitAllIpv6Endpoints(const uint16_t port)
+{
+  using namespace boost::asio::ip;
+
+  const std::list<shared_ptr<NetworkInterfaceInfo> > nicList(listNetworkInterfaces());
+
+  for (std::list<shared_ptr<NetworkInterfaceInfo> >::const_iterator i = nicList.begin();
+       i != nicList.end();
+       ++i)
+    {
+      const shared_ptr<NetworkInterfaceInfo>& nic = *i;
+      const std::vector<address_v6>& ipv6Addresses = nic->ipv6Addresses;
+
+      for (std::vector<address_v6>::const_iterator j = ipv6Addresses.begin();
+           j != ipv6Addresses.end();
+           ++j)
+        {
+          prohibitEndpoint(tcp::Endpoint(*j, port));
+        }
+    }
 }
 
 shared_ptr<TcpChannel>
@@ -26,6 +99,8 @@
 
   channel = make_shared<TcpChannel>(boost::cref(endpoint));
   m_channels[endpoint] = channel;
+  prohibitEndpoint(endpoint);
+
   NFD_LOG_DEBUG("Channel [" << endpoint << "] created");
   return channel;
 }
@@ -57,6 +132,11 @@
   else if (uri.getScheme() == "tcp6")
     addressSelector = resolver::Ipv6Address();
 
+  if (!uri.getPath().empty())
+    {
+      onConnectFailed("Invalid URI");
+    }
+
   TcpResolver::asyncResolve(uri.getHost(),
                             uri.getPort().empty() ? m_defaultPort : uri.getPort(),
                             bind(&TcpFactory::continueCreateFaceAfterResolve, this, _1,
@@ -70,6 +150,13 @@
                                            const FaceCreatedCallback& onCreated,
                                            const FaceConnectFailedCallback& onConnectFailed)
 {
+  if (m_prohibitedEndpoints.find(endpoint) != m_prohibitedEndpoints.end())
+    {
+      onConnectFailed("Requested endpoint is prohibited "
+                      "(reserved by this NFD or disallowed by face management protocol)");
+      return;
+    }
+
   // very simple logic for now
 
   for (ChannelMap::iterator channel = m_channels.begin();
diff --git a/daemon/face/tcp-factory.hpp b/daemon/face/tcp-factory.hpp
index 6ba2e37..d4b6618 100644
--- a/daemon/face/tcp-factory.hpp
+++ b/daemon/face/tcp-factory.hpp
@@ -67,6 +67,16 @@
              const FaceConnectFailedCallback& onConnectFailed);
 
 private:
+
+  void
+  prohibitEndpoint(const tcp::Endpoint& endpoint);
+
+  void
+  prohibitAllIpv4Endpoints(const uint16_t port);
+
+  void
+  prohibitAllIpv6Endpoints(const uint16_t port);
+
   /**
    * \brief Look up TcpChannel using specified local endpoint
    *
@@ -88,6 +98,8 @@
   ChannelMap m_channels;
 
   std::string m_defaultPort;
+
+  std::set<tcp::Endpoint> m_prohibitedEndpoints;
 };
 
 } // namespace nfd
diff --git a/daemon/face/udp-channel.cpp b/daemon/face/udp-channel.cpp
index 390b412..49c22b7 100644
--- a/daemon/face/udp-channel.cpp
+++ b/daemon/face/udp-channel.cpp
@@ -31,7 +31,7 @@
     {
       m_socket->set_option(ip::v6_only(true));
     }
-  
+
   try {
     m_socket->bind(m_localEndpoint);
   }
@@ -41,9 +41,9 @@
     throw Error("Failed to properly configure the socket. "
                 "UdpChannel creation aborted, check the address (" + std::string(e.what()) + ")");
   }
-  
+
   this->setUri(FaceUri(localEndpoint));
-  
+
   //setting the timeout to close the idle faces
   m_closeIdleFaceEvent = scheduler::schedule(m_idleFaceTimeout,
                                 bind(&UdpChannel::closeIdleFaces, this));
@@ -62,7 +62,7 @@
     throw Error("Listen already called on this channel");
   }
   m_isListening = true;
-  
+
   onFaceCreatedNewPeerCallback = onFaceCreated;
   onConnectFailedNewPeerCallback = onListenFailed;
 
@@ -76,7 +76,8 @@
 
 void
 UdpChannel::connect(const udp::Endpoint& remoteEndpoint,
-                    const FaceCreatedCallback& onFaceCreated)
+                    const FaceCreatedCallback& onFaceCreated,
+                    const ConnectFailedCallback& onConnectFailed)
 {
   ChannelFaceMap::iterator i = m_channelFaces.find(remoteEndpoint);
   if (i != m_channelFaces.end()) {
@@ -88,10 +89,10 @@
   //creating a new socket for the face that will be created soon
   shared_ptr<ip::udp::socket> clientSocket =
     make_shared<ip::udp::socket>(boost::ref(getGlobalIoService()));
-  
+
   clientSocket->open(m_localEndpoint.protocol());
   clientSocket->set_option(ip::udp::socket::reuse_address(true));
-  
+
   try {
     clientSocket->bind(m_localEndpoint);
     clientSocket->connect(remoteEndpoint); //@todo connect or async_connect
@@ -101,8 +102,8 @@
   }
   catch (boost::system::system_error& e) {
     clientSocket->close();
-    throw Error("Failed to properly configure the socket. Check the address ("
-                + std::string(e.what()) + ")");
+    onConnectFailed("Failed to configure socket (" + std::string(e.what()) + ")");
+    return;
   }
   createFace(clientSocket, onFaceCreated, false);
 }
@@ -144,7 +145,7 @@
       return;
   }
 
-  connect(*remoteEndpoint, onFaceCreated);
+  connect(*remoteEndpoint, onFaceCreated, onConnectFailed);
 }
 
 size_t
@@ -229,7 +230,7 @@
 UdpChannel::closeIdleFaces()
 {
   ChannelFaceMap::iterator next =  m_channelFaces.begin();
-  
+
   while (next != m_channelFaces.end()) {
     ChannelFaceMap::iterator it = next;
     next++;
diff --git a/daemon/face/udp-channel.hpp b/daemon/face/udp-channel.hpp
index 0243dd6..f5dd16e 100644
--- a/daemon/face/udp-channel.hpp
+++ b/daemon/face/udp-channel.hpp
@@ -69,7 +69,8 @@
    */
   void
   connect(const udp::Endpoint& remoteEndpoint,
-          const FaceCreatedCallback& onFaceCreated);
+          const FaceCreatedCallback& onFaceCreated,
+          const ConnectFailedCallback& onConnectFailed);
   /**
    * \brief Create a face by establishing connection to the specified
    *        remote host and remote port
diff --git a/daemon/face/udp-factory.cpp b/daemon/face/udp-factory.cpp
index 36b1fcd..e99961a 100644
--- a/daemon/face/udp-factory.cpp
+++ b/daemon/face/udp-factory.cpp
@@ -7,6 +7,7 @@
 #include "udp-factory.hpp"
 #include "core/global-io.hpp"
 #include "core/resolver.hpp"
+#include "core/network-interface.hpp"
 
 namespace nfd {
 
@@ -19,6 +20,89 @@
 {
 }
 
+
+
+void
+UdpFactory::prohibitEndpoint(const udp::Endpoint& endpoint)
+{
+  using namespace boost::asio::ip;
+
+  static const address_v4 ALL_V4_ENDPOINT(address_v4::from_string("0.0.0.0"));
+  static const address_v6 ALL_V6_ENDPOINT(address_v6::from_string("::"));
+
+  const address& address = endpoint.address();
+
+  if (address.is_v4() && address == ALL_V4_ENDPOINT)
+    {
+      prohibitAllIpv4Endpoints(endpoint.port());
+    }
+  else if (endpoint.address().is_v6() && address == ALL_V6_ENDPOINT)
+    {
+      prohibitAllIpv6Endpoints(endpoint.port());
+    }
+
+  NFD_LOG_TRACE("prohibiting UDP " <<
+                endpoint.address().to_string() << ":" << endpoint.port());
+
+  m_prohibitedEndpoints.insert(endpoint);
+}
+
+void
+UdpFactory::prohibitAllIpv4Endpoints(const uint16_t port)
+{
+  using namespace boost::asio::ip;
+
+  static const address_v4 INVALID_BROADCAST(address_v4::from_string("0.0.0.0"));
+
+  const std::list<shared_ptr<NetworkInterfaceInfo> > nicList(listNetworkInterfaces());
+
+  for (std::list<shared_ptr<NetworkInterfaceInfo> >::const_iterator i = nicList.begin();
+       i != nicList.end();
+       ++i)
+    {
+      const shared_ptr<NetworkInterfaceInfo>& nic = *i;
+      const std::vector<address_v4>& ipv4Addresses = nic->ipv4Addresses;
+
+      for (std::vector<address_v4>::const_iterator j = ipv4Addresses.begin();
+           j != ipv4Addresses.end();
+           ++j)
+        {
+          prohibitEndpoint(udp::Endpoint(*j, port));
+        }
+
+      if (nic->isBroadcastCapable() && nic->broadcastAddress != INVALID_BROADCAST)
+        {
+          NFD_LOG_TRACE("prohibiting broadcast address: " << nic->broadcastAddress.to_string());
+          prohibitEndpoint(udp::Endpoint(nic->broadcastAddress, port));
+        }
+    }
+
+  prohibitEndpoint(udp::Endpoint(address::from_string("255.255.255.255"), port));
+}
+
+void
+UdpFactory::prohibitAllIpv6Endpoints(const uint16_t port)
+{
+  using namespace boost::asio::ip;
+
+  const std::list<shared_ptr<NetworkInterfaceInfo> > nicList(listNetworkInterfaces());
+
+  for (std::list<shared_ptr<NetworkInterfaceInfo> >::const_iterator i = nicList.begin();
+       i != nicList.end();
+       ++i)
+    {
+      const shared_ptr<NetworkInterfaceInfo>& nic = *i;
+      const std::vector<address_v6>& ipv6Addresses = nic->ipv6Addresses;
+
+      for (std::vector<address_v6>::const_iterator j = ipv6Addresses.begin();
+           j != ipv6Addresses.end();
+           ++j)
+        {
+          prohibitEndpoint(udp::Endpoint(*j, port));
+        }
+    }
+}
+
 shared_ptr<UdpChannel>
 UdpFactory::createChannel(const udp::Endpoint& endpoint,
                           const time::seconds& timeout)
@@ -45,6 +129,7 @@
   channel = make_shared<UdpChannel>(boost::cref(endpoint),
                                     timeout);
   m_channels[endpoint] = channel;
+  prohibitEndpoint(endpoint);
 
   return channel;
 }
@@ -80,6 +165,11 @@
                 "endpoint is already allocated for a UDP unicast channel");
   }
 
+  if (m_prohibitedEndpoints.find(multicastEndpoint) != m_prohibitedEndpoints.end()) {
+    throw Error("Cannot create the requested UDP multicast face, "
+                "remote endpoint is owned by this NFD instance");
+  }
+
   if (localEndpoint.address().is_v6() || multicastEndpoint.address().is_v6()) {
     throw Error("IPv6 multicast is not supported yet. Please provide an IPv4 address");
   }
@@ -149,6 +239,11 @@
   else if (uri.getScheme() == "udp6")
     addressSelector = resolver::Ipv6Address();
 
+  if (!uri.getPath().empty())
+    {
+      onConnectFailed("Invalid URI");
+    }
+
   UdpResolver::asyncResolve(uri.getHost(),
                             uri.getPort().empty() ? m_defaultPort : uri.getPort(),
                             bind(&UdpFactory::continueCreateFaceAfterResolve, this, _1,
@@ -168,6 +263,13 @@
     return;
   }
 
+  if (m_prohibitedEndpoints.find(endpoint) != m_prohibitedEndpoints.end())
+    {
+      onConnectFailed("Requested endpoint is prohibited "
+                      "(reserved by this NFD or disallowed by face management protocol)");
+      return;
+    }
+
   // very simple logic for now
 
   for (ChannelMap::iterator channel = m_channels.begin();
@@ -177,7 +279,7 @@
     if ((channel->first.address().is_v4() && endpoint.address().is_v4()) ||
         (channel->first.address().is_v6() && endpoint.address().is_v6()))
     {
-      channel->second->connect(endpoint, onCreated);
+      channel->second->connect(endpoint, onCreated, onConnectFailed);
       return;
     }
   }
diff --git a/daemon/face/udp-factory.hpp b/daemon/face/udp-factory.hpp
index 969ef8c..fe69794 100644
--- a/daemon/face/udp-factory.hpp
+++ b/daemon/face/udp-factory.hpp
@@ -26,7 +26,7 @@
   {
     Error(const std::string& what) : ProtocolFactory::Error(what) {}
   };
-  
+
   explicit
   UdpFactory(const std::string& defaultPort = "6363");
 
@@ -66,10 +66,10 @@
    *
    * Note that this call will **BLOCK** until resolution is done or failed.
    *
-   * If localHost is a IPv6 address of a specific device, it must be in the form: 
+   * If localHost is a IPv6 address of a specific device, it must be in the form:
    * ip address%interface name
    * Example: fe80::5e96:9dff:fe7d:9c8d%en1
-   * Otherwise, you can use :: 
+   * Otherwise, you can use ::
    *
    * Once a face is created, if it doesn't send/receive anything for
    * a period of time equal to timeout, it will be destroyed
@@ -98,7 +98,7 @@
    * creation fails and an exception is thrown
    *
    * \returns always a valid pointer to a MulticastUdpFace object, an exception
-   *          is thrown if it cannot be created. 
+   *          is thrown if it cannot be created.
    *
    * \throws UdpFactory::Error
    *
@@ -108,12 +108,12 @@
   shared_ptr<MulticastUdpFace>
   createMulticastFace(const udp::Endpoint& localEndpoint,
                       const udp::Endpoint& multicastEndpoint);
-  
+
   shared_ptr<MulticastUdpFace>
   createMulticastFace(const std::string& localIp,
                       const std::string& multicastIp,
                       const std::string& multicastPort);
-  
+
   // from Factory
   virtual void
   createFace(const FaceUri& uri,
@@ -129,9 +129,19 @@
   MulticastFaceMap m_multicastFaces;
 
 private:
+
+  void
+  prohibitEndpoint(const udp::Endpoint& endpoint);
+
+  void
+  prohibitAllIpv4Endpoints(const uint16_t port);
+
+  void
+  prohibitAllIpv6Endpoints(const uint16_t port);
+
   void
   afterFaceFailed(udp::Endpoint& endpoint);
-    
+
   /**
    * \brief Look up UdpChannel using specified local endpoint
    *
@@ -142,8 +152,8 @@
    */
   shared_ptr<UdpChannel>
   findChannel(const udp::Endpoint& localEndpoint);
-  
-  
+
+
   /**
    * \brief Look up multicast UdpFace using specified local endpoint
    *
@@ -154,16 +164,18 @@
    */
   shared_ptr<MulticastUdpFace>
   findMulticastFace(const udp::Endpoint& localEndpoint);
-  
+
   void
   continueCreateFaceAfterResolve(const udp::Endpoint& endpoint,
                                  const FaceCreatedCallback& onCreated,
                                  const FaceConnectFailedCallback& onConnectFailed);
-  
+
   typedef std::map< udp::Endpoint, shared_ptr<UdpChannel> > ChannelMap;
   ChannelMap m_channels;
-  
+
   std::string m_defaultPort;
+
+  std::set<udp::Endpoint> m_prohibitedEndpoints;
 };
 
 } // namespace nfd