| Internet-Draft | BGP-LS for advertising SAV Rules | March 2026 |
| Tong, et al. | Expires 3 September 2026 | [Page] |
This document proposes extensions to the BGP Link-State protocol for advertising Source Address Validation (SAV) rule-related information.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Source Address Validation (SAV) is an effective method to mitigate source address spoofing attacks. It is typically deployed at network edges, such as edge routers or Autonomous System Border Routers (ASBRs). Currently, various intra‑domain and inter‑domain SAV mechanisms ([RFC3704], [RFC8704], [I-D.ietf-sidrops-bar-sav], [I-D.geng-idr-bgp-savnet]) exist, where SAV rules can be generated based on information advertised by routing protocols (such as OSPF, OSPFv3, IS-IS, BGP, etc.). The SAV rules on a router are dynamically constructed according to the topology (including source prefixes) of subnets or Autonomous Systems (AS) connected to it.¶
To facilitate SAV rule monitoring, attack traceback, and service anomaly analysis, it is critical to dynamically and in real time obtain SAV rule‑related information for source prefixes associated with the subnets or AS connected to routers. The BGP Link‑State (BGP‑LS) protocol [RFC9552] can efficiently collect link‑state and trafiic engineering information from networks. This document proposes extensions to BGP‑LS to support the collection of SAV rule‑related information from routers. For the purpose of advertising SAV rules within BGP‑LS advertisements, two new NLRIs called SAV Rule NLRIs are proposed for IPv4 and IPv6, respectively.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The "Link-State NLRI" defined in [RFC9552] is extended to carry the SAV rule-related information. The format of "Link-State NLRI" is defined in [RFC9552] as follows:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NLRI Type | Total NLRI Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
// Link-State NLRI (variable) //
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This document defines two new NLRI Types known as IPv4 SAV Rule NLRI and IPv6 SAV Rule NLRI (values are TBD) for the advertisement of SAV rule-related information.¶
This document defines SAV Rule NLRI Types with their common format as shown in the following figure:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
| Protocol-ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier |
+ (8 octets) +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Local Node Descriptors TLVs (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// SAV Rule Descriptors TLVs (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields are defined as follows:¶
Protocol-ID: Specifies the source of SAV rules in this NLRI. Protocol-ID values defined in [RFC9552][RFC9086] can be reused.¶
Local Node Descriptors TLV: Contains Node Descriptors for the nodes storing SAV rules. This is a mandatory TLV in SAV Rule NLRIs. The Type is 256. The length of this TLV is variable. The value contains one or more Node Descriptor sub-TLVs defined in [RFC9552].¶
SAV Rule Descriptors TLVs: There can be one or more SAV Rule Descriptors TLVs for carrying SAV rules.¶
The SAV Rule Descriptor field is a set of TLV triplets. SAV Rule Descriptors TLVs identify a set of SAV rules having the same set of valid interfaces as defined in [I-D.ietf-savnet-general-sav-capabilities]. The following TLVs are valid as SAV Rule Descriptors in the SAV Rule NLRI:¶
+-------------+---------------------+----------+
| TLV Code | Description | Length |
| Point | | |
+-------------+---------------------+----------+
| TBD | Interface Name | variable |
| TBD | Interface Group | 4 |
| TBD | SAV Prefix | variable |
+-------------+---------------------+----------+
An Interface Name TLV is used to identify one valid interface of the source prefixes carried in SAV Prefix TLVs. The format of Interface Name TLV is as follows:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Interface Name (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
There can be zero, one or more Interface Name TLVs in the SAV Rule Descriptor field.¶
An Interface Group TLV is to identify a group of valid interfaces of the source prefixes carried in SAV Prefix TLVs. The format of Interface Group TLV is as follows:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Interface Group (4 octets) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Interface Group value can have either a local meaning or a global meaning. On the one hand, it can be a local interface property on the target routers, and the meaning of it depends on the configurations of network administrator [I-D.ietf-idr-flowspec-interfaceset]. On the other hand, a global meaning Group Identifier field carries an AS number, which represents all the interfaces connected to the neighboring AS with the AS number. [I-D.geng-idr-flowspec-sav]¶
Interface Group value can also be an Interface ID for identifying a specific interface.¶
There can be zero, one or more Interface Group TLVs in the SAV Rule Descriptor field. Interface Group TLVs can be used together with Interface Name TLVs.¶
When there is neither an Interface Name TLV nor an Interface Group TLV, the source prefixes carried in SAV Prefix TLVs are considered valid for all the interfaces on the router.¶
A SAV Prefix TLV carries one IP address prefix (IPv4 or IPv6). The format of SAV Prefix TLV is as follows:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Length | IP Prefix (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
There can be one or more SAV Prefix TLVs in the SAV Rule Descriptor field. The IPv4 SAV Prefix TLVs will only appear in the IPv4 SAV Rule NLRI, and The IPv6 SAV Prefix TLVs are only for the IPv6 SAV Rule NLRI¶
There can be more than one SAV mechanisms based on the same source (identified by Protocol-ID). In order to distinguish the different sources of rules in a more fine-grained manner, the Type field needs to be allocated for multiple values, and each value identifies a specific SAV mechanism based on the same source identified by Protocol-ID.¶
The BGP-LS Attribute, an optional and non-transitive BGP Attribute, is used to carry the validation mode information of SAV rules {I-D.ietf-savnet-general-sav-capabilities}. The following SAV Mode Attribute TLV is defined for the BGP-LS Attribute associated with a SAV Rule NLRI:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M | Reserved | +-+-+-+-+-+-+-+-+
The SAV Mode TLV carries a Mode field (The "M" field is shown in the figure and occupies two bits) describing the validation mode of SAV.¶
When M field is set to 00, the mode is IBA-SAV: interface-based prefix allowlist. The NLRI carries the source prefixes and interfaces. Only the carried prefixes are valid on the carried interfaces, and any other prefixes are invalid on these interfaces.¶
When M field is set to 01, the mode is IBB-SAV: interface-based prefix blocklist. The NLRI carries the source prefixes and interfaces. Only the carried prefixes are invalid on the carried interfaces, and any other prefixes are valid on these interfaces.¶
When M field is set to 10, the mode is PBA-SAV: prefix-based interface allowlist. The NLRI carries the source prefixes and interfaces. Only the carried interfaces are valid for the carried prefixes, and any other interfaces are invalid for those prefixes. Any other prefixes will not be validated.¶
When M field is set to 11, the mode is PBB-SAV: prefix-based interface blocklist. The NLRI carries the source prefixes and interfaces. Only the carried interfaces are invalid for the carried prefixes, and any other interfaces are valid for those prefixes. Any other prefixes will not be validated.¶
SAV actions in this document adopt the traffic filtering actions defined in [RFC8955] and [RFC8956].¶
Traffic filtering actions defined in [RFC8955] include traffic-rate-bytes, traffic-rate-packets, traffic-action, rt-redirect, and traffic-marking, which are applicable to IPv4 and IPv6. Rt-redirect-ipv6 is a new traffic filtering action defined in [RFC8956], which is applicable to IPv6. The encapsulation formats of SAV actions are consistent with the encapsulation formats defined in [RFC8955] and [RFC8956].¶
A SAV rule may match multiple SAV actions, and there may be conflicts among these SAV actions. Section 7.7 of [RFC8955] describes the conflicts among Traffic filtering actions.¶
SAV rules only exist on the routers running SAV mechanisms/protocols and the controller, these routers are usually access routers or boundary routers. This document describes extensions to the BGP-LS NLRI. The Routers running SAV mechanisms/protocols establish BGP-LS sessions with the controller respectively to report multi-sourced SAV rules.¶
+--------------------------+
| Controller |
+--------------------------+
/ \
/ \ BGP-LS advertisements for SAV Rule NLRIs
+---------------------/------------------------\--------------+ +---------------+
| AS100 / \ | | AS200 |
| +---------+ +---------+ | | +---------+ |
| access router | Router1 | | Router2 |-------|----|--| Router3 | |
| +---------+ +---------+ | | |+--------+ |
| / \ boundary router | | |
| / \ | +---------------+
| / \ |
| / \ |
| +---------+ +---------+ |
| | Subnet1 | | Subnet2 | |
| +---------+ +---------+ |
| |
+-------------------------------------------------------------+
Based on Figure 8, the process of reporting SAV rules via BGP-LS is described as follows: Step 1: R1 and R2 run SAV mechanism/protocol, and generate multi-sourced SAV rules. R1 serves as an access router connecting local subnets, while R2 functions as a border router peering with external AS. These routers running SAV mechanisms can exchange SAV specific information between them. Step 2: R1 and R2 respectively establish BGP-LS sessions with the controller. Step 3: R1 and R2 generate BGP-LS advertisements for the SAV Rule NLRIs. Step 4: R1 and R2 report multi-sourced SAV rules to the controller through the sav rule NLRIs (as defined in Section 2). This enables the controller to monitor and manage multi-sourced SAV rules.¶
The Existing BGP operational and management procedures apply to this document. No new procedures are defined in this document. The considerations as specified in [RFC9552] apply to this document.¶
This section describes the code point allocation by IANA for this document.¶
This document requests assigning code-points from the registry for SAV Rule NLRIs:¶
+------+---------------------------+ | Type | NLRI Type | +------+---------------------------+ | TBD | IPv4 SAV Rule NLRI | | TBD | IPv6 SAV Rule NLRI | +------+---------------------------+¶
This document requests assigning code-points from the registry for BGP-LS SAV Rule Descriptors TLVs based on Figure 3.¶
This document requests assigning a code-point from the registry for the BGP-LS SAV Mode attribute TLV.¶
Procedures and protocol extensions defined in this document do not affect the base BGP security model. See [RFC6952] for details. The security considerations of the base BGP-LS specification as described in [RFC9552] also apply.¶