<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY bom    "&#65279;">
  <!ENTITY wd     "&#x2011;">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902"
     docName="draft-li-opsawg-stateful-copp-00"
     category="std" submissionType="IETF" consensus="true" version="3"
     xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Stateful CoPP">Stateful Control Plane Policing</title>
    <seriesInfo name="Internet-Draft" value="draft-li-opsawg-stateful-copp-00"/>

    <author fullname="Zhiqiang Li" initials="Z." surname="Li">
      <organization>China Mobile</organization>
      <address>
        <postal><city>Beijing</city><code>100053</code>
        <country>China</country></postal>
        <email>lizhiqiangyjy@chinamobile.com</email>
      </address>
    </author>
    <author fullname="Zongpeng Du" initials="Z." surname="Du">
      <organization>China Mobile</organization>
      <address>
        <postal><city>Beijing</city><code>100053</code>
        <country>China</country></postal>
        <email>duzongpeng@chinamobile.com</email>
      </address>
    </author>
    <author fullname="Junjie Wang" initials="J." surname="Wang">
      <organization>Centec</organization>
      <address>
        <postal><city>Shanghai</city><code>201203</code>
        <country>China</country></postal>
        <email>wangjj@centec.com</email>
      </address>
    </author>
    <author fullname="Wei Cheng" initials="W." surname="Cheng">
      <organization>Centec</organization>
      <address>
        <postal><city>Shanghai</city><code>201203</code>
        <country>China</country></postal>
        <email>chengw@centec.com</email>
      </address>
    </author>
    <author fullname="Guoying Zhang" initials="G." surname="Zhang">
      <organization>Centec</organization>
      <address>
        <postal><city>Shanghai</city><code>201203</code>
        <country>China</country></postal>
        <email>zhanggy@centec.com</email>
      </address>
    </author>
    <author fullname="Xun Sun" initials="X." surname="Sun">
      <organization>Inesa</organization>
      <address>
        <postal><city>Shanghai</city><code>200030</code>
        <country>China</country></postal>
        <email>sunxun@inesa.com</email>
      </address>
    </author>
    <author fullname="Chunhao Zhao" initials="C." surname="Zhao">
      <organization>SAIA</organization>
      <address>
        <postal><city>Shanghai</city><code>200125</code>
        <country>China</country></postal>
        <email>chunhao.zhao@sh-aia.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="4"/>
    <area>OPS</area>
    <workgroup>OPSAWG</workgroup>
    <keyword>CoPP</keyword>
    <keyword>control plane</keyword>
    <keyword>security</keyword>
    <keyword>DoS</keyword>
    <keyword>rate limiting</keyword>
    <keyword>stateful</keyword>
    <abstract>
      <t>Control Plane Policing (CoPP), as described in RFC 6192, classifies control-plane-destined traffic using static packet header fields. This static classification cannot distinguish legitimate protocol traffic from attack traffic that matches the same header-based rules.</t>
      <t>This document specifies Stateful CoPP, an operational practice in which the router's runtime protocol state -- including configured peer identities, session state, and expected ingress interfaces -- is incorporated into CoPP classification. Stateful CoPP allows confirmed legitimate traffic to receive preferential access to control plane CPU resources under attack conditions.</t>
    </abstract>
  </front>

  <middle>
<section anchor="introduction" numbered="true" toc="include"><name>Introduction</name>
<t><xref target="RFC6192"/> describes a method for protecting a router's control plane from denial-of-service attacks by deploying filters in the forwarding plane. The operational practice based on this method, Control Plane Policing (CoPP), classifies control-plane-destined traffic into protocol-specific categories (e.g., OSPF, BGP, SSH, SNMP) using ACLs that match on IP protocol number, source and destination address prefix, and transport-layer port number. Per-category rate limits are then applied to each class.</t>
<t>CoPP as described in <xref target="RFC6192"/> operates on static packet header fields and does not take into account the runtime state of the router's protocol sessions. This means that when an attacker crafts packets matching a legitimate protocol class -- for instance, TCP packets with destination port 179 from a spoofed address within a permitted BGP peer subnet -- the CoPP policy cannot distinguish these from genuine BGP traffic. Both share the same rate limit, and under sufficient attack volume, legitimate packets may be dropped.</t>
<t>The router itself, however, maintains runtime state that is directly relevant: it knows exactly which protocol peers are configured, which sessions are currently established, and which interfaces those peers are connected to. This document specifies how this runtime state can be incorporated into CoPP classification.</t>
<t>The practice of incorporating runtime state into CoPP policies is already deployed operationally. Common examples include installing per-peer ACL entries derived from the BGP neighbor configuration, and programming hardware filters that match established TCP session 5-tuples. This document brings together these practices and discusses their applicability, interactions, and operational considerations.</t>
<section anchor="requirements-language" numbered="true" toc="include"><name>Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
</section></section>
<section anchor="stateful-copp-classification" numbered="true" toc="include"><name>Stateful CoPP Classification</name>
<t>Stateful CoPP extends the static CoPP model by incorporating information from the router's runtime protocol state into the forwarding-plane classification. The following subsections describe the categories of runtime state that are applicable and how each can inform classification decisions.</t>
<section anchor="peer-identity" numbered="true" toc="include"><name>Peer Identity and Session State</name>
<t>The router's protocol configuration contains the precise set of protocol peers: BGP neighbor addresses, OSPF interface assignments, LDP discovery sources, and so on. A packet whose source address exactly matches a configured peer address can be distinguished from a packet whose source merely falls within a permitted prefix range.</t>
<t>For example, a router with configured eBGP peers at 198.51.100.1, 198.51.100.5, and 198.51.100.9 can install per-peer entries that give traffic from those exact addresses priority over other BGP-class traffic from the broader 198.51.100.0/24 range. This is equivalent to adding more specific match rules to the CoPP policy, derived automatically from the protocol configuration.</t>
<t>Where session state is available, the classification can be further refined. Traffic from a BGP peer in Established state is expected protocol operation; a burst of BGP OPEN packets from an address whose session is already Established is anomalous. An implementation MAY adjust rate limits based on the current session state of each peer.</t>
</section>
<section anchor="ingress-interface" numbered="true" toc="include"><name>Ingress Interface</name>
<t>For directly connected peers, the router knows which interface each peer is reachable through. A control plane packet arriving on an interface inconsistent with the expected path for the claimed source may indicate address spoofing. An implementation MAY validate the ingress interface of control plane packets against the expected interface for each configured peer. This is conceptually similar to strict-mode unicast Reverse Path Forwarding (uRPF) <xref target="RFC3704"/> applied specifically to the set of known peer addresses. This check is most useful for directly connected single-hop peers and is less applicable in multihop scenarios.</t>
</section>
<section anchor="per-source-rate" numbered="true" toc="include"><name>Per-Source Rate Limiting</name>
<t>Static CoPP applies aggregate rate limits to each protocol class. This means a single attacking source can consume the entire rate budget for a class, starving all legitimate peers. Per-source rate limiting distributes the class rate budget across individual sources. Each source is rate-limited independently, ensuring that a single misbehaving source cannot exhaust the class budget. The per-source rate SHOULD reflect the expected protocol behavior; for instance, a BGP peer in Established state with a 90-second hold time does not normally generate more than a few packets per second of KEEPALIVE traffic. Care SHOULD be taken to accommodate legitimate traffic bursts, such as BGP UPDATE storms during convergence events or OSPF LSA flooding after a topology change.</t>
</section></section>
<section anchor="operational-considerations" numbered="true" toc="include"><name>Operational Considerations</name>
<section anchor="dynamic-updates" numbered="true" toc="include"><name>Dynamic Updates</name>
<t>Stateful CoPP classification entries SHOULD be updated dynamically as the router's protocol state changes. When a new peer is configured, a session transitions to Established, or a peer is removed from the configuration, the corresponding forwarding-plane classification entries SHOULD be adjusted. Stale entries could create windows for attack traffic to receive unwarranted priority.</t>
</section>
<section anchor="forwarding-plane-impl" numbered="true" toc="include"><name>Forwarding-Plane Implementation</name>
<t>Stateful CoPP classification SHOULD be evaluated in the forwarding plane or in dedicated hardware, as close to the network interfaces as possible. If classification consumes control plane CPU cycles, it could itself become a vector for resource exhaustion. Hardware support for per-source counters and per-peer ACL entries varies across platforms; the set of stateful criteria deployed should match the capabilities of the hardware.</t>
</section>
<section anchor="combining-criteria" numbered="true" toc="include"><name>Combining Criteria</name>
<t>The stateful classification criteria described can be deployed independently. An operator may choose to deploy only peer identity checks, or only per-source rate limiting, depending on the deployment environment and hardware capabilities. When multiple criteria are deployed together, the method of combining them is an implementation choice. Operators SHOULD have the ability to configure which criteria are active and to adjust parameters for their environment.</t>
</section></section>
<section anchor="relationship" numbered="true" toc="include"><name>Relationship to Existing Work</name>
<t>Stateful CoPP is complementary to existing control plane protection practices. GTSM <xref target="RFC5082"/> verifies that a packet's IP TTL indicates a directly connected sender. The ingress interface check provides similar topological verification. Both may be deployed together; GTSM operates on a per-protocol basis while ingress interface checking can be applied across all CoPP classes.</t>
<t>TCP-AO <xref target="RFC5925"/> and TCP MD5 <xref target="RFC2385"/> authenticate individual TCP sessions. These operate at the TCP layer; packets failing authentication are discarded by the TCP stack but still consume forwarding-to-CPU bandwidth. Stateful CoPP classification based on peer identity can reduce this bandwidth consumption by filtering in the forwarding plane.</t>
<t>Source address validation (BCP 38 <xref target="RFC2827"/>, BCP 84 <xref target="RFC3704"/>) prevents spoofing from outside the network but does not prevent spoofing from within a permitted prefix range. Peer identity classification narrows the match to the exact set of configured peer addresses. <xref target="RFC7454"/> describes BGP-specific operational security practices including GTSM, prefix-based ACLs, TCP-AO, and max-prefix limits. Stateful CoPP applies the same principles (peer-specific filtering, session-awareness) at the CoPP layer, generalizing them across all control plane protocols.</t>
</section>
<section anchor="security-considerations" numbered="true" toc="include"><name>Security Considerations</name>
<t>Stateful CoPP classification criteria that depend on dynamically learned state (such as per-source traffic rate baselines) may be susceptible to poisoning if an attacker can inject traffic during initial operation. Operators SHOULD establish baseline parameters under known-good conditions, and implementations SHOULD support operator-configured values as an alternative. Classification state derived from protocol configuration and session state MUST be maintained consistently between the control plane and the forwarding-plane component performing the classification. Inconsistency -- for example, granting CPU access priority for a peer removed from configuration -- could allow attack traffic to bypass rate limiting. Configuration of stateful CoPP parameters SHOULD be protected by the same access control that protects other router security configuration.</t>
</section>
<section anchor="iana-considerations" numbered="true" toc="include"><name>IANA Considerations</name>
<t>This document has no IANA actions.</t>
</section>
  </middle>

  <back>
      <references title="Normative References">
    <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
      <front>
        <title>Key words for use in RFCs to Indicate Requirement Levels</title>
        <author initials="S." surname="Bradner" fullname="Scott Bradner"/>
        <date year="1997" month="March"/>
      </front>
      <seriesInfo name="BCP" value="14"/>
      <seriesInfo name="RFC" value="2119"/>
      <seriesInfo name="DOI" value="10.17487/RFC2119"/>
    </reference>
    <reference anchor="RFC6192" target="https://www.rfc-editor.org/info/rfc6192">
      <front>
        <title>Protecting the Router Control Plane</title>
        <author initials="D." surname="Dugal" fullname="David Dugal"/>
        <author initials="C." surname="Pignataro" fullname="Carlos Pignataro"/>
        <author initials="R." surname="Dunn" fullname="Richard Dunn"/>
        <date year="2011" month="March"/>
      </front>
      <seriesInfo name="RFC" value="6192"/>
      <seriesInfo name="DOI" value="10.17487/RFC6192"/>
    </reference>
    <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
      <front>
        <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
        <author initials="B." surname="Leiba" fullname="Barry Leiba"/>
        <date year="2017" month="May"/>
      </front>
      <seriesInfo name="BCP" value="14"/>
      <seriesInfo name="RFC" value="8174"/>
      <seriesInfo name="DOI" value="10.17487/RFC8174"/>
    </reference>
    <reference anchor="RFC2385" target="https://www.rfc-editor.org/info/rfc2385">
      <front>
        <title>Protection of BGP Sessions via the TCP MD5 Signature Option</title>
        <author initials="A." surname="Heffernan" fullname="Andrew Heffernan"/>
        <date year="1998" month="August"/>
      </front>
      <seriesInfo name="RFC" value="2385"/>
      <seriesInfo name="DOI" value="10.17487/RFC2385"/>
    </reference>
    <reference anchor="RFC2827" target="https://www.rfc-editor.org/info/rfc2827">
      <front>
        <title>Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing</title>
        <author initials="P." surname="Ferguson" fullname="Paul Ferguson"/>
        <author initials="D." surname="Senie" fullname="Daniel Senie"/>
        <date year="2000" month="May"/>
      </front>
      <seriesInfo name="BCP" value="38"/>
      <seriesInfo name="RFC" value="2827"/>
      <seriesInfo name="DOI" value="10.17487/RFC2827"/>
    </reference>
    <reference anchor="RFC3704" target="https://www.rfc-editor.org/info/rfc3704">
      <front>
        <title>Ingress Filtering for Multihomed Networks</title>
        <author initials="F." surname="Baker" fullname="Fred Baker"/>
        <author initials="P." surname="Savola" fullname="Pekka Savola"/>
        <date year="2004" month="March"/>
      </front>
      <seriesInfo name="BCP" value="84"/>
      <seriesInfo name="RFC" value="3704"/>
      <seriesInfo name="DOI" value="10.17487/RFC3704"/>
    </reference>
    <reference anchor="RFC5082" target="https://www.rfc-editor.org/info/rfc5082">
      <front>
        <title>The Generalized TTL Security Mechanism (GTSM)</title>
        <author initials="V." surname="Gill" fullname="Vijay Gill"/>
        <author initials="J." surname="Heasley" fullname="John Heasley"/>
        <author initials="D." surname="Meyer" fullname="David Meyer"/>
        <author initials="P." surname="Savola" fullname="Pekka Savola, Ed."/>
        <author initials="C." surname="Pignataro" fullname="Carlos Pignataro"/>
        <date year="2007" month="October"/>
      </front>
      <seriesInfo name="RFC" value="5082"/>
      <seriesInfo name="DOI" value="10.17487/RFC5082"/>
    </reference>
    <reference anchor="RFC5925" target="https://www.rfc-editor.org/info/rfc5925">
      <front>
        <title>The TCP Authentication Option</title>
        <author initials="J." surname="Touch" fullname="Joe Touch"/>
        <author initials="A." surname="Mankin" fullname="Allison Mankin"/>
        <author initials="R." surname="Bonica" fullname="Ron Bonica"/>
        <date year="2010" month="June"/>
      </front>
      <seriesInfo name="RFC" value="5925"/>
      <seriesInfo name="DOI" value="10.17487/RFC5925"/>
    </reference>
    <reference anchor="RFC7454" target="https://www.rfc-editor.org/info/rfc7454">
      <front>
        <title>BGP Operations and Security</title>
        <author initials="J." surname="Durand" fullname="Jerome Durand"/>
        <author initials="I." surname="Pepelnjak" fullname="Ivan Pepelnjak"/>
        <author initials="G." surname="Doering" fullname="Gert Doering"/>
        <date year="2015" month="February"/>
      </front>
      <seriesInfo name="BCP" value="194"/>
      <seriesInfo name="RFC" value="7454"/>
      <seriesInfo name="DOI" value="10.17487/RFC7454"/>
    </reference>
      </references>
      <section anchor="acknowledgements" numbered="false" toc="include">
        <name>Acknowledgements</name>
        <t>The authors would like to thank the members of the OPSAWG Working Group for their review and feedback.</t>
      </section>
  </back>
</rfc>
