<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-wang-grow-bmp-policy-preview-00"
     ipr="trust200902">
  <front>
    <title abbrev="BGP RP PV &amp; IV">BGP Route Policy Pre-view and Intent
    Verification Using BGP Monitoring Protocol</title>

    <author fullname="Lili Wang" initials="L." surname="Wang">
      <organization>Huawei Technologies</organization>

      <address>
        <postal>
          <street>Huawei Bld., No.156 Beiqing Rd.</street>

          <city>Beijing</city>

          <code>100095</code>

          <country>China</country>
        </postal>

        <email>lily.wong@huawei.com</email>
      </address>
    </author>

    <author fullname="Nan Geng" initials="N." surname="Geng">
      <organization>Huawei Technologies</organization>

      <address>
        <postal>
          <street>Huawei Bld., No.156 Beiqing Rd.</street>

          <city>Beijing</city>

          <code>100095</code>

          <country>China</country>
        </postal>

        <email>gengnan@huawei.com</email>
      </address>
    </author>

    <author fullname="Lei Li" initials="L." surname="Li">
      <organization>Huawei Technologies</organization>

      <address>
        <postal>
          <street>Huawei Bld., No.156 Beiqing Rd.</street>

          <city>Beijing</city>

          <code>100095</code>

          <country>China</country>
        </postal>

        <email>kenny.lilei@huawei.com</email>
      </address>
    </author>

    <author fullname="Shunwan Zhuang" initials="S." surname="Zhuang">
      <organization>Huawei Technologies</organization>

      <address>
        <postal>
          <street>Huawei Bld., No.156 Beiqing Rd.</street>

          <city>Beijing</city>

          <region/>

          <code>100095</code>

          <country>China</country>
        </postal>

        <phone/>

        <facsimile/>

        <email>zhuangshunwan@huawei.com</email>

        <uri/>
      </address>
    </author>

    <date day="6" month="July" year="2026"/>

    <abstract>
      <t>Deploying BGP route policies in live production networks carries
      significant operational risks, often resulting in unintended route
      leaks, suboptimal routing paths, or blackholes. This document proposes
      an extension to the BGP Monitoring Protocol (BMP) that enables a BGP
      speaker to pre-view and dry-run a candidate route policy within a
      localized control-plane sandbox. The resulting post-policy route changes
      (deltas) are streamed asynchronously to a centralized controller via a
      new BMP message type. This architecture allows the controller to verify
      policy alignment with network intents, subsequently triggering either an
      explicit commit or a rollback before any forwarding plane changes take
      effect.</t>

      <t/>
    </abstract>

    <note title="Requirements Language">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in BCP 14
      <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when,
      they appear in all capitals, as shown here.</t>
    </note>
  </front>

  <middle>
    <section title="Introduction">
      <t>BGP route policies (e.g., prefix-lists, AS-path filters, community
      manipulation) are the primary tool for inter-domain traffic engineering.
      However, modern policy structures are complex and highly error-prone.
      When a network operator or an automated orchestrator deploys a modified
      policy to a router, the resulting BGP updates instantly propagate
      throughout the network. If the policy contains a logical flaw,
      widespread traffic disruption occurs before monitoring systems can
      react.</t>

      <t>Existing network validation models rely on offline simulation tools.
      While useful, these simulations cannot perfectly replicate the internal,
      real-time state machine and multi-vendor nuances of a live router's RIB
      processing engine.</t>

      <t>This document defines a protocol-driven mechanism for "on-box" policy
      pre-viewing. By leveraging a control-plane sandbox, a router executes
      candidate policies against its live Adj-RIB-In without modifying its
      active Local-RIB or Forwarding Information Base (FIB). The simulated
      differences (Deltas) are asynchronously reported via an extended BGP
      Monitoring Protocol (BMP) <xref target="RFC7854"/> session, providing a
      reliable, zero-risk framework for closed-loop intent verification.</t>

      <t/>
    </section>

    <section title="Terminology and Architectural Overview">
      <t/>

      <t><figure>
          <artwork align="left"><![CDATA[
   o  Candidate Policy: A route policy configuration that is staged but 
      not yet committed or activated in the dataplane.
   o  Control-Plane Sandbox: An isolated software environment within the 
      BGP routing process used exclusively for dry-running candidate policies.
   o  Shadow Local-RIB: A temporary routing information base generated inside 
      the sandbox representing the simulated state of chosen routes.
   o  Policy Transaction ID: A unique identifier assigned by the controller 
      to trace the lifecycle of a specific policy modification event.



]]></artwork>
        </figure></t>

      <t/>
    </section>

    <section title="Extension to BMP: Route Pre-view Monitoring (RPM) Message">
      <t>This document introduces a new BMP message type, termed the Route
      Pre-view Monitoring (RPM) Message (Suggested Type Value: TBD1).</t>

      <t>The RPM message extends the standard BMP Route Monitoring (RM)
      structure by appending a mandatory Policy Transaction Header to
      encapsulate pre-view context.</t>

      <t><figure>
          <artwork align="left"><![CDATA[
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        BMP Common Header                      |
   |                           (6 octets)                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Per-Peer Header                        |
   |                          (42 octets)                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Policy Transaction ID (4 octets)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Pre-view Flag |                   Reserved                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  BGP UPDATE PDU (Variable Length)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

]]></artwork>
        </figure></t>

      <t><list style="symbols">
          <t>Policy Transaction ID: A 32-bit unsigned integer linking the
          pre-viewed routes back to the configuration transaction initialized
          by the controller.</t>

          <t>Pre-view Flag: A 1-octet bitmask defined as follows:</t>

          <t><list style="symbols">
              <t>0x01 (Add): The route inside the BGP UPDATE would be newly
              selected and installed due to the candidate policy.</t>

              <t>0x02 (Withdraw/Deny): The route would be denied or filtered
              out by the candidate policy, causing a withdrawal from the
              active RIB.</t>

              <t>0x03 (Modify): The route is still accepted, but its path
              attributes (e.g., Local-Pref, Communities) are mutated.</t>
            </list></t>
        </list></t>

      <t/>
    </section>

    <section title="Operational Procedures">
      <t/>

      <section title="Sandbox Initialization and Delta Computation">
        <t>When a candidate policy configuration block is staged on the router
        with a designated Transaction ID, the router MUST NOT evaluate this
        policy against the active operational Local-RIB.</t>

        <t>Instead, the router spawns a temporary Sandbox context:</t>

        <t><list style="numbers">
            <t>The router feeds the existing Adj-RIB-In routes of the targeted
            peer(s) through the candidate policy engine.</t>

            <t>The resulting route outputs are gathered into a temporary
            Shadow Local-RIB.</t>

            <t>The router performs a mathematical matrix comparison: `Delta =
            Shadow Local-RIB - Operational Local-RIB`.</t>

            <t>For each non-zero Delta entry, the router generates an RPM
            message containing the simulated route state and streams it to the
            BMP receiver.</t>
          </list></t>
      </section>

      <section title="The Intent Validation Loop">
        <t>The centralized SDN controller listens to the RPM stream. By
        aggregating these messages across multiple monitored nodes, the
        controller can verify high-level intents (e.g., ensuring traffic does
        not transit a restricted Autonomous System).</t>

        <t/>
      </section>

      <section title="Transaction Resolution: Commit or Rollback">
        <t>Once verification concludes, the controller completes the
        transaction using the device's configuration channel (e.g.,
        NETCONF/YANG):</t>

        <t><list style="symbols">
            <t>Commit Execution: If the Delta aligns with operator intent, the
            controller executes a configuration `&lt;commit&gt;`. The router
            merges the Shadow Local-RIB entries directly into the operational
            Local-RIB and updates the hardware FIB linecards.</t>

            <t>Rollback/Discard Execution: If the Delta violates intent, the
            controller issues a `&lt;discard-changes&gt;` or abort command.
            The router purges the Sandbox instance and drops the Shadow
            Local-RIB from memory, leaving active data-plane traffic entirely
            undisturbed.</t>
          </list></t>

        <t/>
      </section>
    </section>

    <section title="Performance and Scalability Optimization">
      <t>Executing comprehensive shadow calculations across multi-million
      route tables can stress device CPU and memory. Implementations MUST
      follow these scoping rules:</t>

      <t><list style="symbols">
          <t>Incremental Evaluation: The router SHOULD limit policy execution
          only to routes belonging to neighbors directly referenced by the
          policy modification.</t>

          <t>Suppression of Unchanged Flows: If a route passes through the
          candidate policy with its primary path selection status and all
          attributes completely unchanged, the router MUST NOT generate an RPM
          message for that route.</t>
        </list></t>

      <t/>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>This document requests IANA to allocate a new message type value from
      the "BGP Monitoring Protocol (BMP) Message Types" sub-registry:</t>

      <t><figure>
          <artwork align="left"><![CDATA[
   o  Type: TBD1
   o  Description: Route Pre-view Monitoring (RPM) Message
   o  Reference: [This-Document]

]]></artwork>
        </figure></t>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>RPM messages expose the hypothetical routing shifts of an enterprise
      fabric prior to deployment. If intercepted, an attacker could deduce
      intended traffic engineering patterns. The BMP sessions carrying RPM
      messages MUST be encrypted using TCP-AO <xref target="RFC5925"/> or TLS
      profiles customized for BMP.</t>

      <t/>
    </section>

    <section title="Contributors ">
      <t>The following people made significant contributions to this
      document:</t>

      <t><figure>
          <artwork align="left"><![CDATA[To be added.

]]></artwork>
        </figure></t>
    </section>

    <section anchor="Acknowledgements" title="Acknowledgements">
      <t>The authors would like to acknowledge the review and inputs from
      xxx.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>

      <?rfc include='reference.RFC.4271'?>

      <?rfc include='reference.RFC.4760'?>

      <?rfc include='reference.RFC.5925'?>

      <?rfc include='reference.RFC.8174'?>

      <?rfc include='reference.RFC.7854'?>
    </references>

    <references title="Informative References">
    </references>
  </back>
</rfc>
