| Internet-Draft | IPFIX BGP Prefix Origin Validation | February 2026 |
| Liu, et al. | Expires 14 August 2026 | [Page] |
This document defines an IP Flow Information Export (IPFIX) Information Element for monitoring the state of Resource Public Key Infrastructure (RPKI) based BGP Prefix Origin Validation. The Information Element enables network operators to collect and analyze BGP route validation states (valid, invalid, not-found) to facilitate the detection of potential route hijacks improving network observability and security.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The RPKI [RFC6480] provides a cryptographic framework for validating the association between IP address blocks and Autonomous System (AS) numbers. BGP Prefix Origin Validation, as defined in [RFC6811], enables routers to verify whether the origin AS of a BGP route announcement is authorized to advertise the corresponding IP prefix, based on Route Origin Authorizations (ROAs) [RFC9582] in the RPKI.¶
When BGP Prefix Origin Validation is enabled on a router, the router maintains a local cache of Validated ROA Payloads (VRPs) obtained through the RPKI-to-Router protocol (RTR) [RFC8210]. For each received BGP UPDATE message, the router extracts the announced IP prefix and its origin AS, compares this tuple against the local VRP cache, and assigns a validation state (valid, invalid, not-found) according to the algorithm specified in [RFC6811]. This validation state can be attached as a local path attribute to the BGP route entry and influence subsequent routing decisions, such as route filtering and route preference adjustment.¶
While this validation mechanism enhances BGP security, network operators currently lack standardized methods to monitor the validation states across their network infrastructure. IP Flow Information Export (IPFIX) [RFC7011] provides a standard protocol for exporting flow information from network devices. There is an existing IPFIX Information Element bgpValidityState (Element ID 294, see IANA-IPFIX), which defines the "validity state" of the BGP route correspondent source or destination IP address. This element does not specifically address RPKI-based origin validation.¶
This document defines a new IPFIX Information Element specifically designed for monitoring the state of RPKI-based BGP Prefix Origin Validation. The element enables network operators to collect, analyze, and monitor the validation states of BGP routes across their network infrastructure.¶
This document uses the following terms defined in [RFC6811].¶
Validated ROA Payload (VRP): A locally stored object which contains the content (IP address, prefix length, maximum length, origin AS number).¶
Prefix: (IP address, prefix length), interpreted as is customary (see [RFC4632]).¶
Route: Data derived from a received BGP UPDATE, as defined in [RFC4271].¶
Additionally, this document uses the terms defined in [RFC7011].¶
Observation Point: An Observation Point is a location in the network where packets can be observed. Examples include a line to which a probe is attached; a shared medium, such as an Ethernet-based LAN; a single port of a router; or a set of interfaces (physical or logical) of a router.¶
Exporter: A device that hosts one or more Exporting Processes is termed an Exporter.¶
IPFIX Device: An IPFIX Device hosts at least one Exporting Process. It may host further Exporting Processes as well as arbitrary numbers of Observation Points and Metering Processes.¶
Information Element: An Information Element is a protocol and encoding independent description of an attribute that may appear in an IPFIX Record. Information Elements are defined in the IANA "IPFIX Information Elements" registry (see IANA-IPFIX). The type associated with an Information Element indicates constraints on what it may contain and also determines the valid encoding mechanisms for use in IPFIX.¶
Exporting Process: The Exporting Process sends IPFIX Messages to one or more Collecting Processes. The Flow Records in the Messages are generated by one or more Metering Processes.¶
Collecting Process: A Collecting Process receives IPFIX Messages from one or more Exporting Processes. The Collecting Process might process or store Flow Records received within these Messages, but such actions are out of scope for this document.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section defines a new IPFIX Information Element for monitoring RPKI-based BGP Prefix Origin Validation.¶
bgpPrefixOriginValidationState¶
TBD1¶
It indicates the validation state of a BGP route prefix and its origin ASN as determined by BGP Prefix Origin Validation as defined in [RFC6811].¶
This element describes the result of comparing a BGP route prefix derived from a BGP UPDATE message against VRP obtained from RPKI server. The validation algorithm follows RFC6811.¶
The state of BGP Prefix Origin Validation is encoded in a single octet, where only the two latest significant bits (bits 0 and 1) are used. The four possible state are:¶
00: BGP Prefix Origin Validation is not enabled on the exporting device for this prefix. This indicates the administrative state where validation is inactive (e.g., not configured).¶
01: The validation state for the route prefix is valid. The state means at least one VRP matches the route prefix.¶
10: The validation state for the route prefix is invalid. The state means at least one VRP covers the route prefix, but no VRP matches it.¶
11: The validation state for the route prefix is not found. This state means no VRP covers the route prefix.¶
Bits 2 to 7 are reserved. The Exporting Process MUST set these bits to zero. The Collecting Process MUST ignore them.¶
unsigned8¶
identifier¶
See [RFC6811] the definition of validation state of BGP route prefix.¶
The Observation Point [RFC7011] for monitoring BGP Prefix Origin Validation states is typically the router performing the validation. The router acting as an IPFIX Exporter is expected to have BGP Prefix Origin Validation enabled and properly configured. This includes establishing RTR sessions with RPKI cache servers and ensuring the local VRP cache is synchronized.¶
When network operators design a template for IPFIX export of BGP Prefix Origin Validation information export, which should combine with other context informations, such as sourceIPv4Prefix/sourceIPv6Prefix, sourceIPv4PrefixLength/sourceIPv6PrefixLength, bgpSourceAsNumber, as defined in [RFC7012].¶
In scenarios of network changes or maintenance, frequent export of IPFIX records for BGP validation states may lead to considerable overhead on router resources and bandwidth. Operators should balance monitoring needs with performance impact by using thresholds, adjusted export intervals, or focused sampling, such as prioritizing invalid states, refer to [RFC5475] for sampling and filtering strategies.¶
The security considerations for IPFIX in general discussed in [RFC7011], and those for RPKI and BGP Prefix Origin Validation discussed in [RFC6811] apply to this document.¶
The IPFIX data records containing BGP Prefix Origin Validation state SHOULD be transported using security protocols (such as TLS, DTLS) and satisfy the mutual authentication between IPFIX Exporting Processes and IPFIX Collecting Processes as specified in [RFC7011]. An implementation may use BGP Prefix Origin Validation state as the information input for network routing policies. Network operators should ensure that the data collection and storage of BGP Prefix Origin Validation state comply with applicable privacy regulations.¶
IANA is requested to assign a new Information Element ID in the IPFIX Information Elements registry.¶
Information Element bgpPrefixOriginValidationState with Element ID TBD1.¶