| Internet-Draft | PCEP for SAV | February 2026 |
| Song, et al. | Expires 8 August 2026 | [Page] |
This document presents a method of Path Computation Element (PCE) for Source Address Validation (SAV) in networks. It extends Path Computation Element Communication Protocol (PCEP) to support SAV policy distribution and synchronization between PCEP speakers for threat mitigation for source address spoofing.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Source Address Validation (SAV) is a critical security mechanism designed to mitigate IPv4 and IPv6 source address spoofing attacks by validating the legitimacy of source prefixes against their ingress interfaces. Traditional methods like ACL-based ingress filtering, strict uRPF and loose uRPF mechanisms [RFC3704] have some issues as described in [I-D.ietf-savnet-intra-domain-problem-statement] and [I-D.ietf-savnet-inter-domain-problem-statement]. The new inter-domain SAV mechanism is required not to generate false positive or false negative policies leading to improper block or permit of traffic.¶
The PCE architecture, defined in [RFC4655], provides a centralized control framework for path computation in networks. This document presents a PCE-based SAVNET solution to enable dynamic policy enforcement within the networks. By extending the PCEP protocol, the PCE can efficiently manage SAV policies, validate the legitimacy of source address prefixes, and enforce traffic filtering actions to mitigate the threats posed by source address spoofing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terms defined in [RFC5440]: PCC, PCE, PCEP Peer, and PCEP speaker.¶
This document uses the following terms defined in [RFC8051]: stateful PCE.¶
This document uses the following terms defined in [I-D.ietf-savnet-intra-domain-architecture]: SAV, SAV rule, SAV Information Base.¶
A PCC may use PCEP protocol to send a SAV request for one or more incoming interfaces to a PCE. The PCE may reply with a set of computed SAV policies to the PCC. For example, in an enterprise AS, PCE receives SAV request from a PCC (e.g., edge routers or border routers). The PCE computes that source prefix (for example, 2001:db8:1::/48) is only valid on interfaces connected to the data center Subnet. Any traffic with this prefix arriving at an AS border router is dropped unless it originates from the designated interfaces.¶
The PCE-based SAVNET solution supports both single-PCE and multi-PCE coorperative environments. It is applicable to single-domain and multi-domain AS networks, wich may leverage PCE for cross-domain policy coordination. For example, if the attacker switches the entry from Eth1/0 of R1 in AS60001 to Eth5/0 of R5 in AS60004, the PCE as network controller needs to synchronize and enforce the SAV policies across domains. The centralized control capability of PCE can enhance the dynamics of SAV strategies and the efficiency of cross-domain coordination.¶
The PCE provides a centralized control framework for SAV policy computation, the visibility of global SAV policy and global filtering policy optimization and across-domains coordination. PCE as SAV policy controller manages and delivers SAV information to the underlay network, which acquires SAV policies eliminating the needs for mutual communication between network nodes.The following figure shows an example of process for PCE using PCEP to install SAV policies on PCC (i.e., AS boarder routers) in inter-domain networks.¶
+----------------+
| PCE |
-------------+(SAV Controller)+-----------
| +-------+--------+ |<--PCEP
| | |
+-----+--------+ +------+-------+ +-------+------+
| PCC | | PCC | | PCC |
|(ASx NetNodes)| |(ASy NetNodes)| |(ASz NetNodes)|
+--------------+ +--------------+ +--------------+
PCE as SAV controller collects SAV information for SAV policy generation of mapping valid interfaces with prefix (e.g., 2001:db8::/32) to have the capability of global SAV policy visibility for single or multiple domains policy enforcement and coordination.¶
PCE sends PCEP protocol messages (see [RFC8231]) to instal SAV policies, dynamic SAV policy updates.¶
PCC deploys SAV policies which stores in SAV Information Database for mapping of source address prefix with valid ingress interfaces for ingress traffic filtering.¶
When the PCE speakers supporting SAV, the PCEP is required to support the following functionalities.¶
The PCEP MUST support SAV information collection for intra-domain and cross-domain networks.¶
The PCEP MUST support SAV capability advertisement in single and multi-domains.¶
The PCEP MUST support dynamic updates of SAV policies for network changes (e.g., link failures, prefix additions).¶
The PCEP MUST support backward compatibility with existing SAVNET mechanisms (e.g., BAR-SAV).¶
The PCEP sessions for SAV MUST be secured against tampering and unauthorized access.¶
The open message is used to establish a PCEP session between PCEP speakers. To support SAV functionality, a new flag SAV-CAPABILITY is introduced for SAV capability advertisement in this document.¶
The SAV-CAPABILITY TLV is optional TLV and its format frefers to figure 9 in [RFC8231]. A new value for Flags field is TBD for the SAV capability advertisement.¶
A new optional SAV object (class=TBD) for SAV information and its related object body formatted as TLV introduced in this document. A SAV-POLICY object is used to carry information of SAV policy within a PCEP update message for SAV policy delivery and updates.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Object-class | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | // Object Body // | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SAV-POLICY object class value is TBD.¶
The TLV format for SAV-POLICY object consists of IPv4/IPv6 prefix and incoming-interface list (legitimate or illegitimate interfaces). The TLV format is showed as the following figure:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |L| Type | Flag | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Prefix Length | IP Source Prefix (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |InterfaceLength| Interface List (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The type (8 bits) of the TLV is TBD.¶
The length field is 16 bits long, indicates the total length of the TLV in octects.¶
The value contains the following fields:¶
L: 1 bit long, identifies IP source prefix types, including IPv4 and IPv6 types.¶
Flag: 8 bits long, identifies the validation modes used in network nodes. The validation modes include 4 modes: interface-based prefix allowlist, interface-based prefix blocklist, prefix-based interface allowlist, prefix-based interface blocklist. By selecting modes in different scenarios, the network can be secured to mitigate spoofing attacks, as introduced in [I-D.ietf-savnet-general-sav-capabilities].¶
Interface List: contains a list of interfaces. If it is a whitelist, it represents a list of interfaces allowed to access; if it is a blacklist, it represents a list of interfaces not allowed to access. The interface list can be expressed in the form of interface ID, interface name, or index.¶
IP source prefix: contains the source address prefix information.¶
The PCE needs to send PCUpd message for triggering mechanism when PCE makes actively update to the SAV policies, the possible trigger conditions may involve: topology changes (e.g., interface status modified), policy updates (e.g., the new added IP source prefix affiliated interfaces), and attack response from external threats.¶
IANA is requested to allocate a new flag value for SAV-CAPABILITY and a new class value for SAV object.¶
PCE security introduced in PCE Architecture [RFC5394], PCEP [RFC5440] and stateful PCE [RFC8231] also applies for this draft. PCEP sessions for SAV policy distribution MUST use TLS 1.3 [RFC8346] to prevent tampering. SAVNET security considerations covered in [I-D.ietf-savnet-intra-domain-architecture] and [I-D.ietf-savnet-inter-domain-architecture] are also applicable to the PCE-based SAVNET solution defined in this document.¶
The authors would like to acknowledge Haisheng Wu and Zhenghai Wang for their helpful comments.¶