Problem Statement of SAVI Beyond the First Hop

Document Type Expired Internet-Draft (individual)
Last updated 2017-11-13 (latest revision 2017-05-09)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


IETF Source Address Validation Improvements (SAVI) working group is chartered for source address validation within the first hop from end hosts, i.e., preventing a node from spoofing the IP source address of another node in the same IP link. However, since SAVI requires the edge routers or switches to be upgraded, the deployment of SAVI will need a long time. During this transition period, some source address validation techniques beyond the first hop (SAVI-BF) may be needed to complement SAVI and protect the networks from spoofing based attacks. In this document, we first propose three desired features of the SAVI-BF techniques. Then we analyze the problems of the current SAVI-BF technique, ingress filtering. Finally, we discuss the directions that we can explore to improve SAVI-BF.


Jun Bi (
Bingyang Liu (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)