Simplifying Firewall Rules with Network Programming and SRH Metadata

Document type: Expired Internet-Draft (individual)
Authors: Jim Guichard, Clarence Filsfils, Daniel Bernier, Zhenbin Li, Francois Clad, Pablo Camarillo, Ahmed Abdelsalam
Last updated: 2020-10-10 (latest revision 2020-04-08)
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


A clear application of the SRv6 Network Programming model consists of steering packets, in a stateless manner, through a Service Function Chain (SFC). Each Service Function (SF) is identified by a segment, and each SF can enrich its operation using metadata carried in the Segment Routing Header (SRH). This document describes a practical use case in which the SF is a firewall and the SRH metadata drastically decreases the number of rules that the operations team needs to maintain.



(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)