Problem Statement, Gap Analysis, and Requirements for Intra-domain Source Address Validation
draft-ietf-savnet-intra-domain-problem-statement-25
Discuss
Yes
Jim Guichard
No Objection
Gorry Fairhurst
No Record
Mahesh Jethanandani
Mike Bishop
Summary: Has 2 DISCUSSes. Has enough positions to pass once DISCUSS positions are resolved.
Roman Danyliw
Discuss
Discuss
(2026-04-14 for -22)
Sent
** Section 5.1
Any new intra-domain SAV mechanism MUST improve the accuracy of
source address validation compared to existing uRPF-based mechanisms.
In particular, it MUST reduce the occurrence of improper blocks
(i.e., blocking legitimate traffic), improper permits (i.e., allowing
spoofed traffic), or both. Specifically, it MUST satisfy the
following conditions:
* result in fewer improper blocks than strict uRPF, particularly in
scenarios involving asymmetric routes or hidden prefixes;
* result in fewer improper permits than loose uRPF.
How would the measurement of this approach be computed? Would the accuracy have to hold for any arbitrary configuration? Would it be possible for some configuration to make strict+loose uPRF equivalent to this new mechanism?
** Section 5.2
Any new intra-domain SAV mechanism MUST be capable of automatically
generating and updating SAV rules on routers, rather than relying
entirely on manual updates as in ACL-based SAV. Automation helps
reduce operational complexity and maintenance overhead, while
allowing some initial configuration to improve SAV accuracy. This
ensures the mechanism is deployable in practical networks without
introducing excessive management burden.
I think I understand the requirement in the sense that there is a desire to add automation to the process. What I’m hoping the text could clarify is why automation can’t be added to ACL-based SAV, and why it is considered entirely manual.
** Section 5.4
Second, such mechanism MUST NOT transmit excessive SAV-specific
information via a protocol, as this could significantly increase the
burden on the routers’ control planes and potentially degrade the
performance of existing protocols.
How would one know that they aren’t transmitting “excessive” to meet this requirement?
Comment
(2026-04-14 for -22)
Sent
Thank you to Tim Evens for the GENART review. ** Section 5 These informational requirements can not be used to initiate standards-track protocol changes. The intent of this text is not clear. Procedurally, when can any informational status document initiate changes in another document? ** Section 5.5 Any new intra-domain SAV mechanism SHOULD verify the authenticity and trustworthiness of information before using it. When would it be appropriate for this new intra-domain SAV mechanism NOT verify the information? ** Section 5.6 Any new intra-domain SAV mechanism MUST NOT introduce additional security vulnerabilities to existing intra-domain architectures or protocols. How would one show that this condition was met?
Tommy Jensen
Discuss
Discuss
(2026-04-15 for -23)
Sent
One sentence summary: I would like to discuss why the authors and WG believe this needs to be published as an RFC, and if that results in a good reason to do so, how the current hand waving of security requirements can be improved. I echo what other ADs are raising. In my experience, WGs do well with having their own requirements document with WG consensus but not publishing as an RFC. For example, add and deleg both took this approach. It would save going through the much more stringent bar of IESG review over what the WG knows they need to define success amongst themselves for future documents. However, I am reviewing as if there are good reasons to publish as an RFC that I'm not aware of. As such, I want to bring up the same bit Roman did, which jumped out at me: > Any new intra-domain SAV mechanism MUST NOT introduce additional > security vulnerabilities to existing intra-domain architectures or > protocols. As a WG document, I would say this is underspecified but maybe the WG knows what they mean. As an RFC, I do not think this is appropriate at all. Combining this with the Security Considerations that says this introduces no new considerations and I do not think this document says much that is meaningful to people outside your very specific context. It's possible some of this may be obvious to your WG even if not written down because of context for terminology (i.e. "vulnerability" means something specific like "attack surface represented by the presence of a node" to say "MUST NOT introduce additional hops to existing..."). If so, that needs to be defined here, as it currently could be interpreted as "MUST NOT introduce the potential for CVEs" or a number of other things that are quite difficult to mandate normatively. For an example of how security considerations can still apply to a requirements document, check out Section 4 of the add WG's requirements document (which is what their Security Considerations section links to): https://datatracker.ietf.org/doc/html/draft-ietf-add-requirements-00 All this becomes non-applicable if this is a document the WG writes for themselves, setting aside that then my review isn't needed anyway, because there's some wiggle room for WGs to "know what they meant" since the WG itself can shift its take on requirements as work on drafts meeting those requirements proceeds. This isn't a flexibility given once it is published as an RFC however.
Comment
(2026-04-15 for -23)
Sent
No additional commentary; I do not wish to waste the authors' time fine tuning the document since I think this document is probably reasonable as WG self-guidance for to measure how their drafts meet these requirements as it is. I highly encourage consideration of not publishing this as an RFC.
Gunter Van de Velde
Yes
Comment
(2026-04-14 for -22)
Sent
# Gunter Van de Velde, RTG AD, comments for draft-ietf-savnet-intra-domain-problem-statement-22 # The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-savnet-intra-domain-problem-statement-22.txt # Thank you for fixing all the comments and issues from the prior Telechat. This document has improved significantly, is easy to read and is well written. # Detailed Review # =============== 166 Improper Block: The validation results that the packets with 167 legitimate source addresses are blocked improperly due to inaccurate 168 SAV rules. 169 170 Improper Permit: The validation results that the packets with spoofed 171 source addresses are permitted improperly due to inaccurate SAV 172 rules. GV> Maybe trivial and mostly editorial, is it possible to add a few words on "proper block (or simply 'block')" and "proper permit (or simply 'permit')". The above explains the improper beg=havior without specifying what is proper behavior. 177 1.2. Requirements Language 179 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 180 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 181 "OPTIONAL" in this document are to be interpreted as described in 182 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 183 capitals, as shown here. GV> This is an informational document and BCP14 keywords do not necessary apply. Potentially you want to add the following paragraph for clarity: " The requirements language is used in Section 5 and applies to implementations of SAV conformant to the listed requirements. " 231 requires manual maintenance. Operators must update them promptly to 232 reflect changes in prefixes or topology. Failure to do so may result 233 in outdated ACLs that inadvertently block legitimate traffic. GV> The larger security issue is not an improper block, but a improper permit. Could be worthwile to add to the paragraph. Thanks for this write-up. Gunter Van de Velde RTG Area Director
Jim Guichard
Yes
Andy Newton
No Objection
Comment
(2026-04-15 for -23)
Sent
I want to thank Robert Sparks for his ARTART review, and echo his comment about the need for this to be published as an RFC (also mentioned by Charles and Med). I have no objection to this document proceeding.
Charles Eckel
No Objection
Comment
(2026-04-15 for -23)
Sent
I want to thank Robert Sparks for the ARTART review. I agree with his suggestion to consider using the document to refine the group's charter text rather than publishing it as an informational RFC. That said, I do not have any ART-related concerns, nor do I object to the publication of this document if there is working group consensus that it is helpful to do so. The document provides a gap analysis and identifies requirements for new intra-domain SAV solutions; however, I find these requirements to be subjective and difficult to prove that a given solution or mechanism will necessarily address them. Roman has already provided more detailed feedback for this as part of his DISCUSS, which I support.
Christopher Inacio
No Objection
Comment
(2026-04-15 for -23)
Sent
Thank you to Robert Sparks and Ben Schwartz for the reviews. They were very helpful. I will echo the comment of both reviewers and other ADs - this document doesn't appear to need to be published. It really seems most useful as a document guiding the design of any additional SAV mechanisms or enhancements. That is material useful for inside the WG.
Deb Cooley
No Objection
Comment
(2026-04-15 for -23)
Sent
Thanks to Ben Schwartz for their multiple secdir reviews. It is unusual to have this many reviewers suggest that the draft should not be an RFC. I count at least three (Art, Secdir, Opsdir) plus at least a couple of ADs. I support the discuss positions of Roman, Med and Ketan.
Éric Vyncke
(was Discuss)
No Objection
Comment
(2026-05-19 for -24)
Sent
Thanks for addressing (partly) my DISCUSS points (see https://mailarchive.ietf.org/arch/msg/savnet/lXvPRzPjJ0V0r97rKHToQx1Zyds/ for archive). By "partly addressing my DISCUSS point", I mean that, while the clarity is vastly better, I had to read 3 times the section 1 to eventually understand it. The term "intra-domain SAV" is still heavily misleading. The authors have selected to address my non-blocking COMMENTs, while this is disapointing, it is not blocking. Finally, I still support Roman Danyliw's DISCUSS related to the vague use of "fewer" in section 5.1
Gorry Fairhurst
No Objection
Ketan Talaulikar
(was Discuss)
No Objection
Comment
(2026-05-09 for -24)
Sent
Thanks to the authors and the WG for their work on this document. Also thanks for the productive discussions and the updates to address the discussion points and comments in my original ballot.
Mohamed Boucadair
(was Abstain, Discuss)
No Objection
Comment
(2026-05-11 for -24)
Sent
Hi Dan, Jianping, Lancheng, Mingqing, and Nan, Thank you for the discussion and for taking care of the comments. The changes [1] made since my first ballot [2] are really great. Cheers, Med [1] https://author-tools.ietf.org/iddiff?url1=draft-ietf-savnet-intra-domain-problem-statement-22&url2=draft-ietf-savnet-intra-domain-problem-statement-24&difftype=--html [2] https://mailarchive.ietf.org/arch/msg/savnet/s0128azyYuCAVcU-1wgR9BZrkNk/
Mahesh Jethanandani
No Record
Mike Bishop
No Record