| Internet-Draft | PRISM | January 2026 |
| Willman | Expires 3 August 2026 | [Page] |
This document specifies PRISM, an application-aware traffic steering protocol for Software-Defined Wide Area Networks (SD-WAN). PRISM provides deep application identification, per-flow tracking, Service Level Agreement (SLA) enforcement, and policy-based path selection integration with Segment Routing over IPv6 (SRv6).¶
PRISM is designed as a companion protocol to CONDUIT (Cryptographic Orchestration of Network Distributed Underlay for IPsec Transport), together providing a complete open-standard SD-WAN solution. CONDUIT manages the encrypted tunnel fabric while PRISM provides the application intelligence and policy enforcement.¶
The protocol is fully programmable via gRPC, supports distributed and centralized deployment models, and mandates compliance with Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) cryptographic requirements.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Software-Defined Wide Area Networks (SD-WAN) have emerged as a critical technology for enterprises and tactical networks requiring intelligent traffic management across multiple WAN connections. However, existing SD-WAN solutions are predominantly proprietary, creating several challenges:¶
Organizations deploying proprietary SD-WAN solutions become dependent on a single vendor for features, updates, and interoperability.¶
Proprietary solutions cannot interoperate with equipment from other vendors, limiting deployment flexibility and multi-vendor environments.¶
Closed implementations prevent security auditing and verification of traffic handling behavior.¶
Many commercial SD-WAN products do not support government-mandated cryptographic standards such as CNSA 2.0.¶
An open-standard SD-WAN protocol would address these limitations by providing a vendor-neutral specification that enables interoperability, permits security auditing, and ensures compliance with required cryptographic standards.¶
SD-WAN functionality comprises two distinct concerns:¶
Tunnel Fabric Management: Creating, monitoring, and maintaining encrypted tunnels across multiple WAN links. [I-D.conduit-tunnel-fabric] addresses this function.¶
Application-Aware Traffic Steering: Identifying applications, tracking flows, enforcing policies, and selecting optimal paths based on application requirements. This function is addressed by PRISM.¶
PRISM and [I-D.conduit-tunnel-fabric] together form a complete open-standard SD-WAN solution with clear separation of responsibilities:¶
CONDUIT Responsibilities:¶
IPsec tunnel lifecycle management (creation, deletion, rekeying)¶
Tunnel health monitoring (probing, metrics collection)¶
Metric publishing to SRv6/IGP¶
IKEv2 security association management¶
PRISM Responsibilities:¶
Application identification (deep packet inspection, heuristics)¶
Flow tracking and management¶
Policy definition and enforcement¶
SLA monitoring and alerting¶
Traffic class assignment for SRv6 steering¶
The relationship can be summarized as: PRISM decides WHAT traffic class each flow belongs to; SRv6 decides WHICH path to use based on Flex-Algo; CONDUIT ensures the paths EXIST and reports their quality.¶
+==========================+======================================+
| Parameter                | Requirement                          |
+==========================+======================================+
| Flow Scale               | 10 million concurrent flows per node |
+--------------------------+--------------------------------------+
| Application Signatures   | 5000+ applications recognized        |
+--------------------------+--------------------------------------+
| Classification Latency   | Less than 100 microseconds           |
+--------------------------+--------------------------------------+
| Policy Scale             | 100,000 policies per node            |
+--------------------------+--------------------------------------+
| SLA Measurement Accuracy | Within 1ms for latency metrics       |
+--------------------------+--------------------------------------+
| API Coverage             | 100% functionality via gRPC          |
+--------------------------+--------------------------------------+
| Cryptographic Suite      | Full CNSA 2.0 compliance             |
+--------------------------+--------------------------------------+
This document specifies:¶
Application identification mechanisms and signature format¶
Flow tracking and management procedures¶
Policy framework for traffic steering¶
SLA definition and enforcement¶
Integration with SRv6 for path selection¶
Control protocol for distributed operation¶
gRPC API for management and analytics¶
This document does not specify:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A network service or program identified by its traffic characteristics, such as Microsoft Teams, Salesforce, or SSH.¶
A grouping of applications with similar characteristics or business purposes, such as "unified communications" or "business critical".¶
A set of patterns or heuristics used to identify a specific application from its network traffic.¶
A unidirectional sequence of packets sharing common identifying characteristics, typically a 5-tuple of protocol, source address, source port, destination address, and destination port.¶
A bidirectional communication comprising two related flows (forward and reverse directions).¶
A classification assigned to flows that maps to specific SRv6 treatment, including path selection and QoS.¶
A set of performance thresholds that define acceptable service quality for an application or traffic class.¶
A rule that matches traffic based on specified conditions and applies designated actions.¶
Analysis of packet contents beyond layer 4 headers to identify applications.¶
A device implementing the PRISM protocol, typically co-located with a CONDUIT node.¶
A centralized management entity that distributes policies and aggregates analytics from PRISM nodes.¶
A PRISM deployment consists of the following components:¶
A centralized or distributed management entity responsible for policy management and distribution, application signature database maintenance, aggregated analytics and reporting, and the SLA monitoring dashboard.¶
A data plane element deployed at network edges responsible for application identification, flow tracking and classification, policy enforcement, per-flow metrics collection, and SRv6 traffic class assignment.¶
Co-located tunnel fabric manager providing IPsec tunnel management and path quality metrics (which feed into SLA calculations).¶
Forwarding plane that executes traffic engineering decisions based on traffic class assignments from PRISM.¶
PRISM supports multiple deployment models:¶
Each PRISM node operates independently. Policies are configured locally on each node. No central controller is required. Suitable for small deployments or disconnected operations.¶
The PRISM Controller manages all nodes. Policies are defined centrally and distributed to nodes. Analytics and reporting are centralized. Suitable for enterprise deployments.¶
Regional controllers manage local nodes. A global controller coordinates the regional controllers. Policies can be global, regional, or local. Suitable for large distributed deployments.¶
A central controller handles policy distribution, while nodes retain local autonomy for real-time decisions. Nodes operate independently if the controller is unreachable. Suitable for tactical/resilient deployments.¶
+=======================+=======+=============================+
| Method                | Layer | Description                 |
+=======================+=======+=============================+
| Port-based            | L4    | Well-known ports (SSH=22)   |
+-----------------------+-------+-----------------------------+
| Protocol Signature    | L7    | Pattern matching in payload |
+-----------------------+-------+-----------------------------+
| TLS/SNI Analysis      | L7    | Server Name Indication      |
+-----------------------+-------+-----------------------------+
| DNS Correlation       | L7    | Map DNS queries to flows    |
+-----------------------+-------+-----------------------------+
| Certificate Analysis  | L7    | X.509 certificate fields    |
+-----------------------+-------+-----------------------------+
| Behavioral Heuristics | L3-L7 | Traffic patterns/timing     |
+-----------------------+-------+-----------------------------+
| Machine Learning      | L3-L7 | Trained classifiers         |
+-----------------------+-------+-----------------------------+
| IP Reputation         | L3    | Known service IP ranges     |
+-----------------------+-------+-----------------------------+
Classification proceeds through methods in order of reliability until a confident identification is achieved.¶
For encrypted traffic (TLS/DTLS), PRISM uses metadata analysis without decryption:¶
The SNI field in the TLS Client Hello message reveals the intended server hostname. This is the primary method for HTTPS classification.¶
Server certificates contain identifying information, including Common Name, Subject Alternative Names, Organization, and Issuer.¶
TLS handshake characteristics create unique fingerprints for client and server implementations.¶
Statistical analysis of packet sizes, timing, and directionality can identify applications without payload inspection.¶
IMPORTANT: PRISM does not perform TLS interception or decryption. All encrypted traffic analysis is performed on metadata and observable traffic characteristics.¶
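As an added illustration (not part of this draft, and not an implementation of any PRISM signature database), the following Python extracts the Server Name Indication from a TLS ClientHello using only the cleartext handshake metadata, then walks a simplified version of the method order above: SNI match first, port-based match as the fallback, "unknown" otherwise. The signature tables, hostnames and confidence values are constructed for the example, and the builder exists only to produce test input. Every length field is bounds-checked, because a classifier that faults on a malformed ClientHello becomes an evasion and denial-of-service target in its own right.

```python
"""Added example (not from the PRISM draft): extract the SNI from a TLS
ClientHello without decrypting anything, then classify the flow by walking
identification methods from most to least reliable.

Assumed: the signature tables, category names and sample hostnames are
constructed; the method order (SNI, then port) is a simplification."""
import struct
from typing import Optional

# Constructed signature tables (not the draft's signature database).
SNI_SIGNATURES = {
    "teams.microsoft.com": ("microsoft-teams", "unified-communications"),
    "salesforce.com": ("salesforce", "cloud-services"),
    "zoom.us": ("zoom", "unified-communications"),
}
PORT_SIGNATURES = {22: ("ssh", "remote-access"), 53: ("dns", "infrastructure")}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record carrying a server_name
    extension (RFC 6066). Used only to produce test input."""
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"            # client_version
        + b"\x11" * 32         # random (constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite
        + b"\x01\x00"          # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the hostname from the server_name extension, or None.
    Every length is bounds-checked so truncated or hostile input yields
    None rather than an exception."""
    try:
        if len(record) < 5 or record[0] != 0x16:      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:             # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None
        off = 2 + 32                                 # skip version + random
        sid_len = p[off]; off += 1 + sid_len
        cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len
        cm_len = p[off]; off += 1 + cm_len
        if off + 2 > len(p):
            return None                              # no extensions present
        ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
        end = off + ext_len
        if end > len(p):
            return None
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
            edata = p[off:off + elen]; off += elen
            if etype == 0x0000 and len(edata) >= 5:
                # ServerNameList: 2-byte list length, then (type, length, name)
                name_type = edata[2]
                name_len = struct.unpack("!H", edata[3:5])[0]
                if name_type == 0 and len(edata) >= 5 + name_len:
                    return edata[5:5 + name_len].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(client_hello: Optional[bytes], dst_port: int) -> dict:
    """Walk the identification methods in order of reliability; the first
    confident match wins, otherwise the flow stays in the unknown category."""
    sni = extract_sni(client_hello) if client_hello else None
    if sni:
        for suffix, (app, category) in SNI_SIGNATURES.items():
            if sni == suffix or sni.endswith("." + suffix):
                return {"app": app, "category": category, "method": "tls-sni", "confidence": 0.95}
    if dst_port in PORT_SIGNATURES:
        app, category = PORT_SIGNATURES[dst_port]
        return {"app": app, "category": category, "method": "port-based", "confidence": 0.60}
    return {"app": None, "category": "unknown", "method": "none", "confidence": 0.0}
```

The suffix match on SNI is deliberate: hostnames under a known service domain are classified without a per-host signature, while a hostname that merely contains the string (for example a lookalike domain) does not match.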
+========================+============================+
| Category | Description |
+========================+============================+
| unified-communications | Voice, video, messaging |
| | (Teams, Zoom, Webex) |
+------------------------+----------------------------+
| business-critical | Core business applications |
| | (ERP, CRM, custom apps) |
+------------------------+----------------------------+
| cloud-services | SaaS applications (O365, |
| | Salesforce, Workday) |
+------------------------+----------------------------+
| infrastructure | Network services (DNS, |
| | NTP, SNMP) |
+------------------------+----------------------------+
| security | Security tools (AV |
| | updates, SIEM) |
+------------------------+----------------------------+
| file-transfer | File sharing (SharePoint, |
| | Box, FTP) |
+------------------------+----------------------------+
| web-browsing | General web traffic |
+------------------------+----------------------------+
| streaming-media | Video/audio streaming |
| | (YouTube, Spotify) |
+------------------------+----------------------------+
| remote-access | VPN, RDP, SSH |
+------------------------+----------------------------+
| unknown | Unclassified traffic |
+------------------------+----------------------------+
A composite key identifies flows:¶
Standard 5-Tuple:¶
IP Protocol (8 bits)¶
Source IP Address (128 bits for IPv6)¶
Destination IP Address (128 bits for IPv6)¶
Source Port (16 bits)¶
Destination Port (16 bits)¶
Extended Identifiers (optional):¶
Flows progress through the following states:¶
First packet observed. Application identification in progress. Default traffic class applied.¶
Multiple packets observed. Application identification in progress. May transition to ESTABLISHED once classification confidence exceeds threshold.¶
Application identified with sufficient confidence. Traffic class assigned based on policy. SLA monitoring is active.¶
Connection termination detected. Preparing to collect final statistics.¶
Flow terminated. Final statistics recorded. Entry scheduled for removal after reporting.¶
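As an added example (not from this draft), the following Python keeps a flow table keyed by the 5-tuple, derives a common session key for the forward and reverse flows, and moves a flow through the life cycle described above. The draft names only the ESTABLISHED state; the names NEW, LEARNING, CLOSING and CLOSED, the confidence threshold of 0.8, the application-to-class mapping and the sample packets are assumptions made for this example.

```python
"""Added example (not from the PRISM draft): a minimal flow table with the
flow life cycle described in the draft. Assumed: state names other than
ESTABLISHED, the 0.8 confidence threshold, the application-to-class map
and the sample session are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[int, str, int, str, int]   # proto, src, sport, dst, dport
CONFIDENCE_THRESHOLD = 0.8                # assumed value
DEFAULT_TRAFFIC_CLASS = "best-effort"
CLASS_BY_APP = {"zoom": "realtime", "salesforce": "business"}  # constructed


def session_key(key: FlowKey) -> FlowKey:
    """Canonical key shared by the forward and reverse flows of a session:
    order the two endpoints so both directions map to the same entry."""
    proto, src, sport, dst, dport = key
    if (src, sport) <= (dst, dport):
        return key
    return (proto, dst, dport, src, sport)


@dataclass
class Flow:
    key: FlowKey
    state: str = "NEW"
    traffic_class: str = DEFAULT_TRAFFIC_CLASS
    app: Optional[str] = None
    confidence: float = 0.0
    packets: int = 0
    octets: int = 0


class FlowTable:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def observe(self, key: FlowKey, length: int, app: Optional[str] = None,
                confidence: float = 0.0, fin: bool = False) -> Flow:
        """Apply one packet to the flow state machine and return the flow."""
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key=key)            # NEW: default class until identified
            self.flows[key] = flow
        elif flow.state == "NEW":
            flow.state = "LEARNING"         # more packets seen, still identifying
        flow.packets += 1
        flow.octets += length
        if confidence > flow.confidence:   # keep the best classification so far
            flow.app, flow.confidence = app, confidence
        if flow.state in ("NEW", "LEARNING") and flow.confidence >= CONFIDENCE_THRESHOLD:
            flow.state = "ESTABLISHED"      # policy may now assign a traffic class
            flow.traffic_class = CLASS_BY_APP.get(flow.app, DEFAULT_TRAFFIC_CLASS)
        if fin and flow.state != "CLOSED":
            flow.state = "CLOSING"          # termination seen; final stats pending
        return flow

    def close(self, key: FlowKey) -> dict:
        """Record final statistics, then drop the entry after reporting."""
        flow = self.flows.pop(key)
        flow.state = "CLOSED"
        return {"key": flow.key, "app": flow.app, "class": flow.traffic_class,
                "packets": flow.packets, "octets": flow.octets}


def run_session() -> Tuple[list, dict]:
    """Drive a constructed session through its life cycle; returns the
    sequence of states observed and the final report."""
    table = FlowTable()
    fwd = (6, "2001:db8::10", 51000, "2001:db8::1", 443)
    states = [table.observe(fwd, 120).state]                                 # NEW
    states.append(table.observe(fwd, 600, app="zoom", confidence=0.5).state)  # LEARNING
    states.append(table.observe(fwd, 600, app="zoom", confidence=0.9).state)  # ESTABLISHED
    states.append(table.observe(fwd, 60, fin=True).state)                    # CLOSING
    report = table.close(fwd)
    states.append("CLOSED")
    return states, report
```

Keeping the best classification seen so far rather than the latest one means a late, low-confidence guess cannot demote a flow that was already identified; the reverse flow of the same session is a separate table entry, and session_key is what joins the two when per-session statistics are needed.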
PRISM policies follow a match-action model with the following structure:¶
Policies can match on:¶
When a policy matches, the following actions may be applied:¶
Set traffic class (maps to SRv6 color), set DSCP value¶
Prefer specific path characteristics, avoid specific paths, pin to a specific path¶
Apply SLA profile, set violation actions¶
Bandwidth Management: Rate limit, bandwidth guarantee¶
Permit, deny, redirect to inspection¶
+================+=========+========+======+====================+
| Profile        | Latency | Jitter | Loss | Use Case           |
+================+=========+========+======+====================+
| realtime-voice | 150ms   | 30ms   | 1%   | VoIP               |
+----------------+---------+--------+------+--------------------+
| realtime-video | 200ms   | 50ms   | 1%   | Video conferencing |
+----------------+---------+--------+------+--------------------+
| interactive    | 300ms   | 100ms  | 2%   | Virtual desktop    |
+----------------+---------+--------+------+--------------------+
| transactional  | 500ms   | N/A    | 0.1% | Database, API      |
+----------------+---------+--------+------+--------------------+
| best-effort    | N/A     | N/A    | N/A  | General browsing   |
+----------------+---------+--------+------+--------------------+
+===============+=======+===========+=======================+
| Traffic Class | Color | Flex-Algo | Description |
+===============+=======+===========+=======================+
| realtime | 100 | 128 | Voice, real-time C2 |
+---------------+-------+-----------+-----------------------+
| video | 200 | 129 | Video conferencing |
+---------------+-------+-----------+-----------------------+
| interactive | 300 | 128 | VDI, interactive apps |
+---------------+-------+-----------+-----------------------+
| business | 400 | default | Business applications |
+---------------+-------+-----------+-----------------------+
| best-effort | 0 | default | Default treatment |
+---------------+-------+-----------+-----------------------+
PRISM influences path selection through traffic class assignment, not direct path manipulation. The sequence is:¶
PRISM classifies flow and assigns traffic class¶
Traffic class maps to SRv6 color¶
SRv6 color maps to SR policy¶
SR policy specifies Flex-Algo or explicit path¶
SRv6 data plane forwards accordingly¶
This maintains clean separation: PRISM determines the application requirements, SRv6 satisfies them.¶
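As an added example (not from this draft), the following Python joins the three pieces above: a match-action policy lookup that sets a traffic class, the traffic class to SRv6 color and Flex-Algo mapping from the table above, and an SLA check against the profile thresholds above whose state changes map to the draft's SLA_ALERT and SLA_CLEAR notifications. The policy rule format, the match fields (application, category), the first-match-wins ordering and the sample measurements are assumptions made for the example; the color-to-SR-policy step belongs to SRv6 and is deliberately left out.

```python
"""Added example (not from the PRISM draft): policy match-action, the
class-to-SRv6 mapping and an SLA threshold check. Assumed: the rule format,
match fields, first-match-wins ordering and sample measurements."""
from typing import Dict, List, Optional

# Traffic class table from the draft: class -> (SRv6 color, Flex-Algo)
TRAFFIC_CLASSES = {
    "realtime": (100, 128),
    "video": (200, 129),
    "interactive": (300, 128),
    "business": (400, "default"),
    "best-effort": (0, "default"),
}

# SLA profiles from the draft: latency/jitter in ms, loss in percent;
# None means the profile sets no threshold for that metric.
SLA_PROFILES = {
    "realtime-voice": {"latency": 150, "jitter": 30, "loss": 1.0},
    "realtime-video": {"latency": 200, "jitter": 50, "loss": 1.0},
    "interactive": {"latency": 300, "jitter": 100, "loss": 2.0},
    "transactional": {"latency": 500, "jitter": None, "loss": 0.1},
    "best-effort": {"latency": None, "jitter": None, "loss": None},
}

# Constructed policies, evaluated top to bottom; first match wins (assumption).
POLICIES = [
    {"match": {"application": "zoom"},
     "action": {"traffic_class": "video", "sla": "realtime-video"}},
    {"match": {"category": "unified-communications"},
     "action": {"traffic_class": "realtime", "sla": "realtime-voice"}},
    {"match": {"category": "business-critical"},
     "action": {"traffic_class": "business", "sla": "transactional"}},
    {"match": {"category": "unknown"},
     "action": {"verdict": "redirect-to-inspection"}},
]


def match_policy(flow: Dict[str, str]) -> dict:
    """Return the action of the first policy whose conditions all match."""
    for policy in POLICIES:
        if all(flow.get(k) == v for k, v in policy["match"].items()):
            return policy["action"]
    return {"traffic_class": "best-effort", "sla": "best-effort"}


def steer(flow: Dict[str, str]) -> dict:
    """PRISM's part of the sequence: classification -> traffic class ->
    SRv6 color. Color-to-SR-policy resolution is SRv6's job, so only the
    values handed over to it are returned."""
    action = dict(match_policy(flow))
    tc = action.get("traffic_class", "best-effort")
    color, flex_algo = TRAFFIC_CLASSES[tc]
    action.update({"traffic_class": tc, "srv6_color": color, "flex_algo": flex_algo})
    return action


def check_sla(profile: str, measured: Dict[str, float]) -> List[str]:
    """Return the metrics whose measured value exceeds the profile threshold;
    an empty list means the SLA is met. Unthresholded metrics are skipped."""
    violations = []
    for metric, limit in SLA_PROFILES[profile].items():
        if limit is not None and metric in measured and measured[metric] > limit:
            violations.append(metric)
    return violations


def sla_event(was_violating: bool, violations: List[str]) -> Optional[str]:
    """Map a check result to the draft's SLA_ALERT / SLA_CLEAR messages,
    emitting only on a change of state so a persistent violation does not
    flood the controller."""
    if violations and not was_violating:
        return "SLA_ALERT"
    if not violations and was_violating:
        return "SLA_CLEAR"
    return None
```

Note that the unknown-category rule carries a verdict but no traffic class, so the flow still receives best-effort steering (color 0); a policy engine should make that default explicit rather than leave unclassified traffic without an SRv6 color.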
PRISM control messages are transported via UDP on port 4796.¶
All control messages are authenticated using HMAC-SHA-384.¶
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |     Type      |            Flags              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                       Node ID (64 bits)                       +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                      Timestamp (64 bits)                      +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                    HMAC-SHA-384 (384 bits)                    |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Total header size: 72 octets (consistent with CONDUIT)¶
+=======+===============+========================================+
| Value | Name          | Description                            |
+=======+===============+========================================+
| 0x01  | HELLO         | Node discovery and capability exchange |
+-------+---------------+----------------------------------------+
| 0x02  | HELLO_ACK     | Response to HELLO                      |
+-------+---------------+----------------------------------------+
| 0x10  | POLICY_PUSH   | Policy distribution from controller    |
+-------+---------------+----------------------------------------+
| 0x11  | POLICY_ACK    | Policy receipt acknowledgment          |
+-------+---------------+----------------------------------------+
| 0x20  | FLOW_REPORT   | Flow statistics report                 |
+-------+---------------+----------------------------------------+
| 0x21  | FLOW_SYNC     | Flow state synchronization (HA)        |
+-------+---------------+----------------------------------------+
| 0x30  | SLA_ALERT     | SLA violation notification             |
+-------+---------------+----------------------------------------+
| 0x31  | SLA_CLEAR     | SLA violation cleared                  |
+-------+---------------+----------------------------------------+
| 0x40  | APP_SIGNATURE | Application signature update           |
+-------+---------------+----------------------------------------+
| 0x0F  | ERROR         | Error notification                     |
+-------+---------------+----------------------------------------+
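As an added example (not from this draft), the following Python builds and verifies a control message whose field widths follow the header diagram above, using HMAC-SHA-384 from the standard library. The draft does not state what the HMAC covers or how the Sequence Number and Timestamp are checked; this example assumes the HMAC is computed over the header with the HMAC field zeroed plus the payload, that the receiver keeps the last accepted Sequence Number per Node ID to reject replays, and a 5 second Timestamp tolerance with microsecond units. The version number, key, Node IDs and payloads are constructed.

```python
"""Added example (not from the PRISM draft): build and verify a PRISM
control message with HMAC-SHA-384. Field widths follow the draft's header
diagram; HMAC coverage, the replay rule, the timestamp tolerance, the
version number, key, Node IDs and payloads are assumptions for this example."""
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional, Tuple

VERSION = 1                 # assumed version number
TYPE_HELLO = 0x01           # message types from the draft's table
TYPE_SLA_ALERT = 0x30
HMAC_LEN = 48               # 384 bits
# Version(8) Type(8) Flags(16) Length(16) Reserved(16) NodeID(64) Seq(32) Timestamp(64)
FIXED_FMT = "!BBHHHQIQ"
FIXED_LEN = struct.calcsize(FIXED_FMT)   # octets preceding the HMAC field
MAX_SKEW_US = 5_000_000                  # assumed 5 s timestamp tolerance


def build_message(key: bytes, msg_type: int, node_id: int, seq: int,
                  timestamp_us: int, payload: bytes, flags: int = 0) -> bytes:
    """Serialize header + payload; Length counts the whole message."""
    length = FIXED_LEN + HMAC_LEN + len(payload)
    fixed = struct.pack(FIXED_FMT, VERSION, msg_type, flags, length, 0,
                        node_id, seq, timestamp_us)
    # HMAC over the header with the HMAC field zeroed, then the payload (assumption)
    tag = hmac.new(key, fixed + bytes(HMAC_LEN) + payload, hashlib.sha384).digest()
    return fixed + tag + payload


class Verifier:
    """Per-peer verification state: the last accepted Sequence Number per
    Node ID rejects replayed or reordered messages that would otherwise
    carry a valid HMAC."""

    def __init__(self, key: bytes, now_us: Callable[[], int]) -> None:
        self.key = key
        self.now_us = now_us              # clock source, injectable for tests
        self.last_seq: Dict[int, int] = {}

    def verify(self, msg: bytes) -> Tuple[Optional[dict], str]:
        if len(msg) < FIXED_LEN + HMAC_LEN:
            return None, "truncated"
        fixed = msg[:FIXED_LEN]
        tag = msg[FIXED_LEN:FIXED_LEN + HMAC_LEN]
        payload = msg[FIXED_LEN + HMAC_LEN:]
        # Authenticate before trusting any header field.
        expected = hmac.new(self.key, fixed + bytes(HMAC_LEN) + payload, hashlib.sha384).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time comparison
            return None, "bad-hmac"
        version, msg_type, flags, length, _reserved, node_id, seq, ts = struct.unpack(FIXED_FMT, fixed)
        if version != VERSION or length != len(msg):
            return None, "bad-header"
        if abs(self.now_us() - ts) > MAX_SKEW_US:
            return None, "stale-timestamp"
        if seq <= self.last_seq.get(node_id, -1):
            return None, "replay"
        self.last_seq[node_id] = seq
        return {"type": msg_type, "flags": flags, "node_id": node_id,
                "seq": seq, "timestamp_us": ts, "payload": payload}, "ok"
```

The HMAC check runs before any header field is interpreted, and the replay window is updated only after every check passes, so a message that fails late (stale timestamp) does not advance the accepted sequence number.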
PRISM exposes functionality through five gRPC services:¶
Policy lifecycle management (CRUD for policies, SLA profiles)¶
Application signature management¶
Flow visibility and real-time streaming¶
SLA compliance reports and traffic analytics¶
Node configuration¶
All gRPC connections MUST use mutual TLS (mTLS) with CNSA 2.0 compliant certificates.¶
PRISM implementations MUST comply with CNSA 2.0:¶
AES-256-GCM for symmetric encryption¶
ECDH P-384 for key exchange¶
ECDSA P-384 for digital signatures¶
SHA-384 for hashing¶
HMAC-SHA-384 for message authentication¶
The gRPC API MUST use TLS 1.3 with the TLS_AES_256_GCM_SHA384 cipher suite.¶
PRISM performs deep packet inspection, which raises privacy concerns. PRISM analyzes metadata of encrypted traffic but does not decrypt contents. Organizations SHOULD define data retention policies.¶
Sophisticated actors may attempt to evade identification. Implementations SHOULD employ multiple identification methods and provide mechanisms to review classifications.¶
Policies MUST be authenticated using HMAC-SHA-384. Policy changes SHOULD require appropriate authorization and be logged for audit.¶
This document requests the allocation of UDP port 4796 for PRISM control messages.¶
This document requests the creation of a "PRISM Application Categories" registry with initial values from 0x01 (unified-communications) through 0xFF (unknown).¶
The authors thank the networking community for discussions on SD-WAN requirements and open standards approaches.¶