| Internet-Draft | SD-WAN Edge Discovery | February 2026 |
| Dunbar, et al. | Expires 24 August 2026 | [Page] |
The document describes the BGP mechanisms for SD-WAN (Software Defined Wide Area Network) edge node attribute discovery. These mechanisms include a new tunnel type and sub-TLVs for the BGP Tunnel-Encapsulation Attribute (RFC9012) and set of NLRI (network layer reachability information) for SD-WAN underlay information.¶
In the context of this document, BGP Route Reflector (RR) is the component of the SD-WAN Controller that receives the BGP UPDATE from SD-WAN edges and in turn propagates the information to the intended peers that are authorized to communicate via the SD-WAN overlay network.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document describes the BGP signaling extensions that enable SD-WAN edge nodes to advertise client route reachability, underlay tunnel properties, and security related attributes required to establish and maintain SD-WAN overlay tunnels. The SD-WAN Hybrid Tunnel forms a logical overlay between edge nodes across heterogeneous underlay networks (e.g., MPLS VPNs, direct Layer 2 links, or public Internet).¶
The mechanisms defined in this document apply to both: 1) SD-WAN Secure L3VPN deployments, where L3VPN services are delivered over SD-WAN Hybrid tunnels; and 2) SD-WAN Secure Links deployments, where encrypted logical links are formed between SD-WAN edge nodes without using L3VPN address families.¶
BGP [RFC4271] serves as the control plane for these SD-WAN deployments. All BGP peers participating in SD-WAN edge discovery are assumed to maintain secure transport connections with their Route Reflector (RR), either via network service provider private paths or via other secure transport mechanisms. The establishment and maintenance of such secure transport connections are outside the scope of this document.¶
This document defines a new SD-WAN Hybrid Tunnel type and associated sub-TLVs for the BGP Tunnel Encapsulation Attribute [RFC9012], as well as new NLRIs for advertising SD-WAN underlay information. These extensions enable SD-WAN edge nodes to exchange the information necessary to establish and update secure SD-WAN overlay tunnels, as described in [Net2Cloud].¶
An SD-WAN network defined in [MEF70.1] and [MEF70.2] refers to a policy-driven network over multiple heterogeneous underlay networks to get better WAN bandwidth management, visibility, and control. In many deployments, L3VPN services are offered over SD-WAN overlays to provide site-to-site connectivity with traffic segmentation, security, and performance guarantees. These L3VPN services leverage SD-WAN Secure Links, i.e. encrypted data plane tunnels established between SD-WAN edge nodes using mechanisms such as IPsec, to carry user traffic between endpoints.¶
This document describes the BGP mechanisms used to support such L3VPN deployments by enabling SD-WAN edge nodes to advertise underlay attributes, tunnel characteristics, and security association related attributes. These mechanisms enable dynamic tunnel selection, service-level steering, and secure endpoint discovery.¶
The SD-WAN usage model, including its deployment scenarios and BGP requirements, is detailed in [SD-WAN-BGP-USAGE] and not repeated here. This document focuses solely on the signaling extensions and encapsulation mechanisms required to support those scenarios in BGP.¶
[RFC9012] defines a BGP mechanism that links routes (prefix and Next Hop) to a specific tunnels using a specific encapsulation. The SD-WAN Secure Links Topology uses a single hybrid logical link on a SD-WAN Peer to represent multiple underlay topology links. The SD-WAN peer distributes IPsec security association (IPsec SA) [RFC4301] related information regarding the hybrid link or individual underlay links.¶
The traffic is routed via normal IPv4/IPv6 forwarding without any VPN addition. The SD-WAN Secure Links provides some link security for some simple cases of the three scenarios from [SD-WAN-BGP-USAGE] that do not require L3VPN addresses (Route Distinguisher (RD), prefix).¶
The following acronyms and terms are used in this document:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The BGP mechanisms defined in this document serve two functions:¶
This section describes the SD-WAN Hybrid Tunnel, the SD-WAN NLRIs, the new sub-TLVs for SD-WAN Tunnel IPsec SA, sub-TLVs for Port attributes, the procedures for the client routes, the procedures for underlay routes, error handling, and considerations for managing SD-WAN technologies.¶
Per [RFC9012], the following two BGP attributes that MAY encode a Tunnel Encapsulation attribute information: the Tunnel Encapsulation Attribute, and the Encapsulation Extended Community as a "barebones" tunnel identification. The encoding for the SD-WAN Hybrid Tunnel is described for both BGP attributes.¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x03 (1 octet)| 0x0c (1 octet)| Reserved (2 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved (2 octets) | Tunnel Type=25 (2 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Encapsulation Extended Community
The NextHop Field in the BGP update is the tunnel egress Endpoint, and this SHOULD be set to the BGP Peer Address for the SD-WAN Peer.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tunnel-Type=25(SD-WAN-Hybrid )| Length (2 Octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sub-TLVs | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The validation procedure for the SD-WAN tunnel TLV has the following components:¶
Prior to installing a route with a SD-WAN tunnel as an active route, the BGP peer installing the route MUST also validate that the SD-WAN tunnel and underlay links are active.¶
Table 1
Client Routes AFI/SAFI = 1/1, 2/1, 1/128, 2/128
Underlay Routes AFI/SAFI = 1/74 and 2/74
sub-TLV Code Client Routes Underlay Routes
------ ---- ------------- ---------------
Encapsulation 1 not valid not valid
Protocol 2 not valid not valid
Color 3 valid *1 not valid *2
Load-Balancing Block 5 not valid not valid *2
Tunnel Egress EP 6 Info rqd *5 required
DS Field 7 not valid not valid *2
UDP Dest. Port 8 not valid not valid *2
Embedded Label H. 9 not valid not valid *2
MPLS label Stack 10 not valid not valid *2
Prefix-SID 11 not valid not valid *2
Preference 12 not valid not valid *2
Binding SID 13 not valid not valid *2
ENLP 14 not valid not valid *2
Priority 15 not valid not valid *2
SPI/SI 16 not valid not valid *2
SRv6 Binding SID 20 not valid not valid *2
IPsec SA ID 64 valid *3 valid *3
Extended Port Attr 65 not valid valid *4
Underlay Type 66 not valid valid *4
IPsec SA Rekey Cnt 67 valid *3 valid *3
IPsec Public Key 68 valid *3 valid *3
IPsec SA Proposal 69 valid *3 valid *3
Simplified IPsec SA 70 valid *3 valid *3
Notes¶
*1 - For client traffic, the Color sub-TLV defined in this document must be validated using the same procedures specified in [RFC9012] for the Color Extended Community. When both the Color Extended Community and the Color sub-TLV are present, the value in the Color Extended Community [RFC9012] takes precedence and must be used for forwarding and policy decisions.¶
*2 - The listed Sub-TLVs are not valid when used with Underlay route advertisements. Future extensions may define their use in that context, but such extensions are outside the scope of this document.¶
*3 - See Section 2.3 (encoding), Section 2.4 (client route validation), and Section 2.5 (underlay route validation) for content processing and validation procedures.¶
*4 - See Section 2.3 (encoding), and 2.6 (error handling for malformed sub-TLVs or incorrect NLRI association).¶
*5 - Per [RFC9012] Section 4.1, when Tunnel Encapsulation Attribute is attached to a client route UPDATE, the Tunnel Egress Endpoint is derived from the BGP NextHop attribute.¶
The Edge BGP Peer using BGP SD-WAN discovery sends the hybrid SD-WAN NLRI with the SD-WAN Hybrid tunnel attribute to advertise the detailed properties associated with the public facing WAN ports and IPsec tunnels. The Edge BGP Peer sends this information to its designated RR via the Secure Transport Connection. Each BGP UPDATE message with a SD-WAN Underlay NLRI MUST contain a Tunnel Encapsulation Attribute for a Hybrid Tunnel type. The Tunnel Encapsulation Attribute can include sub-TLVs for Extended Port attribute (see Section 2.3.6) or IPsec information (see Section 2.3). The IPsec information sub-TLVs include: IPsec SA ID, IPsec SA Nonce, IPsec Public Key, IPsec SA Proposal, and Simplified IPsec SA.¶
A new NLRI SAFI (SD-WAN SAFI=74) is introduced within the MP_REACH_NLRI Path Attribute of [RFC4760] for advertising the detailed properties of the SD-WAN tunnels terminated at the edge node:¶
+------------------+ | Route Type | 2 octets +------------------+ | Length | 2 octets +------------------+ | Type Specific | ~ Value (Variable) ~ | | +------------------+
where:¶
This document defines the following SD-WAN Route type:¶
For advertising the detailed properties of the SD-WAN tunnels terminated at the edge, where the transport network port can be uniquely identified by a tuple of three values (Port-Local-ID, SD-WAN-Color, SD-WAN-Node-ID). The SD-WAN NLRI Route Type =1 has the following encoding:¶
+------------------+
| Route Type = 1 | 2 octets
+------------------+
| Length | 2 octets
+------------------+
| Port-Local-ID | 4 octets
+------------------+
| SD-WAN-Color | 4 octets
+------------------+
| SD-WAN-Node-ID | 4 or 16 octets
+------------------+
Upon receiving an SD-WAN NLRI Route-Type 1, the following validation steps MUST be performed:¶
The Length field MUST contain a value of either 12 or 24 octets, as defined in Section 2.2.1. Any other value renders the NLRI malformed and it MUST be discarded.¶
If Length = 12, the SD-WAN Node-ID field MUST contain exactly 4 octets, representing an IPv4 address. If Length = 24, the SD-WAN Node-ID field MUST contain exactly 16 octets, representing an IPv6 address.¶
The SD-WAN Node-ID MUST be a valid unicast address.¶
Implementations MAY apply additional local policy checks (e.g., verifying whether the advertising BGP speaker is authorized to advertise SD-WAN NLRIs), but these are outside the scope of NLRI field validation itself.¶
If the local policy check fails, the NLRI SHOULD be discarded without affecting the BGP session.¶
The Path Attributes attached to the SD-WAN NLRIs apply to the WAN-facing tunnel endpoints being advertised, not to client routes. These attributes describe properties of the WAN ports (e.g., encapsulation, transport role, or color) that may be used in establishing SD-WAN overlay tunnels between edge nodes. Client routes, which represent customer prefixes, are propagated using separate BGP NLRIs (e.g., IPv4/IPv6 unicast or L3VPN), with their own associated Path Attributes. The SD-WAN NLRI and client route NLRI are independent but may be correlated by the receiving BGP speaker for tunnel selection and service mapping.¶
The IPsec SA Property Sub-TLVs defined in this section are used to signal IPsec SA parameters for SD-WAN Hybrid Tunnels as defined in this document. While these Sub-TLV formats could potentially be reused in other applications that require IPsec SA signaling over BGP, this document defines their semantics and behavior specifically within the SD-WAN Edge Discovery framework.¶
If any sub-TLV is malformed, error handling MUST follow the procedure in Section 13 of [RFC9012].¶
To support key rotation (e.g., updating IPsec keys or parameters), the SD-WAN NLRI (identified by Port-Local-ID, SD-WAN-Color, and SD-WAN-Node-ID) can be re-advertised via a BGP UPDATE message containing updated IPsec SA information. This mechanism enables rapid distribution of new keys without requiring separate key negotiation protocols.¶
The IPsec SA ID Sub-TLV is used to reference one or more previously established IPsec SAs between SD-WAN nodes. This Sub-TLV carries one or more 32-bit Security Parameter Index (SPI) values assigned at the receiving node (i.e., the inbound SPI). When combined with the SD-WAN Node-ID (which identifies the tunnel endpoint address), each SPI uniquely identifies an existing IPsec SA, consistent with the SA identification described in [RFC4301].¶
Multiple SPIs MAY be included within the Sub-TLV to reference multiple pre-established IPsec SAs available for the SD-WAN overlay. This enables advertisement of SA updates, key rotations, or operational state changes without resending full SA parameter sets, thereby significantly reducing the size of BGP UPDATE messages and allowing pairwise IPsec rekeying to proceed independently for each SA.¶
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |IPsec SA ID Sub| Length | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPsec SA Identifier #1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPsec SA Identifier #2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPsec SA Identifier #n | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:¶
IPsec SA ID Sub-Type (8 bits): 64(IANA Assigned).¶
Length (8 bits): Specifies the total length in octets of the value field (not including the Type and Length fields). For the IPsec SA ID Sub-Type, the Length field SHOULD be equal to 2 + 4 *(number of IPsec SA IDs) .¶
Reserved: Reserved for future use. In this version of the document, the Reserved field MUST be set to zero and MUST be ignored upon receipt. Received values MUST be propagated without change.¶
Value field: The value field consists of a sequence of IPsec SA SPIs, each 4 octets long. As shown in the figure above, n IPsec SAs are attached in the IPsec SA ID sub-TLV:¶
The IPsec SA Rekey Counter Sub-TLV provides the rekey counter for a security association (identified by IPsec SA Identifier).¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|SA-RekeyCounter| Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID Length | Nonce Length |I| Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Rekey |
| Counter |
+---------------------------------------------------------------+
| IPsec SA Identifier |
+---------------------------------------------------------------+
| |
~ Nonce Data ~
| |
+---------------------------------------------------------------+
where:¶
SA-RekeyCounter (IPsec SA Rekey Counter) Sub-Type (8 bits): 67 (IANA assigned)¶
length (8 bits): Specifies the total length in octets of the value field (not including the Type and Length fields). The total length is variable with the value equal to 18 plus Nonce length.¶
Reserved: Reserved for future use. In this version of the document, the Reserved field MUST be set to zero and MUST be ignored upon receipt. Received values MUST be propagated without change.¶
ID Length (8 bits): indicates the length in octets of SA-Identifer (SA-SPI). This length SHOULD be 4 octets.¶
Nonce Length (16 bits): indicates the length, in octets, of the Nonce Data. The value MUST be a non-zero multiple of 4 (i.e., the Nonce Data length MUST be a multiple of 32 bits)[RFC7296].¶
I Flag: when set to 1, the I-flag indicates that the communication being established is new. when set to 0, it signals that the communication is a continuation of an existing session.¶
Flags (7 bits): Reserved for future use. In this version of the document, the Reserved field MUST be set to zero and MUST be ignored upon receipt. Received values MUST be propagated without change.¶
Rekey Counter (64 bits): the number of key updates or rekeys that have occurred. Each time a key is rotated or replaced, the Rekey Counter is incremented.¶
IPsec SA Identifier (IPSec SA ID): Identifies the SPI assigned to a specific IPsec SA terminated at the SD-WAN edge node. The length of this field is specified in ID Length. For this specification, the length MUST be 4 octets. Other lengths are outside the scope of this document.¶
Nonce Data: a random or pseudo-random number for preventing replay attacks.¶
The IPsec SA Rekey Counter Sub-TLV is considered malformed under any of the following conditions:¶
Malformed Sub-TLVs are handled according to [RFC9012]; they MUST be ignored and skipped during parsing.¶
The IPsec Public Key Sub-TLV provides the Public Key exchange information and the life span for the Diffie-Hellman Key. The encoding is shown in the figure below:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|IPsec-PublicKey| Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Diffie-Hellman Group Num | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Key Exchange Data ~
| |
+---------------------------------------------------------------+
| Duration |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:¶
IPSec-PublicKey Sub-Type (8 bits): 68 (IANA assigned)¶
length (8 bits): Specifies the total length in octets of the value field (not including the Type and Length fields). The total length is variable with the length being 10 + the Key Exchange Data length.¶
Diffie-Hellman Group Num (16-bits): identifies the Diffie-Hellman group used to compute the Key Exchange Data. Details on Diffie-Hellman group numbers can be found in Appendix B of IKEv2 [RFC7296] and [RFC5114].¶
The Key Exchange data: This refers to a copy of the sender's Diffie-Hellman public value. The length of the Diffie-Hellman public value is defined for MODP groups in [RFC7296] and for ECP groups in [RFC5903].¶
Duration (32 bits): a 4-octet value specifying the life span of the Diffie-Hellman key in seconds.¶
An IPsec Public Key Sub-TLV is considered malformed if any of its fields do not conform to the encoding rules specified above. Malformed Sub-TLVs are handled according to [RFC9012] and MUST be ignored.¶
The IPsec SA Proposal Sub-TLV is used to advertise a set of cryptographic parameters that define the proposal for establishing an IPsec SA. A proposal consists of one or more transform types, where each transform specifies a particular cryptographic function (such as encryption or integrity) and the corresponding algorithm to be used. This structure follows the same model as IKEv2 Proposals defined in [RFC7296].¶
The encoding is shown below:>¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SA Proposal | Length | Reserved (16 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transform Attr Length |Transform Type | Reserved. | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transform ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Transform Attributes ~ | | +---------------------------------------------------------------+
where:¶
The Transform Attributes field may be omitted if no additional parameters are required for the selected algorithm.¶
The Simplified IPsec SA Sub-TLV provides a compact way to signal pre-configured IPsec SA parameters for deployments where full transform negotiation (e.g., via IKEv2) is not supported or not necessary. In such deployments, SD-WAN edge nodes are provisioned (e.g., via SD-WAN controller or management system) with a common set of agreed security profiles, including allowed transforms and algorithms. This Sub-TLV signals which profile entry is to be used for a given SA instance.¶
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|IPsec-simType | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Transform | IPsec Mode | AH algorithms |ESP algorithms |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Rekey Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key1 length | Key 1 ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key2 length | Key 2 ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| nonce-length | Nonce ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Duration |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:¶
All other transform values are invalid unless specified by future specifications.¶
Mode = 1 indicates that the Tunnel Mode is used.¶
Mode = 2 indicates that the Transport mode is used.¶
Only Mode values 1 and 2 are valid in this document. All other Mode values are considered invalid unless specified by future specifications.¶
A Simplified IPsec SA Sub-TLV is considered MALFORMED if any of its fields are not properly encoded, do not conform to the specified value ranges above, or contain invalid field lengths. Per [RFC9012], any MALFORMED Sub-TLV MUST be ignored, and processing continues with the remaining Sub-TLVs in the Tunnel Encapsulation Attribute.¶
The Extended Port Attribute Sub-TLV advertises NAT-related properties associated with a public Internet-facing WAN port on an SD-WAN edge node. This information enables peer SD-WAN nodes to establish secure tunnels even when one or both peers are behind NAT devices. An SD-WAN edge node may query a STUN server (Session Traversal Utilities for NAT [RFC8489]) to determine its NAT properties, including its public IP address and public port number. These properties are then advertised to peer nodes using the Extended Port Attribute Sub-TLV.¶
In SD-WAN deployments, NAT devices may exist at one or both ends of the tunnel path. The possible deployment scenarios include:¶
Only one SD-WAN edge node is located behind a NAT device, while its peer is directly reachable.¶
Both SD-WAN edge nodes are behind NAT devices (symmetric or independent NATs).¶
The external address and port assigned to an edge node may change dynamically, either due to ISP address allocation or when traversing NAT devices that use dynamic address pools.¶
Because an SD-WAN edge node may have multiple WAN ports with independent NAT characteristics, the NAT properties are associated with individual WAN ports and are advertised independently for each port using this Sub-TLV. This per-port advertisement allows remote peers to construct appropriate NAT traversal parameters for each potential tunnel endpoint.¶
Unlike pairwise NAT traversal mechanisms such as IKEv2 [RFC7296], which require peers to dynamically discover NAT properties during tunnel setup, the BGP-controlled SD-WAN architecture enables each SD-WAN edge node to proactively advertise its NAT properties to all peers through BGP signaling. This approach simplifies NAT traversal in large-scale SD-WAN deployments where each edge node may need to establish tunnels with many peers.¶
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Type=65(extPort| ExtPort Length| Reserved |I|O|R|R|R|R|R|R|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT Type | Encap-Type |Trans networkID| RD ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Local IP Address |
| 32-bits for IPv4, 128-bits for Ipv6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Local Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public IP |
| 32-bits for IPv4, 128-bits for Ipv6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Public Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extended Sub-Sub-TLV |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where:¶
ExtPort Length: the length of the value field in octets excluding the Type and the Length fields. If IPv4, the length is 32 (8 header, 32 address, 8 for 1 Sub-Sub-TLV). If IPv6, the length is 64 (8 header, 48 addresses, 8 for 1 subSubTLV).¶
Flags (16 bits):¶
NAT Type (8 bits): an unsigned integer indicating the NAT behavior observed for this WAN port. The values are derived from the legacy NAT classification model described in RFC 8489 Section 5. The assigned values are:¶
1: without NAT ;¶
2: 1-to-1 static NAT;¶
3: Full Cone;¶
4: Restricted Cone;¶
5: Port Restricted Cone;¶
6: Symmetric; or¶
7: Unknown (e.g. no response from the STUN server).¶
The NAT Type value is determined by the sender using NAT discovery procedures (e.g., STUN [RFC8489] with legacy tests [RFC8489]) or local administrative configuration. The receiver is not required to verify NAT behavior but MUST validate that the received NAT Type field is within the range 1-7. Values outside this range are considered invalid and result in the Sub-TLV being treated as malformed.¶
Encap-Type(8 bits): An unsigned integer indicating the encapsulation type supported for this WAN port. This field is distinct from the Tunnel Type field in the BGP Tunnel Encapsulation Attribute [RFC9012]. The encapsulation types defined by this document are:¶
Notes:¶
Other values are reserved for future specifications. The Encap-Type identifies the encapsulation protocol used within the IPsec payload when IPsec SA Sub-TLVs (IPsec SA ID, IPsec SA Nonce, IPsec Public Key, IPsec SA Proposal, or Simplified IPsec SA) are present in the SD-WAN Hybrid Tunnel.¶
The Extended Port Attribute Sub-TLV does not support NAT traversal scenarios involving IPv4/IPv6 translation (e.g., NAT64 or 6to4).¶
Trans NetworkID (Transport Network ID) (8 bits): An identifier assigned by the SD-WAN Controller to indicate the transport network that this WAN port belongs to. All values from 0 to 255 are valid.¶
RD ID: The Routing Domain ID is a globally unique identifier assigned to the routing domain associated with this WAN port. All values from 0 to 255 are valid.¶
Some SD-WAN deployments may define multiple levels, zones, or regions that are represented as logical domains. Operational policies may govern whether tunnels are allowed between nodes in different logical domains. For example, a hub node may be permitted to establish tunnels across domains, while spoke nodes may be restricted to communicating only within their own domain. The definition, distribution, and enforcement of such policies are outside the scope of this document.¶
Local IP: The local (or private) IP address of the WAN port.¶
Local Port: used by Remote SD-WAN edge node for establishing IPsec to this specific port.¶
Public IP: The IP address after the NAT. If NAT is not used, this field is set to all-zeros¶
Public Port: The Port after the NAT. If NAT is not used, this field is set to all-zeros.¶
If NAT is not used for the WAN port, both the Public IP and Public Port fields MUST be set to zero. If one field is set to zero and the other is non-zero, the Sub-TLV is considered malformed.¶
Extended Sub-Sub-TLV: for carrying additional information about the underlay networks.¶
If the Extended Port Attribute Sub-TLV is malformed (e.g., incorrect length, invalid address format, or unrecognized NAT type), it MUST be ignored per the procedures described in [RFC9012]. Other Sub-TLVs in the same Tunnel Encapsulation Attribute, if valid, MUST still be processed.¶
One Extended Sub-Sub-TLVs is specified in this document: Underlay Network Type Sub-Sub-TLV.¶
The Underlay Network Type Sub-Sub-TLV is an optional Sub-Sub-TLV used to advertise additional transport characteristics for the WAN port, including connection type, physical port type, and port bandwidth (e.g., LTE, DSL, Ethernet, and others). This information assists remote peers or controllers in selecting optimal underlay paths when multiple WAN ports are available. The Underlay Network Type Sub-Sub-TLV is only valid for the Tunnel Type SD-WAN Hybrid within the Extended Port Attribute Sub-TLV.¶
Underlay Network Type.¶
66 (IANA Assigned).¶
The encoding is shown in the figure below:¶
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UnderlayType | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Connection Type| Port Type | Port Speed |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Where:¶
An unsigned integer indicating the connection type for this WAN port. Only a single value is carried per instance. The following values are defined:¶
An unsigned integer indicating the physical port type of the WAN interface. Only a single value is carried per instance. The following values are defined:¶
Underlay Network Type Sub-Sub-TLV is a MALFORMED Sub-Sub-TLV if the fields do not fit the limits specified above. If a MALFORMED Sub-Sub-TLV is contained in the Extended Port Attribute Sub-TLV, then the Extended Port Attribute Sub-TLV is MALFORMED. Per [RFC9012], a MALFORMED Sub-TLV is ignored.¶
Client routes with NLRI of AFI/SAFI IPv4 Unicast (1/1), IPv6 (2/1), L3VPN v4 Unicast (1/128), and IPv6 L3VPN (2/128) that use the SD-WAN Hybrid Tunnel Type can be advertised using one of two mechanisms:¶
The Tunnel Encapsulation Attribute based approach, which includes all tunnel attributes within route advertisement, can simplify the processing at the receiving nodes. However, it may lead to significant BGP attribute overhead, particularly when multiple IPsec SAs are eligible to carry the same client route. In contrast, the Encapsulation Extended Community approach (the "barebones" method defined in [RFC9012]) combined with SD-WAN SAFI separates tunnel attributes from route Updates, enhancing flexibility and allowing tunnel properties to be reused across multiple client routes.¶
The SD-WAN Secure Links topology is supported using unicast IPv4 and IPv6 routes. L3VPN topologies, on the other hand, support the formation of Secure SD-WAN L3VPNs as described in [SD-WAN-BGP-USAGE] and MEF specifications [MEF 70.1] and [MEF 70.2].¶
When client routes are advertised using the Encapsulation Extended Community with the SD-WAN Hybrid Tunnel Type, as specified in [RFC9012], the Encapsulation Extended Community identifies the tunnel type, and the NextHop field in the BGP UPDATE serves as the Tunnel Egress Endpoint. Validation of the Tunnel Egress Endpoint follows the procedures defined in Sections 13 of [RFC9012], as applied to the NextHop.¶
The Color Extended Community (Color-EC) is used to associate a client route with its eligible underlay tunnels. The Color value in the client route identifies the set of underlay tunnels, previously advertised with the same Color via SD-WAN SAFI, that may be used to transport the traffic. This enables SD-WAN ingress nodes or controllers to apply path selection policies based on performance, cost, or service requirements.¶
In this approach, if a required underlay tunnel is unavailable, the associated route MUST NOT be installed in the forwarding table or used to forward traffic. The route MAY still exist in the BGP control plane but MUST be marked as unusable for forwarding until a valid secure tunnel is established.¶
When client routes are advertised using the Tunnel Encapsulation Attribute with the SD-WAN Hybrid Tunnel Type, the following procedures apply for validating the BGP UPDATE message:¶
When a client route is advertised with the Encapsulation Extended Community that identifies the SD-WAN Hybrid Tunnel Type, the route may also include a Color Extended Community (Color-EC). This combination allows the route to be carried over multiple underlay tunnels that were previously advertised, each with the same Color value.¶
The Color-EC serves as a correlation mechanism: all underlay tunnels that have been advertised (via SD-WAN SAFI) with the same Color value are considered eligible to carry the traffic for the client route. This approach supports flexible path selection and tunnel diversity while avoiding the need to enumerate each tunnel per route.¶
This model is especially useful when:¶
A site has multiple available IPsec tunnels or WAN links.¶
A centralized controller or ingress SD-WAN edge node must select the optimal tunnel for forwarding based on performance, policy, or service constraints.¶
The tunnel attributes, including IPsec parameters, NAT traversal info, and WAN port properties, are conveyed separately via SD-WAN SAFI updates. This keeps client route updates minimal, allowing multiple routes to reference the same tunnel attributes by using the Color-EC.¶
In a BGP-controlled SD-WAN network, the VPN ID distinguishes client VPNs and ensures route separation. It is conveyed in client route UPDATEs as follows:¶
For IPv4/IPv6 Unicast (AFI/SAFI = 1/1 or 2/1), the Route Target Extended Community SHOULD be included. The Route Target value is interpreted as the VPN ID. The Route Target is especially necessary when the SD-WAN edge node serves multiple VPNs on its client-facing interfaces. If all client routes belong to a single VPN and the association is unambiguous, the Route Target MAY be omitted.¶
For VPN-IPv4/VPN-IPv6 (AFI/SAFI = 1/128 or 2/128), the RD in the NLRI serves as the VPN ID.¶
In the data plane, SD-WAN traffic can traverse either an MPLS or IPsec segment within a SD-WAN Hybrid Tunnel. The method for conveying the VPN ID depends on the encapsulation:¶
MPLS Segments: When the Hybrid Tunnel uses MPLS transport, the MPLS label stack is used to identify the VPN per [RFC8277]. Security is assumed to be provided by the MPLS transport.¶
IPsec Segments: When traversing a public network with IPsec encryption: For GRE encapsulation within IPsec, the GRE Key field can carry the SD-WAN VPN ID; For VXLAN network virtualization overlays within IPsec, the VNI (Virtual Network Identifier) field is used to carry the VPN ID.¶
Underlay routes in a BGP-controlled SD-WAN network are advertised using the SD-WAN SAFI, with the Tunnel Encapsulation Attribute carrying a SD-WAN Hybrid Tunnel TLV. This TLV includes one or more Sub-TLVs that describe detailed tunnel attributes of the SD-WAN edge node's WAN ports, such as encapsulation types, NAT behavior, bandwidth, and IPsec parameters.¶
These underlay route advertisements carry the tunnel attributes needed for establishing SD-WAN Hybrid tunnels. Remote nodes use the SD-WAN Node ID carried in the SD-WAN SAFI to correlate client routes whose NextHop address matches the Node ID. This allows the receiving node to associate each client route with the appropriate set of tunnel attributes advertised by the corresponding SD-WAN edge node.¶
The SD-WAN Hybrid NLRI MUST be accompanied by the Tunnel Encapsulation Attribute, and MUST NOT be accompanied by an Encapsulation Extended Community.¶
The procedure for processing underlay routes follows the following steps:¶
As specified in Section 2.2.1, a Route Type 1 NLRI includes the tuple (Port-Local-ID, SD-WAN-Color, SD-WAN-Node-ID). The Port-Local-ID field MAY be set to zero to indicate that the NLRI applies to all WAN ports on the identified SD-WAN node, effectively representing tunnel attributes at the node level rather than a specific port.¶
When Port-Local-ID = 0, the receiving BGP speaker SHOULD apply local policy to determine how to associate client routes with underlay tunnels. This local policy may prefer tunnels from specific SD-WAN nodes, or choose among SD-WAN Colors based on administrative preference, link type, path performance, or service-level objectives. The exact selection logic is implementation-specific.¶
It is valid for multiple such node-level NLRIs to be received, each advertising different SD-WAN Colors for the same node. For example, the following three NLRIs may be received (within one or more UPDATE messages):¶
Port-Local-ID (0), SD-WAN-Color (10), SD-WAN-Node-ID (2.2.2.2),¶
Port-Local-ID (0), SD-WAN-Color (20), SD-WAN-Node-ID (2.2.2.2), and¶
Port-Local-ID (0), SD-WAN-Color (30), SD-WAN-Node-ID (2.2.2.2).¶
These indicate that node 2.2.2.2 supports multiple tunnel groups, each classified by a different SD-WAN Color. For example, these Colors may correspond to service tiers such as gold, silver, and bronze. The SD-WAN-Color field is used to correlate underlay tunnels with client routes that carry a matching Color Extended Community. If no match is found, the client route may not be forwarded over any SD-WAN tunnel.¶
An underlay route (SD-WAN NLRI) MAY only attach to one SD-WAN Hybrid Tunnel. If there are more than one SD-WAN Hybrid Tunnel TLV within a single Tunnel Encapsulation Attribute, the first is processed and the subsequent SD-WAN Hybrid Tunnel TLVs are ignored.¶
The Error handling for SD-WAN VPN support has two components: error handling for Tunnel Encapsulation signaling (Encapsulation Extended Community and Tunnel Encapsulation Attribute) and the SD-WAN NLRI. An SD-WAN NLRI, a Tunnel Encapsulation attribute MUST always accompany the SD-WAN NLRI.¶
The previous sections (3.4 and 3.5) provide the procedures for handling client routes and undelay routes.¶
The error handling for the tunnel encapsulation signaling (Encapsulation Extended Community and Tunnel Encapsulation Attribute) in this document follows the procedures specified in Section 13 of [RFC9012]. Unless otherwise stated, malformed or unrecognized Sub-TLVs MUST be handled as specified in [RFC9012]. This document defines new Sub-TLVs for Tunnel Type 25 (SD-WAN-Hybrid), but does not alter the validation behavior established in RFC 9012.¶
The Tunnel encapsulation signaled with the client routes indicates the Egress endpoint via Next Hop in the Encapsulation Extended Community or the Tunnel Encapsulation Attribute Sub-TLV for Tunnel Egress Endpoints. As indicated in the procedure in sections 3.4.2 and 3.5.2, the SD-WAN Hybrid Tunnel follows the validation Section 13 of [RFC9012].¶
The SD-WAN client routes associate some of the NLRIs that [RFC9012] associates with the Encapsulation Extended Community and the Tunnel Encapsulation Attribute using the validation specified in Section 13 of [RFC9012]. When the SD-WAN Hybrid Tunnel is associated with the SD-WAN NLRI, and all [RFC9012] validation rules in Section 13 are extended to apply to the SD-WAN NLRI.¶
[RFC9012] contains the necessary detail to specify validation for the new Sub-TLVs present for the SD-WAN Tunnel type. However, to aid users of this document the following recap of validation of [RFC9012] is provided below. The validation from Section 13 of [RFC9012] includes:¶
Invalid tunnel type MUST be treated if the TLV was not present.¶
A malformed sub-TLVs MUST be handled per Section 13 of [RFC9012]. If Tunnel Egress Endpoint is malformed, the entire TLV MUST be ignored. For security-sensitive attributes, such as those related to IPsec SA setup, malformed or invalid values MUST be discarded and MUST NOT be used in security association processing. The BGP UPDATE containing such attributes SHOULD still be processed if other attributes remain valid. Implementations SHOULD log the error for operational awareness and MAY trigger a session reset or rekeying if required by local policy. Unlike general BGP attributes, failure to process security-related information correctly could lead to misconfigurations or weakened security.¶
Multiple incidents of Tunnel Egress Endpoint Sub-TLV cause the first incident of these sub-TLVs to be utilized. Subsequent TLVs after the first one per type are ignored (per RFC9012), but propagated.¶
If a sub-TLV is meaningless for a tunnel type, the sub-TLV is ignored, but the sub-TLV is not considered malformed or removed from the Tunnel Attribute propagated with the NLRI.¶
For SD-WAN client routes with a Tunnel Encapsulation Attribute with a SD-WAN Hybrid Tunnel type TLV, the IPsec Sub-TLVs (IPsec SA ID, IPsec nonce, IPsec Public Key, IPsec Proposal, and Simplified IPsec SA) are meaningful, but MAY be rarely sent. Incorrect fields within any of these 5 TLVs. Per [RFC9012], a malformed sub-TLV is treated as an unrecognized sub-TLV.¶
For SD-WAN NLRI underlay routes, the Extended Port sub-TLV and the IPSec sub-TLVs (IPsec SA ID, IPsec nonce, IPsec Public Key, IPsec Proposal, and Simplified IPsec SA) are valid and meaningful. Incorrect fields within any of these 6 TLVs or Sub-Sub-TLVs within the TLVs SHOULD cause the sub-TLV to be treated as malformed sub-TLV. Per [RFC9012], a malformed sub-TLV is treated as an unrecognized sub-TLV.¶
If multiple instances of the IPsec nonce, IPsec Public Key, IPsec Proposal, and Simplified IPsec are received within a SD-WAN Tunnel TLV , only the first is processed. The second instance is ignored and not propagated. The IPsec SA ID MAY have multiple copies, but the IPsec SA Identifiers sent in the second sub-TLV MUST be different than any in the first IPsec SA ID sub-TLV.¶
If multiple instances of the Extended Port sub-TLV are received, the local policy MUST determine which is to be used.¶
The SD-WAN NLRI [AFI 1/SAFI = 74] utilizes a route type field to describe the format of the NLRI. This specification only allows an NLRI with a type value of 1. An NLRI with a type of field of another value is ignored and not processed. The implementation MAY log an error upon the reception of a type value outside of Route Type 1. Error handling for the SD-WAN NLRI also adheres to the BGP UPDATE error handling specified in [RFC7606].¶
The local policy configuration in the BGP peer receiving this NLRI MUST determine the validity of the route based on policy. Local configuration and policy MUST carefully constrain the SD-WAN-NLRI, tunnels, and IPsec security associations to create a "walled garden".¶
The SD-WAN NLRI (AFI=1/SAFI=74) MUST be paired with Tunnel Encapsulation attribute with a tunnel TLV for tunnel type SD-WAN-Hybrid. If the SD-WAN NLRI exist in an BGP UPDATE without a Tunnel Encapsulation Attribute with a tunnel TLV for tunnel type SD-WAN-Hybrid, the NLRI is considered malformed and Treat-as-withdraw approach (per RFC7606).¶
The SD-WAN NLRI SHOULD not be paired with an Encapsulation Extended Community. If an SD-WAN NLRI is paried with an Encapsulation Extended Community rather than a Tunnel Encapsulation Attribute, the SD-WAN NLRI is considered malformed and the Treat-as-withdraw approach (per [RFC7606]) SHOULD be used.¶
Unlike MPLS VPN whose PE nodes are all controlled by the network operators, SD-WAN edge nodes can be installed anywhere, in shopping malls, in 3rd party Cloud DCs [Net2Cloud], etc.¶
It is essential to ensure that advertisements from an SD-WAN edge node are legitimate. The RR, which maintains policy information about which SD-WAN nodes are authorized to communicate, MUST verify that the advertising BGP speaker is permitted to originate SD-WAN Hybrid Tunnel information before reflecting such routes to other peers.¶
It is critical that a SD-WAN Hybrid Tunnel forwards traffic in accordance with local policy, taking into account the client route attributes, tunnel ingress and egress endpoints, and the associated security parameters.¶
To maintain correctness and security, both the RR and BGP speakers SHOULD validate that the client routes and associated tunnel information are consistent with expected configurations. This includes verifying that:¶
Each SD-WAN node (e.g., a C-PE) can advertise its IPsec-related attributes to remote peers using Sub-TLVs within the Tunnel Encapsulation Attribute, in one of the following three forms, to support the establishment of IPsec SAs:¶
Identifiers of a pre-established IPsec SA, carried in IPsec SA ID Sub-TLV.¶
a simplified set of security parameters for setting up a IPsec SA, such as Transform type, IPsec Mode, AH/ESP Algorithms, rekey counter, 2 public keys, nonce, and duration, carried in the Simplified IPsec SA Sub-TLV.¶
A flexible representation of IPsec parameters, where the Nonce, Public Key, and SA Proposal are individually specified and carried in the IPsec SA Rekey Counter Sub-TLV, IPsec Public Key Sub-TLV, and IPsec SA Proposal Sub-TLV, respectively.¶
For existing IPsec SAs, an SD-WAN node that receives the advertisement can simply use one of the existing SAs to forward traffic for the associated client routes. If multiple SAs are available for a given client route, local policy on the receiving SD-WAN node MAY determine which SA is selected.¶
When a new IPsec SA is to be established using parameters carried in Sub-TLVs, such as the IPsec SA Rekey Counter Sub-TLV, IPsec Public Key Sub-TLV, and IPsec SA Proposal Sub-TLV, the receiving SD-WAN node MUST validate that the proposed IPsec transforms and algorithms are compatible with its local configuration. These attributes, received via the Tunnel Encapsulation Attribute, define the parameters for establishing the IPsec tunnel between local and remote WAN ports. This compatibility check is performed at the IPsec layer, not by BGP.¶
The C-PE devices do not attempt to negotiate IPsec SA parameters or transform sets with remote peers. Instead, the configurations must match as advertised. If there is a mismatch, either in the simple IPsec SA identifiers or in the detailed transform parameters, no tunnel is established. Implementations MAY discard incompatible proposals or log them for operational visibility.¶
This section provides an example illustrating how an IPsec SA is established over an SD-WAN Hybrid Tunnel. Assume an IPsec tunnel is to be created between port P2 (198.51.100.10) on C-PE1 and port P2 (192.0.2.1) on C-PE2.¶
To establish this tunnel, C-PE1 must advertise the following attributes required for setting up the IPsec SA:¶
NextHop: 198.51.100.10¶
SD-WAN Node ID: 1.1.1.1¶
SD-WAN-Site-ID: 1502¶
Tunnel Encap Attr (Type=SD-WAN) -¶
C-PE2 needs to advertise the following attributes for establishing the IPsec SA:¶
As there is no matching transform between the WAN ports P2 and P2 in C-PE1 and C-PE2, respectively, no IPsec Tunnel will be established.¶
The BGP-based signaling mechanisms described in this document are primarily intended to enable SD-WAN edge nodes to advertise underlay transport and tunnel parameters to their RR. These parameters, once received, can be monitored and validated using existing BGP monitoring tools such as BMP or route policy inspection frameworks. Operators SHOULD implement logging and alerting mechanisms for cases where inconsistent or malformed Sub-TLVs are received, as specified in Section 2.6. Misaligned parameters, such as mismatched IPsec SA IDs or invalid NAT indicators, should trigger operational alerts to aid troubleshooting. No new MIB modules or YANG models are introduced in this document, but implementations are expected to expose relevant state (e.g., tunnel type, advertised properties) via standard operational interfaces. The use of secure transport connections (e.g., BGP over IPsec/TLS) is RECOMMENDED to ensure manageability in untrusted environments.¶
This document defines BGP extensions for SD-WAN edge nodes to advertise their attributes for establishing IPsec SAs and underlay tunnel attributes, typically via a RR, which then propagates them to authorized SD-WAN peers. These BGP messages may contain sensitive information such as public keys, IPsec proposals, and nonces. In deployments where SD-WAN edge nodes communicate with the RR over public or untrusted networks, BGP MUST be run over a secure transport, such as TCP protected by IPsec or TLS. These secure channels protect all fields, including cryptographic attributes, from tampering or interception. Without such protection, the system may be vulnerable to spoofed tunnel attributes, unauthorized route injections, or replayed IPsec setup information.¶
However, in closed or "walled garden" deployments, where SD-WAN edge nodes and the RR (SD-WAN controller) are within a trusted, secured environment (e.g., a private MPLS backbone or physically secured enterprise network), the risk of interception or tampering is significantly reduced. In such cases, the use of secure transport is optional, and operators may choose to run BGP over standard TCP, based on their internal risk assessment.¶
Regardless of the transport used, BGP policy enforcement remains critical. The RR SHOULD apply strict filtering and policy controls to validate that only authorized SD-WAN edge nodes advertise specific Node IDs, Route Targets, or VPN identifiers. While route origin validation via RPKI helps, it does not cover SD-WAN-specific fields like Tunnel attributes or SA proposals. Local policies, when misconfigured, may introduce vulnerabilities; therefore, policy application points SHOULD be carefully audited.¶
Many of the general BGP security risks discussed here are also covered in [RFC4271], [RFC4272], and [RFC9012]. This document inherits those considerations and introduces no new cryptographic requirements beyond what is described for securing BGP transport and validating the correctness of SD-WAN tunnel attribute exchanges.¶
This specification does not define deployments across fully untrusted networks, but if such environments are used, strong transport security becomes a MUST, and additional validation mechanisms may be required to maintain SD-WAN tunnel and routing integrity.¶
IANA has assigned SAFI = 74 as the SD-WAN SAFI.¶
IANA is requested to assign a type from the BGP Tunnel Encapsulation Attribute Tunnel Types as follows [RFC8126]:¶
Value Description Reference ----- ------------ --------- 25 SD-WAN-Hybrid (this document)¶
IANA is requested to assign the following sub-Types in the BGP Tunnel Encapsulation Attribute Sub-TLVs registry:¶
Value Type Description Reference Section
----- ----------------------- ------------- -------
64 IPsec SA ID Sub-TLV This document 4.3.1
65 Extended Port Attribute Sub-TLV This document 4.3.6
66 Underlay Type Sub-Sub-TLV This document 4.3.6.1
67 IPsec SA Rekey Counter Sub-TLV This document 4.3.2
68 IPsec Public Key Sub-TLV This document 4.3.3
69 IPsec SA Proposal Sub-TLV This document 4.3.4
70 Simplified IPsec SA sub-TLV This document 4.3.5
¶
IANA is requested to create a new registry titled "SD-WAN Edge Discovery NLRI Route Types" under the "Border Gateway Protocol (BGP) Parameters" registry. The allocation policy for this registry shall be IETF Review (as defined in RFC 8126):¶
Value Description Reference ----- ------------ --------- 1 SD-WAN Tunnel Endpoint NLRI Route Type (this document) Values 2-255 are reserved for future assignments.¶
IANA is requested to create a new registry titled "SD-WAN Extended Port Encapsulation Types" under the BGP Tunnel Encapsulation Sub-TLV registries.¶
Value Type Description Reference
----- ----------------------- -------------
0 Reserved This document
1 GRE This document
2 VXLAN This document
3~255 Reserved for future
¶
IANA is requested to create a new registry titled "SD-WAN Extended Port Connection Types" under the BGP Tunnel Encapsulation Sub-TLV registries.¶
Value Type Description Reference
----- ----------------------- -------------
0 Reserved This document
1 Wired This document
2 WIFI This document
3 LTE This document
4 5G This document
5~255 Unassigned
255 Reserved for Experimental Use
¶
IANA is requested to create a new registry titled "SD-WAN Extended Port Physical Port Types" under the BGP Tunnel Encapsulation Sub-TLV registries.¶
Value Type Description Reference
----- ----------------------- -------------
0 Reserved This document
1 Ethernet This document
2 Fiber Cable This document
3 Coax Cable This document
4 Cellular This document
5~255 Unassigned
255 Reserved for Experimental Use
¶
Acknowledgements to Wang Haibo, Shunwan Zhuang, Hao Weiguo, and ShengCheng for implementation contribution. Many thanks to Yoav Nir, Graham Bartlett, Jim Guichard, John Scudder, and Donald Eastlake for their review and suggestions.¶
Below is a list of other contributing authors:¶