Skip to main content

BGP Usage for SD-WAN Overlay Networks
draft-ietf-bess-bgp-sdwan-usage-15

Document Type Active Internet-Draft (bess WG)
Authors Linda Dunbar , Ali Sajassi , John Drake , Basil Najem
Last updated 2023-09-27 (Latest revision 2023-09-17)
Replaces draft-dunbar-bess-bgp-sdwan-usage
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Informational
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Matthew Bocci
Shepherd write-up Show Last changed 2023-06-29
IESG IESG state IESG Evaluation
Action Holder
Consensus boilerplate Unknown
Telechat date On agenda of 2023-10-05 IESG telechat
Has enough positions to pass.
Responsible AD Andrew Alston
Send notices to matthew.bocci@nokia.com
IANA IANA review state IANA OK - No Actions Needed
draft-ietf-bess-bgp-sdwan-usage-15
Network Working Group                                         L. Dunbar
Internet Draft                                                Futurewei
Intended status: Informational                               A. Sajassi
Expires: March 17, 2024                                        Cisco
                                                               J. Drake
                                                                Juniper
                                                               B. Najem
                                                            Bell Canada
                                                     September 17, 2023
                   BGP Usage for SD-WAN Overlay Networks
                    draft-ietf-bess-bgp-sdwan-usage-15

Abstract
   The document discusses the usage and applicability of BGP as the
   control plane for multiple SD-WAN scenarios. The document aims to
   demonstrate how the BGP-based control plane is used for large-scale
   SD-WAN overlay networks with little manual intervention.

   SD-WAN edge nodes are commonly interconnected by multiple types of
   underlay networks owned and managed by different network providers.

Status of this Memo
   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, except to publish it
   as an RFC and to translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

xxx, et al.             Expires March 17, 2024                 [Page 1]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on March 17, 2009.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction...................................................3
   2. Conventions used in this document..............................4
   3. Use Case Scenario Description and Requirements.................5
      3.1. Requirements..............................................5
         3.1.1. Supporting SD-WAN Segmentation.......................5
         3.1.2. Client Service Requirement...........................6
         3.1.3. SD-WAN Traffic Segmentation..........................6
         3.1.4. Zero Touch Provisioning..............................7
         3.1.5. Constrained Propagation of SD-WAN Edge Properties....8
      3.2. Scenario #1: Homogeneous Encrypted SD-WAN.................9
      3.3. Scenario #2: Differential Encrypted SD-WAN...............10
      3.4. Scenario #3: Private VPN PE based SD-WAN.................12
   4. Provisioning Model............................................13
      4.1. Client Service Provisioning Model........................13
      4.2. Policy Configuration.....................................14
      4.3. IPsec related parameters Provisioning....................14
   5. BGP Controlled SD-WAN.........................................14
      5.1. Why BGP as Control Plane for SD-WAN?.....................14
      5.2. BGP Walk Through for Homogeneous Encrypted SD-WAN........15
      5.3. BGP Walk Through for Differential Encrypted SD-WAN.......17
      5.4. BGP Walk Through for Application Flow-Based Segmentation.18
      5.5. Benefit of Using Recursive Next Hop Resolution...........20
   6. SD-WAN Forwarding Model.......................................20

Dunbar, et al.          Expires March 17, 2024                 [Page 2]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

      6.1. Forwarding Model for Homogeneous Encrypted SD-WAN........21
         6.1.1. Network and Service Startup Procedures..............21
         6.1.2. Packet Walk-Through.................................21
      6.2. Forwarding Model for Hybrid Underlay SD-WAN..............22
         6.2.1. Network and Service Startup Procedures..............22
         6.2.2. Packet Walk-Through.................................22
      6.3. Forwarding Model for PE based SD-WAN.....................24
         6.3.1. Network and Service Startup Procedures..............24
         6.3.2. Packet Walk-Through.................................24
   7. Manageability Considerations..................................25
   8. Security Considerations.......................................25
   9. IANA Considerations...........................................25
   10. References...................................................25
      10.1. Normative References....................................26
      10.2. Informative References..................................26
   11. Acknowledgments..............................................27

1. Introduction

   Software Defined Wide Area Network (SD-WAN) optimizes the transport
   of IP Packets over multiple underlay connectivity services. Here are
   some of the main characteristics of "SD-WAN" networks:

     - Transport Augmentation, referring to utilizing paths over
       different underlay networks. There are often multiple parallel
       overlay paths between any two SD-WAN edges; some are private
       networks over which traffic can traverse with or without
       encryption; others require encryption, e.g., over untrusted
       public networks.
     - Instead of all traffic hauled to Corporate HQ for centralized
       policy control, direct Internet breakout from remote branch
       offices is allowed.
     - Some traffic can be forwarded by edge nodes, based on their
       application identifiers instead of destination IP addresses, by
       placing the traffic onto specific overlay paths based on the
       application-specific policies.
     - The traffic forwarding can also be based on specific performance
       criteria (e.g., packet delay, packet loss, jitter) to provide
       better application performance by choosing the underlay that
       meets or exceeds the specified policies.

   [Net2Cloud-Problem] describes the network-related problems relating
   to connecting enterprises' branch offices to dynamic workloads in
   different Cloud Data Centers (DC). SD-WAN has been positioned as a

Dunbar, et al.          Expires March 17, 2024                 [Page 3]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   flexible way to solve those issues; however, this can create
   significant scaling issues when hundreds or thousands of nodes need
   to be interconnected by SD-WAN overlay networks.

   This document describes using BGP as a control plane for SD-WAN
   overlay networks and services. BGP for SD-WAN overlay is a different
   layer from the underlay networks' BGP control plane instances.

2. Conventions used in this document

   Cloud DC:   Third party data centers that host applications and
               workloads owned by different organizations or tenants.

   Controller: Used interchangeably with SD-WAN controller to manage
               SD-WAN overlay path creation/deletion and monitor the
               path conditions between sites.

   CPE:        Customer Premise Equipment

   CPE-Based VPN: Virtual Private Secure network formed among CPEs.
               This differentiates from more commonly used PE-based
               VPNs [RFC4364].

   Homogeneous Encrypted SD-WAN: A SD-WAN network in which all traffic
               to/from the SD-WAN edges are carried by IPsec tunnels
               regardless of underlay networks. I.e., the client
               traffic is carried by IPsec tunnel even over MPLS
               private networks.

   ISP:        Internet Service Provider

   NSP:        Network Service Provider. NSP usually provides more
               advanced network services, such as MPLS VPN, private
               leased lines, or managed Secure WAN connections, often
               within a private, trusted domain. In contrast, an ISP
               usually provides plain Internet services over public
               untrusted domains.

   PE:         Provider Edge

Dunbar, et al.          Expires March 17, 2024                 [Page 4]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   SD-WAN Edge Node: An edge node, which can be physical or virtual,
               maps the attached clients' traffic to the wide area
               network (WAN) overlay tunnels.

   SD-WAN:     Software Defined Wide Area Network is an overlay network
               that optimizes the transport of IP packets over multiple
               underlays, forwarding traffic based on application
               policies, some of which act on application identifiers
               recognized at ingress.

   SD-WAN IPsec SA: IPsec Security Association between two SD-WAN ports
               or nodes.

   SD-WAN over Hybrid Networks: SD-WAN over Hybrid Networks typically
               have edge nodes utilizing bandwidth resources from
               different types of underlay networks, some being private
               networks and others being public Internet.

   WAN Port:   A Port or Interface facing an ISP or Network Service
               Provider (NSP), with an address allocated by the ISP or
               the NSP.

   C-PE:       SD-WAN Edge node, which can be Customer Premises
               Equipment (CPE) for customer-managed SD-WAN, or Provider
               Edge (PE) for provider-managed SD-WAN services.

   ZTP:        Zero Touch Provisioning

3. Use Case Scenario Description and Requirements

   This section describes some essential requirements for SD-WAN
   networks and several SD-WAN scenarios used by the subsequent
   sections to explain how the BGP control plane is applied.

3.1. Requirements

3.1.1. Supporting SD-WAN Segmentation

   "SD-WAN Segmentation" is a frequently used term in SD-WAN
   deployment, referring to policy-driven network partitioning. An SD-
   WAN segment is a virtual private network (SD-WAN VPN) consisting of

Dunbar, et al.          Expires March 17, 2024                 [Page 5]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   a set of edge nodes interconnected by tunnels, such as IPsec tunnels
   and MPLS VPN tunnels.

   This document assumes that SD-WAN VPN configuration on PE devices
   will, as with MPLS VPN, make use of VRFs. Additionally, it assumes
   that one SD-WAN VPN can be mapped to one or multiple virtual
   topologies governed by the SD-WAN controller's policies.

   When using BGP for SD-WAN, the Client Route UPDATE is the same as
   MPLS VPN. Route Target in the BGP Extended Community can be used to
   differentiate the routes belonging to different SD-WAN VPNs.

   As SD-WAN is an overlay network arching over multiple types of
   networks, MPLS L2VPN/L3VPN or pure L2 underlay can continue using
   the VPN ID, VN-ID, or VLAN in the data plane to differentiate
   packets belonging to different SD-WAN VPNs. For packets carried by
   an IPsec tunnel, the IPsec tunnel's inner encapsulation header can
   have the SD-WAN VPN Identifier to distinguish the packets belonging
   to different SD-WAN VPNs.

3.1.2. Client Service Requirement

   The client interface of SD-WAN edges can be IP or Ethernet-based.

   For Ethernet-based client interfaces, SD-WAN edge should support
   VLAN-based service interfaces (EVPN Instances), VLAN bundle service
   interfaces, or VLAN-Aware bundling service interfaces. EVPN service
   requirements apply to client traffic, as described in Section 3.1 of
   RFC8388.

   For IP-based client interfaces, L3VPN service requirements are
   applicable.

3.1.3. SD-WAN Traffic Segmentation

   SD-WAN Traffic Segmentation enables the separation of the traffic
   based on the business and the security needs of different user
   groups and/or application requirements. Each user group and/or
   application may need different isolated topologies and/or policies
   to fulfill the business requirements.

   For example, a retail business requires the point-of-sales (PoS)
   application to be on a different topology from other applications.
   The PoS application is routed only to the payment processing entity
   at a hub site; other applications can be routed to all other sites.

Dunbar, et al.          Expires March 17, 2024                 [Page 6]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   The traffic from the PoS application follows a tree topology in the
   figure below, whereas other traffic can follow a multipoint-to-
   multipoint topology.

                              +--------+
              Payment traffic |Payment |
                +------+----+-+gateway +------+----+-----+
               /      /     | +----+---+      |     \     \
              /      /      |      |          |      \     \
           +-+--+  +-+--+  +-+--+  |   +-+--+  +-+--+  +-+--+
           |Site|  |Site|  |Site|  |   |Site|  |Site|  |Site|
           | 1  |  |  2 |  | 3  |  |   |4   |  |  5 |  | 6  |
           +--+-+  +--+-+  +--|-+  |   +--|-+  +--|-+  +--|-+
              |       |       |    |      |       |       |
            ==+=======+=======+====+======+=======+=======+===
            Multi-point connection for non-payment traffic

   Another example is an enterprise that wants to isolate the traffic
   from different departments, with each department having its unique
   topology and policy. The HR department may need to access specific
   applications that are not accessible by the engineering department.
   Also, contractors may have limited access to the enterprise
   resources.

3.1.4. Zero Touch Provisioning

   SD-WAN zero-touch provisioning (ZTP) allows devices to be configured
   and provisioned centrally. When an SD-WAN edge is installed at a
   remote location, ZTP automates follow-up steps, including updates to
   the OS, software version, and configuration, before client traffic
   is forwarded. The ZTP can bootstrap a remote SD-WAN edge and
   establish a secure connection to the local SD-WAN Controller, making
   it convenient to add or delete an SD-WAN edge node (virtual or
   physical). ZTP for a remote SD-WAN edge usually includes the
   following steps:

     - The SD-WAN edge's customer information and its device
     identifier, such as the device series number, are added to the SD-
     WAN Central Controller.

     - Upon power-up, the SD-WAN edge can establish the transport layer
     secure connection (such as TLS, DTLS) [BCP195] to its controller,
     whose URL (or IP address) can be preconfigured on the edge device
     by manufacture default, external USB or secure Email given to the
     installer.

Dunbar, et al.          Expires March 17, 2024                 [Page 7]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     - The SD-WAN Controller authenticates the ZTP request from the
     remote SD-WAN edge with its configurations. Once the
     authentication is successful, it can designate a local network
     controller near the SD-WAN edge to pass down the initial
     configurations via the secure TLS/DTLS secure channel. The local
     network controller manages and monitors the communication policies
     for traffic to/from the edge node.

3.1.5. Constrained Propagation of SD-WAN Edge Properties

   One SD-WAN edge node may only be authorized to communicate with a
   small number of other SD-WAN edge nodes. In this circumstance, the
   property of the SD-WAN edge node cannot be propagated to other nodes
   that are not authorized to communicate. But a remote SD-WAN edge
   node, upon powering up, may not have the right policies to know
   which peers are authorized to communicate. Therefore, SD-WAN
   deployment needs to have a central point to distribute the
   properties of an SD-WAN edge node to its authorized peers.

   BGP is well suited for this purpose. RFC4684 has specified the
   procedure to constrain the distribution of BGP UPDATE to only a
   subset of nodes. Each edge node informs the Route-Reflector (RR)
   [RFC4456] on its interested SD-WAN VPNs. The RR only propagates the
   BGP UPDATE from an edge to others within the same SD-WAN VPN.

   As the connection between an SD-WAN edge and its RR can be over an
   insecure network, an SD-WAN edge must establish a secure transport
   layer connection (TLS, DTLS, etc.) to its designated RR upon power-
   up. The BGP UPDATE messages must be sent over the secure channel
   (TLS, DTLS, etc.) to the RR.

Dunbar, et al.          Expires March 17, 2024                 [Page 8]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

                              +---+
                 Peer Group 1 |RR |   Peer Group 2
                +======+====+=+   +======+====+=====+
               /      /     | +---+      |     \     \
              /      /      |            |      \     \
           +-+--+  +-+--+  +-+--+      +-+--+  +-+--+  +-+--+
           |C-PE|  |C-PE|  |C-PE|      |C-PE|  |C-PE|  |C-PE|
           | 1  |  |  2 |  | 3  |      |4   |  |  5 |  | 6  |
           +----+  +----+  +----+      +----+  +----+  +----+
                Tenant 1                   Tenant 2
          Figure 1: Peer Groups managed by RR

   Tenant separation is achieved by the SD-WAN VPN identifiers
   represented in the control plane and data plane, respectively.

3.2. Scenario #1: Homogeneous Encrypted SD-WAN

   Homogeneous Encrypted SD-WAN refers to an SD-WAN network with edge
   nodes encrypting all traffic over the WAN underlay to other edge
   nodes, regardless of whether the underlay is private or public. For
   lack of better terminology, we call this Homogeneous Encrypted SD-
   WAN throughout this document.

   Here are some typical scenarios for using Homogeneous Encryption:

   -  A small branch office connecting to its HQ offices via the
   Internet. All traffic to/from this small branch office must be
   encrypted, usually achieved by IPsec Tunnels [RFC6071].

   -  A store in a shopping mall may need to securely connect to its
   applications in one or more Cloud DCs via the Internet. A common way
   of achieving this is to establish IPsec SAs to the Cloud DC gateway
   to carry the sensitive data to/from the store.

   As described in [SECURE-EVPN], the granularity of the IPsec SAs for
   Homogeneous Encryption can be per site, per subnet, per tenant, or
   per address. Once the IPsec SA is established for a specific
   subnet/tenant/site, all traffic to/from the subnet/tenant/site is
   encrypted.

Dunbar, et al.          Expires March 17, 2024                 [Page 9]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

                                     +---+
                      +--------------|RR |------------+
                     /  Untrusted    +-+-+             \
                    /                                   \
                   /                                     \
     +----+  +---------+                             +------+  +----+
     | CN3|--|         P1-----+ -------------+------ P1     |--| CN3|
     +----+  | C-PE1   P2-----+              |       | C-PE2|  +----+
     +----+  |         P3-----+     Wide     +------ P2     |  +----+
     | CN2|--|         |      |     area     +------ P3     |--| CN1|
      +-+--+  +---------+      |   network    |       +------+  +-+--+
        \                     |              |                  /
         \   +---------+      | all packets  |       +------+  /
          +--|         P1-----+ encrypted    +------ P1     |-+
              | C-PE3   P2-----+     by       |       | C-PE4|
     +----+  |         P3-----+ IPsec SAs    +------ P2     |  +----+
     | CN1|--|         P4-----+--------------+       |      |--| CN2|
     +----+  +---------+                             +------+  +----+

   CN: Client Networks, which is same as Tenant Networks used by NVo3

                 Figure 2: Homogeneous Encrypted SD-WAN

   One of the properties of Homogeneous Encryption is that the SD-WAN
   Local Network Controller, e.g., RR in BGP-controlled SD-WAN, might
   be connected to C-PEs via an untrusted public network, therefore,
   requiring a secure connection between RR and C-PEs (TLS, DTLS,
   etc.).

   Homogeneous Encrypted SD-WAN has some properties similar to the
   commonly deployed IPsec VPN, albeit the IPsec VPN is usually point-
   to-point among a small number of nodes and with heavy manual
   configuration for IPsec between nodes. In contrast, an SD-WAN
   network can have many edge nodes and a central controller to manage
   the configurations on the edge nodes.

   Existing private VPNs (e.g., MPLS based) can use Homogeneous
   Encrypted SD-WAN to extend over the public network to remote sites
   to which the VPN operator does not own or lease infrastructural
   connectivity, as described in [SECURE-EVPN].

3.3. Scenario #2: Differential Encrypted SD-WAN

   The Differential Encrypted SD-WAN refers to an SD-WAN network in
   which traffic over the existing VPN is forwarded natively without
   encryption, and the traffic over the Public Internet is encrypted.
   Differential Encrypted SD-WAN is over hybrid private VPN and public
   Internet underlays. Since IPsec requires additional processing power

Dunbar, et al.          Expires March 17, 2024                [Page 10]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   and the encrypted traffic over the Internet does not have the
   premium SLA commonly offered by Private VPNs, especially over a long
   distance, it is more desirable for traffic over a private VPN to be
   forwarded without encryption.

   One C-PE might have the Internet-facing WAN ports managed by
   different ISPs/NSPs with the WAN ports' addresses assigned by the
   corresponding ISPs/NSPs. Clients might have policies to specify:

 1) Some flows can only be forwarded over private VPNs.
 2) Some flows can be forwarded over either private VPNs or the public
    Internet. The packets over the public Internet are encrypted.
 3) Some flows, especially Internet-bound browsing ones, can be handed
    off to the Internet without any encryption.

   Suppose a flow traversing multiple segments, such as A<->B<->C<->D,
   has Policy 2) above. The flow can cross different underlays in
   different segments, such as over Private underlay between A<->B
   without encryption or over the public Internet between B<->C
   protected by an IPsec SA.

   As shown in the figure below, C-PE-1 has two different types of
   interfaces (A1 to Internet and A2 & A3 to VPN). The C-PE's loopback
   address and the attached client addresses may or may not be visible
   to the ISPs/NSPs. The WAN ports' addresses can be allocated by the
   service providers or dynamically assigned (e.g., by DHCP).

Dunbar, et al.          Expires March 17, 2024                [Page 11]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

                                       +---+
                        +--------------|RR |----------+
                       /  Untrusted    +-+-+           \
                      /                                 \
                     /                                   \
     +----+  +---------+  packets encrypted over     +------+  +----+
     | CN3|--|         A1-----+ Untrusted    +------ B1     |--| CN1|
     +----+  | C-PE1   A2-\                          | C-PE2|  +----+
     +----+  |         A3--+--+              +---+---B2     |  +----+
     | CN2|--|         |   |PE+--------------+PE |---B3     |--| CN3|
     +----+  +---------+   +--+   trusted    +---+   +------+  +----+
                              |      WAN     |
     +----+  +---------+   +--+   packets    +---+   +------+  +----+
     | CN1|--|         C1--|PE| go natively  |PE |-- D1     |--| CN1|
     +----+  | C-PE3   C2--+--+ without encry+---+   | C-PE4|  +----+
             |         |      +--------------+       |      |
             |         |                             |      |
     +----+  |         |      without encrypt over   |      |  +----+
     | CN2|--|         C3--+---- Untrusted  --+------D2     |--| CN2|
     +----+  +---------+                             +------+  +----+

     CN: Client Network
                 Figure 3: SD-WAN with Hybrid Underlays

     Also, the connection between C-PEs and their Controller (RR) might
     be via the untrusted public network. It is necessary to encrypt
     the communication between RR and C-PEs, by TLS, DTLS, etc.

     There could be multiple SD-WAN edges (C-PEs) sharing common
     property, such as a geographic location. Some applications over
     SD-WAN may need to traverse specific geographic areas for various
     reasons, such as to comply with regulatory rules, to utilize
     specific value-added services, or others.

     Services may not be congruent, i.e., the packets from A-> B may
     traverse one underlay network, and the packets from B -> A may go
     over a different underlay.

3.4. Scenario #3: Private VPN PE based SD-WAN

   This scenario refers to the existing VPN (e.g., EVPN or IPVPN) being
   expanded by adding extra ports facing the untrusted Internet for PEs
   to offload low-priority traffic when the VPN paths are congested.

Dunbar, et al.          Expires March 17, 2024                [Page 12]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   Throughout this document, this scenario is also called Internet
   Offload for Private VPN, or PE-based SD-WAN.

   Here are some differences from the Hybrid Underlay scenario (Section
   3.3):

       - For MPLS-based VPN, PEs would have MPLS as payload
          encapsulated within the IPsec tunnel egressing the Internet
          WAN ports, MPLS-in-IP/GRE-in-IPsec.
       - The BGP RR is connected to PEs in the same way as VPN, i.e.,
          via the trusted network.

   PE-based SD-WAN can be used by VPN service providers to temporarily
   increase bandwidth between sites when not sure if the demand will
   sustain for an extended period or as a temporary solution before the
   permanent infrastructure is built or leased.

                                   +---+
                           +======>|PE2|
                         //        +---+
                        //          ^
                       //           || VPN
                      //     VPN    v
                      ++--+        ++-+       +---+
                      |PE1| <====> |RR| <===> |PE3|
                      +-+-+        +--+       +-+-+
                        |                       |
                        +--- Public Internet -- +
                                 Offload

          Figure 4: Additional Internet paths added to the VPN

4. Provisioning Model

4.1. Client Service Provisioning Model

   Client service provisioning can follow the same approach as MPLS
   VRFs. A client VPN can establish the communication policy by
   specifying the Route Targets to be imported and exported.
   Alternatively, traditional Match and Action ACLs can identify the
   specific routes allowed or denied to or from the client VPN.

Dunbar, et al.          Expires March 17, 2024                [Page 13]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   When an SD-WAN edge node is dedicated to one client with a single
   virtual network, all prefixes attached to the client port(s) on the
   edge node can be considered to be inside a single VRF, and the RR
   can manage the policies for import/export policies for that VRF.

4.2. Policy Configuration

   One of the characteristics of an SD-WAN service is that packets can
   be forwarded over multiple types of underlays. Policies are needed
   to govern which underlay paths can carry an application flow, as
   described by Section 8 of MEF70.1. An Application Flow consists of
   packets that match specific criteria. For example, client-prefix-x
   can only be mapped to MPLS topology.

4.3. IPsec related parameters Provisioning

   SD-WAN edge nodes must negotiate the supported IPsec encryption
   algorithms (AES256, AES192, AES128, etc.), the hash algorithm (SHA2
   512, SHA2 384, SHA2256, etc.), and the DH groups to establish IPsec
   tunnels between them. Each SD-WAN edge may have the default values
   assigned to them for the respective attributes, or alternatively,
   retrieve the values for those attributes from its controller to
   minimize the configuration. For a BGP-controlled SD-WAN, BGP UPDATE
   messages can propagate each node's IPsec-related attribute values
   for peers to choose the common values supported, traditionally done
   by IPsec IKEv2 [RFC7296].

5. BGP Controlled SD-WAN

5.1. Why BGP as Control Plane for SD-WAN?

   For an SD-WAN network with a small number of nodes, the traditional
   hub and spoke model utilizing Next Hop Resolution Protocol (NHRP) or
   Dynamic Smart VPN (DSVPN)/Dynamic Multipoint VPN (DMVPN) protocol
   has been found to work reasonably well. DSVPN/DMVPN has a hub node
   (or controller) managing the edge nodes, including local & public
   addresses and tunnel identifiers mapping. However, for a sizeable
   SD-WAN network, say more than 100 nodes with different underlays,
   the traditional approach becomes very messy, complex, and error-
   prone.

   Here are some of the compelling reasons for using BGP:

   -  Simplified peer authentication process:

     With a secure management channel established between an edge node
     and an RR, the RR can perform peer authentication on behalf of the

Dunbar, et al.          Expires March 17, 2024                [Page 14]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     edge node. The RR has policies on peer communication and the
     built-in capability to constrain the propagation of the UPDATE
     messages to the authorized edge nodes [RFC4684].

   - Scalable IPsec tunnel management

     When multiple IPsec tunnels are established between two pairwise
     edge nodes, BGP Tunnel Attribute Update can associate multiple
     IPsec tunnels with the client routes. In a traditional IPsec VPN,
     separate routing protocols must run in parallel in each IPsec
     Tunnel if the client routes can be load shared among the IPsec
     tunnels.

   - Simplified IPsec tunnel traffic selection configurations

     The IPsec tunnel's traffic selector or admission control can be
     inherently realized by specifying importing/exporting the Route
     Targets representing the SD-WAN VPNs.

5.2. BGP Walk Through for Homogeneous Encrypted SD-WAN

   For the BGP-controlled Homogeneous Encrypted SD-WAN, a C-PE can
   advertise its attached client routes and the properties of the IPsec
   SA in one BGP UPDATE message.

   In the figure below, the BGP UPDATE message from C-PE2 to RR can
   have the client routes encoded in the MP-NLRI Path Attribute and the
   IPsec Tunnel associated information encoded in the Tunnel-Encap
   [RFC9012] Path Attributes as described in the [SECURE-EVPN].

Dunbar, et al.          Expires March 17, 2024                [Page 15]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

                                  +---+
                        +---------|RR |----------+
                       / Untrusted+---+           \
                      /                            \
                     /                              \
             +---------+                       +---------+
           --+         |-----------------------|         |-192.0.2.4/30
             |         |                       | C-PE2   |- VLAN = 15
             | C-PE1   |                     +-|192.0.2.2|
           --|192.0.2.1|                     | |         |-192.0.2.8/30
             +---------+                     | +---------+
                                             |
                                             |
                                             |
             +---------+                     |
           --|         |---------------------+
             |         |
             | C-PE3   |
           --|192.0.2.3|
             +---------+
                 Figure 5: Homogeneous Encrypted SD-WAN

   Alternatively, the C-PE2 can use two separate BGP UPDATE messages to
   reduce the size of the BGP UPDATE messages, especially for IPsec
   tunnels terminated at edge nodes or WAN ports, as IPsec SA tunnels
   have many attributes which can change at different frequencies than
   clients' routes updates, such as IPsec SA keys periodical changes.

   When using two separate BGP UPDATE messages, which is described by
   Section 4 and 8 of [RFC9012], UPDATE U1 has its Nexthop to the node
   loopback address and is recursively resolved to the IPsec SA tunnel
   detailed attributes advertised by the UPDATE U2 for the Node
   Loopback address.

   Here are the details of the UPDATE messages:

     - Suppose that a given packet "C" destined towards the client
       addresses attached to C-PE2 (e.g., prefix 192.0.2.4/30) can be
       carried by any IPsec tunnels terminated at C-PE2.
     - The path along which "C" is to be forwarded is determined by BGP
       UPDATE U1.
     - UPDATE U1 does not have a Tunnel Encapsulation attribute.
     - UPDATE U1 can include the Encapsulation Extended Community with
       the option to have the Color Extended Community.
     - The address of the next-hop of UPDATE U1 is router C-PE2.

Dunbar, et al.          Expires March 17, 2024                [Page 16]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     - UPDATE U2 has a Tunnel Encapsulation attribute to describe the
       IPsec SA detailed attributes.

   UPDATE U1:

     - MP-NLRI Path Attribute:
         192.0.2.4/30
         192.0.2.8/30
     - Nexthop: 192.0.2.2 (C-PE2)
     - Encapsulation Extended Community: TYPE = IPsec

   UPDATE U2:
     - MP-NLRI Path Attribute:
         192.0.2.2 (C-PE2)
     - Tunnel Encapsulation Path Attributes (as described in the
     [SECURE-EVPN]) for IPsec SA detailed attributes, including the WAN
     address to be used as the IP address of the IPsec encrypted
     packets.

   If different client routes attached to C-PE2 need to be reached by
   separate IPsec tunnels, the Color-Extended-Community [RFC9012] is
   used to associate routes with the tunnels. See Section 8 of
   [RFC9012].

   Suppose C-PE2 does not have a policy on the authorized peers for the
   specific client routes. Then, the RR then needs to check the client
   routes policies to constrain the BGP UPDATE messages propagation
   only to the remote authorized edge nodes.

5.3. BGP Walk Through for Differential Encrypted SD-WAN

   In this scenario, some client routes can be forwarded over any one
   of the tunnels terminating at the edge node. Some client routes can
   only be forwarded over specific tunnels (such as only MPLS VPN).

   An edge node can use the Color Extended Community (Section 4 & 8 of
   [RFC9012]) in its BGP UPDATE message to associate the client routes
   with the specific tunnels.

Dunbar, et al.          Expires March 17, 2024                [Page 17]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   For example, in Figure 5 above, suppose that Route 192.0.2.4/30 can
   be carried by either MPLS or IPsec and Route 192.0.2.8/30 can only
   be carried by MPLS; C-PE2 can use the following UPDATE messages:

   UPDATE #1a for Route 192.0.2.4/30:

     - MP-NLRI Path Attribute:
         192.0.2.4/30
         Nexthop: 192.0.2.2 (C-PE2)
     - Encapsulation Extended Community: TYPE = SD-WAN-Hybrid
     - Color Extended Community: RED

   UPDATE #1b for Route 192.0.2.8/30:
     - MP-NLRI Path Attribute:
         192.0.2.8/30
         Nexthop: 192.0.2.2 (C-PE2)
     - Encapsulation Extended Community: TYPE = MPLS-in-GRE
     - Color Extended Community: YELLOW

   UPDATE #2a: for IPsec tunnels terminated at the node:
     - MP-NLRI Path Attribute:
         192.0.2.2 (C-PE2)
     - Tunnel Encapsulation Path Attributes: TYPE=SD-WAN-Hybrid
      Including the information about the WAN ports for receiving IPsec
      encrypted packets, the IPsec properties, etc.
     - Color Extended Community: RED

   UPDATE #2b: for MPLS-in-GRE terminated at the node:
     - MP-NLRI Path Attribute:
         192.0.2.2 (C-PE2)
     - Tunnel Encapsulation Path Attributes: TYPE=SD-WAN-Hybrid
     - Color Extended Community: YELLOW

   SD-WAN-Hybrid Tunnel Type is specified by [SD-WAN-EDGE-Discovery].

5.4. BGP Walk Through for Application Flow-Based Segmentation

   Suppose an application flow is identified by source or destination
   IP addresses. Application Flow-based Segmentation described in 3.1.2
   can be realized by constraining the BGP UPDATE messages, such that
   only the nodes that meet the criteria of the application flow

Dunbar, et al.          Expires March 17, 2024                [Page 18]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   receive these updates. The following BGP Update messages can be
   advertised to ensure that the Payment Application only communicates
   with the Payment Gateway shown in Figure 6:

   BGP UPDATE #1a from C-PE2 to RR for the P2P topology that is only
   propagated to Payment GW node:

      - MP-NLRI Path Attribute:
            - 192.0.2.9/30
            - Nexthop: 192.0.2.2
      - Encapsulation extended community: TYPE = IPsec
      - Color Extended Community: BLUE

   BGP UPDATE #1b from C-PE2 to RR is propagated to C-PE1 & C-PE3 for
   the routes to be reached by C-PE1 and C-PE3:

      - MP-NLRI Path Attribute:
            - 192.0.2.4/30
            - 192.0.2.8/30
            - Nexthop:192.0.2.2
       - Encapsulation extended community: TYPE =IPsec
       - Color Extended Community: RED

   BGP UPDATE #2a for the detailed IPsec attributes for IPsec tunnels
   terminated at C-PE2 192.0.2.2 is propagated to C-PE1 & C-PE3.

     - MP-NLRI Path Attribute:
         192.0.2.2 (C-PE2)
     - Tunnel Encapsulation Path Attributes: TYPE=IPsec (for all IPsec
     SAs)
     - Color Extended Community: RED

   UPDATE #2b for the IPsec SA to the Payment GW is only propagated to
   Payment GW:
     - MP-NLRI Path Attribute:
         192.0.2.2 (C-PE2)
     - Tunnel Encapsulation Path Attributes: TYPE=IPsec (for the IPsec
     SA to Payment GW).
     - Color Extended Community: Blue

Dunbar, et al.          Expires March 17, 2024                [Page 19]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

                                  +-------+
                                  |Payment|
                         +------->|  GW   |<----+
                        /         +-------+      \
                       /        Blue Tunnel       \
                      /for Payment App:192.0.2.9/30\
                     /                              \
             +------/--+                      +------\--+
           --|-----+   |                      |       +-| 192.0.2.9/30
             |         |     Red Tunnels      |         |
           --| C-PE1   |----------------------|         |-192.0.2.4/30
             |192.0.2.1|                      |  C-PE2  |
           --|         |----------------------|192.0.2.2|-192.0.2.8/30
             |         |                      |         |
             +---------+                     +|         |- VLAN=25;
                                            / |         |192.0.2.10/30
             +---------+                   /  +---------+
           --|         |------------------+
             | C-PE3   |                 /
             |192.0.2.3|                /
           --|         |---------------+
             +---------+
            Figure 6: Application Based SD-WAN Segmentation

5.5. Benefit of Using Recursive Next Hop Resolution

   Using the Recursive Next Hop Resolution described in Section 8 of
   [RFC9012], the clients' route UPDATE messages become very compact,
   and any attribute changes of the underlay network tunnels, such as
   IPsec key refreshing, can be advertised independently of the client
   route update. This method is handy when the underlay tunnels are
   IPsec based, which requires periodic message exchange for the
   pairwise re-keying process.

6. SD-WAN Forwarding Model

   This section describes how client traffic is forwarded in BGP
   Controlled SD-WAN for the use cases described in Section 3.

   The procedures described in Section 6 of RFC8388 are applicable for
   the SD-WAN client traffic. Like the BGP-based VPN/EVPN client routes
   UPDATE message, Route Target can distinguish routes from different
   clients.

Dunbar, et al.          Expires March 17, 2024                [Page 20]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

6.1. Forwarding Model for Homogeneous Encrypted SD-WAN

6.1.1. Network and Service Startup Procedures

   A single IPsec security association (SA) protects data in one
   direction. In the Homogeneous Encrypted SD-WAN Scenario, two SAs
   must be present to secure traffic in both directions between two C-
   PE nodes, two client ports, or two prefixes. Using Figure 2 of
   Section 3.2 as an example, for client CN2 attached to C-PE1, C-PE3,
   and C-PE4 to have a full-mesh connection, six one-directional IPsec
   SAs must be established: C-PE1 <-> C-PE3; C-PE1 <-> C-PE4; C-PE3 <->
   C-PE4.

   SD-WAN services to clients can be IP-based or Ethernet-based. An SD-
   WAN edge can learn client routes from the client-facing ports via
   OSPF, RIP, BGP, or static configuration for its IP-based services.
   For Layer-2 SD-WAN services, the relevant EVPN parameters, such as
   the ESI (Ethernet Segment Identifier), EVI, and CE-VID (Customer
   Edge Virtual Instance Identifier) to EVI mapping, can be configured
   similarly to EVPN described in RFC8388.

   Instead of running IGP within each IPsec tunnel done by the
   traditional IPsec VPN, BGP RR can propagate UPDATE messages of the
   client routes attached to an SD-WAN edge node to its authorized
   peers.

   In addition, the BGP-RR (SD-WAN Controller) facilitates the IPsec SA
   establishment and rekey management as described in [SECURE-EVPN].
   The controller manages how clients' routes are associated with
   individual IPsec SA. Therefore, it is no longer necessary to
   manually configure the IPsec tunnel's endpoint addresses on each SD-
   WAN edge node and set up policies for the allowed client prefixes.

6.1.2. Packet Walk-Through

   For unicast packets forwarding:

     An IPsec SA terminated at a C-PE node can have multiple client
     routes multiplexed in the IPsec SA (or tunnel). Packets to/from
     the client prefixes are encapsulated in an inner tunnel, such as
     GRE or VxLAN. Different client traffic can be differentiated by a
     unique value in the inner encapsulation key or ID field. The GRE
     or VxLAN tunnel is encapsulated by an outer IP header whose
     destination & source addresses are the C-PE nodes loopback
     addresses and most likely has the Protocol-code = ESP (50).

     C-PE Node-based IPsec tunnel is inherently protected when the C-PE
     has multiple WAN ports to different underlay paths. As shown in

Dunbar, et al.          Expires March 17, 2024                [Page 21]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     Figure 2, when one of the underlay paths fails, the IPsec traffic
     can be forwarded to or received from a different physical port.

     When a C-PE receives an IPsec encrypted packet from its WAN ports,
     it decrypts the packet and forwards the inner packet to the client
     port based on the inner packet's destination address.

   For multicast packets forwarding:

     IPsec was created to be a security protocol between two and only
     two devices, so multicast service using IPsec is problematic. An
     IPsec peer encrypts a packet so that only one other IPsec peer can
     successfully perform the de-encryption. A straightforward way to
     forward a multicast packet for the Homogeneous Encrypted SD-WAN is
     to encapsulate the multicast packet in separate unicast IPsec SA
     tunnels. More optimized forwarding multicast packets for the
     Homogeneous Encrypted SD-WAN is out of the scope of this document.

6.2. Forwarding Model for Hybrid Underlay SD-WAN

   In this scenario, as shown in Figure 3 of Section 3.3, traffic
   forwarded over the trusted VPN paths can be native (i.e.,
   unencrypted). The traffic forwarded over untrusted networks need to
   be protected by IPsec SA.

6.2.1. Network and Service Startup Procedures

   Infrastructure setup: The proper MPLS infrastructure must be
   configured among the edge nodes, i.e., the C-PE1/C-PE2/C-PE3/C-PE4
   of Figure 3. The IPsec SA between WAN ports or nodes must be set up
   as well. IPsec SA related attributes on edge nodes can be
   distributed by BGP UPDATE messages as described in Section 5.

   There could be policies governing how flows can be forwarded, as
   specified by MEF70.1.  For example, "Private-only" indicates that
   the flows can only traverse the MPLS VPN underlay paths.

6.2.2. Packet Walk-Through

   For unicast packets forwarding:

     Upon receiving a packet from a client port, if the packet belongs
     to a flow that can only be forwarded over the MPLS VPN, the
     forwarding processing is the same as the MPLS VPN. Otherwise, the
     C-PE node can make the local decision in choosing the least cost
     path, including the prior established MPLS paths and IPsec

Dunbar, et al.          Expires March 17, 2024                [Page 22]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     Tunnels, to forward the packet. Packets forwarded over the trusted
     MPLS VPN can be native without any additional encryption, while
     the packets sent over the untrusted networks need to be encrypted
     by IPsec SA.

     For a C-PE with multiple WAN ports provided by different ISPs,
     separate IPsec SAs can be established for the different WAN ports.
     In this case, the C-PE have multiple IPsec tunnels in addition to
     the MPLS path to choose from to forward the packets from the
     client ports.

     If the IPsec SA is chosen, the packet is encapsulated by the IPsec
     header and encrypted by the IPsec SA before forwarding it to the
     WAN.

     For packets received from an MPLS path, processing is the same as
     MPLS VPN.

     For IPsec SA encrypted packets received from the WAN ports, the
     packets are decrypted, and the inner payload is decapsulated and
     forwarded per the forwarding table of the C-PE. For all packets
     from the Internet-facing WAN ports, the additional anti-DDoS
     mechanism has to be enabled to prevent potential attacks from the
     Internet-facing ports. Control Plane should not learn routes from
     the Internet-facing WAN ports.

                                       +---+
                        +--------------|RR |----------+
                       /               +-+-+           \
                      /                                 \
                     /                                   \
     +----+  +---------+  packets encrypted over    +---------+  +----+
     | CN3|--|         A1-----+ Untrusted    +----- B1        |--| CN1|
     +----+  | C-PE-a  A2-----+              +------B2 C-PE-b |  +----+
             |192.0.2.1|                            |192.0.2.2|
     +----+  |         |   +--+              +---+  |         |  +----+
     | CN2|--|         A3  |PE+--------------+PE |--B3        |--| CN3|
     +----+  +---------+   +--+   trusted    +---+  +---------+  +----+
                              |     VPN      |
                              +--------------+
          Figure 8: SD-WAN with Hybrid Underlays

   For multicast packets forwarding:

     For multicast traffic, MPLS multicast [RFC6513, RFC6514, or
     RFC7988] can be used to forward multicast traffic.

Dunbar, et al.          Expires March 17, 2024                [Page 23]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

     If IPsec tunnels are chosen for a multicast packet, the packet is
     encapsulated and encrypted by multiple separate IPsec tunnels to
     the desired destinations.

6.3. Forwarding Model for PE based SD-WAN

6.3.1. Network and Service Startup Procedures

   In this scenario, all PEs have secure interfaces facing the clients
   and facing the MPLS backbone, with some PEs having extra ports to
   the untrusted public Internet. The public Internet paths are for
   offloading low priority traffic when the MPLS paths get congested.
   The PEs are already connected to their RRs, and the configurations
   for the clients and policies are already established.

6.3.2. Packet Walk-Through

   For PEs to offload some MPLS packets to the Internet path, each MPLS
   packet is wrapped by an outer IP header as MPLS-in-IP or MPLS-in-GRE
   [RFC4023]. The outer IP address can be an interface address or the
   PE's loopback address.

   When IPsec Tunnel mode is used to protect an MPLS-in-IP packet, the
   entire MPLS-in-IP packet is placed after the IPsec tunnel header.

   When IPsec transport mode is used to protect the MPLS packet, the
   MPLS-in-IP packet's IP header becomes the outer IP header of the
   IPsec packet, followed by an IPsec header, and then followed by the
   MPLS label stack. The IPsec header must set the payload type to MPLS
   by using the IP protocol number specified in section 3 of RFC4023.

   If IPsec transport mode is applied to an MPLS-in-GRE packet, the GRE
   header follows the IPsec header.

   The IPsec SA's endpoints should not be the client-facing interface
   addresses unless the traffic to/from those clients always goes
   through the IPsec SA even when the MPLS backbone has enough capacity
   to transport the traffic.

   When the PEs' Internet-facing ports are behind the NAT [RFC3715], an
   outer UDP field can be added outside the encrypted payload
   [RFC3948]. Three UDP ports must be open on the PEs: UDP port 4500
   (used for NAT traversal), UDP port 500 (used for IKE), and IP
   protocol 50 (ESP). IPsec IKE (Internet Key Exchange) between the two
   PEs would be over the NAT [RFC3947] as well.

Dunbar, et al.          Expires March 17, 2024                [Page 24]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   Upon receiving a packet from a client port, the forwarding
   processing is the same as the MPLS VPN. If the MPLS backbone path to
   the destination is deemed congested, the IPsec tunnel towards the
   target PEs is used to encrypt the MPLS-in-IP packet.

   Upon receiving a packet from the Internet-facing WAN port, the
   packet is decrypted, and the inner MPLS payload is extracted to be
   sent to the MPLS VPN engine.

   Same as Scenario #2, the additional anti-DDoS mechanism must be
   enabled to prevent potential attacks from the Internet-facing port.
   Control Plane should not learn routes from the Internet-facing WAN
   ports.

7. Manageability Considerations

     BGP-controlled SD-WAN utilizes the BGP RR to facilitate the routes
     and underlay properties distribution among the authorized edge
     nodes. With RR having the preconfigured policies about the
     authorized peers, the peer-wise authentications of the IPsec IKE
     (Internet Key Exchange) are significantly simplified.

8. Security Considerations

   Adding an Internet-facing WAN port to a C-PE can introduce the
   following security risks:

   1) Potential DDoS attacks from the Internet-facing ports.

   2) Potential risk of illegal traffic being injected via the
   Internet-facing WAN ports.

   Therefore, the additional anti-DDoS mechanism must be enabled on all
   Internet-facing ports to prevent potential attacks from those ports.
   Control Plane should not learn any routes from the Internet-facing
   WAN ports.

9. IANA Considerations

       No Action is needed.

10. References

Dunbar, et al.          Expires March 17, 2024                [Page 25]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

10.1. Normative References

   [BCP195]  RFC8996, RFC9325.

   [RFC3715] B. Aboba, W. Dixon, "IPsec-Network Address Translation
             (NAT) Compatibility Requirements", March 2004.

   [RFC3947] T. Kivinen, et al, "Negotiation of NAT Traversal in the
             IKE", Jan. 2005.

   [RFC3948] A. Huttunen, et al, "UDP Encapsulation of IPsec ESP
             Packets", Jan 2005.

   [RFC4023] T. Worster, Y. Rekhter, E. Rosen, "Encapsulating MPLS in
             IP or Generic Routing Encapsulation (GRE)", March 2005.

   [RFC4364] E. Rosen, Y. Rekhter, "BGP/MPLS IP Virtual Private
             networks (VPNs)", Feb 2006.

   [RFC4456] T. Bates, E. Chen, R. Chandra, "BGP Route Reflection: An
             Alternative to Full Mesh Internal BGP (IBGP)", April 2006.

   [RFC4684] P. Marques, et al, "Constrained Route Distribution for
             BGP/MPLS IP VPNs", November 2006.

   [RFC6071] S. Frankel, S. Krishan, "IP Security (IPsec) and Internet
             Key Exchange (IKE) Document Roadmap", Feb 2011.

   [RFC7296] C. Kaufman, et al, "Internet Key Exchange Protocol Version
             2 (IKEv2)", Oct 2014.

   [RFC9012] K.Patel, et al "The BGP Tunnel Encapsulation Attribute",
             RFC9012, April 2021.

10.2. Informative References

   [SD-WAN-EDGE-Discovery] L. Dunbar, S. Hares, R. Raszuk, K. Majumdar,
             "BGP UPDATE for SD-WAN Edge Discovery", draft-ietf-idr-
             sdwan-edge-discovery-10, June 2023.

Dunbar, et al.          Expires March 17, 2024                [Page 26]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

   [SECURE-EVPN] A. Sajassi, et al, "Secure EVPN", draft-ietf-bess-
             secure-evpn-00, Work-in-progress, June 2023.

   [Net2Cloud-Problem] L. Dunbar and A. Malis, "Seamless Interconnect
             Underlay to Cloud Overlay Problem Statement", draft-ietf-
             rtgwg-net2cloud-problem-statement-26, April 2023.

   [MEF70.1] SD-WAN Service Attributes and Service Framework, Nov 2021.

11. Acknowledgments

   Acknowledgements to Andrew Alston, Adrian Farrel, Jim Guichard, Joel
   Halpern, John Scudder, Darren Dukes, Andy Malis, Donald Eastlake,
   and Victo Sheng for their review and contributions.

   This document was prepared using 2-Word-v2.0.template.dot.

Dunbar, et al.          Expires March 17, 2024                [Page 27]
Internet-Draft           BGP Usage for SD-WAN        September 17, 2023

Authors' Addresses

   Linda Dunbar
   Futurewei
   Email: ldunbar@futurewei.com

   James Guichard
   Futurewei
   Email: james.n.guichard@futurewei.com

   Ali Sajassi
   Cisco
   Email: sajassi@cisco.com

   John Drake
   Juniper
   Email: jdrake@juniper.net

   Basil Najem
   Bell Canada
   Email: basil.najem@bell.ca

Contributor's Addresses

   David Carrel
   Graphiant
   Email: carrel@graphiant.com

   Ayan Banerjee
   Cisco
   Email: ayabaner@cisco.com

Dunbar, et al.          Expires March 17, 2024                [Page 28]