BGP IPsec Tunnel Encapsulation Attribute
RFC 5566
Network Working Group                                         L. Berger
Request for Comments: 5566                                         LabN
Category: Standards Track                                      R. White
                                                               E. Rosen
                                                          Cisco Systems
                                                              June 2009
BGP IPsec Tunnel Encapsulation Attribute
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
The BGP Encapsulation Subsequent Address Family Identifier (SAFI)
provides a method for the dynamic exchange of encapsulation
information and for the indication of encapsulation protocol types to
be used for different next hops. Currently, support for Generic
Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TPv3), and
IP in IP tunnel types is defined. This document defines support for
IPsec tunnel types.
Berger, et al. Standards Track [Page 1]
RFC 5566 BGP IPsec Tunnel Encapsulation June 2009
Table of Contents
1. Introduction ....................................................2
   1.1. Conventions Used in This Document ..........................2
2. Tunnel Encapsulation Types ......................................3
3. Use of IPsec Tunnel Types .......................................3
4. IPsec Tunnel Authenticator sub-TLV ..............................4
   4.1. Use of the IPsec Tunnel Authenticator sub-TLV ..............5
5. Security Considerations .........................................5
6. IANA Considerations .............................................6
7. References ......................................................7
   7.1. Normative References .......................................7
   7.2. Informative References .....................................7
8. Acknowledgments .................................................8
1. Introduction
The BGP [RFC4271] Encapsulation Subsequent Address Family Identifier
(SAFI) allows for the communication of tunnel information and for the
association of this information to a BGP next hop. The Encapsulation
SAFI can be used to support the mapping of prefixes to next hops and
tunnels of the same address family, IPv6 prefixes to IPv4 next hops
and tunnels using [RFC4798], and IPv4 prefixes to IPv6 next hops and
tunnels using [RFC5549]. The Encapsulation SAFI can also be used to
support the mapping of VPN prefixes to tunnels when VPN prefixes are
advertised per [RFC4364] or [RFC4659]. [RFC5565] provides useful
context for the use of the Encapsulation SAFI.
The Encapsulation SAFI is defined in [RFC5512]. [RFC5512] also
defines support for the GRE [RFC2784], L2TPv3 [RFC3931], and IP in IP
[RFC2003] tunnel types. This document builds on [RFC5512] and
defines support for IPsec tunnels. Support is defined for IP
Authentication Header (AH) in tunnel mode [RFC4302] and for IP
Encapsulating Security Payload (ESP) in tunnel mode [RFC4303]. The
IPsec architecture is defined in [RFC4301]. Support for IP in IP
[RFC2003] and MPLS-in-IP [RFC4023] protected by IPsec Transport Mode
is also defined.
The Encapsulation Network Layer Reachability Information (NLRI)
Format is not modified by this document.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Tunnel Encapsulation Types
Per [RFC5512], tunnel type is indicated in the Tunnel Encapsulation
attribute. This document defines the following tunnel type values:
- Transmit tunnel endpoint: Tunnel Type = 3
- IPsec in Tunnel-mode: Tunnel Type = 4 [RFC4302], [RFC4303]
- IP in IP Tunnel with IPsec Transport Mode: Tunnel Type = 5
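An added example (not from the RFC or any vendor code) that decodes a Tunnel Encapsulation attribute value in the RFC 5512 TLV layout, names the tunnel types including the ones defined here, and applies a receiver-side policy that only accepts IPsec-protected types; the sample attribute bytes are constructed, and treating only types 4 and 5 as IPsec protected is this example's assumption, not a rule of the document.

```python
import struct

# Tunnel Types: 3, 4, 5 are defined here; 1, 2, 7 (L2TPv3, GRE, IP in IP) by RFC 5512.
TUNNEL_TYPES = {1: "L2TPv3 over IP", 2: "GRE", 3: "Transmit tunnel endpoint",
                4: "IPsec in Tunnel-mode",
                5: "IP in IP Tunnel with IPsec Transport Mode", 7: "IP in IP"}
# Example policy (assumption, not an RFC rule): accept only IPsec-protected types.
IPSEC_PROTECTED = frozenset({4, 5})
# Constructed sample: a GRE TLV (no sub-TLVs), then IPsec tunnel-mode with one sub-TLV.
SAMPLE_ATTR = (struct.pack("!HH", 2, 0)
               + struct.pack("!HH", 4, 6) + bytes([4, 4, 0, 0, 0, 9]))

def parse_tunnel_encap(attr):
    """Decode the RFC 5512 layout (2-octet Tunnel Type, 2-octet Length,
    sub-TLVs with 1-octet Type and Length) into [(type, name, [(sub, val)])];
    a length that overruns its container raises ValueError."""
    tunnels, off = [], 0
    while off < len(attr):
        if off + 4 > len(attr):
            raise ValueError("truncated tunnel TLV header")
        ttype, tlen = struct.unpack_from("!HH", attr, off)
        off += 4
        if off + tlen > len(attr):
            raise ValueError("tunnel TLV length exceeds attribute")
        value, off = attr[off:off + tlen], off + tlen
        subs, soff = [], 0
        while soff < len(value):
            if soff + 2 > len(value):
                raise ValueError("truncated sub-TLV header")
            stype, slen = value[soff], value[soff + 1]
            if soff + 2 + slen > len(value):
                raise ValueError("sub-TLV length exceeds tunnel TLV")
            subs.append((stype, value[soff + 2:soff + 2 + slen]))
            soff += 2 + slen
        tunnels.append((ttype, TUNNEL_TYPES.get(ttype, "unknown"), subs))
    return tunnels

def is_well_formed(attr):
    # True when every TLV and sub-TLV length fits inside its container.
    try:
        parse_tunnel_encap(attr)
        return True
    except ValueError:
        return False

def select_protected_tunnel(attr):
    """First advertised tunnel type that is IPsec protected, else None."""
    for ttype, _, _ in parse_tunnel_encap(attr):
        if ttype in IPSEC_PROTECTED:
            return ttype
    return None
```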