| Internet-Draft | BGP Sec Sync | July 2026 |
| Xu, et al. | Expires 6 January 2027 | [Page] |
This document defines a new BGP Address Family, termed the Secure Session Synchronization Address Family, allowing BGP speakers to exchange stateful firewall, NAT, and IPSec session information across distributed nodes. This architecture facilitates zero-packet-loss failover and seamless path protection for Secure SD-WAN, SASE, and SSE multi-POP deployments, entirely bypassing the scalability limits of traditional layer-2 synchronization protocols.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern Secure SD-WAN and Secure Access Service Edge (SASE/SSE) architectures rely heavily on dynamic, stateful packet inspection deployed on edge Customer Premises Equipment (CPE) and distributed Cloud Points of Presence (POPs). When link failures or node outages trigger a data-plane switchover, traffic is rerouted to an alternate gateway node.¶
However, traditional routing protocols only synchronize Layer 3 reachability. The underlying stateful security contexts—such as TCP sequence numbers, NAT translation bindings, and IPSec anti-replay windows—are lost during the transition. This mismatch forces edge clients to re-establish hundreds of thousands of concurrent active sessions, leading to substantial packet drops, broken flows, and severe application degradation.¶
Existing state synchronization mechanisms (e.g., dedicated single-hop sync links) are bounded by proprietary protocols and cannot scale across multi-hop wide area networks (WANs) or mesh topologies.¶
This document leverages BGP's proven database scalability by introducing a novel Address Family dedicated to carrying session states as control-plane attributes. Using BGP Route Reflectors (RRs) and Route Target (RT) filtering constraints, session states can be selectively and efficiently broadcasted to eligible backup peers, enabling hitless stateful cross-POP/site failovers.¶
To transport secure session states without interfering with existing unicast routing structures, this document requests a new Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) from IANA:¶
BGP speakers MUST negotiate Capability Advertisements [RFC5492] for AFI=TBD1 / SAFI=TBD2 during the BGP session initialization phase.¶
The Secure Session Network Layer Reachability Information (NLRI) is carried inside BGP UPDATE messages using MP_REACH_NLRI and MP_UNREACH_NLRI attributes [RFC4760]. The unique "key" that identifies a discrete network session is structured within the NLRI as follows:¶
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length (2 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Route Distinguisher |
| (8 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IP Version | Protocol | Reserved |
| (1=IPv4,2=IPv6| (TCP, UDP) | 0x00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source IP Address |
| (4 octets or 16 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination IP Address |
| (4 octets or 16 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
¶
Route Distinguisher (RD): An 8-octet identifier used to isolate overlapping IP spaces belonging to distinct VRFs or enterprise tenants sharing the same multi-tenant SASE fabric.¶
Protocol: Matches the IP packet header protocol field (e.g., 6 for TCP, 17 for UDP).¶
Source / Destination IPs and Ports: Defines the strict 5-tuple identifying the communication flow.¶
Dynamic session parameters that fluctuate over time MUST NOT be encoded inside the static NLRI key. Instead, they MUST be advertised via a new optional, non-transitive BGP attribute named the **Secure Session Attribute**. This attribute is composed of individual TLVs:¶
Because data-plane session allocations happen at scales multiple orders of magnitude higher than standard infrastructure routing updates, implementations MUST strictly comply with the following control-plane dampening rules to maintain BGP process stability:¶
A BGP speaker MUST NOT generate a BGP UPDATE message for every individual TCP packet or state transition (e.g., handshaking phase).¶
The generation of an MP_REACH_NLRI for a TCP session MUST be deferred until the local security engine verifies the session has successfully entered the `ESTABLISHED` state.¶
BGP speakers running this address family MUST implement a mandatory coalescing timer (suggested default: 200 milliseconds).¶
Newly established sessions captured within this window MUST be aggregated and transmitted in bulk within a single BGP UPDATE message, effectively dampening packet processing stress on the BGP peer.¶
When an active session naturally times out or intercepts an explicit teardown sequence (TCP FIN or RST), the originating node MUST queue an MP_UNREACH_NLRI to withdraw the session key from the network.¶
Backup nodes receiving this withdrawal MUST purge the matching entry from their shadow forwarding tables.¶
Transporting exact firewall session tables over BGP means that if an unauthorized entity eavesdrops on the control-plane data, they gain access to the entire active topology and session matrix of the network. Therefore, sessions utilizing this address family MUST enforce transport-layer encryption mechanisms such as TLS [RFC8205] or IPsec protection for the BGP peering sessions.¶
This document requests IANA to allocate an AFI value of TBD1 for the "Secure Session Space" and a SAFI value of TBD2 for "Session State Synchronization".¶
The following people made significant contributions to this document:¶
To be added.¶
The authors would like to acknowledge the review and inputs from xxx.¶