SD-WAN Headers
Site local traffic is given a MPLS label to identify the VPN.
Then the site data in encapsulated in IPsec for privacy.
Then the IPsec is encapsulated in UDP so it can be load balanced nicely.
Encryption is AES-256-GCM.
IP Encapsulation of MPLS is via RFC 4023.
UDP encapsulation of IPSec is via RFC 3948.
RFC 3948 style IPsec encapsulation of UDP.
UDP
This service doesn’t provide strong authentication.
┌──────────────────────────────┐
│ Outer IP Header │
├──────────────────────────────┤
│ UDP Header │
├───────────────┬──────────────┤
│ ESP Header │ Sequence │
│ SPI │ Number │
├────────────┬──┴──┬───┬───────┤
│ MPLS Label │ EXP │ S │ TTL │
├────────────┴─────┴───┴───────┤
│ Inner IP Header │
├──────────────────────────────┤
│ Inner TCP Header │
├──────────────────────────────┤
│ Payload Data │
├─────────────────┬────────────┤
│ Add to ESP │ ESP Next │
│ Trailer Padding │ Header │
│ (always 0) │ │
└─────────────────┴────────────┘
ESP/UDP encapsulation
This is a version of ESP that’s been extended to provide authentication.
┌──────────────────────────────┐
│ Outer IP Header │
├──────────────────────────────┤
│ UDP Header │
├───────────────┬──────────────┤
│ ESP Header │ Sequence │
│ SPI │ Number │
├─────────────┬─┴───┬───┬──────┤
│ MPLS Label │ EXP │ S │ TTL │
├─────────────┴─────┴───┴──────┤
│ Inner IP Header │
├──────────────────────────────┤
│ Inner TCP Header │
├──────────────────────────────┤
│ Payload Data │
├─────────────────┬────────────┤
│ Add to ESP │ ESP Next │
│ Trailer Padding │ Header │
│ (always 0) │ │
├─────────────────┴────────────┤
│ ICV Checksum │
└──────────────────────────────┘
References
Cisco - SD-WAN Security Configuration Guide, IOS XE 17.x - Security Overview