| Internet-Draft | Underlay for IPsec Transport | January 2026 |
| Willman | Expires 3 August 2026 | [Page] |
This document specifies CONDUIT, a tunnel fabric management protocol for tactical and enterprise networks operating over heterogeneous Wide Area Network (WAN) links. CONDUIT automates the lifecycle management of IPsec tunnels, monitors tunnel health through active probing, and publishes quality metrics to enable Segment Routing over IPv6 (SRv6) based traffic engineering.¶
CONDUIT follows a strict separation of concerns: it manages the underlay tunnel fabric while delegating all traffic engineering decisions to SRv6. This architecture simplifies network operations, enables rapid adaptation to changing WAN conditions, and leverages standard SRv6 capabilities including Flexible Algorithm (Flex-Algo) and Topology-Independent Loop-Free Alternate (TI-LFA).¶
The protocol is fully programmable via gRPC and mandates compliance with Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) cryptographic requirements.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern tactical and enterprise networks increasingly operate over diverse Wide Area Network (WAN) links with varying characteristics:¶
Satellite Communications (SATCOM): Both Geostationary (GEO) with approximately 600ms round-trip latency and Low Earth Orbit (LEO) with 20-40ms latency, limited bandwidth, and weather sensitivity.¶
Line-of-Sight (LOS) Radio: Low latency, high mobility, but terrain-dependent coverage.¶
Cellular Networks (LTE/5G): Variable quality, broad coverage, but may traverse untrusted infrastructure.¶
High Frequency (HF) Radio: Very low bandwidth but extended range with atmospheric effects.¶
Wired Connections: When available at fixed installations.¶
Managing IPsec tunnels across these heterogeneous links presents significant operational challenges:¶
Links appear and disappear as network elements move or environmental conditions change.¶
Link quality varies dramatically and unpredictably.¶
Multiple paths to each destination may exist simultaneously.¶
Failover must complete within sub-second timeframes to maintain voice and command-and-control (C2) applications.¶
All traffic must be encrypted using approved cryptographic algorithms.¶
Existing approaches typically couple tunnel management with traffic engineering decisions, creating unnecessary complexity and limiting interoperability with standard routing protocols.¶
CONDUIT adheres to a strict separation of concerns:¶
SRv6 Traffic Engineering Layer: Responsible for all path selection decisions, including Flexible Algorithm computation, fast reroute via TI-LFA, traffic class steering, and load balancing across equal-cost paths.¶
CONDUIT Tunnel Fabric Layer: Responsible for tunnel lifecycle management (creation, maintenance, deletion), health monitoring through active probing, metric publication to enable SRv6-based decisions, and IPsec security association management.¶
This separation ensures that CONDUIT does not duplicate functionality available in standard SRv6 implementations while providing essential tunnel management capabilities that SRv6 requires but does not natively provide.¶
The following quantitative goals guide CONDUIT's design:¶
| Parameter | Requirement |
|---|---|
| Tunnel Scale | Support for 1000+ tunnels per node |
| Failover Detection | Less than 500ms to detect tunnel failure |
| Metric Publish Rate | 1 Hz default, 10 Hz burst capability |
| Cryptographic Suite | Full CNSA 2.0 compliance |
| API Coverage | 100% of functionality accessible via gRPC |
| Probe Overhead | Less than 1% of available bandwidth |
This document specifies:¶
Tunnel lifecycle management procedures¶
Health monitoring through active probing¶
Metric calculation and publishing mechanisms¶
Control protocol message formats¶
Integration requirements for SRv6-based traffic engineering¶
Cryptographic requirements for CNSA 2.0 compliance¶
This document does not specify:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A device implementing the CONDUIT protocol.¶
A remote node with which tunnels are established.¶
A Wide Area Network interface, either physical or virtual,¶
capable of carrying IP traffic to remote peers.¶
An IPsec-protected communication path between two WAN¶
interfaces on different nodes.¶
The complete set of tunnels managed by a CONDUIT node.¶
A measurement packet transmitted through a tunnel to assess¶
its quality characteristics.¶
A quantitative measure of tunnel quality, such as latency,¶
jitter, or packet loss.¶
The SRv6 locator block assigned to a node, typically a /48¶
IPv6 prefix.¶
Commercial National Security Algorithm Suite¶
Equal-Cost Multi-Path¶
Encapsulating Security Payload¶
Flexible Algorithm¶
Geostationary Earth Orbit¶
gRPC Remote Procedure Call¶
Hash-based Message Authentication Code¶
Interior Gateway Protocol¶
Internet Key Exchange¶
Low Earth Orbit¶
Line-of-Sight¶
Mutual Transport Layer Security¶
Round-Trip Time¶
Security Association¶
Security Parameter Index¶
Shared Risk Link Group¶
Segment Routing over IPv6¶
Traffic Engineering¶
TI-LFA: Topology-Independent Loop-Free Alternate¶
A CONDUIT deployment consists of the following components:¶
SDN Controller (Optional): Provides centralized policy management, SRv6 policy configuration, and network-wide optimization. Communicates with CONDUIT nodes via gRPC.¶
SRv6 Data Plane: Executes traffic engineering decisions using standard SRv6 mechanisms including IS-IS or OSPFv3 with SRv6 extensions, Flexible Algorithm for constraint-based path computation, and TI-LFA for sub-50ms fast reroute.¶
CONDUIT Daemon: Manages the tunnel fabric, comprising the Tunnel Lifecycle Manager for creating and deleting tunnels, Health Monitor for probing tunnel quality, Metric Publisher for feeding metrics to SRv6/IGP, and the gRPC API Server for external control.¶
IKEv2/IPsec Subsystem: Handles cryptographic operations and security association management. CONDUIT interfaces with this subsystem but does not implement cryptographic operations directly.¶
WAN Interfaces: Physical or virtual interfaces connecting to various transport networks.¶
CONDUIT creates tunnels between WAN interfaces according to the configured tunnel policy. In a full mesh configuration with N local WANs and M remote WANs to a given peer, CONDUIT establishes up to N x M tunnels.¶
For example, consider a node with three WAN interfaces (SATCOM, LOS Radio, and LTE) connecting to a peer also having three WAN interfaces. A full mesh fabric would comprise nine tunnels:¶
SATCOM to SATCOM¶
SATCOM to LOS¶
SATCOM to LTE¶
LOS to SATCOM¶
LOS to LOS¶
LOS to LTE¶
LTE to SATCOM¶
LTE to LOS¶
LTE to LTE¶
Each tunnel becomes a distinct interface visible to the SRv6 data plane and IGP. The IGP sees multiple adjacencies to the same peer, each with potentially different metrics based on tunnel quality.¶
CONDUIT explicitly delegates the following functions to SRv6:¶
| Function | Mechanism |
|---|---|
| Path Selection | SRv6 Flex-Algo, IGP SPF computation |
| Traffic Classification | SRv6 Policy color matching |
| Load Balancing | IGP ECMP across equal-metric tunnels |
| Fast Reroute | TI-LFA pre-computed backup paths |
| QoS Marking | SRv6 Traffic Class field |
CONDUIT is responsible for:¶
| Function | Mechanism |
|---|---|
| Tunnel Creation | Automatic based on WAN availability |
| Tunnel Deletion | Automatic when WAN becomes unavailable |
| Health Monitoring | Active probing with configurable rates |
| Metric Calculation | RTT, jitter, loss measurement |
| Metric Publishing | Interface metrics, IGP TE extensions |
| IPsec SA Management | Via IKEv2 with CNSA 2.0 parameters |
CONDUIT implementations MUST comply with the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) as specified by the National Security Agency for protection of classified information.¶
Implementations intended for use in environments not requiring CNSA 2.0 compliance MAY support additional algorithms but MUST default to CNSA 2.0 algorithms and MUST provide configuration options to enforce CNSA 2.0-only operation.¶
The following algorithms are REQUIRED:¶
| Function | Algorithm | Parameters |
|---|---|---|
| Symmetric Encryption | AES-256-GCM | 256-bit key, 96-bit IV, 128-bit authentication tag |
| Key Exchange | ECDH | P-384 curve (secp384r1) |
| Digital Signature | ECDSA | P-384 curve (secp384r1) |
| Hash Function | SHA-384 | 384-bit output |
| Message Authentication | HMAC-SHA-384 [RFC4868] | 384-bit output |
| Pseudo-Random Function (IKEv2) | HMAC-SHA-384 | Per [RFC4868] |
| Key Derivation | HKDF-SHA-384 | Per [RFC5869] |
CONDUIT implementations MUST reject configuration of the following algorithms and MUST NOT negotiate their use:¶
AES with key sizes less than 256 bits (AES-128, AES-192)¶
Triple DES (3DES) and DES¶
SHA-1 and SHA-256 for authentication or integrity¶
MD5¶
RSA with key sizes less than 3072 bits¶
Diffie-Hellman groups with less than 3072-bit modulus¶
ECDH or ECDSA with curves smaller than P-384¶
ChaCha20-Poly1305 (not approved for CNSA)¶
Implementations MUST generate a configuration error and refuse to operate if prohibited algorithms are specified.¶
CONDUIT implementations MUST configure IPsec with the following parameters:¶
IKEv2 Parameters:¶
Version: IKEv2 only (version 1 MUST NOT be used)¶
Encryption: AES-256-GCM with 16-octet ICV (aes256gcm16)¶
PRF: HMAC-SHA-384 (prf-hmac-sha384)¶
Diffie-Hellman Group: 20 (384-bit random ECP, P-384)¶
Authentication: ECDSA with SHA-384 using P-384 certificates¶
ESP (Child SA) Parameters:¶
Encryption: AES-256-GCM with 16-octet ICV¶
Extended Sequence Numbers: Enabled¶
Traffic Selectors: As required for overlay traffic¶
Lifetime Parameters:¶
Node certificates MUST meet the following requirements:¶
Format: X.509 version 3¶
Key Algorithm: ECDSA with P-384 curve¶
Signature Algorithm: ecdsa-with-SHA384¶
Key Usage: digitalSignature, keyAgreement¶
Extended Key Usage: serverAuth, clientAuth, IPsecIKE¶
Certificate Authority certificates MUST use ECDSA with P-384 and SHA-384 signatures.¶
Certificate validation MUST include revocation checking via CRL or OCSP when network connectivity permits.¶
The gRPC API MUST be protected using TLS with the following configuration:¶
Minimum Version: TLS 1.3 (TLS 1.2 and earlier MUST NOT be used)¶
Cipher Suite: TLS_AES_256_GCM_SHA384 only¶
Certificate Type: ECDSA with P-384 curve¶
Client Authentication: Required (mutual TLS)¶
Implementations MUST reject TLS connections that do not meet these requirements.¶
Each tunnel exists in one of the following states:¶
A peer has been discovered but tunnel establishment has¶
not begun. Entry: peer discovery. Exit: initiate IKEv2.¶
IKEv2 negotiation is in progress. Entry: IKEv2¶
initiation. Exit: IKE_SA and CHILD_SA established, or timeout/ failure.¶
The tunnel is operational and probes are succeeding¶
within acceptable thresholds. Entry: successful IKEv2 completion or recovery from DEGRADED. Exit: metrics degrade, probe failures accumulate, or rekey initiated.¶
The tunnel is operational but metrics exceed preferred¶
thresholds. Entry: metrics exceed degradation thresholds. Exit: metrics recover or probe failures accumulate.¶
Security association rekeying is in progress. Entry:¶
rekey initiated (time or volume based). Exit: rekey success or failure.¶
The tunnel has failed and is not currently usable. Entry:¶
consecutive probe failures exceed threshold or IKE failure. Exit: probes succeed or WAN becomes unavailable.¶
The tunnel is marked for removal. Entry: WAN unavailable¶
or administrative deletion. Exit: cleanup complete.¶
State transitions MUST be reported via the gRPC API event stream and SHOULD be logged for operational visibility.¶
CONDUIT supports three fabric modes:¶
Create tunnels for all combinations of local and remote¶
WAN interfaces. This mode maximizes path diversity but increases resource consumption.¶
Create tunnels only between designated primary WAN¶
interfaces on each node. This mode minimizes resource consumption but limits path diversity.¶
Apply a rule-based policy to determine which tunnel¶
combinations to establish. Rules may specify:¶
The tunnel policy SHOULD be configurable via the gRPC API and SHOULD support runtime modification without service interruption.¶
Tunnel interfaces SHOULD be named according to the following convention to facilitate operational identification:¶
Where:¶
<peer> is a short identifier for the remote node¶
<local_wan> is a short identifier for the local WAN interface¶
<remote_wan> is a short identifier for the remote WAN interface¶
Example names:¶
When operating in full mesh mode, the number of tunnels T to a single peer is:¶
T = L x R¶
Where L is the number of local WAN interfaces and R is the number of remote WAN interfaces on the peer.¶
Total = sum(L x R_i) for each peer i Implementations MUST support configurable limits on:¶
When limits would be exceeded, implementations SHOULD prioritize tunnel creation based on configured policy and WAN type preferences.¶
CONDUIT monitors tunnel health through active probing. Each tunnel is independently probed to measure:¶
| Metric | Unit | Collection Method |
|---|---|---|
| Round-Trip Time | Microseconds | Timestamp echo |
| Jitter | Microseconds | [RFC3550] algorithm |
| Packet Loss | Percentage | Sequence tracking |
| Availability | Percentage | Probe success rate |
CONDUIT probe packets use the following format:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Magic (0x434E4454) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + TX Timestamp (64-bit) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + RX Timestamp (64-bit) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + HMAC-SHA-384 + | (384 bits) | + + | | + + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Padding (variable) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Field descriptions:¶
Fixed value 0x434E4454 ("CNDT" in ASCII). Used to¶
identify CONDUIT probe packets.¶
Protocol version. This specification defines¶
version 1.¶
Probe type:¶
Reserved for future use. MUST be set to zero on¶
transmission and ignored on receipt.¶
Monotonically increasing sequence number¶
used for loss detection and RTT matching.¶
Transmission timestamp in microseconds since¶
the Unix epoch. Set by the sender.¶
Reception timestamp in microseconds since¶
the Unix epoch. Set by the responder in reply packets; zero in request packets.¶
Message authentication code computed over¶
all preceding fields. Provides probe authenticity and integrity.¶
Optional padding to achieve desired probe size¶
for bandwidth estimation or MTU testing.¶
RTT = T_local_rx - T_local_tx¶
Where T_local_rx is the local time when the reply was received and T_local_tx is the local time when the request was sent.¶
For more accurate one-way delay measurement when nodes have synchronized clocks:¶
OWD_forward = T_remote_rx - T_local_tx OWD_reverse = T_local_rx - T_remote_tx¶
D(i) = (R(i) - R(i-1)) - (S(i) - S(i-1)) J(i) = J(i-1) + (|D(i)| - J(i-1)) / 16 Where:¶
The default window size is 100 probes. Implementations SHOULD make this configurable.¶
The base probe interval is configurable, with a default of 100ms.¶
The effective probe interval SHOULD be adjusted based on tunnel state:¶
| State | Multiplier | Rationale |
|---|---|---|
| Established | 1.0 | Normal monitoring |
| Degraded | 0.5 | Increased monitoring of troubled tunnel |
| Recovering | 0.25 | Rapid assessment during recovery |
| Down | 2.0 | Reduced load on failed path |
To prevent probe synchronization across tunnels, implementations SHOULD add random jitter of +/- 10% to each probe interval.¶
Tunnel state transitions are triggered by threshold crossings:¶
Degraded Thresholds:¶
RTT increases by more than 50% above baseline¶
Packet loss exceeds 1%¶
Jitter increases by more than 100% above baseline¶
Down Thresholds:¶
Thresholds SHOULD be configurable via the gRPC API.¶
CONDUIT publishes tunnel metrics through multiple mechanisms to enable SRv6-based traffic engineering:¶
| Method | Target | Use Case |
|---|---|---|
| Interface Metrics | Operating system | Simple deployments |
| IGP TE Extensions | IS-IS / OSPF | Distributed TE |
| gRPC Streaming | SDN Controller | Centralized TE |
| Flex-Algo Affinity | IGP Flex-Algo | Constraint-based TE |
Implementations MUST support interface metric publishing. Implementations SHOULD support IGP TE extensions and gRPC streaming.¶
CONDUIT calculates an interface metric from tunnel quality measurements using the following formula:¶
Metric = Latency_component + Loss_component + Jitter_component Where:¶
Latency_component = RTT_ms (1 ms = 1 metric unit)¶
Loss_component = Loss% x 100 (1% loss = 100 metric units)¶
Jitter_component = Jitter_ms x 10 (1 ms jitter = 10 metric units)¶
The resulting metric MUST be clamped to the range 1-65535.¶
Example calculations:¶
| Tunnel Type | RTT | Loss | Jitter | Metric |
|---|---|---|---|---|
| GEO SATCOM | 600 ms | 0.1% | 10 ms | 710 |
| LOS Radio | 5 ms | 0% | 0.5 ms | 10 |
| LTE Cellular | 50 ms | 0.5% | 5 ms | 150 |
The SRv6 data plane, seeing these metrics, will naturally prefer the LOS tunnel (metric 10) over LTE (metric 150) over SATCOM (metric 710) when computing shortest paths.¶
When IGP TE metric publishing is enabled, CONDUIT advertises the following per-tunnel attributes:¶
TE Metric: Calculated as described in Section 7.2¶
Maximum Link Bandwidth: Configured WAN bandwidth¶
Available Bandwidth: Estimated available capacity¶
Unidirectional Link Delay: Measured one-way delay per [RFC8570]¶
Unidirectional Delay Variation: Measured jitter per [RFC8570]¶
Shared Risk Link Groups: Assigned SRLG values¶
Administrative Group: For Flex-Algo affinity matching¶
For IS-IS, these attributes are advertised using the extensions defined in [RFC8570]. For OSPF, the equivalent extensions from [RFC7471] apply.¶
CONDUIT assigns tunnels to Flexible Algorithm groups based on measured characteristics and configured constraints.¶
A Flex-Algo definition specifies:¶
Algorithm ID: An integer in the range 128-255¶
Metric Type: IGP metric, minimum delay, or TE metric¶
Constraints: Maximum delay, minimum bandwidth, SRLG exclusions¶
CONDUIT evaluates each tunnel against each Flex-Algo definition and sets the appropriate affinity bits in IGP advertisements.¶
Example Flex-Algo definitions for tactical networks:¶
Flex-Algo 128 (Low Latency):¶
Flex-Algo 129 (High Bandwidth):¶
Flex-Algo 130 (Resilient):¶
Metric Type: IGP¶
Constraint: Exclude SRLG "satcom"¶
Use: Critical C2 requiring terrestrial diversity¶
With these definitions, the SRv6 data plane automatically steers voice traffic over low-latency tunnels (LOS radio), video over high- bandwidth tunnels (possibly ECMP across multiple), and critical C2 over tunnels not sharing SATCOM failure modes.¶
Shared Risk Link Groups identify tunnels that share common failure modes. CONDUIT assigns SRLG values based on:¶
WAN Type: All tunnels using SATCOM share a "satcom" SRLG¶
Physical Path: Tunnels using the same physical link share an SRLG¶
Provider: Tunnels using the same carrier share an SRLG¶
Geographic: Tunnels transiting the same geographic area may share an SRLG¶
SRLG assignment enables SRv6 TI-LFA to compute backup paths that avoid shared failure modes and Flex-Algo to exclude entire failure domains.¶
CONDUIT control messages are transported via UDP. Two ports are used:¶
Control messages are transmitted through established IPsec tunnels when available. For initial peer discovery before tunnel establishment, messages may be sent via the underlying WAN with HMAC authentication.¶
All CONDUIT control messages share a common header:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Node ID + | (64 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Timestamp (64 bits) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + HMAC-SHA-384 + | (384 bits) | + + | | + + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Field descriptions:¶
Protocol version. This specification defines¶
version 1.¶
Message type as defined in Section 8.3.¶
Message-specific flags.¶
Total message length in octets, including header.¶
Reserved (16 bits): Reserved for future use. MUST be zero.¶
Unique identifier of the sending node.¶
Per-peer monotonically increasing¶
counter for anti-replay protection.¶
Message creation time in microseconds since¶
Unix epoch.¶
Message authentication code computed over¶
the entire message with the HMAC field set to zero.¶
Total header size: 72 octets.¶
| Value | Name | Description |
|---|---|---|
| 0x01 | HELLO | Peer discovery and WAN advertisement |
| 0x02 | HELLO_ACK | Response to HELLO |
| 0x03 | WAN_UPDATE | WAN availability change notification |
| 0x04 | TUNNEL_STATE | Tunnel state change notification |
| 0x05 | KEEPALIVE | Peer liveness check |
| 0x06 | KEEPALIVE_ACK | Response to KEEPALIVE |
| 0x0F | ERROR | Error notification |
The HELLO message is used for peer discovery and WAN capability advertisement:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num WANs | Reserved | Capabilities | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hold Time (sec) | Max Tunnels | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + SRv6 Locator (48 bits) + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ WAN Descriptors ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Field descriptions:¶
Number of WAN Descriptors following.¶
Bitmask of supported capabilities.¶
Time in seconds the receiver should consider¶
the sender reachable without further messages.¶
Maximum tunnels this node can establish to¶
a single peer.¶
The node's SRv6 locator prefix.¶
Each WAN interface is described by a WAN Descriptor:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WAN ID | WAN Type | State | Addr Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Bandwidth (Kbps) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MTU | Typical Latency (ms) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + IPv6 Address (if flag set) + | (128 bits) | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4 Address (if flag set) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SRLG ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ WAN Type values:¶
| Value | Name | Typical Characteristics |
|---|---|---|
| 0x01 | SATCOM_GEO | 600ms RTT, 2-10 Mbps |
| 0x02 | SATCOM_LEO | 30ms RTT, 50-200 Mbps |
| 0x03 | LOS_RADIO | 5ms RTT, 10-100 Mbps |
| 0x04 | TROPOSCATTER | 10ms RTT, 5-20 Mbps |
| 0x05 | HF_RADIO | 50ms RTT, 9.6-64 Kbps |
| 0x06 | CELLULAR_LTE | 30ms RTT, 10-100 Mbps |
| 0x07 | CELLULAR_5G | 10ms RTT, 100-1000 Mbps |
| 0x08 | WIRE_ETHERNET | 1ms RTT, 1-100 Gbps |
| 0x09 | WIRE_FIBER | 1ms RTT, 1-100 Gbps |
| 0x0A | WIFI | 5ms RTT, 50-500 Mbps |
Address Flags:¶
All CONDUIT control messages MUST be authenticated using HMAC- SHA-384.¶
AUTH_KEY = HKDF-SHA-384(
IKM = SK_d,
salt = "CONDUIT-v1-auth",
info = Node_ID_local || Node_ID_remote,
length = 48
)
¶
For initial HELLO messages before IKEv2 SA establishment, a pre- shared key MAY be used. Unauthenticated HELLO messages MUST NOT be accepted in production deployments.¶
Each CONDUIT tunnel is presented to the SRv6 data plane as a distinct interface. From the perspective of IS-IS or OSPFv3, each tunnel represents a separate adjacency to the peer node.¶
This design enables:¶
Independent metrics per tunnel based on measured quality¶
ECMP load balancing across multiple tunnels to the same peer¶
Flex-Algo differentiation based on tunnel characteristics¶
TI-LFA backup path computation considering tunnel diversity¶
For example, a node with three tunnels to a peer (via SATCOM, LOS, and LTE) would advertise three adjacencies in IS-IS, each with its own metric. The IGP SPF computation naturally prefers lower-metric paths.¶
CONDUIT evaluates each tunnel against configured Flex-Algo definitions and assigns appropriate affinities.¶
A tunnel qualifies for a Flex-Algo if:¶
Measured delay is less than the maximum delay constraint (if specified)¶
Configured bandwidth meets the minimum bandwidth constraint (if specified)¶
Tunnel SRLG membership does not intersect with excluded SRLGs (if specified)¶
Assignment is dynamic: as tunnel metrics change, Flex-Algo membership is re-evaluated and IGP advertisements are updated accordingly.¶
Example assignment for a deployment with three Flex-Algos:¶
| Tunnel | Algo 128 (Low Lat) | Algo 129 (High BW) | Algo 130 (Resilient) |
|---|---|---|---|
| SATCOM (600ms) | Excluded | Included | Excluded |
| LOS Radio (5ms) | Included | Included | Included |
| LTE (50ms) | Included | Included | Included |
The SATCOM tunnel is excluded from Flex-Algo 128 (delay exceeds 100ms threshold) and Flex-Algo 130 (SRLG "satcom" is excluded).¶
With CONDUIT providing tunnel metrics and Flex-Algo assignments, traffic steering is accomplished through standard SRv6 mechanisms:¶
SRv6 Policy Color: Traffic matching a policy with a specific color is steered to paths computed using the associated Flex-Algo¶
DSCP Mapping: DSCP values can be mapped to SRv6 policy colors¶
BGP Communities: BGP communities can signal desired Flex-Algo¶
Example mapping for tactical traffic:¶
| Traffic Type | DSCP | SR Color | Flex-Algo |
|---|---|---|---|
| Voice | EF (46) | 100 | 128 (Low Latency) |
| Video | AF41 (34) | 200 | 129 (High BW) |
| Critical C2 | CS6 (48) | 300 | 130 (Resilient) |
| Best Effort | BE (0) | 0 | Default (SPF) |
CONDUIT supports high availability through active-standby or active- active node pairs sharing a virtual IP address.¶
In active-standby mode:¶
Primary node handles all tunnel management and peer communication¶
Standby node maintains synchronized state and pre-established tunnels¶
Failover occurs when primary failure is detected¶
In active-active mode:¶
The following state is synchronized between HA peers:¶
| Data | Sync Method | Purpose |
|---|---|---|
| Peer List | Periodic + Event | Both nodes know all peers |
| Tunnel State | Event-driven | Enable fast failover |
| Metrics | Periodic (1 Hz) | Consistent path costs |
| Configuration | Event-driven | Policy consistency |
IKEv2 Security Associations are NOT synchronized. Each node maintains independent SAs with peers. This simplifies implementation and avoids complexities of SA state transfer.¶
Upon detecting primary node failure:¶
Standby assumes the virtual IP address¶
Standby's pre-established tunnels become active¶
SRv6 reconverges via TI-LFA (sub-50ms for pre-computed backups)¶
Traffic flows through standby's tunnels¶
Target failover time is less than 3 seconds for complete recovery, with TI-LFA providing sub-50ms forwarding continuity for traffic with pre-computed backup paths.¶
CONDUIT exposes all functionality through a gRPC API comprising three services:¶
Primary interface for tunnel management,¶
including node configuration, WAN interface management, peer discovery and management, tunnel lifecycle operations, tunnel policy configuration, and metric publishing configuration.¶
Provides access to operational metrics, including¶
current tunnel metrics, real-time metric streaming, historical metric queries, and fabric statistics.¶
Manages HA operations, including HA status¶
and configuration, synchronization status, and manual failover triggers.¶
The complete Protocol Buffer definitions for these services are available in a companion document.¶
All gRPC connections MUST use mutual TLS (mTLS) with certificates meeting the requirements of Section 4.5.¶
Implementations SHOULD support role-based access control (RBAC) for API authorization. Recommended roles include:¶
CONDUIT's security relies on the strength of its cryptographic foundations. The mandatory use of CNSA 2.0 algorithms provides protection appropriate for classified information.¶
Key security properties:¶
CONDUIT addresses the following threats:¶
| Threat | Mitigation |
|---|---|
| Probe Spoofing | HMAC-SHA-384 authentication on all probes |
| Replay Attacks | Sequence numbers and timestamp validation |
| Man-in-the-Middle | IPsec with certificate-based auth |
| Unauthorized API | Mutual TLS with certificate validation |
| Tunnel Manipulation | Authenticated control protocol messages |
| Denial of Service | Rate limiting on control plane |
Deployments SHOULD implement the following operational security measures:¶
Certificates should be rotated at least annually¶
Private keys should be stored in hardware security modules (HSM) where available¶
All tunnel state changes should be logged for audit purposes¶
Rate limiting should be applied to control plane message processing¶
Network segmentation should isolate CONDUIT management traffic¶
This document requests allocation of two UDP ports:¶
| Port | Name | Description |
|---|---|---|
| 4794 | conduit-control | CONDUIT control messages |
| 4795 | conduit-probe | CONDUIT probe packets |
This document requests creation of a "CONDUIT WAN Types" registry with the following initial values:¶
+-------+----------------+-------------------------+ | Value | Name | Reference | +-------+----------------+-------------------------+ | 0x00 | Reserved | This document | | 0x01 | SATCOM_GEO | This document | | 0x02 | SATCOM_LEO | This document | | 0x03 | LOS_RADIO | This document | | 0x04 | TROPOSCATTER | This document | | 0x05 | HF_RADIO | This document | | 0x06 | CELLULAR_LTE | This document | | 0x07 | CELLULAR_5G | This document | | 0x08 | WIRE_ETHERNET | This document | | 0x09 | WIRE_FIBER | This document | | 0x0A | WIFI | This document | | 0x0B-0xEF | Unassigned | | | 0xF0-0xFF | Private Use | This document | +-------+----------------+-------------------------+ New values in the range 0x0B-0xEF require Standards Action.¶
The following table provides typical characteristics for each WAN type. Actual values vary based on specific equipment, configuration, and environmental conditions.¶
| WAN Type | Latency | Bandwidth | Notes |
|---|---|---|---|
| SATCOM_GEO | 600ms | 2-10 Mbps | Weather sensitive |
| SATCOM_LEO | 20-40ms | 50-200 Mbps | Handover during orbit |
| LOS_RADIO | 5ms | 10-100 Mbps | Terrain dependent |
| TROPOSCATTER | 10ms | 5-20 Mbps | Over-horizon capability |
| HF_RADIO | 50ms | 9.6-64 Kbps | Atmospheric effects |
| CELLULAR_LTE | 30ms | 10-100 Mbps | Coverage dependent |
| CELLULAR_5G | 10ms | 100-1000 Mbps | Limited coverage |
| WIRE_ETHERNET | <1ms | 1-100 Gbps | Fixed installations |
| WIRE_FIBER | <1ms | 1-100 Gbps | Fixed installations |
| WIFI | 5ms | 50-500 Mbps | Short range |
The authors thank the members of the tactical networking community for their input on operational requirements and deployment considerations.¶