Optimizing IPSec for hierarchical SD-WAN

US12199868B2 · US · B2

Patent metadata

Publication number: US-12199868-B2
Application number: US-202217804333-A
Country: US
Kind code: B2
Filing date: May 27, 2022
Priority date: May 27, 2022
Publication date: Jan 14, 2025
Grant date: Jan 14, 2025


Abstract


According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Claims

What is claimed is:

1. A method performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers, the method comprising: originating a SD-WAN system route for advertising reachability to the SD-WAN edge router, the SD-WAN system route comprising an encryption key associated with the SD-WAN edge router; and transmitting the SD-WAN system route to one or more SD-WAN border routers.

2. The method of claim 1, further comprising: receiving a packet destined for the SD-WAN edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the SD-WAN edge router, and wherein the encryption key associated with the SD-WAN edge router is unaltered in transit across the one or more SD-WAN border routers; and decrypting the packet.

3. The method of claim 1, wherein the SD-WAN system route comprises a SD-WAN Overlay Management Protocol (OMP) route.

4. The method of claim 1, wherein the encryption key associated with the SD-WAN edge router comprises an Internet Protocol Security (IPSec) Encapsulating Security Payload (ESP) protocol encryption key.

5. The method of claim 1, wherein the SD-WAN edge router is communicably coupled to one or more of the plurality of border routers via one or more Internet Protocol Security (IPSec) tunnels.

6. A method performed by a software defined wide area network (SD-WAN) border router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers, the method comprising: receiving a first SD-WAN system route for advertising reachability to an SD-WAN edge router, the first SD-WAN system route comprising an encryption key associated with the SD-WAN edge router; allocating a local label for the SD-WAN edge router; originating a second SD-WAN system route for advertising reachability to the SD-WAN edge router, the second SD-WAN system route comprising the local label for the SD-WAN edge router, the encryption key associated with the SD-WAN edge router, and an authentication key associated with the SD-WAN border router; and transmitting the second SD-WAN system route to one or more SD-WAN border routers or edge routers.

7. The method of claim 6, further comprising: receiving a packet destined for the SD-WAN edge router from one of the one or more SD-WAN border routers or edge routers, wherein the packet is at least partially encrypted with the encryption key associated with the SD-WAN edge router and the packet comprises a local transport label, and wherein the encryption key associated with the SD-WAN edge router is unaltered in transit across the one or more SD-WAN border routers; authenticating the packet using the authentication key associated with the SD-WAN border router; updating one or more of a local transport label, source address, and destination address associated with the packet; and forwarding the packet to one of the one or more SD-WAN border routers or edge routers based on the local transport label without decrypting the packet.

8. The method of claim 6, wherein the second SD-WAN system route comprises a SD-WAN Overlay Management Protocol (OMP) route.

9. The method of claim 6, wherein the encryption key associated with the SD-WAN edge router comprises an Internet Protocol Security (IPSec) Encapsulating Security Payload (ESP) protocol encryption key.

10. The method of claim 6, wherein the authentication key associated with the SD-WAN border router comprises an Internet Protocol Security (IPSec) Security Authentication Header (AH) protocol authentication key.

11. The method of claim 6, wherein the SD-WAN border router is communicably coupled to the one or more border routers or edge routers via one or more Internet Protocol Security (IPSec) tunnels.

12. A software defined wide area network (SD-WAN) system comprising a first edge router communicably coupled to a first border router: the first edge router comprising a memory comprising instructions and a hardware processor, wherein the first edge router, when executing its instructions at its hardware processor, is configured to: originate a first SD-WAN system route for advertising reachability to the first edge router, the first SD-WAN system route comprising an encryption key associated with the first edge router; and transmit the first SD-WAN system route to the first border router; and the first border router comprising a memory comprising instructions and a hardware processor, wherein the first border router, when executing its instructions at its hardware processor, is configured to: receive the first SD-WAN system route for advertising reachability to the first edge router; allocate a local label for the first edge router; originate a second SD-WAN system route for advertising reachability to the first edge router, the second SD-WAN system route comprising the local label for the first edge router, the encryption key associated with the first edge router, and an authentication key associated with the first border router; and transmit the second SD-WAN system route to one or more SD-WAN border routers or edge routers.

13. The SD-WAN system of claim 12, wherein the first edge router is further configured to: receive a packet destined for the first edge router from the first border router, wherein the packet is at least partially encrypted with the encryption key associated with the first edge router, and wherein the encryption key associated with the first edge router is unaltered in transit across the one or more SD-WAN border routers; and decrypt the packet.

14. The SD-WAN system of claim 12, wherein the first border router is further configured to: receive a packet destined for the first edge router from one of one or more SD-WAN border routers or edge routers, wherein the packet is at least partially encrypted with the encryption key associated with the first edge router and the packet comprises a local transport label; authenticate the packet using the authentication key associated with the first border router; update one or more of a local transport label, source address, and destination address associated with the packet; and forward the packet to one of the one or more SD-WAN border routers or edge routers based on the local transport label without decrypting the packet.

15. The SD-WAN system of claim 12, wherein the first SD-WAN system route comprises a SD-WAN Overlay Management Protocol (OMP) route.

16. The SD-WAN system of claim 12, wherein the encryption key associated with the first edge router comprises an Internet Protocol Security (IPSec) Encapsulating Security Payload (ESP) protocol encryption key.

17. The SD-WAN system of claim 12, wherein the authentication key associated with the first border router comprises an Internet Protocol Security (IPSec) Security Authentication Header (AH) protocol authentication key.

18. The SD-WAN system of claim 12, wherein the first edge router is communicably coupled to the first border router via an Internet Protocol Security (IPSec) tunnel.

19. The SD-WAN system of claim 12, wherein the first edge router is further configured to: encrypt a packet for transmission to a second edge router, wherein the packet is encrypted with an encryption key associated with the second edge router received via a system route originated from the second edge router; and transmit the packet to the first border router.
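The following model of the claimed route propagation and forwarding is an added illustration, not code from the patent or from Cisco: an edge router advertises its ESP key in a system route, each border router allocates a local label and re-advertises the route with that label, the unchanged ESP key and its own AH key, and packets are authenticated and label-switched hop by hop without being decrypted until the destination edge. The topology (A, B1, B2, C), the dictionary route format and the HMAC-based stand-ins for ESP and AH are constructed for this example and are not the patent's encodings.

```python
import hmac, hashlib, os
# Constructed stand-ins for the IPsec primitives named in the claims (not real ESP/AH): ESP-style
# confidentiality is an HMAC-SHA256 counter-mode keystream XOR; AH-style integrity is an HMAC-SHA256 tag.
def keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def ah_tag(key, pkt):   # integrity tag over label, addresses and the still-encrypted payload
    msg = str(pkt["label"]).encode() + pkt["src"] + pkt["dst"] + pkt["payload"]
    return hmac.new(key, msg, hashlib.sha256).digest()
class Edge:
    def __init__(self, name):
        self.name, self.esp_key, self.routes = name, os.urandom(32), {}
    def originate_route(self):   # claim 1: the system route carries this edge's ESP key
        return {"dest": self.name, "esp_key": self.esp_key, "label": None, "ah_key": None, "next_hop": self.name}
    def send(self, dest, plaintext):   # claim 19: encrypt with the far edge's advertised key
        r, nonce = self.routes[dest], os.urandom(8)
        pkt = {"src": self.name, "dst": r["next_hop"], "label": r["label"],
               "payload": nonce + keystream_xor(r["esp_key"], nonce, plaintext)}
        pkt["tag"] = ah_tag(r["ah_key"], pkt)   # tagged for the first-hop border router's AH key
        return pkt
    def receive(self, pkt):   # claim 2: only the destination edge decrypts
        return keystream_xor(self.esp_key, pkt["payload"][:8], pkt["payload"][8:])
class Border:
    def __init__(self, name):
        self.name, self.ah_key, self.lfib, self.next_label = name, os.urandom(32), {}, 100
    def import_route(self, route):   # claim 6: local label + own AH key, ESP key re-advertised unchanged
        label, self.next_label = self.next_label, self.next_label + 1
        self.lfib[label] = route   # local label -> downstream route (next hop, its label, its AH key)
        return {"dest": route["dest"], "esp_key": route["esp_key"], "label": label,
                "ah_key": self.ah_key, "next_hop": self.name}
    def forward(self, pkt):   # claim 7: authenticate, swap label and addresses, never decrypt
        if not hmac.compare_digest(pkt["tag"], ah_tag(self.ah_key, pkt)):
            return None   # AH check failed: drop the packet
        r = self.lfib[pkt["label"]]
        out = {"src": self.name, "dst": r["next_hop"], "label": r["label"], "payload": pkt["payload"]}
        out["tag"] = ah_tag(r["ah_key"], out) if r["ah_key"] else b""   # last hop is an edge: no AH tag
        return out
def run(tamper=False):
    a, b1, b2, c = Edge(b"A"), Border(b"B1"), Border(b"B2"), Edge(b"C")   # constructed topology A-B1-B2-C
    a.routes[b"C"] = b1.import_route(b2.import_route(c.originate_route()))   # route propagates C -> B2 -> B1 -> A
    pkt = a.send(b"C", b"hello from A")
    if tamper:   # flip one ciphertext bit in transit; the first border router must reject it
        pkt["payload"] = pkt["payload"][:-1] + bytes([pkt["payload"][-1] ^ 1])
    pkt = b1.forward(pkt)
    pkt = b2.forward(pkt) if pkt else None
    return c.receive(pkt) if pkt else None
```

`run()` returns the plaintext only because both border routers passed the ciphertext through with C's key untouched; `run(tamper=True)` returns `None` because B1's AH check fails before any label switching happens.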

Assignees

Cisco Tech Inc
Classifications

Primary CPC classification: H04L45/76

  • using an overlay routing layer

  • using label swapping, e.g. multi-protocol label switch [MPLS]

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

  • Interdomain routing, e.g. hierarchical routing

  • Virtual private networks


Frequently asked questions


Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L45/76. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 14, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).