How are BMC/OOB credentials passed from Region to Rack controllers?

I am looking at using a MAAS region controller in a different network segment than one of our rack controllers. The security requirements for the subnets of these new rack controllers are high and anything that may contain credentials of any kind must be encrypted.

How are credentials for accessing out-of-band/baseboard-management-controllers secured between the Region Controller and the Rack Controller?

Are they encrypted at all? If not, would it be possible to setup SSL tunneling between these racks and the region to ensure it is encrypted?