draft-ietf-ipsecme-labeled-ipsec-00.txt   draft-ietf-ipsecme-labeled-ipsec-01.txt 
Network P. Wouters Network P. Wouters
Internet-Draft Red Hat Internet-Draft Red Hat
Intended status: Standards Track S. Prasad Updates: 7296 (if approved) S. Prasad
Expires: September 11, 2019 Technical University of Munich Intended status: Standards Track Technical University of Munich
March 10, 2019 Expires: January 9, 2020 July 8, 2019
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-00 draft-ietf-ipsecme-labeled-ipsec-01
Abstract Abstract
This document defines two new Traffic Selector (TS) Types for This document defines a new Traffic Selector (TS) Type for Internet
Internet Key Exchange version 2 to add support for Mandatory Access Key Exchange version 2 to add support for negotiating Mandatory
Control (MAC) security labels, also known as "Labeled IPsec". The Access Control (MAC) security labels as a traffic selector of the
two new TS Types are TS_IPV4_ADDR_RANGE_SECLABEL and Security Policy Database (SPD). Security Labels for IPsec are also
TS_IPV6_ADDR_RANGE_SECLABEL, which are identical to their non- known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
seclabel namesakes except for the addition of a variable length consists of a variable length opaque field specifying the security
opaque field specifying the security label. These new Traffic label. This document updates the IKEv2 TS negotiation specified in
Selector Types facilitate negotiating security labels as an RFC 7296 Section 2.9.
additional selector of the Security Policy Database to further
restrict the type of traffic allowed to be send and received over the
IPsec SA.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 11, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Traffic Selector negotiation . . . . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3
3. SECLABEL Traffic Selector . . . . . . . . . . . . . . . . . . 3 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 3
4. Traffic Selector matching . . . . . . . . . . . . . . . . . . 5 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security label. A security label is comprised of a set of security
attributes. The security labels along with a system authorization attributes. The security labels along with a system authorization
policy determine access. Rules within the system authorization policy determine access. Rules within the system authorization
policy determine whether the access will be granted based on the policy determine whether the access will be granted based on the
security attributes of the subject and object. security attributes of the subject and object.
skipping to change at page 2, line 47 skipping to change at page 2, line 48
Traditionally, security labels used by Multilevel Systems (MLS) are Traditionally, security labels used by Multilevel Systems (MLS) are
comprised of a sensitivity level (or classification) field and a comprised of a sensitivity level (or classification) field and a
compartment (or category) field, as defined in [FIPS188] and compartment (or category) field, as defined in [FIPS188] and
[RFC5570]. As MAC systems evolved, other MAC models gained in [RFC5570]. As MAC systems evolved, other MAC models gained in
popularity. For example, SELinux, a Flux Advanced Security Kernel popularity. For example, SELinux, a Flux Advanced Security Kernel
(FLASK) implementation, has security labels represented as colon- (FLASK) implementation, has security labels represented as colon-
separated ASCII strings composed of values for identity, role, and separated ASCII strings composed of values for identity, role, and
type. The security labels are often referred to as security type. The security labels are often referred to as security
contexts. contexts.
This document specifies two new Traffic Selector Types for IKEv2 that Traffic Selector (TS) payloads specify the selection criteria for
can be used to negotiate security labels as additional selectors for packets that will be forwarded over the newly set up IPsec SA as
the Security Policy Database (SPD) to further restrict the type of enforced by the Security Policy Database (SPD, see [RFC4301]). This
traffic allowed to be send and received over the IPsec SA. document updates the Traffic Selector negotiation specified in
Section 2.9 of [RFC7296].
Traffic Selector (TS) payloads allow endpoints to communicate some of
the information from their SPD to their peers. These must be
communicated to IKE from the SPD. TS payloads specify the selection
criteria for packets that will be forwarded over the newly set up SA.
Section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296]
illustrates the Traffic Selector negotiation procedure.
Two TS payloads appear in each of the messages in the exchange that
creates a Child SA pair. Each TS payload contains one or more
Traffic Selectors. Currently, each Traffic Selector consists of an
address range (IPv4 or IPv6), a port range, and an IP protocol ID.
However, a security context or a label is missing. Therefore this
document extends the section 2.9 in the Internet Key Exchange
protocol version 2 [RFC7296] to add support for a new traffic
selector type which would be used to negotiate the security label or
context.
Negotiating and verifying the security context or label in the new TS This document specifies a new Traffic Selector Type TS_SECLABEL for
types will act as an additional criteria that has to match along with IKEv2 that can be used to negotiate security labels as additional
the previously mentioned Traffic Selectors. selectors for the Security Policy Database (SPD) to further restrict
the type of traffic allowed to be sent and received over the IPsec
SA.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
captials, as shown here.
2. Traffic Selector negotiation 1.2. Traffic Selector clarification
The negotiation of Traffic Selectors is specified in Section 2.9 of The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296]. The initiating IKE peer sends a Traffic Selector payload [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and
for the initiator side (TSi) and a Traffic Selector payload for the TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is
responder side (TSr). The TSi and TSr payloads contain a list of one specified in Section 3.13 of [RFC7296]. However, the term Traffic
or more Traffic Selectors (TS). The responder picks one TS from the Selector is used to denote the traffic selector payloads and
TSi list and one TS from the TSr list and returns these in their own individual traffic selectors of that payload. Sometimes the exact
TSi/TSr payloads to the initiator in the IKE response as confirmation meaning can only be learned from context or if the item is written in
of the chosen traffic selectors. [RFC7296] defines two TS Types, plural ("Traffic Selectors" or "TSs"). This section clarifies these
TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE. These TS payloads contain terms as follows:
the TS Type, IP protocol ID, Selector Length, Start and End Port and
Start and End Address.
3. SECLABEL Traffic Selector A Traffic Selector (no acronym) is one selector for traffic of a
specific Traffic Selector Type (TS_TYPE). For example a Traffic
Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP
network 198.51.100.0/24 covering all ports, is denoted as (17, 0,
198.51.100.0-198.51.100.255)
This document defines two new TS Types, TS_IPV4_ADDR_RANGE_SECLABEL A Traffic Selector payload (TS) is a set of one or more Traffic
and TS_IPV6_ADDR_RANGE_SECLABEL. In addition to the above mentioned Selectors of the same or different TS_TYPEs, but MUST include at
selectors, it contains a single new opaque Security Label selector. least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For
example, the above Traffic Selector by itself in a TS payload is
denotated as TS((17, 0, 198.51.100.0-198.51.100.255))
2. TS_SECLABEL Traffic Selector Type
This document defines a new TS Type, TS_SECLABEL that contains a
single new opaque Security Label.
2.1. TS_SECLABEL payload format
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| TS Type |IP Protocol ID*| Selector Length | | TS Type | Reserved | Selector Length |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| Start Port* | End Port* |
+-------------------------------+-------------------------------+
| |
~ Starting Address* ~
| |
+---------------------------------------------------------------+
| |
~ Ending Address* ~
| |
+---------------------------------------------------------------+
| | | |
~ Security Label* ~ ~ Security Label* ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 1: Labeled IPsec Traffic Selector Figure 1: Labeled IPsec Traffic Selector
*Note: All fields other than TS Type and Selector Length depend on *Note: All fields other than TS Type and Selector Length depend on
the TS Type. The fields shown are for TS Types [TBD] and [TBD], the the TS Type. The fields shown is for TS Type TS_SECLABEL, the
two values this document defines. selector this document defines.
o TS Type (one octet) - Specifies the type of Traffic Selector.
o IP protocol ID (1 octet) - Value specifying an associated IP o TS Type (one octet) - Set to [TBD] for TS_SECLABEL,
protocol ID (such as UDP, TCP, and ICMP). A value of zero means
that the protocol ID is not relevant to this Traffic Selector --
the SA can carry all protocols.
o Selector Length (2 octets, unsigned integer) - Specifies the o Selector Length (2 octets, unsigned integer) - Specifies the
length of this Traffic Selector substructure including the header. length of this Traffic Selector substructure including the header.
o Start Port (2 octets, unsigned integer) - Value specifying the o Security Label - An opaque byte stream of at least one octet.
smallest port number allowed by this Traffic Selector. For
protocols for which port is undefined (including protocol 0), or
if all ports are allowed, this field MUST be zero. ICMP and
ICMPv6 Type and Code values, as well as Mobile IP version 6
(MIPv6) mobility header (MH) Type values, are represented in this
field as specified in Section 4.4.1.1 of [RFC4301]. ICMP Type and
Code values are treated as a single 16-bit integer port number,
with Type in the most significant eight bits and Code in the least
significant eight bits. MIPv6 MH Type values are treated as a
single 16-bit integer port number, with Type in the most
significant eight bits and the least significant eight bits set to
zero.
o End Port (2 octets, unsigned integer) - Value specifying the 2.2. TS_SECLABEL properties
largest port number allowed by this Traffic Selector. For
protocols for which port is undefined (including protocol 0), or
if all ports are allowed, this field MUST be 65535. ICMP and
ICMPv6 Type and Code values, as well as MIPv6 MH Type values, are
represented in this field as specified in Section 4.4.1.1 of
[RFC4301]. ICMP Type and Code values are treated as a single
16-bit integer port number, with Type in the most significant
eight bits and Code in the least significant eight bits. MIPv6 MH
Type values are treated as a single 16-bit integer port number,
with Type in the most significant eight bits and the least
significant eight bits set to zero.
o Starting Address - The smallest address included in this Traffic The TS_SECLABEL Traffic Selector Type does not support narrowing or
Selector (length determined by TS Type). wildcards. It MUST be used as an exact match value.
o Ending Address - The largest address included in this Traffic The Security Label contents are opague to the IKE implementation.
Selector (length determined by TS Type). That is, the IKE implementation might not have any knowledge of the
meaning of this selector, other than as a type and opaque value to
pass to the SPD.
o Security Label - An opaque byte stream of at least one octet. A zero length Security Label MUST NOT be used. If a received TS
payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
Label, that specific Traffic Selector MUST be ignored. If no other
Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label.
4. Traffic Selector matching If multiple Security Labels are allowed for a given IP protocol,
start and end address/port match, multiple TS_SECLABEL can be
included in a TS payload.
Matching of the IP protocol, start and end address, and start and end If the Security Label traffic selector is optional from a
port is performed the same way as for the TS_IPV4_ADDR_RANGE and configuration point of view, the initiator will have to choose which
TS_IPV6_ADDR_RANGE TS types. Additionally, the Security Label is TS payload to attempt first. If it includes the Security Label and
compared for an exact match as well. Label matching is done by receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation
comparing the opaque bytestream. without that Security Label .
The Security Label in the TSi and TSr MUST be identical. If the A responder that selected a TS with TS_SECLABEL MUST use the Security
responder's policy does not allow it to accept any part of the Label for all selector operations on the resulting IPsec SA. It MUST
proposed Traffic Selector including the Security Label, it MUST NOT select a TS_set with a TS_SECLABEL without using the specified
ignore the TS and look for another matching TS in the list. If no Security Label, even if it deems the Security Label optional, as the
list entry matches, a TS_UNACCEPTABLE Notify message is returned. initiator TS_set with TS_SECLABEL means the initiator mandates using
that Security Label.
A zero length Security Label MUST NOT be sent. If the SPD policy 3. Traffic Selector negotiation
contains no Security Label selectors, the TS Types
TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL should
not be used and TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE should be
used instead. Any received Traffic Selector with a zero length
Security Label MUST be ignored, and if no valid TS can be selected,
an TS_UNACCEPTABLE Error Notify message is returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label.
If multiple Security Labels are allowed for a given IP protocol, This document updates the [RFC7296] specification as follows:
start and end address/port match, multiple
TS_IPV4_ADDR_RANGE_SECLABEL or TS_IPV6_ADDR_RANGE_SECLABEL Traffic
Selectors must be included that only differ in the Security Label.
Narrowing of Traffic Selectors applies to TS_IPV4_ADDR_RANGE_SECLABEL Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
and TS_IPV6_ADDR_RANGE_SECLABEL as well, but the Security Label TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
itself is not interpreted and cannot itself be narrowed. It MUST be
matched exactly. Rekey of an IPsec SA MUST only use identical
Traffic Selectors, which means the same TS Type and selectors MUST be
used. This guarantees that a Security Label once negotiated, remains
part of the IPsec SA after a rekey.
5. Security Considerations Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs,
such as TS_SECLABEL.
A responder MUST create its TS response by selecting one of each
TS_TYPE present in the offered TS by the initiator. If it cannot
select one of each TS_TYPE, it MUST return a TS_UNAVAILABLE Error
Notify payload.
If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or
TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the
initiator SHOULD first try to negotiate the Child SA with the TS
payload including the optional TS_TYPE. Upon receiving
TS_UNAVAILABLE, it SHOULD attempt a new Child SA negotiation using
the same TS but without the optional TS_TYPE.
Some TS_TYPE's support narrowing, where the responder is allowed to
select a subset of the original TS. Narrowing MUST NOT result in an
empty selector for that TS_TYPE.
3.1. Example TS negotiation
An initiator could send:
TSi = ((17,0,192.0.2.0-192.0.2.255),
(0,0,198.51.0-198.51.255),
TS_SECLABEL1, TS_SECLABEL2)
TSr = ((17,0,203.0.113.0-203.0.113.255),
(0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1, TS_SECLABEL2)
Figure 2: initiator TS payloads example
The responder could answer with the following example:
TSi = ((0,0,198.51.0-198.51.255),
TS_SECLABEL1)
TSr = (((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1)
Figure 3: responder TS payloads example
3.2. Considerations for using multiple TS_TYPEs in a TS
It would be unlikely that the traffic for TSi and TSr would have a
different Security Label, but this specification does allow this to
be specified. If the initiator does not support this, and wants to
prevent the responder from picking different labels for the TSi / TSr
payloads, it should attempt a Child SA negotiation with only the
first Security Label first, and upon failure retry a new Child SA
negotiation with only the second Security Label.
If different IP ranges can only use different specific Security
Labels, than these should be negotiated in two different Child SA
negotiations. If in the example above, the initiator only allows
192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2,
than it MUST NOT combine these two ranges and security labels into
one Child SA negotiation.
Narrowing of Traffic Selectors currenrtly only applies only to
TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE and not to TS_SECLABEL as
the Security Label itself is not interpreted and cannot itself be
narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST
only use identical Traffic Selectors, which means the same TS Type
and selectors MUST be used. This guarantees that a Security Label
once negotiated, remains part of the IPsec SA after a rekey.
4. Security Considerations
It is assumed that the Security Label can be matched by the IKE It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE implementation to its own configured value, even if the IKE
implemention itself cannot interpret the Security Label value. implemention itself cannot interpret the Security Label value.
6. IANA Considerations 5. IANA Considerations
This document defines two new entries in the IKEv2 Traffic Selector This document defines two new entries in the IKEv2 Traffic Selector
Types registry: Types registry:
Value TS Type Reference Value TS Type Reference
----- --------------------------- ----------------- ----- --------------------------- -----------------
TBD TS_IPV4_ADDR_RANGE_SECLABEL [this document] TBD TS_SECLABEL [this document]
TBD TS_IPV6_ADDR_RANGE_SECLABEL [this document]
Figure 2 Figure 4
7. Acknowledgements 6. Acknowledgements
A large part of the introduction text was taken verbatim from A large part of the introduction text was taken verbatim from
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Part of the Traffic Selector description is Quigley and J. Lu.
reproduced from [RFC7296].
8. References 7. References
8.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
8.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[draft-jml-ipsec-ikev2-security-label] [draft-jml-ipsec-ikev2-security-label]
Latten, J., Quigley, D., and J. Lu, "Security Label Latten, J., Quigley, D., and J. Lu, "Security Label
Extension to IKE", draft-wouters-edns-tcp-keeaplive (work Extension to IKE", draft-wouters-edns-tcp-keeaplive (work
in progress), January 2011. in progress), January 2011.
[FIPS188] NIST, "National Institute of Standards and Technology, [FIPS188] NIST, "National Institute of Standards and Technology,
"Standard Security Label for Information Transfer"", "Standard Security Label for Information Transfer"",
Federal Information Processing Standard (FIPS) Publication Federal Information Processing Standard (FIPS) Publication
188, September 1994. 188, September 1994.
 End of changes. 36 change blocks. 
159 lines changed or deleted 186 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/