draft-ietf-ipsecme-labeled-ipsec-01.txt | draft-ietf-ipsecme-labeled-ipsec-02.txt | |||
---|---|---|---|---|
Network P. Wouters | Network P. Wouters | |||
Internet-Draft Red Hat | Internet-Draft S. Prasad | |||
Updates: 7296 (if approved) S. Prasad | Updates: 7296 (if approved) Red Hat | |||
Intended status: Standards Track Technical University of Munich | Intended status: Standards Track November 4, 2019 | |||
Expires: January 9, 2020 July 8, 2019 | Expires: May 7, 2020 | |||
Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
draft-ietf-ipsecme-labeled-ipsec-01 | draft-ietf-ipsecme-labeled-ipsec-02 | |||
Abstract | Abstract | |||
This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on January 9, 2020. | This Internet-Draft will expire on May 7, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | |||
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 3 | 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 3 | |||
 | 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | |||
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | |||
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | |||
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | |||
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 5 | 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | |||
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 7 | 7.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
1. Introduction | 1. Introduction | |||
In computer security, Mandatory Access Control usually refers to | In computer security, Mandatory Access Control usually refers to | |||
systems in which all subjects and objects are assigned a security | systems in which all subjects and objects are assigned a security | |||
label. A security label is comprised of a set of security | label. A security label is comprised of a set of security | |||
attributes. The security labels along with a system authorization | attributes. The security labels along with a system authorization | |||
policy determine access. Rules within the system authorization | policy determine access. Rules within the system authorization | |||
policy determine whether the access will be granted based on the | policy determine whether the access will be granted based on the | |||
skipping to change at page 3, line 45 ¶ | skipping to change at page 3, line 45 ¶ | |||
Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP | Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP | |||
network 198.51.100.0/24 covering all ports, is denoted as (17, 0, | network 198.51.100.0/24 covering all ports, is denoted as (17, 0, | |||
198.51.100.0-198.51.100.255) | 198.51.100.0-198.51.100.255) | |||
A Traffic Selector payload (TS) is a set of one or more Traffic | A Traffic Selector payload (TS) is a set of one or more Traffic | |||
Selectors of the same or different TS_TYPEs, but MUST include at | Selectors of the same or different TS_TYPEs, but MUST include at | |||
least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For | least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For | |||
example, the above Traffic Selector by itself in a TS payload is | example, the above Traffic Selector by itself in a TS payload is | |||
denoted as TS((17, 0, 198.51.100.0-198.51.100.255)) | denoted as TS((17, 0, 198.51.100.0-198.51.100.255)) | |||
 | 1.3. Traffic Selector update | |||
 | The negotiation of Traffic Selectors is specified in Section 2.9 of | |||
 | [RFC7296] and states that the TSi/TSr payloads MUST contain at least | |||
 | one Traffic Selector type. This document updates the text to mean | |||
 | that the TSi/TSr payloads MUST contain at least one Traffic Selector | |||
 | of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic | |||
 | Selector types can be defined that are complementary to these Traffic | |||
 | Selector Types and cannot be selected on their own without | |||
 | TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. The below defined | |||
 | TS_SECLABEL Traffic Selector Type is an example of this. | |||
2. TS_SECLABEL Traffic Selector Type | 2. TS_SECLABEL Traffic Selector Type | |||
This document defines a new TS Type, TS_SECLABEL that contains a | This document defines a new TS Type, TS_SECLABEL that contains a | |||
single new opaque Security Label. | single new opaque Security Label. | |||
2.1. TS_SECLABEL payload format | 2.1. TS_SECLABEL payload format | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+---------------+---------------+-------------------------------+ | +---------------+---------------+-------------------------------+ | |||
skipping to change at page 4, line 35 ¶ | skipping to change at page 4, line 44 ¶ | |||
o Selector Length (2 octets, unsigned integer) - Specifies the | o Selector Length (2 octets, unsigned integer) - Specifies the | |||
length of this Traffic Selector substructure including the header. | length of this Traffic Selector substructure including the header. | |||
o Security Label - An opaque byte stream of at least one octet. | o Security Label - An opaque byte stream of at least one octet. | |||
2.2. TS_SECLABEL properties | 2.2. TS_SECLABEL properties | |||
The TS_SECLABEL Traffic Selector Type does not support narrowing or | The TS_SECLABEL Traffic Selector Type does not support narrowing or | |||
wildcards. It MUST be used as an exact match value. | wildcards. It MUST be used as an exact match value. | |||
 | If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | |||
 | Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also | |||
 | be present in that TSi/TSr. | |||
The Security Label contents are opaque to the IKE implementation. | The Security Label contents are opaque to the IKE implementation. | |||
That is, the IKE implementation might not have any knowledge of the | That is, the IKE implementation might not have any knowledge of the | |||
meaning of this selector, other than as a type and opaque value to | meaning of this selector, other than as a type and opaque value to | |||
pass to the SPD. | pass to the SPD. | |||
A zero length Security Label MUST NOT be used. If a received TS | A zero length Security Label MUST NOT be used. If a received TS | |||
payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | |||
Label, that specific Traffic Selector MUST be ignored. If no other | Label, that specific Traffic Selector MUST be ignored. If no other | |||
Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | |||
TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | |||
Security Label MUST NOT be interpreted as a wildcard security label. | Security Label MUST NOT be interpreted as a wildcard security label. | |||
If multiple Security Labels are allowed for a given IP protocol, | If multiple Security Labels are allowed for a given IP protocol, | |||
start and end address/port match, multiple TS_SECLABEL can be | start and end address/port match, multiple TS_SECLABEL can be | |||
included in a TS payload. | included in a TS payload. | |||
If the Security Label traffic selector is optional from a | If the Security Label traffic selector is optional from a | |||
configuration point of view, the initiator will have to choose which | configuration point of view, the initiator will have to choose which | |||
TS payload to attempt first. If it includes the Security Label and | TS payload to attempt first. If it includes the Security Label and | |||
receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation | receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation | |||
without that Security Label. | without that Security Label. | |||
A responder that selected a TS with TS_SECLABEL MUST use the Security | A responder that selected a TS with TS_SECLABEL MUST use the Security | |||
Label for all selector operations on the resulting IPsec SA. It MUST | Label for all selector operations on the resulting IPsec SA. It MUST | |||
NOT select a TS_set with a TS_SECLABEL without using the specified | NOT select a TS_set with a TS_SECLABEL without using the specified | |||
Security Label, even if it deems the Security Label optional, as the | Security Label, even if it deems the Security Label optional, as the | |||
initiator TS_set with TS_SECLABEL means the initiator mandates using | initiator TS_set with TS_SECLABEL means the initiator mandates using | |||
that Security Label. | that Security Label. | |||
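The following Python is an added example written for this page; it is not code from the draft, from RFC 7296, or from any IKEv2 implementation. It puts the rules of Sections 1.2, 1.3, 2.1 and 2.2 into one runnable place: encoding the TS_SECLABEL substructure (a 4-octet header of TS Type, one octet that this example assumes is Reserved and sends as zero because the page elides that field, and Selector Length, followed by the opaque label), parsing a TSi/TSr body that mixes address-range selectors with labels, and the responder's choice: exact match only, zero-length labels ignored rather than treated as wildcards, TS_UNACCEPTABLE when no label can be selected, and a TS_SECLABEL rejected when no TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE accompanies it. The TS_SECLABEL code point (10), the SELinux-style sample label, and the helper names are assumptions of this example, not values from the draft.

```python
"""Added example for draft-ietf-ipsecme-labeled-ipsec-02: TS_SECLABEL encoding,
TS payload parsing and responder-side selection. Not the draft's own code;
the TS_SECLABEL code point, the sample label and the helper names are assumed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address

# TS_TYPE code points from RFC 7296 Section 3.13.1. The draft leaves the
# TS_SECLABEL value to IANA, so 10 is a placeholder assumed for this example.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
TS_SECLABEL = 10
TS_UNACCEPTABLE = "TS_UNACCEPTABLE"   # RFC 7296 error Notify, used as a sentinel here


@dataclass(frozen=True)
class AddrRange:
    """(proto, start_port-end_port, start_addr-end_addr), the draft's Section 1.2 notation."""
    proto: int
    start_port: int
    end_port: int
    start_addr: object
    end_addr: object


@dataclass(frozen=True)
class SecLabel:
    """Opaque label as received; b"" records a zero-length label that was on the wire."""
    label: bytes


def encode_addr_range(ts):
    """TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE substructure (RFC 7296 Section 3.13.1)."""
    ts_type = TS_IPV4_ADDR_RANGE if ts.start_addr.version == 4 else TS_IPV6_ADDR_RANGE
    addrs = ts.start_addr.packed + ts.end_addr.packed
    return struct.pack("!BBHHH", ts_type, ts.proto, 8 + len(addrs),
                       ts.start_port, ts.end_port) + addrs


def encode_seclabel(label):
    """TS_SECLABEL substructure: TS Type, one octet assumed Reserved (sent as 0),
    Selector Length counting the 4-octet header, then the opaque label."""
    if not label:
        raise ValueError("a zero-length Security Label MUST NOT be used")
    return struct.pack("!BBH", TS_SECLABEL, 0, 4 + len(label)) + bytes(label)


def decode_ts_payload(data):
    """Walk the concatenated Traffic Selector substructures of one TSi/TSr body."""
    selectors, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated Traffic Selector header")
        ts_type, octet1, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("Selector Length points outside the payload")
        body = data[off + 4:off + length]
        if ts_type in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE):
            alen = 4 if ts_type == TS_IPV4_ADDR_RANGE else 16
            if len(body) != 4 + 2 * alen:
                raise ValueError("address range selector has the wrong length")
            start_port, end_port = struct.unpack_from("!HH", body)
            selectors.append(AddrRange(octet1, start_port, end_port,
                                       ip_address(body[4:4 + alen]),
                                       ip_address(body[4 + alen:])))
        elif ts_type == TS_SECLABEL:
            selectors.append(SecLabel(bytes(body)))   # never interpreted by IKE
        # any other TS type is left to its own parser
        off += length
    return selectors


def responder_select(selectors, allowed_labels):
    """Responder choice per Section 2.2. Returns the label to bind to the Child SA,
    None when no TS_SECLABEL was offered, or TS_UNACCEPTABLE."""
    ranges = [s for s in selectors if isinstance(s, AddrRange)]
    labels = [s for s in selectors if isinstance(s, SecLabel)]
    if labels and not ranges:
        raise ValueError("TS_SECLABEL needs a TS_IPV4_ADDR_RANGE or "
                         "TS_IPV6_ADDR_RANGE in the same TS")
    if not labels:
        return None
    # Zero-length labels are ignored, never treated as wildcards. The rest must
    # match exactly: no narrowing, no prefix or substring matching. Once a TS with a
    # label is picked, the responder commits to that label even if it deems it optional.
    for cand in labels:
        if cand.label and cand.label in allowed_labels:
            return cand.label
    return TS_UNACCEPTABLE


def retry_without_label(selectors):
    """Initiator fallback after TS_UNACCEPTABLE: same address ranges, no TS_SECLABEL."""
    return [s for s in selectors if not isinstance(s, SecLabel)]


# Constructed sample: the draft's UDP, all-ports, 198.51.100.0/24 selector plus one
# SELinux-style context string (an assumed label; the draft prescribes no format).
SAMPLE_RANGE = AddrRange(17, 0, 65535, ip_address("198.51.100.0"), ip_address("198.51.100.255"))
SAMPLE_LABEL = b"system_u:object_r:ipsec_spd_t:s0"
SAMPLE_TSI = encode_addr_range(SAMPLE_RANGE) + encode_seclabel(SAMPLE_LABEL)
```

The label is carried as raw bytes end to end and compared only for byte equality, which is the behaviour the draft asks for: the IKE daemon has no knowledge of what the label means and hands it to the SPD as a type plus opaque value. A zero-length label on the wire is kept as `SecLabel(b"")` rather than dropped during parsing so that the responder can still tell "a label was offered but none is usable" (TS_UNACCEPTABLE) apart from "no label was offered at all" (a plain, unlabeled Child SA).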
3. Traffic Selector negotiation | 3. Traffic Selector negotiation | |||
skipping to change at page 8, line 27 ¶ | skipping to change at page 8, line 34 ¶ | |||
<https://www.rfc-editor.org/info/rfc5570>. | <https://www.rfc-editor.org/info/rfc5570>. | |||
Authors' Addresses | Authors' Addresses | |||
Paul Wouters | Paul Wouters | |||
Red Hat | Red Hat | |||
Email: pwouters@redhat.com | Email: pwouters@redhat.com | |||
Sahana Prasad | Sahana Prasad | |||
Technical University of Munich | Red Hat | |||
Email: sahana.prasad07@gmail.com | Email: sahana@redhat.com | |||
End of changes. 11 change blocks. | ||||
11 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |