draft-ietf-ipsecme-labeled-ipsec-01.txt   draft-ietf-ipsecme-labeled-ipsec-02.txt 
Network P. Wouters Network P. Wouters
Internet-Draft Red Hat Internet-Draft S. Prasad
Updates: 7296 (if approved) S. Prasad Updates: 7296 (if approved) Red Hat
Intended status: Standards Track Technical University of Munich Intended status: Standards Track November 4, 2019
Expires: January 9, 2020 July 8, 2019 Expires: May 7, 2020
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-01 draft-ietf-ipsecme-labeled-ipsec-02
Abstract Abstract
This document defines a new Traffic Selector (TS) Type for Internet This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD). Security Labels for IPsec are also Security Policy Database (SPD). Security Labels for IPsec are also
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
consists of a variable length opaque field specifying the security consists of a variable length opaque field specifying the security
label. This document updates the IKEv2 TS negotiation specified in label. This document updates the IKEv2 TS negotiation specified in
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2020. This Internet-Draft will expire on May 7, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 3 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 3
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 5 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . 7
7.2. Informative References . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security label. A security label is comprised of a set of security
attributes. The security labels along with a system authorization attributes. The security labels along with a system authorization
policy determine access. Rules within the system authorization policy determine access. Rules within the system authorization
policy determine whether the access will be granted based on the policy determine whether the access will be granted based on the
skipping to change at page 3, line 45 skipping to change at page 3, line 45
Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP
network 198.51.100.0/24 covering all ports, is denoted as (17, 0, network 198.51.100.0/24 covering all ports, is denoted as (17, 0,
198.51.100.0-198.51.100.255) 198.51.100.0-198.51.100.255)
A Traffic Selector payload (TS) is a set of one or more Traffic A Traffic Selector payload (TS) is a set of one or more Traffic
Selectors of the same or different TS_TYPEs, but MUST include at Selectors of the same or different TS_TYPEs, but MUST include at
least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For
example, the above Traffic Selector by itself in a TS payload is example, the above Traffic Selector by itself in a TS payload is
denotated as TS((17, 0, 198.51.100.0-198.51.100.255)) denotated as TS((17, 0, 198.51.100.0-198.51.100.255))
1.3. Traffic Selector update
The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296] and states that the TSi/TSr payloads MUST contain at least
one Traffic Selector type. This document updates the text to mean
that the TSi/TSr payloads MUST contain at least one Traffic Selector
of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic
Selector types can be defined that are complimentary to these Traffic
Selector Types and cannot be selected on their own without
TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. The below defined
TS_SECLABEL Traffic Selector Type is an example of this.
2. TS_SECLABEL Traffic Selector Type 2. TS_SECLABEL Traffic Selector Type
This document defines a new TS Type, TS_SECLABEL that contains a This document defines a new TS Type, TS_SECLABEL that contains a
single new opaque Security Label. single new opaque Security Label.
2.1. TS_SECLABEL payload format 2.1. TS_SECLABEL payload format
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
skipping to change at page 4, line 35 skipping to change at page 4, line 44
o Selector Length (2 octets, unsigned integer) - Specifies the o Selector Length (2 octets, unsigned integer) - Specifies the
length of this Traffic Selector substructure including the header. length of this Traffic Selector substructure including the header.
o Security Label - An opaque byte stream of at least one octet. o Security Label - An opaque byte stream of at least one octet.
2.2. TS_SECLABEL properties 2.2. TS_SECLABEL properties
The TS_SECLABEL Traffic Selector Type does not support narrowing or The TS_SECLABEL Traffic Selector Type does not support narrowing or
wildcards. It MUST be used as an exact match value. wildcards. It MUST be used as an exact match value.
If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic
Selector of type TS_IPV4_ADDR_RANGE or TS_IPV4_ADDR_RANGE MUST also
be present in that TSi/TSr.
The Security Label contents are opague to the IKE implementation. The Security Label contents are opague to the IKE implementation.
That is, the IKE implementation might not have any knowledge of the That is, the IKE implementation might not have any knowledge of the
meaning of this selector, other than as a type and opaque value to meaning of this selector, other than as a type and opaque value to
pass to the SPD. pass to the SPD.
A zero length Security Label MUST NOT be used. If a received TS A zero length Security Label MUST NOT be used. If a received TS
payload contains a TS_TYPE of TS_SECLABEL with a zero length Security payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
Label, that specific Traffic Selector MUST be ignored. If no other Label, that specific Traffic Selector MUST be ignored. If no other
Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label. Security Label MUST NOT be interpreted as a wildcard security label.
If multiple Security Labels are allowed for a given IP protocol, If multiple Security Labels are allowed for a given IP protocol,
start and end address/port match, multiple TS_SECLABEL can be start and end address/port match, multiple TS_SECLABEL can be
included in a TS payload. included in a TS payload.
If the Security Label traffic selector is optional from a If the Security Label traffic selector is optional from a
configuration point of view, the initiator will have to choose which configuration point of view, the initiator will have to choose which
TS payload to attempt first. If it includes the Security Label and TS payload to attempt first. If it includes the Security Label and
receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation
without that Security Label . without that Security Label.
A responder that selected a TS with TS_SECLABEL MUST use the Security A responder that selected a TS with TS_SECLABEL MUST use the Security
Label for all selector operations on the resulting IPsec SA. It MUST Label for all selector operations on the resulting IPsec SA. It MUST
NOT select a TS_set with a TS_SECLABEL without using the specified NOT select a TS_set with a TS_SECLABEL without using the specified
Security Label, even if it deems the Security Label optional, as the Security Label, even if it deems the Security Label optional, as the
initiator TS_set with TS_SECLABEL means the initiator mandates using initiator TS_set with TS_SECLABEL means the initiator mandates using
that Security Label. that Security Label.
3. Traffic Selector negotiation 3. Traffic Selector negotiation
skipping to change at page 8, line 27 skipping to change at page 8, line 34
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
Authors' Addresses Authors' Addresses
Paul Wouters Paul Wouters
Red Hat Red Hat
Email: pwouters@redhat.com Email: pwouters@redhat.com
Sahana Prasad Sahana Prasad
Technical University of Munich Red Hat
Email: sahana.prasad07@gmail.com Email: sahana@redhat.com
 End of changes. 11 change blocks. 
11 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/