--- 1/draft-ietf-ipsecme-labeled-ipsec-01.txt 2019-11-04 12:13:24.798973479 -0800 +++ 2/draft-ietf-ipsecme-labeled-ipsec-02.txt 2019-11-04 12:13:24.818973987 -0800 @@ -1,19 +1,19 @@ Network P. Wouters -Internet-Draft Red Hat -Updates: 7296 (if approved) S. Prasad -Intended status: Standards Track Technical University of Munich -Expires: January 9, 2020 July 8, 2019 +Internet-Draft S. Prasad +Updates: 7296 (if approved) Red Hat +Intended status: Standards Track November 4, 2019 +Expires: May 7, 2020 Labeled IPsec Traffic Selector support for IKEv2 - draft-ietf-ipsecme-labeled-ipsec-01 + draft-ietf-ipsecme-labeled-ipsec-02 Abstract This document defines a new Traffic Selector (TS) Type for Internet Key Exchange version 2 to add support for negotiating Mandatory Access Control (MAC) security labels as a traffic selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TS type is TS_SECLABEL, which consists of a variable length opaque field specifying the security label. This document updates the IKEv2 TS negotiation specified in 
@@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 9, 2020. + This Internet-Draft will expire on May 7, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -49,32 +49,33 @@ to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 - 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 3 + 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 3 + 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 - 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 5 + 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 - 7.2. Informative References . . . . . . . . . . . . . . . . . 7 + 7.2. Informative References . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security attributes. The security labels along with a system authorization policy determine access. Rules within the system authorization policy determine whether the access will be granted based on the 
@@ -127,20 +128,32 @@ Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP network 198.51.100.0/24 covering all ports, is denoted as (17, 0, 198.51.100.0-198.51.100.255) A Traffic Selector payload (TS) is a set of one or more Traffic Selectors of the same or different TS_TYPEs, but MUST include at least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For example, the above Traffic Selector by itself in a TS payload is denotated as TS((17, 0, 198.51.100.0-198.51.100.255)) +1.3. Traffic Selector update + + The negotiation of Traffic Selectors is specified in Section 2.9 of + [RFC7296] and states that the TSi/TSr payloads MUST contain at least + one Traffic Selector type. This document updates the text to mean + that the TSi/TSr payloads MUST contain at least one Traffic Selector + of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic + Selector types can be defined that are complimentary to these Traffic + Selector Types and cannot be selected on their own without + TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. The below defined + TS_SECLABEL Traffic Selector Type is an example of this. + 2. TS_SECLABEL Traffic Selector Type This document defines a new TS Type, TS_SECLABEL that contains a single new opaque Security Label. 2.1. TS_SECLABEL payload format 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ 
@@ -162,20 +175,24 @@ o Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header. o Security Label - An opaque byte stream of at least one octet. 2.2. TS_SECLABEL properties The TS_SECLABEL Traffic Selector Type does not support narrowing or wildcards. It MUST be used as an exact match value. + If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic + Selector of type TS_IPV4_ADDR_RANGE or TS_IPV4_ADDR_RANGE MUST also + be present in that TSi/TSr. + The Security Label contents are opague to the IKE implementation. That is, the IKE implementation might not have any knowledge of the meaning of this selector, other than as a type and opaque value to pass to the SPD. A zero length Security Label MUST NOT be used. If a received TS payload contains a TS_TYPE of TS_SECLABEL with a zero length Security Label, that specific Traffic Selector MUST be ignored. If no other Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length @@ -336,13 +353,13 @@ . Authors' Addresses Paul Wouters Red Hat Email: pwouters@redhat.com Sahana Prasad - Technical University of Munich + Red Hat - Email: sahana.prasad07@gmail.com + Email: sahana@redhat.com
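Review bot: in the hunk @@ -127,20 +128,32 @@ (new Section 1.3), "complimentary" should be "complementary": the point is that TS types such as TS_SECLABEL complete an address-range selector rather than stand on their own. The closing sentence "The below defined TS_SECLABEL Traffic Selector Type is an example of this." also reads awkwardly; suggest "The TS_SECLABEL Traffic Selector Type defined in Section 2 is one such type." Since the unchanged Section 1.2 text above already says a TS payload "MUST include at least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE" and the requirement is repeated again in Section 2.2, consider making this Section 1.3 paragraph the single normative statement (it is the one framed as the update to RFC 7296) and have the other two refer to it, so the copies cannot drift apart in later revisions. While here, the context line "in a TS payload is denotated as" has "denotated" for "denoted".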
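Review bot: the new MUST in the hunk @@ -162,20 +175,24 @@ (Section 2.2) names the same type twice, "TS_IPV4_ADDR_RANGE or TS_IPV4_ADDR_RANGE"; the second should be TS_IPV6_ADDR_RANGE, matching Sections 1.2 and 1.3. As written, a literal reading forbids TS_SECLABEL in an IPv6-only TSi/TSr, which is clearly not intended. Suggested line:
+ Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also
Also, the unchanged context line immediately below, "The Security Label contents are opague to the IKE implementation.", has "opague" for "opaque"; worth fixing in the same revision.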