draft-ietf-ipsecme-labeled-ipsec-03.txt   draft-ietf-ipsecme-labeled-ipsec-04.txt 
Network P. Wouters Network P. Wouters
Internet-Draft S. Prasad Internet-Draft S. Prasad
Updates: 7296 (if approved) Red Hat Updates: 7296 (if approved) Red Hat
Intended status: Standards Track July 13, 2020 Intended status: Standards Track October 30, 2020
Expires: January 14, 2021 Expires: May 3, 2021
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-03 draft-ietf-ipsecme-labeled-ipsec-04
Abstract Abstract
This document defines a new Traffic Selector (TS) Type for Internet This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD). Security Labels for IPsec are also Security Policy Database (SPD). Security Labels for IPsec are also
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
consists of a variable length opaque field specifying the security consists of a variable length opaque field specifying the security
label. This document updates the IKEv2 TS negotiation specified in label. This document updates the IKEv2 TS negotiation specified in
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 14, 2021. This Internet-Draft will expire on May 3, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3
1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 3 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security label. A security label is comprised of a set of security
attributes. The security labels along with a system authorization attributes. The security labels along with a system authorization
policy determine access. Rules within the system authorization policy determine access. Rules within the system authorization
policy determine whether the access will be granted based on the policy determine whether the access will be granted based on the
security attributes of the subject and object. security attributes of the subject and object.
skipping to change at page 3, line 19 skipping to change at page 3, line 23
selectors for the Security Policy Database (SPD) to further restrict selectors for the Security Policy Database (SPD) to further restrict
the type of traffic allowed to be sent and received over the IPsec the type of traffic allowed to be sent and received over the IPsec
SA. SA.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
captials, as shown here. capitals, as shown here.
1.2. Traffic Selector clarification 1.2. Traffic Selector clarification
The negotiation of Traffic Selectors is specified in Section 2.9 of The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and
TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is
specified in Section 3.13 of [RFC7296]. However, the term Traffic specified in Section 3.13 of [RFC7296]. However, the term Traffic
Selector is used to denote the traffic selector payloads and Selector is used to denote the traffic selector payloads and
individual traffic selectors of that payload. Sometimes the exact individual traffic selectors of that payload. Sometimes the exact
meaning can only be learned from context or if the item is written in meaning can only be learned from context or if the item is written in
skipping to change at page 3, line 43 skipping to change at page 3, line 47
A Traffic Selector (no acronym) is one selector for traffic of a A Traffic Selector (no acronym) is one selector for traffic of a
specific Traffic Selector Type (TS_TYPE). For example a Traffic specific Traffic Selector Type (TS_TYPE). For example a Traffic
Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP
network 198.51.100.0/24 covering all ports, is denoted as (17, 0, network 198.51.100.0/24 covering all ports, is denoted as (17, 0,
198.51.100.0-198.51.100.255) 198.51.100.0-198.51.100.255)
A Traffic Selector payload (TS) is a set of one or more Traffic A Traffic Selector payload (TS) is a set of one or more Traffic
Selectors of the same or different TS_TYPEs, but MUST include at Selectors of the same or different TS_TYPEs, but MUST include at
least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For
example, the above Traffic Selector by itself in a TS payload is example, the above Traffic Selector by itself in a TS payload is
denotated as TS((17, 0, 198.51.100.0-198.51.100.255)) denoted as TS((17, 0, 198.51.100.0-198.51.100.255))
1.3. Traffic Selector update 1.3. Traffic Selector update
The negotiation of Traffic Selectors is specified in Section 2.9 of The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296] and states that the TSi/TSr payloads MUST contain at least [RFC7296] and states that the TSi/TSr payloads MUST contain at least
one Traffic Selector type. This document updates the text to mean one Traffic Selector type. This document updates the text to mean
that the TSi/TSr payloads MUST contain at least one Traffic Selector that the TSi/TSr payloads MUST contain at least one Traffic Selector
of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic
Selector types can be defined that are complimentary to these Traffic Selector types can be defined that are complimentary to these Traffic
Selector Types and cannot be selected on their own without Selector Types and cannot be selected on their own without
skipping to change at page 5, line 21 skipping to change at page 5, line 28
TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label. Security Label MUST NOT be interpreted as a wildcard security label.
If multiple Security Labels are allowed for a given IP protocol, If multiple Security Labels are allowed for a given IP protocol,
start and end address/port match, multiple TS_SECLABEL can be start and end address/port match, multiple TS_SECLABEL can be
included in a TS payload. included in a TS payload.
If the Security Label traffic selector is optional from a If the Security Label traffic selector is optional from a
configuration point of view, the initiator will have to choose which configuration point of view, the initiator will have to choose which
TS payload to attempt first. If it includes the Security Label and TS payload to attempt first. If it includes the Security Label and
receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation
without that Security Label. without that Security Label.
A responder that selected a TS with TS_SECLABEL MUST use the Security A responder that selected a TS with TS_SECLABEL MUST use the Security
Label for all selector operations on the resulting IPsec SA. It MUST Label for all selector operations on the resulting IPsec SA. It MUST
NOT select a TS_set with a TS_SECLABEL without using the specified NOT select a TS_set with a TS_SECLABEL without using the specified
Security Label, even if it deems the Security Label optional, as the Security Label, even if it deems the Security Label optional, as the
initiator TS_set with TS_SECLABEL means the initiator mandates using initiator TS_set with TS_SECLABEL means the initiator mandates using
that Security Label. that Security Label.
3. Traffic Selector negotiation 3. Traffic Selector negotiation
skipping to change at page 5, line 43 skipping to change at page 5, line 50
This document updates the [RFC7296] specification as follows: This document updates the [RFC7296] specification as follows:
Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs,
such as TS_SECLABEL. such as TS_SECLABEL.
A responder MUST create its TS response by selecting one of each A responder MUST create its TS response by selecting one of each
TS_TYPE present in the offered TS by the initiator. If it cannot TS_TYPE present in the offered TS by the initiator. If it cannot
select one of each TS_TYPE, it MUST return a TS_UNAVAILABLE Error select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error
Notify payload. Notify payload.
If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or
TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the
initiator SHOULD first try to negotiate the Child SA with the TS initiator SHOULD first try to negotiate the Child SA with the TS
payload including the optional TS_TYPE. Upon receiving payload including the optional TS_TYPE. Upon receiving
TS_UNAVAILABLE, it SHOULD attempt a new Child SA negotiation using TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using
the same TS but without the optional TS_TYPE. the same TS but without the optional TS_TYPE.
Some TS_TYPE's support narrowing, where the responder is allowed to Some TS_TYPE's support narrowing, where the responder is allowed to
select a subset of the original TS. Narrowing MUST NOT result in an select a subset of the original TS. Narrowing MUST NOT result in an
empty selector for that TS_TYPE. empty selector for that TS_TYPE.
3.1. Example TS negotiation 3.1. Example TS negotiation
An initiator could send: An initiator could send:
skipping to change at page 7, line 5 skipping to change at page 7, line 12
first Security Label first, and upon failure retry a new Child SA first Security Label first, and upon failure retry a new Child SA
negotiation with only the second Security Label. negotiation with only the second Security Label.
If different IP ranges can only use different specific Security If different IP ranges can only use different specific Security
Labels, than these should be negotiated in two different Child SA Labels, than these should be negotiated in two different Child SA
negotiations. If in the example above, the initiator only allows negotiations. If in the example above, the initiator only allows
192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2,
than it MUST NOT combine these two ranges and security labels into than it MUST NOT combine these two ranges and security labels into
one Child SA negotiation. one Child SA negotiation.
Narrowing of Traffic Selectors currenrtly only applies only to The mechanism of narrowing of Traffic Selectors with
TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE and not to TS_SECLABEL as TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to
the Security Label itself is not interpreted and cannot itself be TS_SECLABEL as the Security Label itself is not interpreted and
narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST cannot itself be narrowed. It MUST be matched exactly. Rekey of an
only use identical Traffic Selectors, which means the same TS Type IPsec SA MUST only use identical Traffic Selectors, which means the
and selectors MUST be used. This guarantees that a Security Label same TS Type and selectors MUST be used. This guarantees that a
once negotiated, remains part of the IPsec SA after a rekey. Security Label once negotiated, remains part of the IPsec SA after a
rekey.
4. Security Considerations 4. Security Considerations
It is assumed that the Security Label can be matched by the IKE It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE implementation to its own configured value, even if the IKE
implemention itself cannot interpret the Security Label value. implementation itself cannot interpret the Security Label value.
A packet that matches an SPD entry for all components except the
Security Label would be treated as "not matching". If no other SPD
entries match, the (mis-labeled) traffic might end up being
transmitted in the clear. It is presumed that other Mandatory Access
Control methods are in place to prevent mis-labeled traffic from
reaching the IPsec subsystem, or that the IPsec subsystem itself
would install a REJECT/DISCARD rule in the SPD to prevent unlabeled
traffic otherwise matching a labeled security SPD rule from being
transmitted without IPsec protection.
5. IANA Considerations 5. IANA Considerations
This document defines two new entries in the IKEv2 Traffic Selector This document defines two new entries in the IKEv2 Traffic Selector
Types registry: Types registry:
Value TS Type Reference Value TS Type Reference
----- --------------------------- ----------------- ----- --------------------------- -----------------
TBD TS_SECLABEL [this document] TBD TS_SECLABEL [this document]
Figure 4 Figure 4
6. Acknowledgements 6. Implementation Status
[Note to RFC Editor: Please remove this section and the reference to
[RFC6982] before publication.]
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC7942], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
Authors are requested to add a note to the RFC Editor at the top of
this section, advising the Editor to remove the entire section before
publication, as well as the reference to [RFC7942].
6.1. Libreswan
Organization: The Libreswan Project
Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/
Description: A Proof of Concept branch is available for interop
testing.
Level of maturity: Alpha
Coverage: Implements the entire draft using SElinux based labels
Licensing: GPLv2
Implementation experience: TBD
Contact: Libreswan Development: swan-dev@libreswan.org
7. Acknowledgements
A large part of the introduction text was taken verbatim from A large part of the introduction text was taken verbatim from
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Quigley and J. Lu.
7. References 8. References
7.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References 8.2. Informative References
[draft-jml-ipsec-ikev2-security-label] [draft-jml-ipsec-ikev2-security-label]
Latten, J., Quigley, D., and J. Lu, "Security Label Latten, J., Quigley, D., and J. Lu, "Security Label
Extension to IKE", draft-wouters-edns-tcp-keeaplive (work Extension to IKE", draft-wouters-edns-tcp-keeaplive (work
in progress), January 2011. in progress), January 2011.
[FIPS188] NIST, "National Institute of Standards and Technology, [FIPS188] NIST, "National Institute of Standards and Technology,
"Standard Security Label for Information Transfer"", "Standard Security Label for Information Transfer"",
Federal Information Processing Standard (FIPS) Publication Federal Information Processing Standard (FIPS) Publication
188, September 1994. 188, September 1994.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982,
DOI 10.17487/RFC6982, July 2013,
<https://www.rfc-editor.org/info/rfc6982>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>.
Authors' Addresses Authors' Addresses
Paul Wouters Paul Wouters
Red Hat Red Hat
Email: pwouters@redhat.com Email: pwouters@redhat.com
Sahana Prasad Sahana Prasad
Red Hat Red Hat
 End of changes. 17 change blocks. 
27 lines changed or deleted 97 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/