draft-ietf-ipsecme-labeled-ipsec-04.txt | draft-ietf-ipsecme-labeled-ipsec-05.txt | |||
---|---|---|---|---|
Network P. Wouters | Network P. Wouters | |||
Internet-Draft S. Prasad | Internet-Draft Aiven | |||
Updates: 7296 (if approved) Red Hat | Updates: 7296 (if approved) S. Prasad | |||
Intended status: Standards Track October 30, 2020 | Intended status: Standards Track Red Hat | |||
Expires: May 3, 2021 | Expires: 5 November 2021 4 May 2021 | |||
Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
draft-ietf-ipsecme-labeled-ipsec-04 | draft-ietf-ipsecme-labeled-ipsec-05 | |||
Abstract | Abstract | |||
This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on May 3, 2021. | This Internet-Draft will expire on 5 November 2021. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
(https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
to this document. Code Components extracted from this document must | extracted from this document must include Simplified BSD License text | |||
include Simplified BSD License text as described in Section 4.e of | as described in Section 4.e of the Trust Legal Provisions and are | |||
the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Simplified BSD License. | |||
described in the Simplified BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | |||
1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 | 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 | |||
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | |||
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | |||
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | |||
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | |||
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | |||
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | |||
6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
1. Introduction | 1. Introduction | |||
In computer security, Mandatory Access Control usually refers to | In computer security, Mandatory Access Control usually refers to | |||
systems in which all subjects and objects are assigned a security | systems in which all subjects and objects are assigned a security | |||
label. A security label is comprised of a set of security | label. A security label is comprised of a set of security | |||
skipping to change at page 4, line 34 ¶ | skipping to change at page 4, line 34 ¶ | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+---------------+---------------+-------------------------------+ | +---------------+---------------+-------------------------------+ | |||
| TS Type | Reserved | Selector Length | | | TS Type | Reserved | Selector Length | | |||
+---------------+---------------+-------------------------------+ | +---------------+---------------+-------------------------------+ | |||
| | | | | | |||
~ Security Label* ~ | ~ Security Label* ~ | |||
| | | | | | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
Figure 1: Labeled IPsec Traffic Selector | Figure 1: Labeled IPsec Traffic Selector | |||
*Note: All fields other than TS Type and Selector Length depend on | *Note: All fields other than TS Type and Selector Length depend on | |||
the TS Type. The fields shown is for TS Type TS_SECLABEL, the | the TS Type. The fields shown is for TS Type TS_SECLABEL, the | |||
selector this document defines. | selector this document defines. | |||
o TS Type (one octet) - Set to [TBD] for TS_SECLABEL, | * TS Type (one octet) - Set to [TBD] for TS_SECLABEL, | |||
o Selector Length (2 octets, unsigned integer) - Specifies the | * Selector Length (2 octets, unsigned integer) - Specifies the | |||
length of this Traffic Selector substructure including the header. | length of this Traffic Selector substructure including the header. | |||
o Security Label - An opaque byte stream of at least one octet. | * Security Label - An opaque byte stream of at least one octet. | |||
2.2. TS_SECLABEL properties | 2.2. TS_SECLABEL properties | |||
The TS_SECLABEL Traffic Selector Type does not support narrowing or | The TS_SECLABEL Traffic Selector Type does not support narrowing or | |||
wildcards. It MUST be used as an exact match value. | wildcards. It MUST be used as an exact match value. | |||
If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | |||
Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also | Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also | |||
be present in that TSi/TSr. | be present in that TSi/TSr. | |||
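Review bot: the note under Figure 1, "The fields shown is for TS Type TS_SECLABEL", is ungrammatical in both columns and should read "The fields shown are for". The field bullets also never state the minimum Selector Length: with a 4-octet header (TS Type, Reserved, Selector Length) and a Security Label of at least one octet, a conforming TS_SECLABEL substructure is at least 5 octets, and saying so explicitly gives an implementation a concrete bound to check before it reads the label bytes. The change of bullet markers from "o" to "*" appears to be a rendering change only, with no change in content.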
skipping to change at page 7, line 46 ¶ | skipping to change at page 7, line 46 ¶ | |||
5. IANA Considerations | 5. IANA Considerations | |||
This document defines two new entries in the IKEv2 Traffic Selector | This document defines two new entries in the IKEv2 Traffic Selector | |||
Types registry: | Types registry: | |||
Value TS Type Reference | Value TS Type Reference | |||
----- --------------------------- ----------------- | ----- --------------------------- ----------------- | |||
TBD TS_SECLABEL [this document] | TBD TS_SECLABEL [this document] | |||
Figure 4 | Figure 4 | |||
6. Implementation Status | 6. Implementation Status | |||
[Note to RFC Editor: Please remove this section and the reference to | [Note to RFC Editor: Please remove this section and the reference to | |||
[RFC6982] before publication.] | [RFC6982] before publication.] | |||
This section records the status of known implementations of the | This section records the status of known implementations of the | |||
protocol defined by this specification at the time of posting of this | protocol defined by this specification at the time of posting of this | |||
Internet-Draft, and is based on a proposal described in [RFC7942]. | Internet-Draft, and is based on a proposal described in [RFC7942]. | |||
The description of implementations in this section is intended to | The description of implementations in this section is intended to | |||
assist the IETF in its decision processes in progressing drafts to | assist the IETF in its decision processes in progressing drafts to | |||
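Review bot: Section 5 says "This document defines two new entries" but the registry table lists a single row, TBD / TS_SECLABEL, so either the count should be "one" or a second entry is missing. In Section 6, the Note to the RFC Editor asks for removal of "the reference to [RFC6982]", while the paragraph that follows says the section is based on [RFC7942]; the note should name the reference the section actually relies on.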
skipping to change at page 8, line 30 ¶ | skipping to change at page 8, line 30 ¶ | |||
and feedback that have made the implemented protocols more mature. | and feedback that have made the implemented protocols more mature. | |||
It is up to the individual working groups to use this information as | It is up to the individual working groups to use this information as | |||
they see fit". | they see fit". | |||
Authors are requested to add a note to the RFC Editor at the top of | Authors are requested to add a note to the RFC Editor at the top of | |||
this section, advising the Editor to remove the entire section before | this section, advising the Editor to remove the entire section before | |||
publication, as well as the reference to [RFC7942]. | publication, as well as the reference to [RFC7942]. | |||
6.1. Libreswan | 6.1. Libreswan | |||
Organization: The Libreswan Project | Organization: The Libreswan Project | |||
Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ | Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ | |||
Description: A Proof of Concept branch is available for interop | Description: Implementation has been released as part of libreswan | |||
testing. | version 4.4. | |||
Level of maturity: Alpha | Level of maturity: beta | |||
Coverage: Implements the entire draft using SElinux based labels | Coverage: Implements the entire draft using SElinux based labels | |||
Licensing: GPLv2 | Licensing: GPLv2 | |||
Implementation experience: TBD | Implementation experience: No interop testing has been done yet. | |||
The code works as proof of concept, but is not yet production | ||||
ready when using multiple different labels with on-demand kernel | ||||
ACQUIRES. | ||||
Contact: Libreswan Development: swan-dev@libreswan.org | Contact: Libreswan Development: swan-dev@libreswan.org | |||
7. Acknowledgements | 7. Acknowledgements | |||
A large part of the introduction text was taken verbatim from | A large part of the introduction text was taken verbatim from | |||
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | |||
Quigley and J. Lu. | Quigley and J. Lu. | |||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
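Review bot: in the Libreswan entry, "SElinux" in the Coverage line should be "SELinux" in both columns. The -05 column raises Level of maturity from "Alpha" to "beta" while the new Implementation experience text states that no interop testing has been done and that the code "is not yet production ready when using multiple different labels with on-demand kernel ACQUIRES"; either the maturity level or that text should be adjusted so the two agree.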
skipping to change at page 9, line 27 ¶ | skipping to change at page 9, line 33 ¶ | |||
2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
8.2. Informative References | 8.2. Informative References | |||
[draft-jml-ipsec-ikev2-security-label] | [draft-jml-ipsec-ikev2-security-label] | |||
Latten, J., Quigley, D., and J. Lu, "Security Label | Latten, J., Quigley, D., and J. Lu, "Security Label | |||
Extension to IKE", draft-wouters-edns-tcp-keeaplive (work | Extension to IKE", 28 January 2011. | |||
in progress), January 2011. | ||||
[FIPS188] NIST, "National Institute of Standards and Technology, | [FIPS188] NIST, "National Institute of Standards and Technology, | |||
"Standard Security Label for Information Transfer"", | "Standard Security Label for Information Transfer"", | |||
Federal Information Processing Standard (FIPS) Publication | Federal Information Processing Standard (FIPS) Publication | |||
188, September 1994. | 188, September 1994, | |||
<https://csrc.nist.gov/publications/detail/fips/188/ | ||||
archive/1994-09-06>. | ||||
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | |||
Architecture Label IPv6 Security Option (CALIPSO)", | Architecture Label IPv6 Security Option (CALIPSO)", | |||
RFC 5570, DOI 10.17487/RFC5570, July 2009, | RFC 5570, DOI 10.17487/RFC5570, July 2009, | |||
<https://www.rfc-editor.org/info/rfc5570>. | <https://www.rfc-editor.org/info/rfc5570>. | |||
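Review bot: the -04 entry for [draft-jml-ipsec-ikev2-security-label] cited "draft-wouters-edns-tcp-keeaplive", an unrelated draft name; -05 removes that name but leaves the entry with no draft filename at all, so consider adding the correct one, which the reference anchor itself suggests is draft-jml-ipsec-ikev2-security-label. The [FIPS188] entry also carries doubled quotation marks, NIST, "National Institute of Standards and Technology, "Standard Security Label for Information Transfer"", in both columns; the author should be NIST with a single quoted title.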
skipping to change at page 10, line 8 ¶ | skipping to change at page 10, line 18 ¶ | |||
<https://www.rfc-editor.org/info/rfc6982>. | <https://www.rfc-editor.org/info/rfc6982>. | |||
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | |||
Code: The Implementation Status Section", BCP 205, | Code: The Implementation Status Section", BCP 205, | |||
RFC 7942, DOI 10.17487/RFC7942, July 2016, | RFC 7942, DOI 10.17487/RFC7942, July 2016, | |||
<https://www.rfc-editor.org/info/rfc7942>. | <https://www.rfc-editor.org/info/rfc7942>. | |||
Authors' Addresses | Authors' Addresses | |||
Paul Wouters | Paul Wouters | |||
Red Hat | Aiven | |||
Email: pwouters@redhat.com | Email: paul.wouters@aiven.io | |||
Sahana Prasad | Sahana Prasad | |||
Red Hat | Red Hat | |||
Email: sahana@redhat.com | Email: sahana@redhat.com | |||
End of changes. 23 change blocks. | ||||
35 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |