draft-ietf-ipsecme-labeled-ipsec-04.txt   draft-ietf-ipsecme-labeled-ipsec-05.txt 
Network P. Wouters Network P. Wouters
Internet-Draft S. Prasad Internet-Draft Aiven
Updates: 7296 (if approved) Red Hat Updates: 7296 (if approved) S. Prasad
Intended status: Standards Track October 30, 2020 Intended status: Standards Track Red Hat
Expires: May 3, 2021 Expires: 5 November 2021 4 May 2021
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-04 draft-ietf-ipsecme-labeled-ipsec-05
Abstract Abstract
This document defines a new Traffic Selector (TS) Type for Internet This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD). Security Labels for IPsec are also Security Policy Database (SPD). Security Labels for IPsec are also
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
consists of a variable length opaque field specifying the security consists of a variable length opaque field specifying the security
label. This document updates the IKEv2 TS negotiation specified in label. This document updates the IKEv2 TS negotiation specified in
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2021. This Internet-Draft will expire on 5 November 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents (https://trustee.ietf.org/
(https://trustee.ietf.org/license-info) in effect on the date of license-info) in effect on the date of publication of this document.
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document. Code Components
to this document. Code Components extracted from this document must extracted from this document must include Simplified BSD License text
include Simplified BSD License text as described in Section 4.e of as described in Section 4.e of the Trust Legal Provisions and are
the Trust Legal Provisions and are provided without warranty as provided without warranty as described in the Simplified BSD License.
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3
1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7
6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security label. A security label is comprised of a set of security
skipping to change at page 4, line 34 skipping to change at page 4, line 34
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| TS Type | Reserved | Selector Length | | TS Type | Reserved | Selector Length |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
~ Security Label* ~ ~ Security Label* ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 1: Labeled IPsec Traffic Selector Figure 1: Labeled IPsec Traffic Selector
*Note: All fields other than TS Type and Selector Length depend on *Note: All fields other than TS Type and Selector Length depend on
the TS Type. The fields shown is for TS Type TS_SECLABEL, the the TS Type. The fields shown is for TS Type TS_SECLABEL, the
selector this document defines. selector this document defines.
o TS Type (one octet) - Set to [TBD] for TS_SECLABEL, * TS Type (one octet) - Set to [TBD] for TS_SECLABEL,
o Selector Length (2 octets, unsigned integer) - Specifies the * Selector Length (2 octets, unsigned integer) - Specifies the
length of this Traffic Selector substructure including the header. length of this Traffic Selector substructure including the header.
o Security Label - An opaque byte stream of at least one octet. * Security Label - An opaque byte stream of at least one octet.
2.2. TS_SECLABEL properties 2.2. TS_SECLABEL properties
The TS_SECLABEL Traffic Selector Type does not support narrowing or The TS_SECLABEL Traffic Selector Type does not support narrowing or
wildcards. It MUST be used as an exact match value. wildcards. It MUST be used as an exact match value.
If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic
Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also
be present in that TSi/TSr. be present in that TSi/TSr.
skipping to change at page 7, line 46 skipping to change at page 7, line 46
5. IANA Considerations 5. IANA Considerations
This document defines two new entries in the IKEv2 Traffic Selector This document defines two new entries in the IKEv2 Traffic Selector
Types registry: Types registry:
Value TS Type Reference Value TS Type Reference
----- --------------------------- ----------------- ----- --------------------------- -----------------
TBD TS_SECLABEL [this document] TBD TS_SECLABEL [this document]
Figure 4 Figure 4
6. Implementation Status 6. Implementation Status
[Note to RFC Editor: Please remove this section and the reference to [Note to RFC Editor: Please remove this section and the reference to
[RFC6982] before publication.] [RFC6982] before publication.]
This section records the status of known implementations of the This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942]. Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to assist the IETF in its decision processes in progressing drafts to
skipping to change at page 8, line 30 skipping to change at page 8, line 30
and feedback that have made the implemented protocols more mature. and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as It is up to the individual working groups to use this information as
they see fit". they see fit".
Authors are requested to add a note to the RFC Editor at the top of Authors are requested to add a note to the RFC Editor at the top of
this section, advising the Editor to remove the entire section before this section, advising the Editor to remove the entire section before
publication, as well as the reference to [RFC7942]. publication, as well as the reference to [RFC7942].
6.1. Libreswan 6.1. Libreswan
Organization: The Libreswan Project Organization: The Libreswan Project
Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/
Description: A Proof of Concept branch is available for interop Description: Implementation has been released as part of libreswan
testing. version 4.4.
Level of maturity: Alpha Level of maturity: beta
Coverage: Implements the entire draft using SElinux based labels Coverage: Implements the entire draft using SElinux based labels
Licensing: GPLv2 Licensing: GPLv2
Implementation experience: TBD Implementation experience: No interop testing has been done yet.
The code works as proof of concept, but is not yet production
ready when using multiple different labels with on-demand kernel
ACQUIRES.
Contact: Libreswan Development: swan-dev@libreswan.org Contact: Libreswan Development: swan-dev@libreswan.org
7. Acknowledgements 7. Acknowledgements
A large part of the introduction text was taken verbatim from A large part of the introduction text was taken verbatim from
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Quigley and J. Lu.
8. References 8. References
8.1. Normative References 8.1. Normative References
skipping to change at page 9, line 27 skipping to change at page 9, line 33
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 8.2. Informative References
[draft-jml-ipsec-ikev2-security-label] [draft-jml-ipsec-ikev2-security-label]
Latten, J., Quigley, D., and J. Lu, "Security Label Latten, J., Quigley, D., and J. Lu, "Security Label
Extension to IKE", draft-wouters-edns-tcp-keeaplive (work Extension to IKE", 28 January 2011.
in progress), January 2011.
[FIPS188] NIST, "National Institute of Standards and Technology, [FIPS188] NIST, "National Institute of Standards and Technology,
"Standard Security Label for Information Transfer"", "Standard Security Label for Information Transfer"",
Federal Information Processing Standard (FIPS) Publication Federal Information Processing Standard (FIPS) Publication
188, September 1994. 188, September 1994,
<https://csrc.nist.gov/publications/detail/fips/188/
archive/1994-09-06>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
skipping to change at page 10, line 8 skipping to change at page 10, line 18
<https://www.rfc-editor.org/info/rfc6982>. <https://www.rfc-editor.org/info/rfc6982>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205, Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016, RFC 7942, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>. <https://www.rfc-editor.org/info/rfc7942>.
Authors' Addresses Authors' Addresses
Paul Wouters Paul Wouters
Red Hat Aiven
Email: pwouters@redhat.com Email: paul.wouters@aiven.io
Sahana Prasad Sahana Prasad
Red Hat Red Hat
Email: sahana@redhat.com Email: sahana@redhat.com
 End of changes. 23 change blocks. 
35 lines changed or deleted 38 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/