--- 1/draft-ietf-ipsecme-labeled-ipsec-04.txt 2021-05-04 19:13:10.689974112 -0700 +++ 2/draft-ietf-ipsecme-labeled-ipsec-05.txt 2021-05-04 19:13:10.713974724 -0700 @@ -1,19 +1,19 @@ Network P. Wouters -Internet-Draft S. Prasad -Updates: 7296 (if approved) Red Hat -Intended status: Standards Track October 30, 2020 -Expires: May 3, 2021 +Internet-Draft Aiven +Updates: 7296 (if approved) S. Prasad +Intended status: Standards Track Red Hat +Expires: 5 November 2021 4 May 2021 Labeled IPsec Traffic Selector support for IKEv2 - draft-ietf-ipsecme-labeled-ipsec-04 + draft-ietf-ipsecme-labeled-ipsec-05 Abstract This document defines a new Traffic Selector (TS) Type for Internet Key Exchange version 2 to add support for negotiating Mandatory Access Control (MAC) security labels as a traffic selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TS type is TS_SECLABEL, which consists of a variable length opaque field specifying the security label. This document updates the IKEv2 TS negotiation specified in 
@@ -27,54 +27,53 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 3, 2021. + This Internet-Draft will expire on 5 November 2021. Copyright Notice - Copyright (c) 2020 IETF Trust and the persons identified as the + Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info) in effect on the date of - publication of this document. Please review these documents - carefully, as they describe your rights and restrictions with respect - to this document. Code Components extracted from this document must - include Simplified BSD License text as described in Section 4.e of - the Trust Legal Provisions and are provided without warranty as - described in the Simplified BSD License. + Provisions Relating to IETF Documents (https://trustee.ietf.org/ + license-info) in effect on the date of publication of this document. + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. Code Components + extracted from this document must include Simplified BSD License text + as described in Section 4.e of the Trust Legal Provisions and are + provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . 
. . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security 
@@ -165,26 +164,26 @@ ~ Security Label* ~ | | +---------------------------------------------------------------+ Figure 1: Labeled IPsec Traffic Selector *Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shown is for TS Type TS_SECLABEL, the selector this document defines. - o TS Type (one octet) - Set to [TBD] for TS_SECLABEL, + * TS Type (one octet) - Set to [TBD] for TS_SECLABEL, - o Selector Length (2 octets, unsigned integer) - Specifies the + * Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header. - o Security Label - An opaque byte stream of at least one octet. + * Security Label - An opaque byte stream of at least one octet. 2.2. TS_SECLABEL properties The TS_SECLABEL Traffic Selector Type does not support narrowing or wildcards. It MUST be used as an exact match value. If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also be present in that TSi/TSr. 
@@ -347,30 +346,33 @@ Authors are requested to add a note to the RFC Editor at the top of this section, advising the Editor to remove the entire section before publication, as well as the reference to [RFC7942]. 6.1. Libreswan Organization: The Libreswan Project Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ - Description: A Proof of Concept branch is available for interop - testing. + Description: Implementation has been released as part of libreswan + version 4.4. - Level of maturity: Alpha + Level of maturity: beta Coverage: Implements the entire draft using SElinux based labels Licensing: GPLv2 - Implementation experience: TBD + Implementation experience: No interop testing has been done yet. + The code works as proof of concept, but is not yet production + ready when using multiple different labels with on-demand kernel + ACQUIRES. Contact: Libreswan Development: swan-dev@libreswan.org 7. Acknowledgements A large part of the introduction text was taken verbatim from [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. Quigley and J. Lu. 8. References 
@@ -388,27 +390,28 @@ 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 8.2. Informative References [draft-jml-ipsec-ikev2-security-label] Latten, J., Quigley, D., and J. Lu, "Security Label - Extension to IKE", draft-wouters-edns-tcp-keeaplive (work - in progress), January 2011. + Extension to IKE", 28 January 2011. [FIPS188] NIST, "National Institute of Standards and Technology, "Standard Security Label for Information Transfer"", Federal Information Processing Standard (FIPS) Publication - 188, September 1994. + 188, September 1994, + . [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, DOI 10.17487/RFC5570, July 2009, . @@ -418,18 +421,18 @@ . [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, . Authors' Addresses Paul Wouters - Red Hat + Aiven - Email: pwouters@redhat.com + Email: paul.wouters@aiven.io Sahana Prasad Red Hat Email: sahana@redhat.com
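Review bot: in the @@ -165 hunk, the Selector Length bullet gives no lower bound, so a receiver has nothing to validate against; since the next bullet requires the Security Label to be at least one octet, the text should say that a TS_SECLABEL whose Selector Length leaves zero label octets is malformed and must be rejected, so an implementation fails closed rather than matching an empty label. Two smaller points in the same hunk: the TS Type bullet ends with a comma ("Set to [TBD] for TS_SECLABEL,") while the other bullets end with a period, and the unchanged note above the list reads "The fields shown is for TS Type TS_SECLABEL" where "are" is meant.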
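Review bot: in the @@ -347 hunk, "Level of maturity: beta" conflicts with the new Implementation experience text, which says the code works as a proof of concept, has had no interop testing, and is not production ready with multiple labels under on-demand kernel ACQUIREs; either keep the maturity at alpha or state what was tested to justify beta. "Implementation has been released as part of libreswan version 4.4" would be easier to check with a release URL or date, and "SElinux" in the unchanged Coverage line should be "SELinux".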
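Review bot: in the @@ -388 hunk, the corrected [draft-jml-ipsec-ikev2-security-label] entry removes the wrong draft-wouters-edns-tcp-keeaplive name but now carries no draft name at all, only "28 January 2011"; an Internet-Draft citation should name the draft (draft-jml-ipsec-ikev2-security-label, as in the anchor) and mark it "work in progress" so a reader can locate it. The [FIPS188] entry in the same hunk still nests the title inside a second pair of double quotes (NIST, "National Institute of Standards and Technology, "Standard Security Label for Information Transfer""); it should be flattened to NIST as author and a single quoted title.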