draft-ietf-ipsecme-labeled-ipsec-05.txt   draft-ietf-ipsecme-labeled-ipsec-06.txt 
Network P. Wouters Network P. Wouters
Internet-Draft Aiven Internet-Draft Aiven
Updates: 7296 (if approved) S. Prasad Updates: 7296 (if approved) S. Prasad
Intended status: Standards Track Red Hat Intended status: Standards Track Red Hat
Expires: 5 November 2021 4 May 2021 Expires: 28 April 2022 25 October 2021
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-05 draft-ietf-ipsecme-labeled-ipsec-06
Abstract Abstract
This document defines a new Traffic Selector (TS) Type for Internet This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD). Security Labels for IPsec are also Security Policy Database (SPD). Security Labels for IPsec are also
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
consists of a variable length opaque field specifying the security consists of a variable length opaque field specifying the security
label. This document updates the IKEv2 TS negotiation specified in label. This document updates the IKEv2 TS negotiation specified in
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 November 2021. This Internet-Draft will expire on 28 April 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 24 skipping to change at page 2, line 24
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7
6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security label. A security label is comprised of a set of security
attributes. The security labels along with a system authorization attributes. The security labels along with a system authorization
skipping to change at page 5, line 5 skipping to change at page 5, line 5
* Selector Length (2 octets, unsigned integer) - Specifies the * Selector Length (2 octets, unsigned integer) - Specifies the
length of this Traffic Selector substructure including the header. length of this Traffic Selector substructure including the header.
* Security Label - An opaque byte stream of at least one octet. * Security Label - An opaque byte stream of at least one octet.
2.2. TS_SECLABEL properties 2.2. TS_SECLABEL properties
The TS_SECLABEL Traffic Selector Type does not support narrowing or The TS_SECLABEL Traffic Selector Type does not support narrowing or
wildcards. It MUST be used as an exact match value. wildcards. It MUST be used as an exact match value.
If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic
Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also
be present in that TSi/TSr.
The Security Label contents are opaque to the IKE implementation. The Security Label contents are opaque to the IKE implementation.
That is, the IKE implementation might not have any knowledge of the That is, the IKE implementation might not have any knowledge of the
meaning of this selector, other than as a type and opaque value to meaning of this selector, other than as a type and opaque value to
pass to the SPD. pass to the SPD.
A zero length Security Label MUST NOT be used. If a received TS A zero length Security Label MUST NOT be used. If a received TS
payload contains a TS_TYPE of TS_SECLABEL with a zero length Security payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
Label, that specific Traffic Selector MUST be ignored. If no other Label, that specific Traffic Selector MUST be ignored. If no other
Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label. Security Label MUST NOT be interpreted as a wildcard security label.
If multiple Security Labels are allowed for a given IP protocol, If multiple Security Labels are allowed for a given IP protocol,
start and end address/port match, multiple TS_SECLABEL can be start and end address/port match, the initiator includes all of the
included in a TS payload. acceptable TS_SECLABEL's and the responder MUST select one of them.
If the Security Label traffic selector is optional from a If the Security Label traffic selector is optional from a
configuration point of view, the initiator will have to choose which configuration point of view, the initiator will have to choose which
TS payload to attempt first. If it includes the Security Label and TS payload to attempt first. If it includes the Security Label and
receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation
without that Security Label. without that Security Label.
A responder that selected a TS with TS_SECLABEL MUST use the Security A responder that selected a TS with TS_SECLABEL MUST use the Security
Label for all selector operations on the resulting IPsec SA. It MUST Label for all selector operations on the resulting TS. It MUST NOT
NOT select a TS_set with a TS_SECLABEL without using the specified select a TS_SECLABEL without using the specified Security Label, even
Security Label, even if it deems the Security Label optional, as the if it deems the Security Label optional, as the initiator has
initiator TS_set with TS_SECLABEL means the initiator mandates using indicated (and expects) that Security Label will be set for all
that Security Label. traffic matching the negotiated TS.
3. Traffic Selector negotiation 3. Traffic Selector negotiation
This document updates the [RFC7296] specification as follows: This document updates the [RFC7296] specification as follows:
Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs,
such as TS_SECLABEL. such as TS_SECLABEL.
A responder MUST create its TS response by selecting one of each A responder MUST create each TS response by creating one of more
TS_TYPE present in the offered TS by the initiator. If it cannot (narrowed or not) TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE entries,
select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error plus one of each further TS_TYPE present in the offered TS by the
Notify payload. initiator. If this is not possible, it MUST return a TS_UNACCEPTABLE
Error Notify payload.
If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or
TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the
initiator SHOULD first try to negotiate the Child SA with the TS initiator SHOULD first try to negotiate the Child SA with the TS
payload including the optional TS_TYPE. Upon receiving payload including the optional TS_TYPE. Upon receiving
TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using
the same TS but without the optional TS_TYPE. the same TS but without the optional TS_TYPE.
Some TS_TYPE's support narrowing, where the responder is allowed to
select a subset of the original TS. Narrowing MUST NOT result in an
empty selector for that TS_TYPE.
3.1. Example TS negotiation 3.1. Example TS negotiation
An initiator could send: An initiator could send:
TSi = ((17,0,192.0.2.0-192.0.2.255), TSi = ((17,0,192.0.2.0-192.0.2.255),
(0,0,198.51.0-198.51.255), (0,0,198.51.0-198.51.255),
TS_SECLABEL1, TS_SECLABEL2) TS_SECLABEL1, TS_SECLABEL2)
TSr = ((17,0,203.0.113.0-203.0.113.255), TSr = ((17,0,203.0.113.0-203.0.113.255),
(0,0,203.0.113.0-203.0.113.255), (0,0,203.0.113.0-203.0.113.255),
skipping to change at page 7, line 15 skipping to change at page 7, line 8
If different IP ranges can only use different specific Security If different IP ranges can only use different specific Security
Labels, than these should be negotiated in two different Child SA Labels, than these should be negotiated in two different Child SA
negotiations. If in the example above, the initiator only allows negotiations. If in the example above, the initiator only allows
192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2,
than it MUST NOT combine these two ranges and security labels into than it MUST NOT combine these two ranges and security labels into
one Child SA negotiation. one Child SA negotiation.
The mechanism of narrowing of Traffic Selectors with The mechanism of narrowing of Traffic Selectors with
TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to
TS_SECLABEL as the Security Label itself is not interpreted and TS_SECLABEL as the Security Label itself is not interpreted and
cannot itself be narrowed. It MUST be matched exactly. Rekey of an cannot be narrowed. It MUST be matched exactly. Since a rekey MUST
IPsec SA MUST only use identical Traffic Selectors, which means the NOT narrow down the Traffic Selectors narrower than the scope
same TS Type and selectors MUST be used. This guarantees that a currently in use, the only valid choice of TS_SECLABEL for a rekey is
Security Label once negotiated, remains part of the IPsec SA after a the identical TS_SECLABEL that is in use by the Child SA being
rekey. rekeyed. If the TS_LABEL is missing from the TS during the rekey
negotiation, the negotiation MUST fail with TS_UNACCEPTABLE.
4. Security Considerations 4. Security Considerations
It is assumed that the Security Label can be matched by the IKE It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE implementation to its own configured value, even if the IKE
implementation itself cannot interpret the Security Label value. implementation itself cannot interpret the Security Label value.
A packet that matches an SPD entry for all components except the A packet that matches an SPD entry for all components except the
Security Label would be treated as "not matching". If no other SPD Security Label would be treated as "not matching". If no other SPD
entries match, the (mis-labeled) traffic might end up being entries match, the (mis-labeled) traffic might end up being
skipping to change at page 9, line 9 skipping to change at page 8, line 48
The code works as proof of concept, but is not yet production The code works as proof of concept, but is not yet production
ready when using multiple different labels with on-demand kernel ready when using multiple different labels with on-demand kernel
ACQUIRES. ACQUIRES.
Contact: Libreswan Development: swan-dev@libreswan.org Contact: Libreswan Development: swan-dev@libreswan.org
7. Acknowledgements 7. Acknowledgements
A large part of the introduction text was taken verbatim from A large part of the introduction text was taken verbatim from
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Quigley and J. Lu. Valery Smyslov provided valuable input regarding
IKEv2 Traffic Selector semantics.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
 End of changes. 12 change blocks. 
31 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/