| draft-ietf-ipsecme-labeled-ipsec-05.txt | draft-ietf-ipsecme-labeled-ipsec-06.txt | |||
|---|---|---|---|---|
| Network P. Wouters | Network P. Wouters | |||
| Internet-Draft Aiven | Internet-Draft Aiven | |||
| Updates: 7296 (if approved) S. Prasad | Updates: 7296 (if approved) S. Prasad | |||
| Intended status: Standards Track Red Hat | Intended status: Standards Track Red Hat | |||
| Expires: 5 November 2021 4 May 2021 | Expires: 28 April 2022 25 October 2021 | |||
| Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
| draft-ietf-ipsecme-labeled-ipsec-05 | draft-ietf-ipsecme-labeled-ipsec-06 | |||
| Abstract | Abstract | |||
| This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
| Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
| Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
| Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
| known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
| consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
| label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 5 November 2021. | This Internet-Draft will expire on 28 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 24 ¶ | skipping to change at page 2, line 24 ¶ | |||
| 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | |||
| 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | |||
| 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | |||
| 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| In computer security, Mandatory Access Control usually refers to | In computer security, Mandatory Access Control usually refers to | |||
| systems in which all subjects and objects are assigned a security | systems in which all subjects and objects are assigned a security | |||
| label. A security label is comprised of a set of security | label. A security label is comprised of a set of security | |||
| attributes. The security labels along with a system authorization | attributes. The security labels along with a system authorization | |||
| skipping to change at page 5, line 5 ¶ | skipping to change at page 5, line 5 ¶ | |||
| * Selector Length (2 octets, unsigned integer) - Specifies the | * Selector Length (2 octets, unsigned integer) - Specifies the | |||
| length of this Traffic Selector substructure including the header. | length of this Traffic Selector substructure including the header. | |||
| * Security Label - An opaque byte stream of at least one octet. | * Security Label - An opaque byte stream of at least one octet. | |||
| 2.2. TS_SECLABEL properties | 2.2. TS_SECLABEL properties | |||
| The TS_SECLABEL Traffic Selector Type does not support narrowing or | The TS_SECLABEL Traffic Selector Type does not support narrowing or | |||
| wildcards. It MUST be used as an exact match value. | wildcards. It MUST be used as an exact match value. | |||
| If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | ||||
| Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also | ||||
| be present in that TSi/TSr. | ||||
| The Security Label contents are opaque to the IKE implementation. | The Security Label contents are opaque to the IKE implementation. | |||
| That is, the IKE implementation might not have any knowledge of the | That is, the IKE implementation might not have any knowledge of the | |||
| meaning of this selector, other than as a type and opaque value to | meaning of this selector, other than as a type and opaque value to | |||
| pass to the SPD. | pass to the SPD. | |||
| A zero length Security Label MUST NOT be used. If a received TS | A zero length Security Label MUST NOT be used. If a received TS | |||
| payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | |||
| Label, that specific Traffic Selector MUST be ignored. If no other | Label, that specific Traffic Selector MUST be ignored. If no other | |||
| Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | |||
| TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | |||
| Security Label MUST NOT be interpreted as a wildcard security label. | Security Label MUST NOT be interpreted as a wildcard security label. | |||
| If multiple Security Labels are allowed for a given IP protocol, | If multiple Security Labels are allowed for a given IP protocol, | |||
| start and end address/port match, multiple TS_SECLABEL can be | start and end address/port match, the initiator includes all of the | |||
| included in a TS payload. | acceptable TS_SECLABEL's and the responder MUST select one of them. | |||
| If the Security Label traffic selector is optional from a | If the Security Label traffic selector is optional from a | |||
| configuration point of view, the initiator will have to choose which | configuration point of view, the initiator will have to choose which | |||
| TS payload to attempt first. If it includes the Security Label and | TS payload to attempt first. If it includes the Security Label and | |||
| receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation | receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation | |||
| without that Security Label. | without that Security Label. | |||
| A responder that selected a TS with TS_SECLABEL MUST use the Security | A responder that selected a TS with TS_SECLABEL MUST use the Security | |||
| Label for all selector operations on the resulting IPsec SA. It MUST | Label for all selector operations on the resulting TS. It MUST NOT | |||
| NOT select a TS_set with a TS_SECLABEL without using the specified | select a TS_SECLABEL without using the specified Security Label, even | |||
| Security Label, even if it deems the Security Label optional, as the | if it deems the Security Label optional, as the initiator has | |||
| initiator TS_set with TS_SECLABEL means the initiator mandates using | indicated (and expects) that Security Label will be set for all | |||
| that Security Label. | traffic matching the negotiated TS. | |||
| 3. Traffic Selector negotiation | 3. Traffic Selector negotiation | |||
| This document updates the [RFC7296] specification as follows: | This document updates the [RFC7296] specification as follows: | |||
| Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of | Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of | |||
| TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. | TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. | |||
| Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, | Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, | |||
| such as TS_SECLABEL. | such as TS_SECLABEL. | |||
| A responder MUST create its TS response by selecting one of each | A responder MUST create each TS response by creating one of more | |||
| TS_TYPE present in the offered TS by the initiator. If it cannot | (narrowed or not) TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE entries, | |||
| select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error | plus one of each further TS_TYPE present in the offered TS by the | |||
| Notify payload. | initiator. If this is not possible, it MUST return a TS_UNACCEPTABLE | |||
| Error Notify payload. | ||||
| If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or | If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or | |||
| TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | |||
| initiator SHOULD first try to negotiate the Child SA with the TS | initiator SHOULD first try to negotiate the Child SA with the TS | |||
| payload including the optional TS_TYPE. Upon receiving | payload including the optional TS_TYPE. Upon receiving | |||
| TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using | TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using | |||
| the same TS but without the optional TS_TYPE. | the same TS but without the optional TS_TYPE. | |||
| Some TS_TYPE's support narrowing, where the responder is allowed to | ||||
| select a subset of the original TS. Narrowing MUST NOT result in an | ||||
| empty selector for that TS_TYPE. | ||||
| 3.1. Example TS negotiation | 3.1. Example TS negotiation | |||
| An initiator could send: | An initiator could send: | |||
| TSi = ((17,0,192.0.2.0-192.0.2.255), | TSi = ((17,0,192.0.2.0-192.0.2.255), | |||
| (0,0,198.51.0-198.51.255), | (0,0,198.51.0-198.51.255), | |||
| TS_SECLABEL1, TS_SECLABEL2) | TS_SECLABEL1, TS_SECLABEL2) | |||
| TSr = ((17,0,203.0.113.0-203.0.113.255), | TSr = ((17,0,203.0.113.0-203.0.113.255), | |||
| (0,0,203.0.113.0-203.0.113.255), | (0,0,203.0.113.0-203.0.113.255), | |||
| skipping to change at page 7, line 15 ¶ | skipping to change at page 7, line 8 ¶ | |||
| If different IP ranges can only use different specific Security | If different IP ranges can only use different specific Security | |||
| Labels, than these should be negotiated in two different Child SA | Labels, than these should be negotiated in two different Child SA | |||
| negotiations. If in the example above, the initiator only allows | negotiations. If in the example above, the initiator only allows | |||
| 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, | 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, | |||
| than it MUST NOT combine these two ranges and security labels into | than it MUST NOT combine these two ranges and security labels into | |||
| one Child SA negotiation. | one Child SA negotiation. | |||
| The mechanism of narrowing of Traffic Selectors with | The mechanism of narrowing of Traffic Selectors with | |||
| TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to | TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to | |||
| TS_SECLABEL as the Security Label itself is not interpreted and | TS_SECLABEL as the Security Label itself is not interpreted and | |||
| cannot itself be narrowed. It MUST be matched exactly. Rekey of an | cannot be narrowed. It MUST be matched exactly. Since a rekey MUST | |||
| IPsec SA MUST only use identical Traffic Selectors, which means the | NOT narrow down the Traffic Selectors narrower than the scope | |||
| same TS Type and selectors MUST be used. This guarantees that a | currently in use, the only valid choice of TS_SECLABEL for a rekey is | |||
| Security Label once negotiated, remains part of the IPsec SA after a | the identical TS_SECLABEL that is in use by the Child SA being | |||
| rekey. | rekeyed. If the TS_LABEL is missing from the TS during the rekey | |||
| negotiation, the negotiation MUST fail with TS_UNACCEPTABLE. | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| It is assumed that the Security Label can be matched by the IKE | It is assumed that the Security Label can be matched by the IKE | |||
| implementation to its own configured value, even if the IKE | implementation to its own configured value, even if the IKE | |||
| implementation itself cannot interpret the Security Label value. | implementation itself cannot interpret the Security Label value. | |||
| A packet that matches an SPD entry for all components except the | A packet that matches an SPD entry for all components except the | |||
| Security Label would be treated as "not matching". If no other SPD | Security Label would be treated as "not matching". If no other SPD | |||
| entries match, the (mis-labeled) traffic might end up being | entries match, the (mis-labeled) traffic might end up being | |||
| skipping to change at page 9, line 9 ¶ | skipping to change at page 8, line 48 ¶ | |||
| The code works as proof of concept, but is not yet production | The code works as proof of concept, but is not yet production | |||
| ready when using multiple different labels with on-demand kernel | ready when using multiple different labels with on-demand kernel | |||
| ACQUIRES. | ACQUIRES. | |||
| Contact: Libreswan Development: swan-dev@libreswan.org | Contact: Libreswan Development: swan-dev@libreswan.org | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| A large part of the introduction text was taken verbatim from | A large part of the introduction text was taken verbatim from | |||
| [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | |||
| Quigley and J. Lu. | Quigley and J. Lu. Valery Smyslov provided valuable input regarding | |||
| IKEv2 Traffic Selector semantics. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| End of changes. 12 change blocks. | ||||
| 31 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||