--- 1/draft-ietf-ipsecme-labeled-ipsec-05.txt 2021-10-25 14:13:08.903976395 -0700 +++ 2/draft-ietf-ipsecme-labeled-ipsec-06.txt 2021-10-25 14:13:08.927976997 -0700 @@ -1,19 +1,19 @@ Network P. Wouters Internet-Draft Aiven Updates: 7296 (if approved) S. Prasad Intended status: Standards Track Red Hat -Expires: 5 November 2021 4 May 2021 +Expires: 28 April 2022 25 October 2021 Labeled IPsec Traffic Selector support for IKEv2 - draft-ietf-ipsecme-labeled-ipsec-05 + draft-ietf-ipsecme-labeled-ipsec-06 Abstract This document defines a new Traffic Selector (TS) Type for Internet Key Exchange version 2 to add support for negotiating Mandatory Access Control (MAC) security labels as a traffic selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TS type is TS_SECLABEL, which consists of a variable length opaque field specifying the security label. This document updates the IKEv2 TS negotiation specified in @@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 5 November 2021. + This Internet-Draft will expire on 28 April 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights @@ -59,22 +59,22 @@ 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security attributes. The security labels along with a system authorization @@ -176,79 +176,72 @@ * Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header. * Security Label - An opaque byte stream of at least one octet. 2.2. TS_SECLABEL properties The TS_SECLABEL Traffic Selector Type does not support narrowing or wildcards. It MUST be used as an exact match value. - If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic - Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also - be present in that TSi/TSr. - The Security Label contents are opaque to the IKE implementation. That is, the IKE implementation might not have any knowledge of the meaning of this selector, other than as a type and opaque value to pass to the SPD. A zero length Security Label MUST NOT be used. If a received TS payload contains a TS_TYPE of TS_SECLABEL with a zero length Security Label, that specific Traffic Selector MUST be ignored. If no other Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length Security Label MUST NOT be interpreted as a wildcard security label. If multiple Security Labels are allowed for a given IP protocol, - start and end address/port match, multiple TS_SECLABEL can be - included in a TS payload. + start and end address/port match, the initiator includes all of the + acceptable TS_SECLABEL's and the responder MUST select one of them. If the Security Label traffic selector is optional from a configuration point of view, the initiator will have to choose which TS payload to attempt first. If it includes the Security Label and receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation without that Security Label. A responder that selected a TS with TS_SECLABEL MUST use the Security - Label for all selector operations on the resulting IPsec SA. It MUST - NOT select a TS_set with a TS_SECLABEL without using the specified - Security Label, even if it deems the Security Label optional, as the - initiator TS_set with TS_SECLABEL means the initiator mandates using - that Security Label. + Label for all selector operations on the resulting TS. It MUST NOT + select a TS_SECLABEL without using the specified Security Label, even + if it deems the Security Label optional, as the initiator has + indicated (and expects) that Security Label will be set for all + traffic matching the negotiated TS. 3. Traffic Selector negotiation This document updates the [RFC7296] specification as follows: Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, such as TS_SECLABEL. - A responder MUST create its TS response by selecting one of each - TS_TYPE present in the offered TS by the initiator. If it cannot - select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error - Notify payload. + A responder MUST create each TS response by creating one of more + (narrowed or not) TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE entries, + plus one of each further TS_TYPE present in the offered TS by the + initiator. If this is not possible, it MUST return a TS_UNACCEPTABLE + Error Notify payload. If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the initiator SHOULD first try to negotiate the Child SA with the TS payload including the optional TS_TYPE. Upon receiving TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using the same TS but without the optional TS_TYPE. - Some TS_TYPE's support narrowing, where the responder is allowed to - select a subset of the original TS. Narrowing MUST NOT result in an - empty selector for that TS_TYPE. - 3.1. Example TS negotiation An initiator could send: TSi = ((17,0,192.0.2.0-192.0.2.255), (0,0,198.51.0-198.51.255), TS_SECLABEL1, TS_SECLABEL2) TSr = ((17,0,203.0.113.0-203.0.113.255), (0,0,203.0.113.0-203.0.113.255), @@ -279,25 +272,26 @@ If different IP ranges can only use different specific Security Labels, than these should be negotiated in two different Child SA negotiations. If in the example above, the initiator only allows 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, than it MUST NOT combine these two ranges and security labels into one Child SA negotiation. The mechanism of narrowing of Traffic Selectors with TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to TS_SECLABEL as the Security Label itself is not interpreted and - cannot itself be narrowed. It MUST be matched exactly. Rekey of an - IPsec SA MUST only use identical Traffic Selectors, which means the - same TS Type and selectors MUST be used. This guarantees that a - Security Label once negotiated, remains part of the IPsec SA after a - rekey. + cannot be narrowed. It MUST be matched exactly. Since a rekey MUST + NOT narrow down the Traffic Selectors narrower than the scope + currently in use, the only valid choice of TS_SECLABEL for a rekey is + the identical TS_SECLABEL that is in use by the Child SA being + rekeyed. If the TS_LABEL is missing from the TS during the rekey + negotiation, the negotiation MUST fail with TS_UNACCEPTABLE. 4. Security Considerations It is assumed that the Security Label can be matched by the IKE implementation to its own configured value, even if the IKE implementation itself cannot interpret the Security Label value. A packet that matches an SPD entry for all components except the Security Label would be treated as "not matching". If no other SPD entries match, the (mis-labeled) traffic might end up being @@ -366,24 +361,24 @@ The code works as proof of concept, but is not yet production ready when using multiple different labels with on-demand kernel ACQUIRES. Contact: Libreswan Development: swan-dev@libreswan.org 7. Acknowledgements A large part of the introduction text was taken verbatim from [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. - Quigley and J. Lu. + Quigley and J. Lu. Valery Smyslov provided valuable input regarding + IKEv2 Traffic Selector semantics. 8. References - 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October