| < draft-ietf-ipsecme-labeled-ipsec-02.txt | draft-ietf-ipsecme-labeled-ipsec-03.txt > | |||
|---|---|---|---|---|
| Network P. Wouters | Network P. Wouters | |||
| Internet-Draft S. Prasad | Internet-Draft S. Prasad | |||
| Updates: 7296 (if approved) Red Hat | Updates: 7296 (if approved) Red Hat | |||
| Intended status: Standards Track November 4, 2019 | Intended status: Standards Track July 13, 2020 | |||
| Expires: May 7, 2020 | Expires: January 14, 2021 | |||
| Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
| draft-ietf-ipsecme-labeled-ipsec-02 | draft-ietf-ipsecme-labeled-ipsec-03 | |||
| Abstract | Abstract | |||
| This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
| Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
| Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
| Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
| known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
| consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
| label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
| RFC 7296 Section 2.9. | RFC 7296 Section 2.9. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 7, 2020. | This Internet-Draft will expire on January 14, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| skipping to change at page 4, line 45 ¶ | skipping to change at page 4, line 45 ¶ | |||
| length of this Traffic Selector substructure including the header. | length of this Traffic Selector substructure including the header. | |||
| o Security Label - An opaque byte stream of at least one octet. | o Security Label - An opaque byte stream of at least one octet. | |||
| 2.2. TS_SECLABEL properties | 2.2. TS_SECLABEL properties | |||
| The TS_SECLABEL Traffic Selector Type does not support narrowing or | The TS_SECLABEL Traffic Selector Type does not support narrowing or | |||
| wildcards. It MUST be used as an exact match value. | wildcards. It MUST be used as an exact match value. | |||
| If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic | |||
| Selector of type TS_IPV4_ADDR_RANGE or TS_IPV4_ADDR_RANGE MUST also | Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also | |||
| be present in that TSi/TSr. | be present in that TSi/TSr. | |||
| The Security Label contents are opague to the IKE implementation. | The Security Label contents are opaque to the IKE implementation. | |||
| That is, the IKE implementation might not have any knowledge of the | That is, the IKE implementation might not have any knowledge of the | |||
| meaning of this selector, other than as a type and opaque value to | meaning of this selector, other than as a type and opaque value to | |||
| pass to the SPD. | pass to the SPD. | |||
| A zero length Security Label MUST NOT be used. If a received TS | A zero length Security Label MUST NOT be used. If a received TS | |||
| payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | payload contains a TS_TYPE of TS_SECLABEL with a zero length Security | |||
| Label, that specific Traffic Selector MUST be ignored. If no other | Label, that specific Traffic Selector MUST be ignored. If no other | |||
| Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a | |||
| TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | |||
| Security Label MUST NOT be interpreted as a wildcard security label. | Security Label MUST NOT be interpreted as a wildcard security label. | |||
| skipping to change at page 7, line 42 ¶ | skipping to change at page 7, line 42 ¶ | |||
| A large part of the introduction text was taken verbatim from | A large part of the introduction text was taken verbatim from | |||
| [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | |||
| Quigley and J. Lu. | Quigley and J. Lu. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, | |||
| editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| End of changes. 9 change blocks. | ||||
| 11 lines changed or deleted | 11 lines changed or added | |||
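Review bot: in the Section 2.2 block (page 4), the -02 text of the "MUST also be present" rule names TS_IPV4_ADDR_RANGE twice, so a literal reading of -02 would let an IPv6 address range fail the requirement; -03 corrects the second to TS_IPV6_ADDR_RANGE, which is the only reading consistent with the draft's intent. The same block also fixes "opague" to "opaque". One gap survives both versions: the address-range rule names no error to return when it is violated, whereas the zero-length-label rule two paragraphs later spells out TS_UNACCEPTABLE; a sentence stating the expected response when TS_SECLABEL arrives without an accompanying TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE would remove the ambiguity for implementers.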
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
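The Section 2.2 rules shown in the diff above (exact match only, an IPv4 or IPv6 address range must accompany TS_SECLABEL, zero-length labels are ignored and never treated as wildcards, TS_UNACCEPTABLE when no TS_SECLABEL can be selected) read naturally as a responder-side validation routine. The following is an added example written for this page, not code from the draft or from any IKE implementation. It assumes the TS substructure layout of RFC 7296 Section 3.13.1 (TS Type, IP Protocol ID, Selector Length including the header, then type-specific data) and uses 10 as a placeholder code point for TS_SECLABEL, since this version of the draft leaves the value to IANA. The SELinux-style label string and the sample payload are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Traffic Selector Type code points from RFC 7296 / the IANA IKEv2 registry.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
# The draft leaves the TS_SECLABEL code point to IANA; 10 is an assumed
# placeholder so that the example can encode and decode something.
TS_SECLABEL = 10


class TSUnacceptable(Exception):
    """Stands in for returning a TS_UNACCEPTABLE Error Notify to the peer."""


@dataclass(frozen=True)
class TrafficSelector:
    ts_type: int
    ip_protocol_id: int
    body: bytes  # type-specific data; for TS_SECLABEL this is the opaque label


def encode_ts(ts: TrafficSelector) -> bytes:
    """RFC 7296 3.13.1 substructure: TS Type, IP Protocol ID, Selector Length
    (which includes this 4-octet header), then the type-specific data."""
    return struct.pack("!BBH", ts.ts_type, ts.ip_protocol_id, 4 + len(ts.body)) + ts.body


def encode_ts_payload(selectors: List[TrafficSelector]) -> bytes:
    """TS payload body: Number of TSs (1 octet), RESERVED (3 octets), substructures."""
    return struct.pack("!B3x", len(selectors)) + b"".join(encode_ts(t) for t in selectors)


def ipv4_range(start_ip: str, end_ip: str, start_port: int = 0, end_port: int = 65535) -> TrafficSelector:
    """Build a TS_IPV4_ADDR_RANGE selector: start/end port, start/end address."""
    body = struct.pack("!HH", start_port, end_port)
    body += ipaddress.IPv4Address(start_ip).packed + ipaddress.IPv4Address(end_ip).packed
    return TrafficSelector(TS_IPV4_ADDR_RANGE, 0, body)


def parse_ts_payload(data: bytes) -> List[TrafficSelector]:
    """Decode a TSi/TSr payload body, rejecting Selector Lengths that do not fit."""
    if len(data) < 4:
        raise ValueError("TS payload shorter than its 4-octet header")
    count = data[0]
    offset = 4
    selectors = []
    for _ in range(count):
        if len(data) - offset < 4:
            raise ValueError("truncated Traffic Selector header")
        ts_type, proto, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("Selector Length %d does not fit the payload" % length)
        selectors.append(TrafficSelector(ts_type, proto, data[offset + 4:offset + length]))
        offset += length
    if offset != len(data):
        raise ValueError("trailing octets after the last Traffic Selector")
    return selectors


def select_security_label(selectors: List[TrafficSelector], local_labels: Set[bytes]) -> Optional[bytes]:
    """Apply the Section 2.2 rules to a decoded TSi/TSr.

    Returns the label to hand to the SPD, None when the peer sent no
    TS_SECLABEL at all, and raises TSUnacceptable when TS_SECLABEL is present
    but no selector of that type can be selected.
    """
    seclabels = [t for t in selectors if t.ts_type == TS_SECLABEL]
    if not seclabels:
        return None
    # A TS_SECLABEL MUST be accompanied by an IPv4 or IPv6 address range
    # selector. The draft names no error for this case; this example treats
    # the TSi/TSr as unacceptable.
    if not any(t.ts_type in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE) for t in selectors):
        raise TSUnacceptable("TS_SECLABEL without an address range selector")
    for ts in seclabels:
        if len(ts.body) == 0:
            continue  # zero-length label: ignored, never a wildcard
        if ts.body in local_labels:  # exact match only: no narrowing, no wildcards
            return ts.body
    raise TSUnacceptable("no acceptable TS_SECLABEL in this TSi/TSr")


if __name__ == "__main__":
    # Constructed sample: one address range, one zero-length label, one real label.
    label = b"system_u:object_r:ipsec_spd_t:s0"
    wire = encode_ts_payload([ipv4_range("10.0.0.1", "10.0.0.1"),
                              TrafficSelector(TS_SECLABEL, 0, b""),
                              TrafficSelector(TS_SECLABEL, 0, label)])
    print(select_security_label(parse_ts_payload(wire), {label}))
```

The IKE daemon itself never interprets the label; `select_security_label` only compares octet strings against the labels the local SPD is configured with, which is exactly the "opaque value to pass to the SPD" posture the draft describes. Keeping the parser's length checks separate from the policy rules means a malformed Selector Length is rejected before any label comparison happens.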