| < draft-ietf-ipsecme-labeled-ipsec-03.txt | draft-ietf-ipsecme-labeled-ipsec-04.txt > | |||
|---|---|---|---|---|
| Network P. Wouters | Network P. Wouters | |||
| Internet-Draft S. Prasad | Internet-Draft S. Prasad | |||
| Updates: 7296 (if approved) Red Hat | Updates: 7296 (if approved) Red Hat | |||
| Intended status: Standards Track July 13, 2020 | Intended status: Standards Track October 30, 2020 | |||
| Expires: January 14, 2021 | Expires: May 3, 2021 | |||
| Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
| draft-ietf-ipsecme-labeled-ipsec-03 | draft-ietf-ipsecme-labeled-ipsec-04 | |||
| Abstract | Abstract | |||
| This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
| Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
| Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
| Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
| known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
| consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
| label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 14, 2021. | This Internet-Draft will expire on May 3, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | |||
| 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 3 | 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 | |||
| 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | |||
| 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | |||
| 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | |||
| 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 8 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 1. Introduction | 1. Introduction | |||
| In computer security, Mandatory Access Control usually refers to | In computer security, Mandatory Access Control usually refers to | |||
| systems in which all subjects and objects are assigned a security | systems in which all subjects and objects are assigned a security | |||
| label. A security label is comprised of a set of security | label. A security label is comprised of a set of security | |||
| attributes. The security labels along with a system authorization | attributes. The security labels along with a system authorization | |||
| policy determine access. Rules within the system authorization | policy determine access. Rules within the system authorization | |||
| policy determine whether the access will be granted based on the | policy determine whether the access will be granted based on the | |||
| security attributes of the subject and object. | security attributes of the subject and object. | |||
| skipping to change at page 3, line 19 ¶ | skipping to change at page 3, line 23 ¶ | |||
| selectors for the Security Policy Database (SPD) to further restrict | selectors for the Security Policy Database (SPD) to further restrict | |||
| the type of traffic allowed to be sent and received over the IPsec | the type of traffic allowed to be sent and received over the IPsec | |||
| SA. | SA. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| captials, as shown here. | capitals, as shown here. | |||
| 1.2. Traffic Selector clarification | 1.2. Traffic Selector clarification | |||
| The negotiation of Traffic Selectors is specified in Section 2.9 of | The negotiation of Traffic Selectors is specified in Section 2.9 of | |||
| [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and | [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and | |||
| TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is | TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is | |||
| specified in Section 3.13 of [RFC7296]. However, the term Traffic | specified in Section 3.13 of [RFC7296]. However, the term Traffic | |||
| Selector is used to denote the traffic selector payloads and | Selector is used to denote the traffic selector payloads and | |||
| individual traffic selectors of that payload. Sometimes the exact | individual traffic selectors of that payload. Sometimes the exact | |||
| meaning can only be learned from context or if the item is written in | meaning can only be learned from context or if the item is written in | |||
| skipping to change at page 3, line 43 ¶ | skipping to change at page 3, line 47 ¶ | |||
| A Traffic Selector (no acronym) is one selector for traffic of a | A Traffic Selector (no acronym) is one selector for traffic of a | |||
| specific Traffic Selector Type (TS_TYPE). For example a Traffic | specific Traffic Selector Type (TS_TYPE). For example a Traffic | |||
| Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP | Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP | |||
| network 198.51.100.0/24 covering all ports, is denoted as (17, 0, | network 198.51.100.0/24 covering all ports, is denoted as (17, 0, | |||
| 198.51.100.0-198.51.100.255) | 198.51.100.0-198.51.100.255) | |||
| A Traffic Selector payload (TS) is a set of one or more Traffic | A Traffic Selector payload (TS) is a set of one or more Traffic | |||
| Selectors of the same or different TS_TYPEs, but MUST include at | Selectors of the same or different TS_TYPEs, but MUST include at | |||
| least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For | least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For | |||
| example, the above Traffic Selector by itself in a TS payload is | example, the above Traffic Selector by itself in a TS payload is | |||
| denotated as TS((17, 0, 198.51.100.0-198.51.100.255)) | denoted as TS((17, 0, 198.51.100.0-198.51.100.255)) | |||
| 1.3. Traffic Selector update | 1.3. Traffic Selector update | |||
| The negotiation of Traffic Selectors is specified in Section 2.9 of | The negotiation of Traffic Selectors is specified in Section 2.9 of | |||
| [RFC7296] and states that the TSi/TSr payloads MUST contain at least | [RFC7296] and states that the TSi/TSr payloads MUST contain at least | |||
| one Traffic Selector type. This document updates the text to mean | one Traffic Selector type. This document updates the text to mean | |||
| that the TSi/TSr payloads MUST contain at least one Traffic Selector | that the TSi/TSr payloads MUST contain at least one Traffic Selector | |||
| of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic | of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic | |||
| Selector types can be defined that are complimentary to these Traffic | Selector types can be defined that are complimentary to these Traffic | |||
| Selector Types and cannot be selected on their own without | Selector Types and cannot be selected on their own without | |||
| skipping to change at page 5, line 21 ¶ | skipping to change at page 5, line 28 ¶ | |||
| TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length | |||
| Security Label MUST NOT be interpreted as a wildcard security label. | Security Label MUST NOT be interpreted as a wildcard security label. | |||
| If multiple Security Labels are allowed for a given IP protocol, | If multiple Security Labels are allowed for a given IP protocol, | |||
| start and end address/port match, multiple TS_SECLABEL can be | start and end address/port match, multiple TS_SECLABEL can be | |||
| included in a TS payload. | included in a TS payload. | |||
| If the Security Label traffic selector is optional from a | If the Security Label traffic selector is optional from a | |||
| configuration point of view, the initiator will have to choose which | configuration point of view, the initiator will have to choose which | |||
| TS payload to attempt first. If it includes the Security Label and | TS payload to attempt first. If it includes the Security Label and | |||
| receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation | receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation | |||
| without that Security Label. | without that Security Label. | |||
| A responder that selected a TS with TS_SECLABEL MUST use the Security | A responder that selected a TS with TS_SECLABEL MUST use the Security | |||
| Label for all selector operations on the resulting IPsec SA. It MUST | Label for all selector operations on the resulting IPsec SA. It MUST | |||
| NOT select a TS_set with a TS_SECLABEL without using the specified | NOT select a TS_set with a TS_SECLABEL without using the specified | |||
| Security Label, even if it deems the Security Label optional, as the | Security Label, even if it deems the Security Label optional, as the | |||
| initiator TS_set with TS_SECLABEL means the initiator mandates using | initiator TS_set with TS_SECLABEL means the initiator mandates using | |||
| that Security Label. | that Security Label. | |||
| 3. Traffic Selector negotiation | 3. Traffic Selector negotiation | |||
| skipping to change at page 5, line 43 ¶ | skipping to change at page 5, line 50 ¶ | |||
| This document updates the [RFC7296] specification as follows: | This document updates the [RFC7296] specification as follows: | |||
| Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of | Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of | |||
| TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. | TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. | |||
| Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, | Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, | |||
| such as TS_SECLABEL. | such as TS_SECLABEL. | |||
| A responder MUST create its TS response by selecting one of each | A responder MUST create its TS response by selecting one of each | |||
| TS_TYPE present in the offered TS by the initiator. If it cannot | TS_TYPE present in the offered TS by the initiator. If it cannot | |||
| select one of each TS_TYPE, it MUST return a TS_UNAVAILABLE Error | select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error | |||
| Notify payload. | Notify payload. | |||
| If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or | If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or | |||
| TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | |||
| initiator SHOULD first try to negotiate the Child SA with the TS | initiator SHOULD first try to negotiate the Child SA with the TS | |||
| payload including the optional TS_TYPE. Upon receiving | payload including the optional TS_TYPE. Upon receiving | |||
| TS_UNAVAILABLE, it SHOULD attempt a new Child SA negotiation using | TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using | |||
| the same TS but without the optional TS_TYPE. | the same TS but without the optional TS_TYPE. | |||
| Some TS_TYPE's support narrowing, where the responder is allowed to | Some TS_TYPE's support narrowing, where the responder is allowed to | |||
| select a subset of the original TS. Narrowing MUST NOT result in an | select a subset of the original TS. Narrowing MUST NOT result in an | |||
| empty selector for that TS_TYPE. | empty selector for that TS_TYPE. | |||
| 3.1. Example TS negotiation | 3.1. Example TS negotiation | |||
| An initiator could send: | An initiator could send: | |||
| skipping to change at page 7, line 5 ¶ | skipping to change at page 7, line 12 ¶ | |||
| first Security Label first, and upon failure retry a new Child SA | first Security Label first, and upon failure retry a new Child SA | |||
| negotiation with only the second Security Label. | negotiation with only the second Security Label. | |||
| If different IP ranges can only use different specific Security | If different IP ranges can only use different specific Security | |||
| Labels, than these should be negotiated in two different Child SA | Labels, than these should be negotiated in two different Child SA | |||
| negotiations. If in the example above, the initiator only allows | negotiations. If in the example above, the initiator only allows | |||
| 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, | 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, | |||
| than it MUST NOT combine these two ranges and security labels into | than it MUST NOT combine these two ranges and security labels into | |||
| one Child SA negotiation. | one Child SA negotiation. | |||
| Narrowing of Traffic Selectors currenrtly only applies only to | The mechanism of narrowing of Traffic Selectors with | |||
| TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE and not to TS_SECLABEL as | TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to | |||
| the Security Label itself is not interpreted and cannot itself be | TS_SECLABEL as the Security Label itself is not interpreted and | |||
| narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST | cannot itself be narrowed. It MUST be matched exactly. Rekey of an | |||
| only use identical Traffic Selectors, which means the same TS Type | IPsec SA MUST only use identical Traffic Selectors, which means the | |||
| and selectors MUST be used. This guarantees that a Security Label | same TS Type and selectors MUST be used. This guarantees that a | |||
| once negotiated, remains part of the IPsec SA after a rekey. | Security Label once negotiated, remains part of the IPsec SA after a | |||
| rekey. | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| It is assumed that the Security Label can be matched by the IKE | It is assumed that the Security Label can be matched by the IKE | |||
| implementation to its own configured value, even if the IKE | implementation to its own configured value, even if the IKE | |||
| implemention itself cannot interpret the Security Label value. | implementation itself cannot interpret the Security Label value. | |||
| A packet that matches an SPD entry for all components except the | ||||
| Security Label would be treated as "not matching". If no other SPD | ||||
| entries match, the (mis-labeled) traffic might end up being | ||||
| transmitted in the clear. It is presumed that other Mandatory Access | ||||
| Control methods are in place to prevent mis-labeled traffic from | ||||
| reaching the IPsec subsystem, or that the IPsec subsystem itself | ||||
| would install a REJECT/DISCARD rule in the SPD to prevent unlabeled | ||||
| traffic otherwise matching a labeled security SPD rule from being | ||||
| transmitted without IPsec protection. | ||||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document defines two new entries in the IKEv2 Traffic Selector | This document defines two new entries in the IKEv2 Traffic Selector | |||
| Types registry: | Types registry: | |||
| Value TS Type Reference | Value TS Type Reference | |||
| ----- --------------------------- ----------------- | ----- --------------------------- ----------------- | |||
| TBD TS_SECLABEL [this document] | TBD TS_SECLABEL [this document] | |||
| Figure 4 | Figure 4 | |||
| 6. Acknowledgements | 6. Implementation Status | |||
| [Note to RFC Editor: Please remove this section and the reference to | ||||
| [RFC6982] before publication.] | ||||
| This section records the status of known implementations of the | ||||
| protocol defined by this specification at the time of posting of this | ||||
| Internet-Draft, and is based on a proposal described in [RFC7942]. | ||||
| The description of implementations in this section is intended to | ||||
| assist the IETF in its decision processes in progressing drafts to | ||||
| RFCs. Please note that the listing of any individual implementation | ||||
| here does not imply endorsement by the IETF. Furthermore, no effort | ||||
| has been spent to verify the information presented here that was | ||||
| supplied by IETF contributors. This is not intended as, and must not | ||||
| be construed to be, a catalog of available implementations or their | ||||
| features. Readers are advised to note that other implementations may | ||||
| exist. | ||||
| According to [RFC7942], "this will allow reviewers and working groups | ||||
| to assign due consideration to documents that have the benefit of | ||||
| running code, which may serve as evidence of valuable experimentation | ||||
| and feedback that have made the implemented protocols more mature. | ||||
| It is up to the individual working groups to use this information as | ||||
| they see fit". | ||||
| Authors are requested to add a note to the RFC Editor at the top of | ||||
| this section, advising the Editor to remove the entire section before | ||||
| publication, as well as the reference to [RFC7942]. | ||||
| 6.1. Libreswan | ||||
| Organization: The Libreswan Project | ||||
| Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ | ||||
| Description: A Proof of Concept branch is available for interop | ||||
| testing. | ||||
| Level of maturity: Alpha | ||||
| Coverage: Implements the entire draft using SElinux based labels | ||||
| Licensing: GPLv2 | ||||
| Implementation experience: TBD | ||||
| Contact: Libreswan Development: swan-dev@libreswan.org | ||||
| 7. Acknowledgements | ||||
| A large part of the introduction text was taken verbatim from | A large part of the introduction text was taken verbatim from | |||
| [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. | |||
| Quigley and J. Lu. | Quigley and J. Lu. | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [draft-jml-ipsec-ikev2-security-label] | [draft-jml-ipsec-ikev2-security-label] | |||
| Latten, J., Quigley, D., and J. Lu, "Security Label | Latten, J., Quigley, D., and J. Lu, "Security Label | |||
| Extension to IKE", draft-wouters-edns-tcp-keeaplive (work | Extension to IKE", draft-wouters-edns-tcp-keeaplive (work | |||
| in progress), January 2011. | in progress), January 2011. | |||
| [FIPS188] NIST, "National Institute of Standards and Technology, | [FIPS188] NIST, "National Institute of Standards and Technology, | |||
| "Standard Security Label for Information Transfer"", | "Standard Security Label for Information Transfer"", | |||
| Federal Information Processing Standard (FIPS) Publication | Federal Information Processing Standard (FIPS) Publication | |||
| 188, September 1994. | 188, September 1994. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
| [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | |||
| Architecture Label IPv6 Security Option (CALIPSO)", | Architecture Label IPv6 Security Option (CALIPSO)", | |||
| RFC 5570, DOI 10.17487/RFC5570, July 2009, | RFC 5570, DOI 10.17487/RFC5570, July 2009, | |||
| <https://www.rfc-editor.org/info/rfc5570>. | <https://www.rfc-editor.org/info/rfc5570>. | |||
| [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | ||||
| Code: The Implementation Status Section", RFC 6982, | ||||
| DOI 10.17487/RFC6982, July 2013, | ||||
| <https://www.rfc-editor.org/info/rfc6982>. | ||||
| [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | ||||
| Code: The Implementation Status Section", BCP 205, | ||||
| RFC 7942, DOI 10.17487/RFC7942, July 2016, | ||||
| <https://www.rfc-editor.org/info/rfc7942>. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Paul Wouters | Paul Wouters | |||
| Red Hat | Red Hat | |||
| Email: pwouters@redhat.com | Email: pwouters@redhat.com | |||
| Sahana Prasad | Sahana Prasad | |||
| Red Hat | Red Hat | |||
| End of changes. 17 change blocks. | ||||
| 27 lines changed or deleted | 97 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||