| < draft-ietf-ipsecme-labeled-ipsec-06.txt | draft-ietf-ipsecme-labeled-ipsec-07.txt > | |||
|---|---|---|---|---|
| Network P. Wouters | Network P. Wouters | |||
| Internet-Draft Aiven | Internet-Draft Aiven | |||
| Updates: 7296 (if approved) S. Prasad | Updates: 7296 (if approved) S. Prasad | |||
| Intended status: Standards Track Red Hat | Intended status: Standards Track Red Hat | |||
| Expires: 28 April 2022 25 October 2021 | Expires: 25 September 2022 24 March 2022 | |||
| Labeled IPsec Traffic Selector support for IKEv2 | Labeled IPsec Traffic Selector support for IKEv2 | |||
| draft-ietf-ipsecme-labeled-ipsec-06 | draft-ietf-ipsecme-labeled-ipsec-07 | |||
| Abstract | Abstract | |||
| This document defines a new Traffic Selector (TS) Type for Internet | This document defines a new Traffic Selector (TS) Type for Internet | |||
| Key Exchange version 2 to add support for negotiating Mandatory | Key Exchange version 2 to add support for negotiating Mandatory | |||
| Access Control (MAC) security labels as a traffic selector of the | Access Control (MAC) security labels as a traffic selector of the | |||
| Security Policy Database (SPD). Security Labels for IPsec are also | Security Policy Database (SPD). Security Labels for IPsec are also | |||
| known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | known as "Labeled IPsec". The new TS type is TS_SECLABEL, which | |||
| consists of a variable length opaque field specifying the security | consists of a variable length opaque field specifying the security | |||
| label. This document updates the IKEv2 TS negotiation specified in | label. This document updates the IKEv2 TS negotiation specified in | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 28 April 2022. | This Internet-Draft will expire on 25 September 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Revised BSD License text as | |||
| as described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 | |||
| 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 | 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 | |||
| 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 | |||
| 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 | |||
| 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 | |||
| 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| In computer security, Mandatory Access Control usually refers to | In computer security, Mandatory Access Control usually refers to | |||
| systems in which all subjects and objects are assigned a security | systems in which all subjects and objects are assigned a security | |||
| label. A security label is comprised of a set of security | label. A security label is comprised of a set of security | |||
| attributes. The security labels along with a system authorization | attributes. The security labels along with a system authorization | |||
| skipping to change at page 4, line 40 ¶ | skipping to change at page 4, line 40 ¶ | |||
| ~ Security Label* ~ | ~ Security Label* ~ | |||
| | | | | | | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| Figure 1: Labeled IPsec Traffic Selector | Figure 1: Labeled IPsec Traffic Selector | |||
| *Note: All fields other than TS Type and Selector Length depend on | *Note: All fields other than TS Type and Selector Length depend on | |||
| the TS Type. The fields shown is for TS Type TS_SECLABEL, the | the TS Type. The fields shown is for TS Type TS_SECLABEL, the | |||
| selector this document defines. | selector this document defines. | |||
| * TS Type (one octet) - Set to [TBD] for TS_SECLABEL, | * TS Type (one octet) - Set to 10 for TS_SECLABEL, | |||
| * Selector Length (2 octets, unsigned integer) - Specifies the | * Selector Length (2 octets, unsigned integer) - Specifies the | |||
| length of this Traffic Selector substructure including the header. | length of this Traffic Selector substructure including the header. | |||
| * Security Label - An opaque byte stream of at least one octet. | * Security Label - An opaque byte stream of at least one octet. | |||
| 2.2. TS_SECLABEL properties | 2.2. TS_SECLABEL properties | |||
| The TS_SECLABEL Traffic Selector Type does not support narrowing or | The TS_SECLABEL Traffic Selector Type does not support narrowing or | |||
| wildcards. It MUST be used as an exact match value. | wildcards. It MUST be used as an exact match value. | |||
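| Review bot: the unchanged note under Figure 1 has a number-agreement slip, "The fields shown is for TS Type TS_SECLABEL"; since this hunk already touches the TS Type bullet (TBD to 10), it is a cheap fix to change it to "The fields shown are for TS Type TS_SECLABEL" in the same revision. | | | | |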
| skipping to change at page 6, line 12 ¶ | skipping to change at page 6, line 12 ¶ | |||
| TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the | |||
| initiator SHOULD first try to negotiate the Child SA with the TS | initiator SHOULD first try to negotiate the Child SA with the TS | |||
| payload including the optional TS_TYPE. Upon receiving | payload including the optional TS_TYPE. Upon receiving | |||
| TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using | TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using | |||
| the same TS but without the optional TS_TYPE. | the same TS but without the optional TS_TYPE. | |||
| 3.1. Example TS negotiation | 3.1. Example TS negotiation | |||
| An initiator could send: | An initiator could send: | |||
| TSi = ((17,0,192.0.2.0-192.0.2.255), | TSi = ((17,24233,198.51.12-198.51.12), | |||
| (17,0,192.0.2.0-192.0.2.255), | ||||
| (0,0,198.51.0-198.51.255), | (0,0,198.51.0-198.51.255), | |||
| TS_SECLABEL1, TS_SECLABEL2) | TS_SECLABEL1, TS_SECLABEL2) | |||
| TSr = ((17,0,203.0.113.0-203.0.113.255), | TSr = ((17,53,203.0.113.1-203.0.113.1), | |||
| (17,0,203.0.113.0-203.0.113.255), | ||||
| (0,0,203.0.113.0-203.0.113.255), | (0,0,203.0.113.0-203.0.113.255), | |||
| TS_SECLABEL1, TS_SECLABEL2) | TS_SECLABEL1, TS_SECLABEL2) | |||
| Figure 2: initiator TS payloads example | Figure 2: initiator TS payloads example | |||
| The responder could answer with the following example: | The responder could answer with the following example: | |||
| TSi = ((0,0,198.51.0-198.51.255), | TSi = ((0,0,198.51.0-198.51.255), | |||
| TS_SECLABEL1) | TS_SECLABEL1) | |||
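| Review bot: the address literals in the Section 3.1 example are malformed in both the old and the new text: `198.51.12-198.51.12` (new TSi) and `198.51.0-198.51.255` (TSi in both columns and in the responder's answer) have only three octets, so they are not valid IPv4 addresses or ranges. Suggest using the RFC 5737 documentation block the example is clearly aiming at, e.g. `198.51.100.12-198.51.100.12` and `198.51.100.0-198.51.100.255`, and applying the same fix to the responder's TSi so the two figures stay consistent. The removal of the duplicated `(17,0,...)` lines in both TSi and TSr looks correct. | | | | |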
| skipping to change at page 7, line 33 ¶ | skipping to change at page 7, line 33 ¶ | |||
| entries match, the (mis-labeled) traffic might end up being | entries match, the (mis-labeled) traffic might end up being | |||
| transmitted in the clear. It is presumed that other Mandatory Access | transmitted in the clear. It is presumed that other Mandatory Access | |||
| Control methods are in place to prevent mis-labeled traffic from | Control methods are in place to prevent mis-labeled traffic from | |||
| reaching the IPsec subsystem, or that the IPsec subsystem itself | reaching the IPsec subsystem, or that the IPsec subsystem itself | |||
| would install a REJECT/DISCARD rule in the SPD to prevent unlabeled | would install a REJECT/DISCARD rule in the SPD to prevent unlabeled | |||
| traffic otherwise matching a labeled security SPD rule from being | traffic otherwise matching a labeled security SPD rule from being | |||
| transmitted without IPsec protection. | transmitted without IPsec protection. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document defines two new entries in the IKEv2 Traffic Selector | This document defines one new entry in the IKEv2 Traffic Selector | |||
| Types registry: | Types registry: | |||
| [Note to RFC Editor (please remove before publication): This value | ||||
| has already bee added via Early Allocation. | ||||
| Value TS Type Reference | Value TS Type Reference | |||
| ----- --------------------------- ----------------- | ----- --------------------------- ----------------- | |||
| TBD TS_SECLABEL [this document] | 10 TS_SECLABEL [this document] | |||
| Figure 4 | Figure 4 | |||
| 6. Implementation Status | 6. Implementation Status | |||
| [Note to RFC Editor: Please remove this section and the reference to | [Note to RFC Editor: Please remove this section and the reference to | |||
| [RFC6982] before publication.] | [RFC7942] before publication.] | |||
| This section records the status of known implementations of the | This section records the status of known implementations of the | |||
| protocol defined by this specification at the time of posting of this | protocol defined by this specification at the time of posting of this | |||
| Internet-Draft, and is based on a proposal described in [RFC7942]. | Internet-Draft, and is based on a proposal described in [RFC7942]. | |||
| The description of implementations in this section is intended to | The description of implementations in this section is intended to | |||
| assist the IETF in its decision processes in progressing drafts to | assist the IETF in its decision processes in progressing drafts to | |||
| RFCs. Please note that the listing of any individual implementation | RFCs. Please note that the listing of any individual implementation | |||
| here does not imply endorsement by the IETF. Furthermore, no effort | here does not imply endorsement by the IETF. Furthermore, no effort | |||
| has been spent to verify the information presented here that was | has been spent to verify the information presented here that was | |||
| supplied by IETF contributors. This is not intended as, and must not | supplied by IETF contributors. This is not intended as, and must not | |||
| be construed to be, a catalog of available implementations or their | be construed to be, a catalog of available implementations or their | |||
| features. Readers are advised to note that other implementations may | features. Readers are advised to note that other implementations may | |||
| exist. | exist. | |||
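| Review bot: the new RFC Editor note in Section 5 has a typo and an unclosed bracket: "This value has already bee added via Early Allocation." should read "This value has already been added via Early Allocation.]" so the note matches the bracketed form used in Section 6. The rest of this hunk is consistent: "one new entry" agrees with the single registry row (10, TS_SECLABEL), and the Implementation Status note now references [RFC7942], which is what the section body already cites. | | | | |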
| skipping to change at page 9, line 42 ¶ | skipping to change at page 10, line 5 ¶ | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
| [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common | |||
| Architecture Label IPv6 Security Option (CALIPSO)", | Architecture Label IPv6 Security Option (CALIPSO)", | |||
| RFC 5570, DOI 10.17487/RFC5570, July 2009, | RFC 5570, DOI 10.17487/RFC5570, July 2009, | |||
| <https://www.rfc-editor.org/info/rfc5570>. | <https://www.rfc-editor.org/info/rfc5570>. | |||
| [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | ||||
| Code: The Implementation Status Section", RFC 6982, | ||||
| DOI 10.17487/RFC6982, July 2013, | ||||
| <https://www.rfc-editor.org/info/rfc6982>. | ||||
| [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running | |||
| Code: The Implementation Status Section", BCP 205, | Code: The Implementation Status Section", BCP 205, | |||
| RFC 7942, DOI 10.17487/RFC7942, July 2016, | RFC 7942, DOI 10.17487/RFC7942, July 2016, | |||
| <https://www.rfc-editor.org/info/rfc7942>. | <https://www.rfc-editor.org/info/rfc7942>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Paul Wouters | Paul Wouters | |||
| Aiven | Aiven | |||
| Email: paul.wouters@aiven.io | Email: paul.wouters@aiven.io | |||
| Sahana Prasad | Sahana Prasad | |||
| Red Hat | Red Hat | |||
| Email: sahana@redhat.com | Email: sahana@redhat.com | |||
| End of changes. 17 change blocks. | ||||
| 22 lines changed or deleted | 21 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | | | |