idnits 2.17.1 draft-ietf-ipsecme-labeled-ipsec-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? -- The draft header indicates that this document updates RFC7296, but the abstract doesn't seem to directly say this. It does mention RFC7296 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (July 8, 2019) is 1725 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 160, but not defined Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network P. Wouters 3 Internet-Draft Red Hat 4 Updates: 7296 (if approved) S. Prasad 5 Intended status: Standards Track Technical University of Munich 6 Expires: January 9, 2020 July 8, 2019 8 Labeled IPsec Traffic Selector support for IKEv2 9 draft-ietf-ipsecme-labeled-ipsec-01 11 Abstract 13 This document defines a new Traffic Selector (TS) Type for Internet 14 Key Exchange version 2 to add support for negotiating Mandatory 15 Access Control (MAC) security labels as a traffic selector of the 16 Security Policy Database (SPD). Security Labels for IPsec are also 17 known as "Labeled IPsec". The new TS type is TS_SECLABEL, which 18 consists of a variable length opaque field specifying the security 19 label. This document updates the IKEv2 TS negotiation specified in 20 RFC 7296 Section 2.9. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on January 9, 2020. 39 Copyright Notice 41 Copyright (c) 2019 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 58 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 59 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 3 60 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 61 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 62 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 63 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 5 64 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 65 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 67 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 69 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 70 7.2. Informative References . . . . . . . . . . . . . . . . . 7 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 73 1. Introduction 75 In computer security, Mandatory Access Control usually refers to 76 systems in which all subjects and objects are assigned a security 77 label. A security label is comprised of a set of security 78 attributes. The security labels along with a system authorization 79 policy determine access. Rules within the system authorization 80 policy determine whether the access will be granted based on the 81 security attributes of the subject and object. 83 Traditionally, security labels used by Multilevel Systems (MLS) are 84 comprised of a sensitivity level (or classification) field and a 85 compartment (or category) field, as defined in [FIPS188] and 86 [RFC5570]. As MAC systems evolved, other MAC models gained in 87 popularity. For example, SELinux, a Flux Advanced Security Kernel 88 (FLASK) implementation, has security labels represented as colon- 89 separated ASCII strings composed of values for identity, role, and 90 type. The security labels are often referred to as security 91 contexts. 93 Traffic Selector (TS) payloads specify the selection criteria for 94 packets that will be forwarded over the newly set up IPsec SA as 95 enforced by the Security Policy Database (SPD, see [RFC4301]). This 96 document updates the Traffic Selector negotiation specified in 97 Section 2.9 of [RFC7296]. 99 This document specifies a new Traffic Selector Type TS_SECLABEL for 100 IKEv2 that can be used to negotiate security labels as additional 101 selectors for the Security Policy Database (SPD) to further restrict 102 the type of traffic allowed to be sent and received over the IPsec 103 SA. 105 1.1. Requirements Language 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 109 "OPTIONAL" in this document are to be interpreted as described in BCP 110 14 [RFC2119] [RFC8174] when, and only when, they appear in all 111 captials, as shown here. 113 1.2. Traffic Selector clarification 115 The negotiation of Traffic Selectors is specified in Section 2.9 of 116 [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and 117 TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is 118 specified in Section 3.13 of [RFC7296]. However, the term Traffic 119 Selector is used to denote the traffic selector payloads and 120 individual traffic selectors of that payload. Sometimes the exact 121 meaning can only be learned from context or if the item is written in 122 plural ("Traffic Selectors" or "TSs"). This section clarifies these 123 terms as follows: 125 A Traffic Selector (no acronym) is one selector for traffic of a 126 specific Traffic Selector Type (TS_TYPE). For example a Traffic 127 Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP 128 network 198.51.100.0/24 covering all ports, is denoted as (17, 0, 129 198.51.100.0-198.51.100.255) 131 A Traffic Selector payload (TS) is a set of one or more Traffic 132 Selectors of the same or different TS_TYPEs, but MUST include at 133 least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For 134 example, the above Traffic Selector by itself in a TS payload is 135 denotated as TS((17, 0, 198.51.100.0-198.51.100.255)) 137 2. TS_SECLABEL Traffic Selector Type 139 This document defines a new TS Type, TS_SECLABEL that contains a 140 single new opaque Security Label. 142 2.1. TS_SECLABEL payload format 144 1 2 3 145 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 146 +---------------+---------------+-------------------------------+ 147 | TS Type | Reserved | Selector Length | 148 +---------------+---------------+-------------------------------+ 149 | | 150 ~ Security Label* ~ 151 | | 152 +---------------------------------------------------------------+ 154 Figure 1: Labeled IPsec Traffic Selector 156 *Note: All fields other than TS Type and Selector Length depend on 157 the TS Type. The fields shown is for TS Type TS_SECLABEL, the 158 selector this document defines. 160 o TS Type (one octet) - Set to [TBD] for TS_SECLABEL, 162 o Selector Length (2 octets, unsigned integer) - Specifies the 163 length of this Traffic Selector substructure including the header. 165 o Security Label - An opaque byte stream of at least one octet. 167 2.2. TS_SECLABEL properties 169 The TS_SECLABEL Traffic Selector Type does not support narrowing or 170 wildcards. It MUST be used as an exact match value. 172 The Security Label contents are opague to the IKE implementation. 173 That is, the IKE implementation might not have any knowledge of the 174 meaning of this selector, other than as a type and opaque value to 175 pass to the SPD. 177 A zero length Security Label MUST NOT be used. If a received TS 178 payload contains a TS_TYPE of TS_SECLABEL with a zero length Security 179 Label, that specific Traffic Selector MUST be ignored. If no other 180 Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a 181 TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length 182 Security Label MUST NOT be interpreted as a wildcard security label. 184 If multiple Security Labels are allowed for a given IP protocol, 185 start and end address/port match, multiple TS_SECLABEL can be 186 included in a TS payload. 188 If the Security Label traffic selector is optional from a 189 configuration point of view, the initiator will have to choose which 190 TS payload to attempt first. If it includes the Security Label and 191 receives a TS_UNAVAILABLE, it can attempt a new Child SA negotiation 192 without that Security Label . 194 A responder that selected a TS with TS_SECLABEL MUST use the Security 195 Label for all selector operations on the resulting IPsec SA. It MUST 196 NOT select a TS_set with a TS_SECLABEL without using the specified 197 Security Label, even if it deems the Security Label optional, as the 198 initiator TS_set with TS_SECLABEL means the initiator mandates using 199 that Security Label. 201 3. Traffic Selector negotiation 203 This document updates the [RFC7296] specification as follows: 205 Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of 206 TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. 208 Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, 209 such as TS_SECLABEL. 211 A responder MUST create its TS response by selecting one of each 212 TS_TYPE present in the offered TS by the initiator. If it cannot 213 select one of each TS_TYPE, it MUST return a TS_UNAVAILABLE Error 214 Notify payload. 216 If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or 217 TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the 218 initiator SHOULD first try to negotiate the Child SA with the TS 219 payload including the optional TS_TYPE. Upon receiving 220 TS_UNAVAILABLE, it SHOULD attempt a new Child SA negotiation using 221 the same TS but without the optional TS_TYPE. 223 Some TS_TYPE's support narrowing, where the responder is allowed to 224 select a subset of the original TS. Narrowing MUST NOT result in an 225 empty selector for that TS_TYPE. 227 3.1. Example TS negotiation 229 An initiator could send: 231 TSi = ((17,0,192.0.2.0-192.0.2.255), 232 (0,0,198.51.0-198.51.255), 233 TS_SECLABEL1, TS_SECLABEL2) 235 TSr = ((17,0,203.0.113.0-203.0.113.255), 236 (0,0,203.0.113.0-203.0.113.255), 237 TS_SECLABEL1, TS_SECLABEL2) 239 Figure 2: initiator TS payloads example 241 The responder could answer with the following example: 243 TSi = ((0,0,198.51.0-198.51.255), 244 TS_SECLABEL1) 246 TSr = (((0,0,203.0.113.0-203.0.113.255), 247 TS_SECLABEL1) 249 Figure 3: responder TS payloads example 251 3.2. Considerations for using multiple TS_TYPEs in a TS 253 It would be unlikely that the traffic for TSi and TSr would have a 254 different Security Label, but this specification does allow this to 255 be specified. If the initiator does not support this, and wants to 256 prevent the responder from picking different labels for the TSi / TSr 257 payloads, it should attempt a Child SA negotiation with only the 258 first Security Label first, and upon failure retry a new Child SA 259 negotiation with only the second Security Label. 261 If different IP ranges can only use different specific Security 262 Labels, than these should be negotiated in two different Child SA 263 negotiations. If in the example above, the initiator only allows 264 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, 265 than it MUST NOT combine these two ranges and security labels into 266 one Child SA negotiation. 268 Narrowing of Traffic Selectors currenrtly only applies only to 269 TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE and not to TS_SECLABEL as 270 the Security Label itself is not interpreted and cannot itself be 271 narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST 272 only use identical Traffic Selectors, which means the same TS Type 273 and selectors MUST be used. This guarantees that a Security Label 274 once negotiated, remains part of the IPsec SA after a rekey. 276 4. Security Considerations 278 It is assumed that the Security Label can be matched by the IKE 279 implementation to its own configured value, even if the IKE 280 implemention itself cannot interpret the Security Label value. 282 5. IANA Considerations 284 This document defines two new entries in the IKEv2 Traffic Selector 285 Types registry: 287 Value TS Type Reference 288 ----- --------------------------- ----------------- 289 TBD TS_SECLABEL [this document] 291 Figure 4 293 6. Acknowledgements 295 A large part of the introduction text was taken verbatim from 296 [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. 297 Quigley and J. Lu. 299 7. References 301 7.1. Normative References 303 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 304 Requirement Levels", BCP 14, RFC 2119, 305 DOI 10.17487/RFC2119, March 1997, . 308 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 309 Kivinen, "Internet Key Exchange Protocol Version 2 310 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 311 2014, . 313 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 314 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 315 May 2017, . 317 7.2. Informative References 319 [draft-jml-ipsec-ikev2-security-label] 320 Latten, J., Quigley, D., and J. Lu, "Security Label 321 Extension to IKE", draft-wouters-edns-tcp-keeaplive (work 322 in progress), January 2011. 324 [FIPS188] NIST, "National Institute of Standards and Technology, 325 "Standard Security Label for Information Transfer"", 326 Federal Information Processing Standard (FIPS) Publication 327 188, September 1994. 329 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 330 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 331 December 2005, . 333 [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common 334 Architecture Label IPv6 Security Option (CALIPSO)", 335 RFC 5570, DOI 10.17487/RFC5570, July 2009, 336 . 338 Authors' Addresses 340 Paul Wouters 341 Red Hat 343 Email: pwouters@redhat.com 345 Sahana Prasad 346 Technical University of Munich 348 Email: sahana.prasad07@gmail.com