idnits 2.17.1 draft-ietf-ipsecme-labeled-ipsec-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? -- The draft header indicates that this document updates RFC7296, but the abstract doesn't seem to directly say this. It does mention RFC7296 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (4 May 2021) is 1087 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 174, but not defined -- Obsolete informational reference (is this intentional?): RFC 6982 (Obsoleted by RFC 7942) Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network P. Wouters 3 Internet-Draft Aiven 4 Updates: 7296 (if approved) S. Prasad 5 Intended status: Standards Track Red Hat 6 Expires: 5 November 2021 4 May 2021 8 Labeled IPsec Traffic Selector support for IKEv2 9 draft-ietf-ipsecme-labeled-ipsec-05 11 Abstract 13 This document defines a new Traffic Selector (TS) Type for Internet 14 Key Exchange version 2 to add support for negotiating Mandatory 15 Access Control (MAC) security labels as a traffic selector of the 16 Security Policy Database (SPD). Security Labels for IPsec are also 17 known as "Labeled IPsec". The new TS type is TS_SECLABEL, which 18 consists of a variable length opaque field specifying the security 19 label. This document updates the IKEv2 TS negotiation specified in 20 RFC 7296 Section 2.9. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on 5 November 2021. 39 Copyright Notice 41 Copyright (c) 2021 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 46 license-info) in effect on the date of publication of this document. 47 Please review these documents carefully, as they describe your rights 48 and restrictions with respect to this document. Code Components 49 extracted from this document must include Simplified BSD License text 50 as described in Section 4.e of the Trust Legal Provisions and are 51 provided without warranty as described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 57 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 58 1.3. Traffic Selector update . . . . . . . . . . . . . . . . . 4 59 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 60 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 61 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 4 62 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 63 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 64 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 65 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 67 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 68 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 69 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 70 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 71 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 72 8.2. Informative References . . . . . . . . . . . . . . . . . 9 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 75 1. Introduction 77 In computer security, Mandatory Access Control usually refers to 78 systems in which all subjects and objects are assigned a security 79 label. A security label is comprised of a set of security 80 attributes. The security labels along with a system authorization 81 policy determine access. Rules within the system authorization 82 policy determine whether the access will be granted based on the 83 security attributes of the subject and object. 85 Traditionally, security labels used by Multilevel Systems (MLS) are 86 comprised of a sensitivity level (or classification) field and a 87 compartment (or category) field, as defined in [FIPS188] and 88 [RFC5570]. As MAC systems evolved, other MAC models gained in 89 popularity. For example, SELinux, a Flux Advanced Security Kernel 90 (FLASK) implementation, has security labels represented as colon- 91 separated ASCII strings composed of values for identity, role, and 92 type. The security labels are often referred to as security 93 contexts. 95 Traffic Selector (TS) payloads specify the selection criteria for 96 packets that will be forwarded over the newly set up IPsec SA as 97 enforced by the Security Policy Database (SPD, see [RFC4301]). This 98 document updates the Traffic Selector negotiation specified in 99 Section 2.9 of [RFC7296]. 101 This document specifies a new Traffic Selector Type TS_SECLABEL for 102 IKEv2 that can be used to negotiate security labels as additional 103 selectors for the Security Policy Database (SPD) to further restrict 104 the type of traffic allowed to be sent and received over the IPsec 105 SA. 107 1.1. Requirements Language 109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 111 "OPTIONAL" in this document are to be interpreted as described in BCP 112 14 [RFC2119] [RFC8174] when, and only when, they appear in all 113 capitals, as shown here. 115 1.2. Traffic Selector clarification 117 The negotiation of Traffic Selectors is specified in Section 2.9 of 118 [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and 119 TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is 120 specified in Section 3.13 of [RFC7296]. However, the term Traffic 121 Selector is used to denote the traffic selector payloads and 122 individual traffic selectors of that payload. Sometimes the exact 123 meaning can only be learned from context or if the item is written in 124 plural ("Traffic Selectors" or "TSs"). This section clarifies these 125 terms as follows: 127 A Traffic Selector (no acronym) is one selector for traffic of a 128 specific Traffic Selector Type (TS_TYPE). For example a Traffic 129 Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP 130 network 198.51.100.0/24 covering all ports, is denoted as (17, 0, 131 198.51.100.0-198.51.100.255) 133 A Traffic Selector payload (TS) is a set of one or more Traffic 134 Selectors of the same or different TS_TYPEs, but MUST include at 135 least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. For 136 example, the above Traffic Selector by itself in a TS payload is 137 denoted as TS((17, 0, 198.51.100.0-198.51.100.255)) 139 1.3. Traffic Selector update 141 The negotiation of Traffic Selectors is specified in Section 2.9 of 142 [RFC7296] and states that the TSi/TSr payloads MUST contain at least 143 one Traffic Selector type. This document updates the text to mean 144 that the TSi/TSr payloads MUST contain at least one Traffic Selector 145 of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic 146 Selector types can be defined that are complimentary to these Traffic 147 Selector Types and cannot be selected on their own without 148 TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. The below defined 149 TS_SECLABEL Traffic Selector Type is an example of this. 151 2. TS_SECLABEL Traffic Selector Type 153 This document defines a new TS Type, TS_SECLABEL that contains a 154 single new opaque Security Label. 156 2.1. TS_SECLABEL payload format 158 1 2 3 159 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 160 +---------------+---------------+-------------------------------+ 161 | TS Type | Reserved | Selector Length | 162 +---------------+---------------+-------------------------------+ 163 | | 164 ~ Security Label* ~ 165 | | 166 +---------------------------------------------------------------+ 168 Figure 1: Labeled IPsec Traffic Selector 170 *Note: All fields other than TS Type and Selector Length depend on 171 the TS Type. The fields shown is for TS Type TS_SECLABEL, the 172 selector this document defines. 174 * TS Type (one octet) - Set to [TBD] for TS_SECLABEL, 176 * Selector Length (2 octets, unsigned integer) - Specifies the 177 length of this Traffic Selector substructure including the header. 179 * Security Label - An opaque byte stream of at least one octet. 181 2.2. TS_SECLABEL properties 183 The TS_SECLABEL Traffic Selector Type does not support narrowing or 184 wildcards. It MUST be used as an exact match value. 186 If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic 187 Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also 188 be present in that TSi/TSr. 190 The Security Label contents are opaque to the IKE implementation. 191 That is, the IKE implementation might not have any knowledge of the 192 meaning of this selector, other than as a type and opaque value to 193 pass to the SPD. 195 A zero length Security Label MUST NOT be used. If a received TS 196 payload contains a TS_TYPE of TS_SECLABEL with a zero length Security 197 Label, that specific Traffic Selector MUST be ignored. If no other 198 Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a 199 TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length 200 Security Label MUST NOT be interpreted as a wildcard security label. 202 If multiple Security Labels are allowed for a given IP protocol, 203 start and end address/port match, multiple TS_SECLABEL can be 204 included in a TS payload. 206 If the Security Label traffic selector is optional from a 207 configuration point of view, the initiator will have to choose which 208 TS payload to attempt first. If it includes the Security Label and 209 receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation 210 without that Security Label. 212 A responder that selected a TS with TS_SECLABEL MUST use the Security 213 Label for all selector operations on the resulting IPsec SA. It MUST 214 NOT select a TS_set with a TS_SECLABEL without using the specified 215 Security Label, even if it deems the Security Label optional, as the 216 initiator TS_set with TS_SECLABEL means the initiator mandates using 217 that Security Label. 219 3. Traffic Selector negotiation 221 This document updates the [RFC7296] specification as follows: 223 Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of 224 TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE. 226 Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs, 227 such as TS_SECLABEL. 229 A responder MUST create its TS response by selecting one of each 230 TS_TYPE present in the offered TS by the initiator. If it cannot 231 select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error 232 Notify payload. 234 If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or 235 TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the 236 initiator SHOULD first try to negotiate the Child SA with the TS 237 payload including the optional TS_TYPE. Upon receiving 238 TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using 239 the same TS but without the optional TS_TYPE. 241 Some TS_TYPE's support narrowing, where the responder is allowed to 242 select a subset of the original TS. Narrowing MUST NOT result in an 243 empty selector for that TS_TYPE. 245 3.1. Example TS negotiation 247 An initiator could send: 249 TSi = ((17,0,192.0.2.0-192.0.2.255), 250 (0,0,198.51.0-198.51.255), 251 TS_SECLABEL1, TS_SECLABEL2) 253 TSr = ((17,0,203.0.113.0-203.0.113.255), 254 (0,0,203.0.113.0-203.0.113.255), 255 TS_SECLABEL1, TS_SECLABEL2) 257 Figure 2: initiator TS payloads example 259 The responder could answer with the following example: 261 TSi = ((0,0,198.51.0-198.51.255), 262 TS_SECLABEL1) 264 TSr = (((0,0,203.0.113.0-203.0.113.255), 265 TS_SECLABEL1) 267 Figure 3: responder TS payloads example 269 3.2. Considerations for using multiple TS_TYPEs in a TS 271 It would be unlikely that the traffic for TSi and TSr would have a 272 different Security Label, but this specification does allow this to 273 be specified. If the initiator does not support this, and wants to 274 prevent the responder from picking different labels for the TSi / TSr 275 payloads, it should attempt a Child SA negotiation with only the 276 first Security Label first, and upon failure retry a new Child SA 277 negotiation with only the second Security Label. 279 If different IP ranges can only use different specific Security 280 Labels, than these should be negotiated in two different Child SA 281 negotiations. If in the example above, the initiator only allows 282 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, 283 than it MUST NOT combine these two ranges and security labels into 284 one Child SA negotiation. 286 The mechanism of narrowing of Traffic Selectors with 287 TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to 288 TS_SECLABEL as the Security Label itself is not interpreted and 289 cannot itself be narrowed. It MUST be matched exactly. Rekey of an 290 IPsec SA MUST only use identical Traffic Selectors, which means the 291 same TS Type and selectors MUST be used. This guarantees that a 292 Security Label once negotiated, remains part of the IPsec SA after a 293 rekey. 295 4. Security Considerations 297 It is assumed that the Security Label can be matched by the IKE 298 implementation to its own configured value, even if the IKE 299 implementation itself cannot interpret the Security Label value. 301 A packet that matches an SPD entry for all components except the 302 Security Label would be treated as "not matching". If no other SPD 303 entries match, the (mis-labeled) traffic might end up being 304 transmitted in the clear. It is presumed that other Mandatory Access 305 Control methods are in place to prevent mis-labeled traffic from 306 reaching the IPsec subsystem, or that the IPsec subsystem itself 307 would install a REJECT/DISCARD rule in the SPD to prevent unlabeled 308 traffic otherwise matching a labeled security SPD rule from being 309 transmitted without IPsec protection. 311 5. IANA Considerations 313 This document defines two new entries in the IKEv2 Traffic Selector 314 Types registry: 316 Value TS Type Reference 317 ----- --------------------------- ----------------- 318 TBD TS_SECLABEL [this document] 320 Figure 4 322 6. Implementation Status 324 [Note to RFC Editor: Please remove this section and the reference to 325 [RFC6982] before publication.] 326 This section records the status of known implementations of the 327 protocol defined by this specification at the time of posting of this 328 Internet-Draft, and is based on a proposal described in [RFC7942]. 329 The description of implementations in this section is intended to 330 assist the IETF in its decision processes in progressing drafts to 331 RFCs. Please note that the listing of any individual implementation 332 here does not imply endorsement by the IETF. Furthermore, no effort 333 has been spent to verify the information presented here that was 334 supplied by IETF contributors. This is not intended as, and must not 335 be construed to be, a catalog of available implementations or their 336 features. Readers are advised to note that other implementations may 337 exist. 339 According to [RFC7942], "this will allow reviewers and working groups 340 to assign due consideration to documents that have the benefit of 341 running code, which may serve as evidence of valuable experimentation 342 and feedback that have made the implemented protocols more mature. 343 It is up to the individual working groups to use this information as 344 they see fit". 346 Authors are requested to add a note to the RFC Editor at the top of 347 this section, advising the Editor to remove the entire section before 348 publication, as well as the reference to [RFC7942]. 350 6.1. Libreswan 352 Organization: The Libreswan Project 354 Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ 356 Description: Implementation has been released as part of libreswan 357 version 4.4. 359 Level of maturity: beta 361 Coverage: Implements the entire draft using SElinux based labels 363 Licensing: GPLv2 365 Implementation experience: No interop testing has been done yet. 366 The code works as proof of concept, but is not yet production 367 ready when using multiple different labels with on-demand kernel 368 ACQUIRES. 370 Contact: Libreswan Development: swan-dev@libreswan.org 372 7. Acknowledgements 374 A large part of the introduction text was taken verbatim from 375 [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. 376 Quigley and J. Lu. 378 8. References 380 8.1. Normative References 382 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 383 Requirement Levels", BCP 14, RFC 2119, 384 DOI 10.17487/RFC2119, March 1997, 385 . 387 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 388 Kivinen, "Internet Key Exchange Protocol Version 2 389 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 390 2014, . 392 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 393 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 394 May 2017, . 396 8.2. Informative References 398 [draft-jml-ipsec-ikev2-security-label] 399 Latten, J., Quigley, D., and J. Lu, "Security Label 400 Extension to IKE", 28 January 2011. 402 [FIPS188] NIST, "National Institute of Standards and Technology, 403 "Standard Security Label for Information Transfer"", 404 Federal Information Processing Standard (FIPS) Publication 405 188, September 1994, 406 . 409 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 410 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 411 December 2005, . 413 [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common 414 Architecture Label IPv6 Security Option (CALIPSO)", 415 RFC 5570, DOI 10.17487/RFC5570, July 2009, 416 . 418 [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 419 Code: The Implementation Status Section", RFC 6982, 420 DOI 10.17487/RFC6982, July 2013, 421 . 423 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 424 Code: The Implementation Status Section", BCP 205, 425 RFC 7942, DOI 10.17487/RFC7942, July 2016, 426 . 428 Authors' Addresses 430 Paul Wouters 431 Aiven 433 Email: paul.wouters@aiven.io 435 Sahana Prasad 436 Red Hat 438 Email: sahana@redhat.com