Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-00
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (ipsecme WG) | |
|---|---|---|---|
| Authors | Paul Wouters , Sahana Prasad | ||
| Last updated | 2019-03-28 (Latest revision 2019-03-11) | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats | plain text xml htmlized pdfized bibtex | ||
| Stream | WG state | WG Document | |
| Associated WG milestone |
|
||
| Document shepherd | Tero Kivinen | ||
| IESG | IESG state | I-D Exists | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | Tero Kivinen <kivinen@iki.fi> |
draft-ietf-ipsecme-labeled-ipsec-00
Network P. Wouters
Internet-Draft Red Hat
Intended status: Standards Track S. Prasad
Expires: September 11, 2019 Technical University of Munich
March 10, 2019
Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-00
Abstract
This document defines two new Traffic Selector (TS) Types for
Internet Key Exchange version 2 to add support for Mandatory Access
Control (MAC) security labels, also known as "Labeled IPsec". The
two new TS Types are TS_IPV4_ADDR_RANGE_SECLABEL and
TS_IPV6_ADDR_RANGE_SECLABEL, which are identical to their non-
seclabel namesakes except for the addition of a variable length
opaque field specifying the security label. These new Traffic
Selector Types facilitate negotiating security labels as an
additional selector of the Security Policy Database to further
restrict the type of traffic allowed to be send and received over the
IPsec SA.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 11, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Wouters & Prasad Expires September 11, 2019 [Page 1]
Internet-Draft Labeled IPsec March 2019
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Traffic Selector negotiation . . . . . . . . . . . . . . . . 3
3. SECLABEL Traffic Selector . . . . . . . . . . . . . . . . . . 3
4. Traffic Selector matching . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
In computer security, Mandatory Access Control usually refers to
systems in which all subjects and objects are assigned a security
label. A security label is comprised of a set of security
attributes. The security labels along with a system authorization
policy determine access. Rules within the system authorization
policy determine whether the access will be granted based on the
security attributes of the subject and object.
Traditionally, security labels used by Multilevel Systems (MLS) are
comprised of a sensitivity level (or classification) field and a
compartment (or category) field, as defined in [FIPS188] and
[RFC5570]. As MAC systems evolved, other MAC models gained in
popularity. For example, SELinux, a Flux Advanced Security Kernel
(FLASK) implementation, has security labels represented as colon-
separated ASCII strings composed of values for identity, role, and
type. The security labels are often referred to as security
contexts.
This document specifies two new Traffic Selector Types for IKEv2 that
can be used to negotiate security labels as additional selectors for
the Security Policy Database (SPD) to further restrict the type of
traffic allowed to be send and received over the IPsec SA.
Wouters & Prasad Expires September 11, 2019 [Page 2]
Internet-Draft Labeled IPsec March 2019
Traffic Selector (TS) payloads allow endpoints to communicate some of
the information from their SPD to their peers. These must be
communicated to IKE from the SPD. TS payloads specify the selection
criteria for packets that will be forwarded over the newly set up SA.
Section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296]
illustrates the Traffic Selector negotiation procedure.
Two TS payloads appear in each of the messages in the exchange that
creates a Child SA pair. Each TS payload contains one or more
Traffic Selectors. Currently, each Traffic Selector consists of an
address range (IPv4 or IPv6), a port range, and an IP protocol ID.
However, a security context or a label is missing. Therefore this
document extends the section 2.9 in the Internet Key Exchange
protocol version 2 [RFC7296] to add support for a new traffic
selector type which would be used to negotiate the security label or
context.
Negotiating and verifying the security context or label in the new TS
types will act as an additional criteria that has to match along with
the previously mentioned Traffic Selectors.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Traffic Selector negotiation
The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296]. The initiating IKE peer sends a Traffic Selector payload
for the initiator side (TSi) and a Traffic Selector payload for the
responder side (TSr). The TSi and TSr payloads contain a list of one
or more Traffic Selectors (TS). The responder picks one TS from the
TSi list and one TS from the TSr list and returns these in their own
TSi/TSr payloads to the initiator in the IKE response as confirmation
of the chosen traffic selectors. [RFC7296] defines two TS Types,
TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE. These TS payloads contain
the TS Type, IP protocol ID, Selector Length, Start and End Port and
Start and End Address.
3. SECLABEL Traffic Selector
This document defines two new TS Types, TS_IPV4_ADDR_RANGE_SECLABEL
and TS_IPV6_ADDR_RANGE_SECLABEL. In addition to the above mentioned
selectors, it contains a single new opaque Security Label selector.
Wouters & Prasad Expires September 11, 2019 [Page 3]
Internet-Draft Labeled IPsec March 2019
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| TS Type |IP Protocol ID*| Selector Length |
+---------------+---------------+-------------------------------+
| Start Port* | End Port* |
+-------------------------------+-------------------------------+
| |
~ Starting Address* ~
| |
+---------------------------------------------------------------+
| |
~ Ending Address* ~
| |
+---------------------------------------------------------------+
| |
~ Security Label* ~
| |
+---------------------------------------------------------------+
Figure 1: Labeled IPsec Traffic Selector
*Note: All fields other than TS Type and Selector Length depend on
the TS Type. The fields shown are for TS Types [TBD] and [TBD], the
two values this document defines.
o TS Type (one octet) - Specifies the type of Traffic Selector.
o IP protocol ID (1 octet) - Value specifying an associated IP
protocol ID (such as UDP, TCP, and ICMP). A value of zero means
that the protocol ID is not relevant to this Traffic Selector --
the SA can carry all protocols.
o Selector Length (2 octets, unsigned integer) - Specifies the
length of this Traffic Selector substructure including the header.
o Start Port (2 octets, unsigned integer) - Value specifying the
smallest port number allowed by this Traffic Selector. For
protocols for which port is undefined (including protocol 0), or
if all ports are allowed, this field MUST be zero. ICMP and
ICMPv6 Type and Code values, as well as Mobile IP version 6
(MIPv6) mobility header (MH) Type values, are represented in this
field as specified in Section 4.4.1.1 of [RFC4301]. ICMP Type and
Code values are treated as a single 16-bit integer port number,
with Type in the most significant eight bits and Code in the least
significant eight bits. MIPv6 MH Type values are treated as a
single 16-bit integer port number, with Type in the most
Wouters & Prasad Expires September 11, 2019 [Page 4]
Internet-Draft Labeled IPsec March 2019
significant eight bits and the least significant eight bits set to
zero.
o End Port (2 octets, unsigned integer) - Value specifying the
largest port number allowed by this Traffic Selector. For
protocols for which port is undefined (including protocol 0), or
if all ports are allowed, this field MUST be 65535. ICMP and
ICMPv6 Type and Code values, as well as MIPv6 MH Type values, are
represented in this field as specified in Section 4.4.1.1 of
[RFC4301]. ICMP Type and Code values are treated as a single
16-bit integer port number, with Type in the most significant
eight bits and Code in the least significant eight bits. MIPv6 MH
Type values are treated as a single 16-bit integer port number,
with Type in the most significant eight bits and the least
significant eight bits set to zero.
o Starting Address - The smallest address included in this Traffic
Selector (length determined by TS Type).
o Ending Address - The largest address included in this Traffic
Selector (length determined by TS Type).
o Security Label - An opaque byte stream of at least one octet.
4. Traffic Selector matching
Matching of the IP protocol, start and end address, and start and end
port is performed the same way as for the TS_IPV4_ADDR_RANGE and
TS_IPV6_ADDR_RANGE TS types. Additionally, the Security Label is
compared for an exact match as well. Label matching is done by
comparing the opaque bytestream.
The Security Label in the TSi and TSr MUST be identical. If the
responder's policy does not allow it to accept any part of the
proposed Traffic Selector including the Security Label, it MUST
ignore the TS and look for another matching TS in the list. If no
list entry matches, a TS_UNACCEPTABLE Notify message is returned.
A zero length Security Label MUST NOT be sent. If the SPD policy
contains no Security Label selectors, the TS Types
TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL should
not be used and TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE should be
used instead. Any received Traffic Selector with a zero length
Security Label MUST be ignored, and if no valid TS can be selected,
an TS_UNACCEPTABLE Error Notify message is returned. A zero length
Security Label MUST NOT be interpreted as a wildcard security label.
Wouters & Prasad Expires September 11, 2019 [Page 5]
Internet-Draft Labeled IPsec March 2019
If multiple Security Labels are allowed for a given IP protocol,
start and end address/port match, multiple
TS_IPV4_ADDR_RANGE_SECLABEL or TS_IPV6_ADDR_RANGE_SECLABEL Traffic
Selectors must be included that only differ in the Security Label.
Narrowing of Traffic Selectors applies to TS_IPV4_ADDR_RANGE_SECLABEL
and TS_IPV6_ADDR_RANGE_SECLABEL as well, but the Security Label
itself is not interpreted and cannot itself be narrowed. It MUST be
matched exactly. Rekey of an IPsec SA MUST only use identical
Traffic Selectors, which means the same TS Type and selectors MUST be
used. This guarantees that a Security Label once negotiated, remains
part of the IPsec SA after a rekey.
5. Security Considerations
It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE
implemention itself cannot interpret the Security Label value.
6. IANA Considerations
This document defines two new entries in the IKEv2 Traffic Selector
Types registry:
Value TS Type Reference
----- --------------------------- -----------------
TBD TS_IPV4_ADDR_RANGE_SECLABEL [this document]
TBD TS_IPV6_ADDR_RANGE_SECLABEL [this document]
Figure 2
7. Acknowledgements
A large part of the introduction text was taken verbatim from
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Part of the Traffic Selector description is
reproduced from [RFC7296].
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
Wouters & Prasad Expires September 11, 2019 [Page 6]
Internet-Draft Labeled IPsec March 2019
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>.
8.2. Informative References
[draft-jml-ipsec-ikev2-security-label]
Latten, J., Quigley, D., and J. Lu, "Security Label
Extension to IKE", draft-wouters-edns-tcp-keeaplive (work
in progress), January 2011.
[FIPS188] NIST, "National Institute of Standards and Technology,
"Standard Security Label for Information Transfer"",
Federal Information Processing Standard (FIPS) Publication
188, September 1994.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>.
Authors' Addresses
Paul Wouters
Red Hat
Email: pwouters@redhat.com
Sahana Prasad
Technical University of Munich
Email: sahana.prasad07@gmail.com
Wouters & Prasad Expires September 11, 2019 [Page 7]