Skip to main content

Labeled IPsec Traffic Selector support for IKEv2

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 9478.
Authors Paul Wouters , Sahana Prasad
Last updated 2023-04-27 (Latest revision 2023-04-10)
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Associated WG milestone
Jul 2022
The security labels support for IKEv2 to IESG
Document shepherd Tero Kivinen
Shepherd write-up Show Last changed 2023-02-09
IESG IESG state Became RFC 9478 (Proposed Standard)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Roman Danyliw
Send notices to Tero Kivinen <>
IANA IANA review state IANA OK - Actions Needed
Network                                                       P. Wouters
Internet-Draft                                                     Aiven
Intended status: Standards Track                               S. Prasad
Expires: 12 October 2023                                         Red Hat
                                                           10 April 2023

            Labeled IPsec Traffic Selector support for IKEv2


   This document defines a new Traffic Selector (TS) Type for Internet
   Key Exchange version 2 to add support for negotiating Mandatory
   Access Control (MAC) security labels as a traffic selector of the
   Security Policy Database (SPD).  Security Labels for IPsec are also
   known as "Labeled IPsec".  The new TS type is TS_SECLABEL, which
   consists of a variable length opaque field specifying the security

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 12 October 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Wouters & Prasad         Expires 12 October 2023                [Page 1]
Internet-Draft                Labeled IPsec                   April 2023

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Traffic Selector clarification  . . . . . . . . . . . . .   3
     1.3.  Security Label Traffic Selector negotiation . . . . . . .   4
   2.  TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . .   4
     2.1.  TS_SECLABEL payload format  . . . . . . . . . . . . . . .   4
     2.2.  TS_SECLABEL properties  . . . . . . . . . . . . . . . . .   5
   3.  Traffic Selector negotiation  . . . . . . . . . . . . . . . .   5
     3.1.  Example TS negotiation  . . . . . . . . . . . . . . . . .   6
     3.2.  Considerations for using multiple TS_TYPEs in a TS  . . .   7
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   6.  Implementation Status . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Libreswan . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   In computer security, Mandatory Access Control usually refers to
   systems in which all subjects and objects are assigned a security
   label.  A security label is comprised of a set of security
   attributes.  The security labels along with a system authorization
   policy determine access.  Rules within the system authorization
   policy determine whether the access will be granted based on the
   security attributes of the subject and object.

Wouters & Prasad         Expires 12 October 2023                [Page 2]
Internet-Draft                Labeled IPsec                   April 2023

   Traditionally, security labels used by Multilevel Systems (MLS) are
   comprised of a sensitivity level (or classification) field and a
   compartment (or category) field, as defined in [FIPS188] and
   [RFC5570].  As MAC systems evolved, other MAC models gained in
   popularity.  For example, SELinux, a Flux Advanced Security Kernel
   (FLASK) implementation, has security labels represented as colon-
   separated ASCII strings composed of values for identity, role, and
   type.  The security labels are often referred to as security

   Traffic Selector (TS) payloads specify the selection criteria for
   packets that will be forwarded over the newly set up IPsec SA as
   enforced by the Security Policy Database (SPD, see [RFC4301]).

   This document specifies a new Traffic Selector Type TS_SECLABEL for
   IKEv2 that can be used to negotiate security labels as additional
   selectors for the Security Policy Database (SPD) to further restrict
   the type of traffic allowed to be sent and received over the IPsec

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Traffic Selector clarification

   The negotiation of Traffic Selectors is specified in Section 2.9 of
   [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and
   TS_IPV6_ADDR_RANGE).  The Traffic Selector payload format is
   specified in Section 3.13 of [RFC7296].  However, the term Traffic
   Selector is used to denote the traffic selector payloads and
   individual traffic selectors of that payload.  Sometimes the exact
   meaning can only be learned from context or if the item is written in
   plural ("Traffic Selectors" or "TSs").  This section clarifies these
   terms as follows:

   A Traffic Selector (no acronym) is one selector for traffic of a
   specific Traffic Selector Type (TS_TYPE).  For example a Traffic
   Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP
   network covering all ports, is denoted as (17, 0,

Wouters & Prasad         Expires 12 October 2023                [Page 3]
Internet-Draft                Labeled IPsec                   April 2023

   A Traffic Selector payload (TS) is a set of one or more Traffic
   Selectors of the same or different TS_TYPEs.  It typically contains
   one or more of the TS_TYPE of TS_IPV4_ADDR_RANGE and/or
   TS_IPV6_ADDR_RANGE.  For example, the above Traffic Selector by
   itself in a TS payload is denoted as TS((17, 0,

1.3.  Security Label Traffic Selector negotiation

   The negotiation of Traffic Selectors is specified in Section 2.9 of
   [RFC7296] and states that the TSi/TSr payloads MUST contain at least
   one Traffic Selector type.  This document adds a new TS_TYPE of
   TS_SECLABEL that is valid only with at least one other type of
   Traffic Selector.  That is, it cannot be the only TS_TYPE present in
   a TSi or TSr payload.  It MUST be used along with an IP address
   selector type such as TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE.

2.  TS_SECLABEL Traffic Selector Type

   This document defines a new TS Type, TS_SECLABEL that contains a
   single new opaque Security Label.

2.1.  TS_SECLABEL payload format

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |   TS Type     |    Reserved   |       Selector Length         |
      |                                                               |
      ~                         Security Label*                       ~
      |                                                               |

                  Figure 1: Labeled IPsec Traffic Selector

   *Note: All fields other than TS Type and Selector Length depend on
   the TS Type.  The fields shown is for TS Type TS_SECLABEL, the
   selector this document defines.

   *  TS Type (one octet) - Set to 10 for TS_SECLABEL,

   *  Selector Length (2 octets, unsigned integer) - Specifies the
      length of this Traffic Selector substructure including the header.

   *  Security Label - An opaque byte stream of at least one octet.

Wouters & Prasad         Expires 12 October 2023                [Page 4]
Internet-Draft                Labeled IPsec                   April 2023

2.2.  TS_SECLABEL properties

   The TS_SECLABEL Traffic Selector Type does not support narrowing or
   wildcards.  It MUST be used as an exact match value.

   The TS_SECLABEL Traffic Selector Type MUST NOT be the only TS_TYPE
   present in the TS payload.  If a TS payload is received with only
   TS_SECLABEL Traffic Selector types, an Error Notify message
   containing TS_UNACCEPTABLE MUST be returned.

   The Security Label contents are opaque to the IKE implementation.
   That is, the IKE implementation might not have any knowledge of the
   meaning of this selector, other than as a type and opaque value to
   pass to the SPD.

   A zero length Security Label MUST NOT be used.  If a received TS
   payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
   Label, that specific Traffic Selector MUST be ignored.  If no other
   Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
   TS_UNACCEPTABLE Error Notify message MUST be returned.  A zero length
   Security Label MUST NOT be interpreted as a wildcard security label.

   If multiple Security Labels are allowed for a given IP protocol,
   start and end address/port match, the initiator includes all of the
   acceptable TS_SECLABEL's and the responder MUST select one of them.

   A responder that selected a TS with TS_SECLABEL MUST use the Security
   Label for all selector operations on the resulting TS.  It MUST NOT
   select a TS_SECLABEL without using the specified Security Label, even
   if it deems the Security Label optional, as the initiator has
   indicated (and expects) that Security Label will be set for all
   traffic matching the negotiated TS.

3.  Traffic Selector negotiation

   TS_SECLABEL MUST NOT be used without another TS_TYPE in a Traffic
   Selector Payload, as it does not specify a complete set of traffic
   selectors on its own.  TS_SECLABEL is complimentary to another type
   of Traffic Selector.  There MUST be an IP address Traffic Selector
   type in addtion to the TS_SECLABEL Traffic Selector type in the
   Traffic Selector Payload.

Wouters & Prasad         Expires 12 October 2023                [Page 5]
Internet-Draft                Labeled IPsec                   April 2023

   If the TSi Payload contains a traffic selector for TS_TYPE of
   TS_SECLABEL (along with another TS_TYPE), the responder MUST create
   each TS response for the other TS_TYPEs using its normal rules
   specifed for each of those TS_TYPE, such as narrowing them following
   the rules specified for that TS_TYPE, and then add exactly one for
   the TS_TYPE of TS_SECLABEL to the TS Payload(s).  If this is not
   possible, it MUST return a TS_UNACCEPTABLE Error Notify payload.

   If the Security Label traffic selector is optional from a
   configuration point of view, an initiator will add the TS_SECLABEL to
   the TSi/TSr Payloads.  If the responder replies with TSi/TSr Payloads
   that include the TS_SECLABEL, than the Child SA MUST be created
   including the negotiated Security Label.  If the responder did not
   include a TS_SECLABEL in its response, then the initiator (which
   deemed the Security Label optional) will install the Child SA without
   including any Security Label.  If the initiator required the
   TS_SECLABEL, it MUST NOT install the Child SA and it MUST send a
   Delete notification for the Child SA so the responder can uninstall
   its Child SA.

3.1.  Example TS negotiation

   An initiator could send:

         TSi = ((17,24233,,
                TS_SECLABEL1, TS_SECLABEL2)

         TSr = ((17,53,,
                TS_SECLABEL1, TS_SECLABEL2)

                  Figure 2: initiator TS payloads example

   The responder could answer with the following example:

         TSi = ((0,0,,

         TSr = (((0,0,,

                  Figure 3: responder TS payloads example

Wouters & Prasad         Expires 12 October 2023                [Page 6]
Internet-Draft                Labeled IPsec                   April 2023

3.2.  Considerations for using multiple TS_TYPEs in a TS

   It would be unlikely that the traffic for TSi and TSr would have a
   different Security Label, but this specification does allow this to
   be specified.  If the initiator does not support this, and wants to
   prevent the responder from picking different labels for the TSi / TSr
   payloads, it should attempt a Child SA negotiation with only the
   first Security Label first, and upon failure retry a new Child SA
   negotiation with only the second Security Label.

   If different IP ranges can only use different specific Security
   Labels, than these should be negotiated in two different Child SA
   negotiations.  If in the example above, the initiator only allows with TS_SECLABEL1, and with
   TS_SECLABEL2, than it MUST NOT combine these two ranges and security
   labels into one Child SA negotiation.

4.  Security Considerations

   It is assumed that the Security Label can be matched by the IKE
   implementation to its own configured value, even if the IKE
   implementation itself cannot interpret the Security Label value.

   A packet that matches an SPD entry for all components except the
   Security Label would be treated as "not matching".  If no other SPD
   entries match, the (mis-labeled) traffic might end up being
   transmitted in the clear.  It is presumed that other Mandatory Access
   Control methods are in place to prevent mis-labeled traffic from
   reaching the IPsec subsystem, or that the IPsec subsystem itself
   would install a REJECT/DISCARD rule in the SPD to prevent unlabeled
   traffic otherwise matching a labeled security SPD rule from being
   transmitted without IPsec protection.

5.  IANA Considerations

   This document defines one new entry in the IKEv2 Traffic Selector
   Types registry:

   [Note to RFC Editor (please remove before publication): This value
   has already bee added via Early Allocation.

      Value   TS Type                      Reference
      -----   ---------------------------  -----------------
      10     TS_SECLABEL   [this document]

                                  Figure 4

Wouters & Prasad         Expires 12 October 2023                [Page 7]
Internet-Draft                Labeled IPsec                   April 2023

6.  Implementation Status

   [Note to RFC Editor: Please remove this section and the reference to
   [RFC7942] before publication.]

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in [RFC7942].
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs.  Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF.  Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.  This is not intended as, and must not
   be construed to be, a catalog of available implementations or their
   features.  Readers are advised to note that other implementations may

   According to [RFC7942], "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable experimentation
   and feedback that have made the implemented protocols more mature.
   It is up to the individual working groups to use this information as
   they see fit".

   Authors are requested to add a note to the RFC Editor at the top of
   this section, advising the Editor to remove the entire section before
   publication, as well as the reference to [RFC7942].

6.1.  Libreswan

   Organization:  The Libreswan Project


   Description:  Implementation was introduced in 4.4, but 4.6 or newer
      should be used

   Level of maturity:  beta

   Coverage:  Implements the entire draft using SElinux based labels

   Licensing:  GPLv2

   Implementation experience:  No interop testing has been done yet.
      The code works including different labeled on-demand kernel

Wouters & Prasad         Expires 12 October 2023                [Page 8]
Internet-Draft                Labeled IPsec                   April 2023

   Contact:  Libreswan Development:

7.  Acknowledgements

   A large part of the introduction text was taken verbatim from
   [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
   Quigley and J.  Lu.  Valery Smyslov provided valuable input regarding
   IKEv2 Traffic Selector semantics.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <>.

8.2.  Informative References

              Latten, J., Quigley, D., and J. Lu, "Security Label
              Extension to IKE", 28 January 2011.

   [FIPS188]  NIST, "National Institute of Standards and Technology,
              "Standard Security Label for Information Transfer"",
              Federal Information Processing Standard (FIPS) Publication
              188, September 1994,

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005, <>.

   [RFC5570]  StJohns, M., Atkinson, R., and G. Thomas, "Common
              Architecture Label IPv6 Security Option (CALIPSO)",
              RFC 5570, DOI 10.17487/RFC5570, July 2009,

Wouters & Prasad         Expires 12 October 2023                [Page 9]
Internet-Draft                Labeled IPsec                   April 2023

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,

Authors' Addresses

   Paul Wouters

   Sahana Prasad
   Red Hat

Wouters & Prasad         Expires 12 October 2023               [Page 10]