Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-07
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
| 2022-03-24 | 07 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-07.txt |
| 2022-03-24 | 07 | (System) | New version accepted (logged-in submitter: Paul Wouters) |
| 2022-03-24 | 07 | Paul Wouters | Uploaded new revision |
| 2022-03-23 | 06 | Tero Kivinen | 1. Summary Document Shepherd: Tero Kivinen Responsible AD: Roman Danyliw Status: Standard Track This document defines a new Traffic Selector (TS) Type for Internet Key Exchange version 2 to add support for negotiating Mandatory Access Control (MAC) security labels as a traffic selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TS type is TS_SECLABEL. There exists an IKEv1, non-IETF, non-standard method for negotiating Labeled IPsec for IKEv1. There was a need to standardize this for IKEv2 as to help those deploying Labeled IPsec to migrate from IKEv1 to IKEv2. As it is adding a Traffic Selector type, and updates the core IKEv2 specification in RFC 7296, the document is Standards Track. 2. Review and Consensus The document went through a number of proposals and switched a few times between using a Notify payload to using a Traffic Selector payload until consensus was reached. It was also discussed whether the label should be a variant of existing labels (e.g. IPv4_SECLABEL and IPv6_SECLABEL) and consensus was reached on making it an independent label to avoid a combinatorial explosion of Traffic Selector Types. Consensus was also reached to leave the Label itself as opaque to the IKE implementation so that it can be used with different types of labeling systems. A small group of core developers were the active participants, which is quite common on the IPsecME WG. There were no objections. There are currently three interoperable implementations (ELVIS+, libreswan and strongswan). ELVIS+ only implements the IKEv2 extension, whereas libreswan and strongswan use the Linux kernel SELinux system as the labeling system. The authors have contemplated doing an informational write up on that system in a separate new draft. 3. Intellectual Property The authors and their employers have no IPR. The IKEv1 implementation has no known IPR claims - it also negotiates the labels differently. There is no known IPR regarding Labeled IPsec or its IKE negotiation. 4. Other Points There are no downrefs. An entry is added to the IANA IKEv2 Traffic Selector Types Registry which is Expert Review. Note that the value has already been added as an Early Allocation and (opensource) software has already been released that uses this value which now appears in shipped products. Note that one interoperable implementation (ELVIS+) comes from one of the Experts on this IANA Registry (the other Expert being one of the WG Chairs). Both have reviewed and approved the early allocation and there is no expectation they will now reject the IANA allocation. |
| 2021-10-25 | 06 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-06.txt |
| 2021-10-25 | 06 | (System) | New version accepted (logged-in submitter: Paul Wouters) |
| 2021-10-25 | 06 | Paul Wouters | Uploaded new revision |
| 2021-08-16 | 05 | Tero Kivinen | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
| 2021-07-26 | 05 | Tero Kivinen | IETF WG state changed to In WG Last Call from WG Document |
| 2021-05-04 | 05 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-05.txt |
| 2021-05-04 | 05 | (System) | New version accepted (logged-in submitter: Paul Wouters) |
| 2021-05-04 | 05 | Paul Wouters | Uploaded new revision |
| 2021-05-03 | 04 | (System) | Document has expired |
| 2020-11-10 | 04 | Tero Kivinen | Added to session: IETF-109: ipsecme Tue-1600 |
| 2020-10-30 | 04 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-04.txt |
| 2020-10-30 | 04 | (System) | New version approved |
| 2020-10-30 | 04 | (System) | Request for posting confirmation emailed to previous authors: Sahana Prasad <sahana@redhat.com>, Paul Wouters <pwouters@redhat.com> |
| 2020-10-30 | 04 | Paul Wouters | Uploaded new revision |
| 2020-07-13 | 03 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-03.txt |
| 2020-07-13 | 03 | (System) | New version approved |
| 2020-07-13 | 03 | (System) | Request for posting confirmation emailed to previous authors: Paul Wouters <pwouters@redhat.com>, Sahana Prasad <sahana@redhat.com> |
| 2020-07-13 | 03 | Paul Wouters | Uploaded new revision |
| 2020-05-07 | 02 | (System) | Document has expired |
| 2019-11-16 | 02 | Tero Kivinen | Added to session: IETF-106: ipsecme Thu-1550 |
| 2019-11-04 | 02 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-02.txt |
| 2019-11-04 | 02 | (System) | New version accepted (logged-in submitter: Paul Wouters) |
| 2019-11-04 | 02 | Paul Wouters | Uploaded new revision |
| 2019-07-22 | 01 | Tero Kivinen | Added to session: IETF-105: ipsecme Tue-1520 |
| 2019-07-08 | 01 | Paul Wouters | New version available: draft-ietf-ipsecme-labeled-ipsec-01.txt |
| 2019-07-08 | 01 | (System) | New version approved |
| 2019-07-08 | 01 | (System) | Request for posting confirmation emailed to previous authors: Paul Wouters <pwouters@redhat.com>, Sahana Prasad <sahana.prasad07@gmail.com> |
| 2019-07-08 | 01 | Paul Wouters | Uploaded new revision |
| 2019-03-28 | 00 | Tero Kivinen | Notification list changed to Tero Kivinen <kivinen@iki.fi> |
| 2019-03-28 | 00 | Tero Kivinen | Document shepherd changed to Tero Kivinen |
| 2019-03-14 | 00 | Tero Kivinen | Added to session: IETF-104: ipsecme Thu-1050 |
| 2019-03-11 | 00 | Sahana Prasad | New version available: draft-ietf-ipsecme-labeled-ipsec-00.txt |
| 2019-03-11 | 00 | (System) | WG -00 approved |
| 2019-03-10 | 00 | Sahana Prasad | Set submitter to "Sahana Prasad <sahana.prasad07@gmail.com>", replaces to (none) and sent approval email to group chairs: ipsecme-chairs@ietf.org |
| 2019-03-10 | 00 | Sahana Prasad | Uploaded new revision |