Labeled IPsec Traffic Selector support for IKEv2
draft-ietf-ipsecme-labeled-ipsec-08

Document history

Date Rev. By Action
2022-09-27
08 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-08.txt
2022-09-27
08 Paul Wouters New version accepted (logged-in submitter: Paul Wouters)
2022-09-27
08 Paul Wouters Uploaded new revision
2022-09-25
07 (System) Document has expired
2022-03-24
07 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-07.txt
2022-03-24
07 (System) New version accepted (logged-in submitter: Paul Wouters)
2022-03-24
07 Paul Wouters Uploaded new revision
2022-03-23
06 Tero Kivinen
1. Summary

Document Shepherd: Tero Kivinen
Responsible AD: Roman Danyliw
Status: Standard Track

This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD).  Security Labels for IPsec are also
known as "Labeled IPsec".  The new TS type is TS_SECLABEL.

There exists an IKEv1, non-IETF, non-standard method for negotiating
Labeled IPsec for IKEv1. There was a need to standardize this for IKEv2
so as to help those deploying Labeled IPsec to migrate from IKEv1 to IKEv2.

As it is adding a Traffic Selector type, and updates the core IKEv2
specification in RFC 7296, the document is Standards Track.

2. Review and Consensus

The document went through a number of proposals and switched a few times
between using a Notify payload to using a Traffic Selector payload until
consensus was reached. It was also discussed whether the label should be
a variant of existing labels (e.g. IPv4_SECLABEL and IPv6_SECLABEL) and
consensus was reached on making it an independent label to avoid a
combinatorial explosion of Traffic Selector Types.

Consensus was also reached to leave the Label itself as opaque to
the IKE implementation so that it can be used with different types of
labeling systems. A small group of core developers were the active
participants, which is quite common on the IPsecME WG. There were no
objections.

There are currently three interoperable implementations (ELVIS+,
libreswan and strongswan). ELVIS+ only implements the IKEv2 extension,
whereas libreswan and strongswan use the Linux kernel SELinux system
as the labeling system. The authors have contemplated doing an
informational write up on that system in a separate new draft.

3. Intellectual Property

The authors and their employers have no IPR. The IKEv1 implementation
has no known IPR claims - it also negotiates the labels differently.
There is no known IPR regarding Labeled IPsec or its IKE negotiation.

4. Other Points

There are no downrefs. An entry is added to the IANA IKEv2 Traffic Selector
Types Registry which is Expert Review. Note that the value has already
been added as an Early Allocation and (opensource) software has already
been released that uses this value which now appears in shipped products.
Note that one interoperable implementation (ELVIS+) comes from one of the
Experts on this IANA Registry (the other Expert being one of the WG Chairs).
Both have reviewed and approved the early allocation and there is no
expectation they will now reject the IANA allocation.
2021-10-25
06 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-06.txt
2021-10-25
06 (System) New version accepted (logged-in submitter: Paul Wouters)
2021-10-25
06 Paul Wouters Uploaded new revision
2021-08-16
05 Tero Kivinen IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call
2021-07-26
05 Tero Kivinen IETF WG state changed to In WG Last Call from WG Document
2021-05-04
05 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-05.txt
2021-05-04
05 (System) New version accepted (logged-in submitter: Paul Wouters)
2021-05-04
05 Paul Wouters Uploaded new revision
2021-05-03
04 (System) Document has expired
2020-11-10
04 Tero Kivinen Added to session: IETF-109: ipsecme  Tue-1600
2020-10-30
04 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-04.txt
2020-10-30
04 (System) New version approved
2020-10-30
04 (System) Request for posting confirmation emailed to previous authors: Sahana Prasad, Paul Wouters
2020-10-30
04 Paul Wouters Uploaded new revision
2020-07-13
03 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-03.txt
2020-07-13
03 (System) New version approved
2020-07-13
03 (System) Request for posting confirmation emailed to previous authors: Paul Wouters, Sahana Prasad
2020-07-13
03 Paul Wouters Uploaded new revision
2020-05-07
02 (System) Document has expired
2019-11-16
02 Tero Kivinen Added to session: IETF-106: ipsecme  Thu-1550
2019-11-04
02 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-02.txt
2019-11-04
02 (System) New version accepted (logged-in submitter: Paul Wouters)
2019-11-04
02 Paul Wouters Uploaded new revision
2019-07-22
01 Tero Kivinen Added to session: IETF-105: ipsecme  Tue-1520
2019-07-08
01 Paul Wouters New version available: draft-ietf-ipsecme-labeled-ipsec-01.txt
2019-07-08
01 (System) New version approved
2019-07-08
01 (System) Request for posting confirmation emailed to previous authors: Paul Wouters, Sahana Prasad
2019-07-08
01 Paul Wouters Uploaded new revision
2019-03-28
00 Tero Kivinen Notification list changed to Tero Kivinen <kivinen@iki.fi>
2019-03-28
00 Tero Kivinen Document shepherd changed to Tero Kivinen
2019-03-14
00 Tero Kivinen Added to session: IETF-104: ipsecme  Thu-1050
2019-03-11
00 Sahana Prasad New version available: draft-ietf-ipsecme-labeled-ipsec-00.txt
2019-03-11
00 (System) WG -00 approved
2019-03-10
00 Sahana Prasad Set submitter to "Sahana Prasad", replaces to (none) and sent approval email to group chairs: ipsecme-chairs@ietf.org
2019-03-10
00 Sahana Prasad Uploaded new revision