Shepherd writeup

1. Summary

Document Shepherd: Tero Kivinen
Responsible AD: Roman Danyliw
Status: Standards Track

This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD).  Security Labels for IPsec are also
known as "Labeled IPsec".  The new TS type is TS_SECLABEL.

There exists a non-IETF, non-standard method for negotiating Labeled
IPsec with IKEv1. Standardizing this for IKEv2 was needed to help those
deploying Labeled IPsec migrate from IKEv1 to IKEv2.

As it adds a Traffic Selector type and updates the core IKEv2
specification in RFC 7296, the document is Standards Track.

2. Review and Consensus

The document went through a number of proposals and switched a few times
between using a Notify payload and using a Traffic Selector payload until
consensus was reached. It was also discussed whether the label should be
a variant of existing Traffic Selector types (e.g. IPv4_SECLABEL and
IPv6_SECLABEL); consensus was reached on making it an independent type to
avoid a combinatorial explosion of Traffic Selector Types.

Consensus was also reached to leave the Label itself opaque to
the IKE implementation so that it can be used with different types of
labeling systems. A small group of core developers were the active
participants, which is quite common in the IPsecME WG. There were no

There are currently three interoperable implementations (ELVIS+,
libreswan and strongSwan). ELVIS+ only implements the IKEv2 extension,
whereas libreswan and strongSwan use the Linux kernel SELinux system
as the labeling system. The authors have contemplated doing an
informational write-up on that system in a separate new draft.

3. Intellectual Property

The authors and their employers have no IPR. The IKEv1 implementation
has no known IPR claims - it also negotiates the labels differently.
There is no known IPR regarding Labeled IPsec or its IKE negotiation.

4. Other Points

There are no downrefs. An entry is added to the IANA IKEv2 Traffic Selector
Types Registry, whose registration policy is Expert Review. Note that the
value has already been added as an Early Allocation and (open source)
software that uses this value has already been released and now appears
in shipped products. Note that one interoperable implementation (ELVIS+)
comes from one of the Experts on this IANA Registry (the other Expert
being one of the WG Chairs). Both have reviewed and approved the early
allocation, and there is no expectation they will now reject the IANA
allocation.