Technical Summary
This document defines a new Traffic Selector (TS) Type for Internet
Key Exchange version 2 to add support for negotiating Mandatory
Access Control (MAC) security labels as a traffic selector of the
Security Policy Database (SPD). Security Labels for IPsec are also
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which
consists of a variable length opaque field specifying the security
label.
Working Group Summary
The document went through a number of proposals and switched a few times
between using a Notify payload and using a Traffic Selector payload until
consensus was reached. It was also discussed whether the label should be
a variant of existing labels (e.g. IPv4_SECLABEL and IPv6_SECLABEL) and
consensus was reached on making it an independent label to avoid a
combinatorial explosion of Traffic Selector Types.
Consensus was also reached to leave the Label itself as opaque to
the IKE implementation so that it can be used with different types of
labeling systems. A small group of core developers were the active
participants, which is quite common in the IPsecME WG. There were no
objections.
Document Quality
There are currently three interoperable implementations (ELVIS+,
libreswan and strongswan). ELVIS+ only implements the IKEv2 extension,
whereas libreswan and strongswan use the Linux kernel SELinux system
as the labeling system. The authors have contemplated doing an
informational write-up on that system in a separate new draft.
Personnel
The Document Shepherd for this document is Tero Kivinen. The Responsible
Area Director is Roman Danyliw.