
Labeled IPsec Traffic Selector Support for the Internet Key Exchange Protocol Version 2 (IKEv2)
draft-ietf-ipsecme-labeled-ipsec-12

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Tero Kivinen <kivinen@iki.fi>, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-labeled-ipsec@ietf.org, ipsec@ietf.org, ipsecme-chairs@ietf.org, kivinen@iki.fi, rdd@cert.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'Labeled IPsec Traffic Selector support for IKEv2' to Proposed Standard (draft-ietf-ipsecme-labeled-ipsec-12.txt)

The IESG has approved the following document:
- 'Labeled IPsec Traffic Selector support for IKEv2'
  (draft-ietf-ipsecme-labeled-ipsec-12.txt) as Proposed Standard

This document is the product of the IP Security Maintenance and Extensions
Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-labeled-ipsec/


Ballot Text

Technical Summary

   This document defines a new Traffic Selector (TS) Type for Internet
   Key Exchange version 2 to add support for negotiating Mandatory
   Access Control (MAC) security labels as a traffic selector of the
   Security Policy Database (SPD).  Security Labels for IPsec are also
   known as "Labeled IPsec".  The new TS type is TS_SECLABEL, which
   consists of a variable length opaque field specifying the security
   label.
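   As an added illustration (example code, not text or code from the draft or from any implementation named on this page), the following Python encodes and parses an IKEv2 Traffic Selector payload that carries a TS_SECLABEL next to an ordinary address-range selector, and shows the one check the opaque-label design leaves to IKE: byte-for-byte comparison, with no parsing or narrowing of the label. The address-range layout and the payload header follow RFC 7296; the TS_SECLABEL code point (10), the zero Reserved octet, and the rejection of empty labels are assumptions not stated on this page. The SELinux-style context string is a constructed sample label.

```python
import struct

# IKEv2 Traffic Selector Types (IANA registry). The two address-range types are
# from RFC 7296. The TS_SECLABEL code point is not stated on this page; 10 is
# assumed here.
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
TS_SECLABEL = 10  # assumption, see lead-in

# Constructed sample label shaped like an SELinux security context. IKE treats
# it as opaque bytes; the labeling system (here SELinux) gives it meaning.
SAMPLE_LABEL = b"system_u:object_r:ipsec_spd_t:s0"


def encode_ts_addr_range(ts_type, ip_proto, start_port, end_port, start_addr, end_addr):
    """RFC 7296 address-range selector:
    TS Type(1) | IP Protocol ID(1) | Selector Length(2) | Start Port(2) | End Port(2) | Start Addr | End Addr"""
    addr_len = 4 if ts_type == TS_IPV4_ADDR_RANGE else 16
    if len(start_addr) != addr_len or len(end_addr) != addr_len:
        raise ValueError("address length does not match TS type")
    length = 8 + 2 * addr_len
    return struct.pack("!BBHHH", ts_type, ip_proto, length, start_port, end_port) + start_addr + end_addr


def encode_ts_seclabel(label):
    """TS_SECLABEL selector: TS Type(1) | Reserved(1) = 0 | Selector Length(2) | Security Label (variable).
    The label is opaque to IKE; only its length is checked (empty labels rejected: an assumed rule)."""
    if not label:
        raise ValueError("empty security label")
    length = 4 + len(label)
    if length > 0xFFFF:
        raise ValueError("label too long for 16-bit Selector Length")
    return struct.pack("!BBH", TS_SECLABEL, 0, length) + label


def encode_ts_payload(selectors):
    """TS payload body (RFC 7296): Number of TSs(1) | Reserved(3) | selectors..."""
    if not 1 <= len(selectors) <= 255:
        raise ValueError("TS payload must carry 1..255 selectors")
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def decode_ts_payload(data):
    """Parse a TS payload body into a list of dicts. Every Selector Length is checked
    against the buffer before use, so a truncated or lying length raises instead of over-reading."""
    if len(data) < 4:
        raise ValueError("TS payload header truncated")
    count = data[0]
    off = 4
    selectors = []
    for _ in range(count):
        if len(data) - off < 4:
            raise ValueError("selector header truncated")
        ts_type, second_octet, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad Selector Length")
        body = data[off + 4:off + length]
        if ts_type in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE):
            addr_len = 4 if ts_type == TS_IPV4_ADDR_RANGE else 16
            if len(body) != 4 + 2 * addr_len:
                raise ValueError("address-range selector has wrong length")
            start_port, end_port = struct.unpack("!HH", body[:4])
            selectors.append({"type": ts_type, "ip_proto": second_octet,
                              "start_port": start_port, "end_port": end_port,
                              "start_addr": bytes(body[4:4 + addr_len]),
                              "end_addr": bytes(body[4 + addr_len:])})
        elif ts_type == TS_SECLABEL:
            if second_octet != 0:
                raise ValueError("TS_SECLABEL reserved octet must be zero")  # assumed rule
            if not body:
                raise ValueError("zero-length security label")  # assumed rule
            selectors.append({"type": TS_SECLABEL, "label": bytes(body)})
        else:
            # Unknown TS type: keep it opaque rather than guessing at its layout.
            selectors.append({"type": ts_type, "raw": bytes(body)})
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last selector")
    return selectors


def label_acceptable(proposed, policy_label):
    """Because the label is opaque to IKE, the only safe match is byte-for-byte
    equality: IKE does not parse, canonicalise, or narrow it the way it narrows
    address and port ranges."""
    return proposed == policy_label


def build_sample_payload():
    """Constructed initiator TSi: any protocol, any port, 10.0.0.0-10.0.0.255, carrying SAMPLE_LABEL."""
    return encode_ts_payload([
        encode_ts_addr_range(TS_IPV4_ADDR_RANGE, 0, 0, 0xFFFF,
                             bytes([10, 0, 0, 0]), bytes([10, 0, 0, 255])),
        encode_ts_seclabel(SAMPLE_LABEL),
    ])


if __name__ == "__main__":
    for ts in decode_ts_payload(build_sample_payload()):
        print(ts)
```

   The decoder deliberately keeps unknown TS types as raw bytes, which is also how a peer that does not understand TS_SECLABEL would see the new selector; whether such a peer may ignore it or must reject the proposal is a negotiation rule of the draft itself and is not modelled here.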

Working Group Summary

The document went through a number of proposals and switched a few times
between using a Notify payload and using a Traffic Selector payload until
consensus was reached. It was also discussed whether the label should be
a variant of existing labels (e.g. IPv4_SECLABEL and IPv6_SECLABEL), and
consensus was reached on making it an independent label to avoid a
combinatorial explosion of Traffic Selector Types.

Consensus was also reached to leave the Label itself opaque to the IKE
implementation so that it can be used with different types of labeling
systems. A small group of core developers were the active participants,
which is quite common in the IPsecME WG. There were no objections.

Document Quality

There are currently three interoperable implementations (ELVIS+,
libreswan and strongSwan). ELVIS+ only implements the IKEv2 extension,
whereas libreswan and strongSwan use the Linux kernel's SELinux system
as the labeling system. The authors have contemplated doing an
informational write-up on that system in a separate new draft.

Personnel

   The Document Shepherd for this document is Tero Kivinen. The Responsible
   Area Director is Roman Danyliw.

RFC Editor Note