[Search] [txt|xml|pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05                                             
Network                                                       P. Wouters
Internet-Draft                                                     Aiven
Updates: 7296 (if approved)                                    S. Prasad
Intended status: Standards Track                                 Red Hat
Expires: 5 November 2021                                      4 May 2021


            Labeled IPsec Traffic Selector support for IKEv2
                  draft-ietf-ipsecme-labeled-ipsec-05

Abstract

   This document defines a new Traffic Selector (TS) Type for Internet
   Key Exchange version 2 to add support for negotiating Mandatory
   Access Control (MAC) security labels as a traffic selector of the
   Security Policy Database (SPD).  Security Labels for IPsec are also
   known as "Labeled IPsec".  The new TS type is TS_SECLABEL, which
   consists of a variable length opaque field specifying the security
   label.  This document updates the IKEv2 TS negotiation specified in
   RFC 7296 Section 2.9.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 November 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components



Wouters & Prasad         Expires 5 November 2021                [Page 1]


Internet-Draft                Labeled IPsec                     May 2021


   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Traffic Selector clarification  . . . . . . . . . . . . .   3
     1.3.  Traffic Selector update . . . . . . . . . . . . . . . . .   4
   2.  TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . .   4
     2.1.  TS_SECLABEL payload format  . . . . . . . . . . . . . . .   4
     2.2.  TS_SECLABEL properties  . . . . . . . . . . . . . . . . .   4
   3.  Traffic Selector negotiation  . . . . . . . . . . . . . . . .   5
     3.1.  Example TS negotiation  . . . . . . . . . . . . . . . . .   6
     3.2.  Considerations for using multiple TS_TYPEs in a TS  . . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   6.  Implementation Status . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Libreswan . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   In computer security, Mandatory Access Control usually refers to
   systems in which all subjects and objects are assigned a security
   label.  A security label is comprised of a set of security
   attributes.  The security labels along with a system authorization
   policy determine access.  Rules within the system authorization
   policy determine whether the access will be granted based on the
   security attributes of the subject and object.

   Traditionally, security labels used by Multilevel Systems (MLS) are
   comprised of a sensitivity level (or classification) field and a
   compartment (or category) field, as defined in [FIPS188] and
   [RFC5570].  As MAC systems evolved, other MAC models gained in
   popularity.  For example, SELinux, a Flux Advanced Security Kernel
   (FLASK) implementation, has security labels represented as colon-
   separated ASCII strings composed of values for identity, role, and
   type.  The security labels are often referred to as security
   contexts.






Wouters & Prasad         Expires 5 November 2021                [Page 2]


Internet-Draft                Labeled IPsec                     May 2021


   Traffic Selector (TS) payloads specify the selection criteria for
   packets that will be forwarded over the newly set up IPsec SA as
   enforced by the Security Policy Database (SPD, see [RFC4301]).  This
   document updates the Traffic Selector negotiation specified in
   Section 2.9 of [RFC7296].

   This document specifies a new Traffic Selector Type TS_SECLABEL for
   IKEv2 that can be used to negotiate security labels as additional
   selectors for the Security Policy Database (SPD) to further restrict
   the type of traffic allowed to be sent and received over the IPsec
   SA.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Traffic Selector clarification

   The negotiation of Traffic Selectors is specified in Section 2.9 of
   [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and
   TS_IPV6_ADDR_RANGE).  The Traffic Selector payload format is
   specified in Section 3.13 of [RFC7296].  However, the term Traffic
   Selector is used to denote the traffic selector payloads and
   individual traffic selectors of that payload.  Sometimes the exact
   meaning can only be learned from context or if the item is written in
   plural ("Traffic Selectors" or "TSs").  This section clarifies these
   terms as follows:

   A Traffic Selector (no acronym) is one selector for traffic of a
   specific Traffic Selector Type (TS_TYPE).  For example a Traffic
   Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP
   network 198.51.100.0/24 covering all ports, is denoted as (17, 0,
   198.51.100.0-198.51.100.255)

   A Traffic Selector payload (TS) is a set of one or more Traffic
   Selectors of the same or different TS_TYPEs, but MUST include at
   least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.  For
   example, the above Traffic Selector by itself in a TS payload is
   denoted as TS((17, 0, 198.51.100.0-198.51.100.255))








Wouters & Prasad         Expires 5 November 2021                [Page 3]


Internet-Draft                Labeled IPsec                     May 2021


1.3.  Traffic Selector update

   The negotiation of Traffic Selectors is specified in Section 2.9 of
   [RFC7296] and states that the TSi/TSr payloads MUST contain at least
   one Traffic Selector type.  This document updates the text to mean
   that the TSi/TSr payloads MUST contain at least one Traffic Selector
   of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE, as other Traffic
   Selector types can be defined that are complimentary to these Traffic
   Selector Types and cannot be selected on their own without
   TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.  The below defined
   TS_SECLABEL Traffic Selector Type is an example of this.

2.  TS_SECLABEL Traffic Selector Type

   This document defines a new TS Type, TS_SECLABEL that contains a
   single new opaque Security Label.

2.1.  TS_SECLABEL payload format

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +---------------+---------------+-------------------------------+
      |   TS Type     |    Reserved   |       Selector Length         |
      +---------------+---------------+-------------------------------+
      |                                                               |
      ~                         Security Label*                       ~
      |                                                               |
      +---------------------------------------------------------------+

                  Figure 1: Labeled IPsec Traffic Selector

   *Note: All fields other than TS Type and Selector Length depend on
   the TS Type.  The fields shown is for TS Type TS_SECLABEL, the
   selector this document defines.

   *  TS Type (one octet) - Set to [TBD] for TS_SECLABEL,

   *  Selector Length (2 octets, unsigned integer) - Specifies the
      length of this Traffic Selector substructure including the header.

   *  Security Label - An opaque byte stream of at least one octet.

2.2.  TS_SECLABEL properties

   The TS_SECLABEL Traffic Selector Type does not support narrowing or
   wildcards.  It MUST be used as an exact match value.





Wouters & Prasad         Expires 5 November 2021                [Page 4]


Internet-Draft                Labeled IPsec                     May 2021


   If the TS_SECLABEL is present in a TSi/TSr, at least one Traffic
   Selector of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE MUST also
   be present in that TSi/TSr.

   The Security Label contents are opaque to the IKE implementation.
   That is, the IKE implementation might not have any knowledge of the
   meaning of this selector, other than as a type and opaque value to
   pass to the SPD.

   A zero length Security Label MUST NOT be used.  If a received TS
   payload contains a TS_TYPE of TS_SECLABEL with a zero length Security
   Label, that specific Traffic Selector MUST be ignored.  If no other
   Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a
   TS_UNACCEPTABLE Error Notify message MUST be returned.  A zero length
   Security Label MUST NOT be interpreted as a wildcard security label.

   If multiple Security Labels are allowed for a given IP protocol,
   start and end address/port match, multiple TS_SECLABEL can be
   included in a TS payload.

   If the Security Label traffic selector is optional from a
   configuration point of view, the initiator will have to choose which
   TS payload to attempt first.  If it includes the Security Label and
   receives a TS_UNACCEPTABLE, it can attempt a new Child SA negotiation
   without that Security Label.

   A responder that selected a TS with TS_SECLABEL MUST use the Security
   Label for all selector operations on the resulting IPsec SA.  It MUST
   NOT select a TS_set with a TS_SECLABEL without using the specified
   Security Label, even if it deems the Security Label optional, as the
   initiator TS_set with TS_SECLABEL means the initiator mandates using
   that Security Label.

3.  Traffic Selector negotiation

   This document updates the [RFC7296] specification as follows:

   Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
   TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.

   Each TS payload (TSi or TSr) MAY contain one or more other TS_TYPEs,
   such as TS_SECLABEL.

   A responder MUST create its TS response by selecting one of each
   TS_TYPE present in the offered TS by the initiator.  If it cannot
   select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error
   Notify payload.




Wouters & Prasad         Expires 5 November 2021                [Page 5]


Internet-Draft                Labeled IPsec                     May 2021


   If a specific TS_TYPE (other than TS_IPV4_ADDR_RANGE or
   TS_IPV6_ADDR_RANGE which are mandatory) is deemed optional, the
   initiator SHOULD first try to negotiate the Child SA with the TS
   payload including the optional TS_TYPE.  Upon receiving
   TS_UNACCEPTABLE, it SHOULD attempt a new Child SA negotiation using
   the same TS but without the optional TS_TYPE.

   Some TS_TYPE's support narrowing, where the responder is allowed to
   select a subset of the original TS.  Narrowing MUST NOT result in an
   empty selector for that TS_TYPE.

3.1.  Example TS negotiation

   An initiator could send:

         TSi = ((17,0,192.0.2.0-192.0.2.255),
                (0,0,198.51.0-198.51.255),
                TS_SECLABEL1, TS_SECLABEL2)

         TSr = ((17,0,203.0.113.0-203.0.113.255),
                (0,0,203.0.113.0-203.0.113.255),
                TS_SECLABEL1, TS_SECLABEL2)


                  Figure 2: initiator TS payloads example

   The responder could answer with the following example:

         TSi = ((0,0,198.51.0-198.51.255),
                TS_SECLABEL1)

         TSr = (((0,0,203.0.113.0-203.0.113.255),
                TS_SECLABEL1)


                  Figure 3: responder TS payloads example

3.2.  Considerations for using multiple TS_TYPEs in a TS

   It would be unlikely that the traffic for TSi and TSr would have a
   different Security Label, but this specification does allow this to
   be specified.  If the initiator does not support this, and wants to
   prevent the responder from picking different labels for the TSi / TSr
   payloads, it should attempt a Child SA negotiation with only the
   first Security Label first, and upon failure retry a new Child SA
   negotiation with only the second Security Label.





Wouters & Prasad         Expires 5 November 2021                [Page 6]


Internet-Draft                Labeled IPsec                     May 2021


   If different IP ranges can only use different specific Security
   Labels, than these should be negotiated in two different Child SA
   negotiations.  If in the example above, the initiator only allows
   192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2,
   than it MUST NOT combine these two ranges and security labels into
   one Child SA negotiation.

   The mechanism of narrowing of Traffic Selectors with
   TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to
   TS_SECLABEL as the Security Label itself is not interpreted and
   cannot itself be narrowed.  It MUST be matched exactly.  Rekey of an
   IPsec SA MUST only use identical Traffic Selectors, which means the
   same TS Type and selectors MUST be used.  This guarantees that a
   Security Label once negotiated, remains part of the IPsec SA after a
   rekey.

4.  Security Considerations

   It is assumed that the Security Label can be matched by the IKE
   implementation to its own configured value, even if the IKE
   implementation itself cannot interpret the Security Label value.

   A packet that matches an SPD entry for all components except the
   Security Label would be treated as "not matching".  If no other SPD
   entries match, the (mis-labeled) traffic might end up being
   transmitted in the clear.  It is presumed that other Mandatory Access
   Control methods are in place to prevent mis-labeled traffic from
   reaching the IPsec subsystem, or that the IPsec subsystem itself
   would install a REJECT/DISCARD rule in the SPD to prevent unlabeled
   traffic otherwise matching a labeled security SPD rule from being
   transmitted without IPsec protection.

5.  IANA Considerations

   This document defines two new entries in the IKEv2 Traffic Selector
   Types registry:

      Value   TS Type                      Reference
      -----   ---------------------------  -----------------
      TBD     TS_SECLABEL   [this document]

                                  Figure 4

6.  Implementation Status

   [Note to RFC Editor: Please remove this section and the reference to
   [RFC6982] before publication.]




Wouters & Prasad         Expires 5 November 2021                [Page 7]


Internet-Draft                Labeled IPsec                     May 2021


   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in [RFC7942].
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs.  Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF.  Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.  This is not intended as, and must not
   be construed to be, a catalog of available implementations or their
   features.  Readers are advised to note that other implementations may
   exist.

   According to [RFC7942], "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable experimentation
   and feedback that have made the implemented protocols more mature.
   It is up to the individual working groups to use this information as
   they see fit".

   Authors are requested to add a note to the RFC Editor at the top of
   this section, advising the Editor to remove the entire section before
   publication, as well as the reference to [RFC7942].

6.1.  Libreswan

   Organization:  The Libreswan Project

   Name:  https://lists.libreswan.org/mailman/listinfo/swan-dev/

   Description:  Implementation has been released as part of libreswan
      version 4.4.

   Level of maturity:  beta

   Coverage:  Implements the entire draft using SElinux based labels

   Licensing:  GPLv2

   Implementation experience:  No interop testing has been done yet.
      The code works as proof of concept, but is not yet production
      ready when using multiple different labels with on-demand kernel
      ACQUIRES.

   Contact:  Libreswan Development: swan-dev@libreswan.org






Wouters & Prasad         Expires 5 November 2021                [Page 8]


Internet-Draft                Labeled IPsec                     May 2021


7.  Acknowledgements

   A large part of the introduction text was taken verbatim from
   [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
   Quigley and J.  Lu.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [draft-jml-ipsec-ikev2-security-label]
              Latten, J., Quigley, D., and J. Lu, "Security Label
              Extension to IKE", 28 January 2011.

   [FIPS188]  NIST, "National Institute of Standards and Technology,
              "Standard Security Label for Information Transfer"",
              Federal Information Processing Standard (FIPS) Publication
              188, September 1994,
              <https://csrc.nist.gov/publications/detail/fips/188/
              archive/1994-09-06>.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005, <https://www.rfc-editor.org/info/rfc4301>.

   [RFC5570]  StJohns, M., Atkinson, R., and G. Thomas, "Common
              Architecture Label IPv6 Security Option (CALIPSO)",
              RFC 5570, DOI 10.17487/RFC5570, July 2009,
              <https://www.rfc-editor.org/info/rfc5570>.






Wouters & Prasad         Expires 5 November 2021                [Page 9]


Internet-Draft                Labeled IPsec                     May 2021


   [RFC6982]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", RFC 6982,
              DOI 10.17487/RFC6982, July 2013,
              <https://www.rfc-editor.org/info/rfc6982>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

Authors' Addresses

   Paul Wouters
   Aiven

   Email: paul.wouters@aiven.io


   Sahana Prasad
   Red Hat

   Email: sahana@redhat.com





























Wouters & Prasad         Expires 5 November 2021               [Page 10]