<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[ <!ENTITYRFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">nbsp " "> <!ENTITYRFC4301 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml">zwsp "​"> <!ENTITYRFC5570 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5570.xml">nbhy "‑"> <!ENTITYRFC7296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7296.xml"> <!ENTITY RFC7942 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7942.xml"> <!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">wj "⁠"> ]><?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc strict="yes" ?> <?rfc toc="yes"?> <?rfc tocdepth="4"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes" ?> <?rfc compact="yes" ?> <?rfc subcompact="no" ?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-ipsecme-labeled-ipsec-12" number="9478" xml:lang="en" updates="" obsoletes=""category="std" docName="draft-ietf-ipsecme-labeled-ipsec-12">tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.17.1 --> <front> <title abbrev="Labeled IPsec">Labeled IPsec Traffic SelectorsupportSupport forIKEv2 </title>the Internet Key Exchange Protocol Version 2 (IKEv2)</title> <seriesInfo name="RFC" value="9478"/> <authorinitials='P.'initials="P." surname="Wouters"fullname='Paul Wouters'>fullname="Paul Wouters"> <organization>Aiven</organization> <address> <email>paul.wouters@aiven.io</email> </address> </author> <author fullname="Sahana Prasad" initials="S." surname="Prasad"> <organization>Red Hat</organization> <address> <email>sahana@redhat.com</email> </address> </author><date/> <area>General</area> <workgroup>Network</workgroup><date year="2023" month="September"/> <area>sec</area> <workgroup>ipsecme</workgroup> <keyword>IKEv2</keyword> <keyword>SPD</keyword> <keyword>SAD</keyword> <abstract> <t> This document defines a new Traffic Selector(TS)Type (TS Type) for the Internet Key Exchange Protocol version 2 (IKEv2) to add support for negotiating Mandatory Access Control (MAC) security labels as atraffic selectorTraffic Selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TStype isType, TS_SECLABEL,whichconsists of a variable length opaque fieldspecifyingthat specifies the security label.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t> In computer security, Mandatory Access Control (MAC) usually refers to systems in which all subjects and objects are assigned a security label. A security label is composed of a set of security attributes.The security labels alongAlong with a system authorizationpolicypolicy, the security labels determine access. Rules within the system authorization policy determine whether the access will be granted based on the security attributes of the subject and object.</t> <t> Historically, security labels used byMultilevel SystemsMulti-Level Secure (MLS) systems are comprised of a sensitivity level (or classification) field and a compartment (or category) field, as defined in <xreftarget="FIPS188"/> and <xref target="RFC5570"/>.target="RFC5570" format="default"/>. As MAC systems evolved, other MAC models gainedinpopularity. For example, SELinux, a Flux Advanced Security Kernel (FLASK) implementation, has security labels represented as colon-separated ASCII strings composed of values for identity, role, and type. The security labels are often referred to as security contexts.</t> <t>Traffic Selector (TS) payloads specify the selection criteria for packets that will be forwarded over the newly set up IPsec Security Association (SA) as enforced by the Security Policy Database(SPD, see(SPD) <xreftarget="RFC4301"/>).</t> <t> Thistarget="RFC4301" format="default"/>.</t> <t>This document specifies a newTraffic Selector Type TS_SECLABELTS Type, TS_SECLABEL, for IKEv2 that can be used to negotiate security labels as additional selectors for theSecurity Policy Database (SPD)SPD to further restrict the type of traffic that is allowed to be sent and received over the IPsec SA.</t> <sectiontitle="Requirements Language">numbered="true" toc="default"> <name>Requirements Language</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xreftarget="RFC2119"/>target="RFC2119" format="default"/> <xreftarget="RFC8174"/>target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here.</t> </section> <sectiontitle="Trafficnumbered="true" toc="default"> <name>Traffic Selectorclarification">Clarification</name> <t>The negotiation of Traffic Selectors is specified inSection 2.9 of<xreftarget="RFC7296"/>target="RFC7296" sectionFormat="of" section="2.9"/>, where it defines two TS Types (TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE). TheTraffic SelectorTS payload format is specified inSection 3.13 of<xreftarget="RFC7296"/>.target="RFC7296" sectionFormat="of" section="3.13"/>. However, the termTraffic Selector"Traffic Selector" is used to denote thetraffic selectorTS payloads and individualtraffic selectorsTraffic Selectors of that payload.SometimesSometimes, the exact meaning can only be learned from context or if the item is written in plural ("Traffic Selectors" or"TSs")."TSes"). This section clarifies these terms as follows:</t> <t>A Traffic Selector(no(capitalized, no acronym) is one selector for traffic of a specific Traffic Selector Type(TS_TYPE).(TS Type). Forexampleexample, a Traffic Selector ofTS_TYPETS Type TS_IPV4_ADDR_RANGE for UDP (protocol 17) traffic in the IP network 198.51.100.0/24 covering allports,ports is denoted as (17, 0,198.51.100.0-198.51.100.255)</t>198.51.100.0-198.51.100.255).</t> <t>ATraffic SelectorTS payload(TS)is a set of one or more Traffic Selectors of the same or differentTS_TYPEs.TS Types. It typically contains one or more of theTS_TYPETS Type of TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE. For example, the above Traffic Selector by itself in a TS payload is denoted as TS((17, 0, 198.51.100.0-198.51.100.255))</t> </section> <sectiontitle="Securitynumbered="true" toc="default"> <name>Security Label Traffic Selectornegotiation">Negotiation</name> <t>The negotiation of Traffic Selectors is specified inSection 2.9 of<xreftarget="RFC7296"/>target="RFC7296" sectionFormat="of" section="2.9"/> and states that the TSi/TSr payloadsMUST<bcp14>MUST</bcp14> contain at least oneTraffic Selector type.TS Type. This document adds a newTS_TYPETS Type of TS_SECLABEL that is valid only with at least one othertype of Traffic Selector.TS Type. That is, it cannot be the onlyTS_TYPETS Type present in a TSi or TSr payload. ItMUST<bcp14>MUST</bcp14> be used along with an IP address selectortypetype, such as TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE.</t> </section> </section> <sectiontitle="TS_SECLABELnumbered="true" toc="default"> <name>TS_SECLABEL Traffic SelectorType">Type</name> <t>This document defines a new TS Type,TS_SECLABELTS_SECLABEL, that contains a single new opaque Security Label.</t> <sectiontitle="TS_SECLABEL payload format">numbered="true" toc="default"> <name>TS_SECLABEL Payload Format</name> <figurealign="center" anchor="tstype_seclabel" title="Labeledanchor="tstype_seclabel"> <name>Labeled IPsec TrafficSelector">Selector</name> <artworkalign="left"><![CDATA[align="left" name="" type="" alt=""><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | TS Type | Reserved | Selector Length | +---------------+---------------+-------------------------------+ | | ~ Security Label* ~ | | +---------------------------------------------------------------+ ]]></artwork> </figure><t>*Note:<t>Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shownisare for TS Type TS_SECLABEL, which is the selector that this document defines.<list style="symbols"> <t>TS</t> <dl> <dt>TS Type (oneoctet) - Setoctet):</dt><dd>Set to 10 forTS_SECLABEL,</t> <t>SelectorTS_SECLABEL.</dd> <dt>Selector Length(2(two octets, unsignedinteger) - Specifiesinteger):</dt><dd>Specifies the length of this Traffic Selector substructure including theheader.</t> <t>Security Label - Anheader.</dd> <dt>Security Label:</dt><dd>An opaque byte stream of at least oneoctet.</t> </list> </t>octet.</dd> </dl> </section> <sectiontitle="TS_SECLABEL properties">numbered="true" toc="default"> <name>TS_SECLABEL Properties</name> <t>The TS_SECLABELTraffic SelectorTS Type does not support narrowing or wildcards. ItMUST<bcp14>MUST</bcp14> be used as an exact match value.</t> <t>The TS_SECLABELTraffic SelectorTS TypeMUST NOT<bcp14>MUST NOT</bcp14> be the onlyTS_TYPETS Type present in the TSpayloadpayload, as TS_SECLABEL is complimentary to another type of Traffic Selector. ThereMUST<bcp14>MUST</bcp14> be an IP address Traffic SelectortypeType in addition to the TS_SECLABELTraffic Selector typeTS Type in theTraffic Selector Payload.TS payload. If a TS payload is received with only TS_SECLABELTraffic Selector types,TS Types, the exchangeMUST<bcp14>MUST</bcp14> be aborted with an Error Notify message containing TS_UNACCEPTABLE.</t> <t>The Security Label contents are opaque to the IKE implementation. That is, the IKE implementation might not have any knowledgeofregarding the meaning of thisselector,selector other than recognizing it as a type and opaque value to pass to the SPD.</t> <t>Azero lengthzero-length Security LabelMUST NOT<bcp14>MUST NOT</bcp14> be used. If a received TS payload contains aTS_TYPETS Type of TS_SECLABEL with azero lengthzero-length Security Label, that specificTraffic Selector MUSTTS payload <bcp14>MUST</bcp14> be ignored. If no otherTraffic Selector of TS_TYPETS payload contains an acceptable TS_SECLABELcan be selected,TS Type, the exchangeMUST<bcp14>MUST</bcp14> be aborted with a TS_UNACCEPTABLE Error Notify message. Azero lengthzero-length Security LabelMUST NOT<bcp14>MUST NOT</bcp14> be interpreted as a wildcard security label.</t><t>If<t> If multiple Security Labels are allowed for agivenTraffic Selector's IP address range, protocol,startandend address/port match,port range, the initiator includes all ofthethese acceptableTS_SECLABEL's and theSecurity Labels. The responderMUST<bcp14>MUST</bcp14> select exactly one ofthem.</t>the Security Labels.</t> <t>A responder that selected a TS with TS_SECLABELMUST<bcp14>MUST</bcp14> use the Security Label for all selector operations on the resulting TS. ItMUST NOT<bcp14>MUST NOT</bcp14> select a TS_SECLABEL without using the specified Security Label, even if it deems the Security Label optional, as the initiator has indicated (and expects) that the Security Label will be set for all traffic matching the negotiated TS.</t> </section> </section> <sectiontitle="Trafficnumbered="true" toc="default"> <name>Traffic Selectornegotiation">Negotiation</name> <t>If the TSiPayloadpayload contains atraffic selector for TS_TYPE ofTraffic Selector with TS Type TS_SECLABEL (along with anotherTS_TYPE),TS Type), the responderMUST<bcp14>MUST</bcp14> create each TS response for the otherTS_TYPEsTS Types using its normal rules specified for each of thoseTS_TYPE,TS Types, such as narrowing them following the rules specified for thatTS_TYPE,TS Type and thenaddadding exactly one for theTS_TYPETS Type of TS_SECLABEL to the TSPayload(s).payload(s). If this is not possible, itMUST<bcp14>MUST</bcp14> return a TS_UNACCEPTABLE Error Notify payload.</t> <t>If the Security Labeltraffic selectorTS Type is optional from a configuration point of view, an initiator will add the TS_SECLABEL to the TSi/TSrPayloads.payloads. If the responder replies with TSi/TSrPayloadspayloads that include the TS_SECLABEL, then the Child SAMUST<bcp14>MUST</bcp14> be createdincludingand include the negotiated Security Label. If the responder did not include a TS_SECLABEL in its response, then the initiator (which deemed the Security Label optional) will install the Child SA without including any Security Label. If the initiator required the TS_SECLABEL, itMUST NOT<bcp14>MUST NOT</bcp14> install the Child SA and itMUST<bcp14>MUST</bcp14> send a Delete notification for the Child SA so the responder can uninstall its Child SA.</t> <sectiontitle="Examplenumbered="true" toc="default"> <name>Example TSnegotiation">Negotiation</name> <t>An initiator couldsend:</t>send the following:</t> <figurealign="center" anchor="tstype_example_i" title="initiatoranchor="tstype_example_i"> <name>Initiator TSpayloads example">Payloads Example</name> <artworkalign="left"><![CDATA[align="left" name="" type="" alt=""><![CDATA[ TSi = ((17,24233,198.51.100.12-198.51.100.12), (0,0,198.51.100.0-198.51.100.255), (0,0,192.0.2.0-192.0.2.255), TS_SECLABEL1, TS_SECLABEL2) TSr = ((17,53,203.0.113.1-203.0.113.1), (0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1, TS_SECLABEL2) ]]></artwork> </figure> <t>The responder could answer with thefollowing example:</t>following:</t> <figurealign="center" anchor="tstype_example_r" title="responderanchor="tstype_example_r"> <name>Responder TSpayloads example">Payloads Example</name> <artworkalign="left"><![CDATA[align="left" name="" type="" alt=""><![CDATA[ TSi = ((0,0,198.51.100.0-198.51.100.255), TS_SECLABEL1) TSr = ((0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1) ]]></artwork> </figure> </section> <sectiontitle="Considerationsnumbered="true" toc="default"> <name>Considerations forusing multiple TS_TYPEsUsing Multiple TS Types in aTS">TS</name> <t>It would be unlikely that the traffic for TSi and TSr would have a different Security Label, but this specificationdoes allowallows this to be specified. If the initiator does not supportthis,this and wants to prevent the responder from picking different labels for theTSi / TSrTSi/TSr payloads, it should attempt a Child SA negotiation and start withonlythe first Security Labelfirst, and upon failureonly. Upon failure, the initiator should retry a new Child SA negotiation with only the second Security Label.</t> <t>If different IP ranges can only use different specific Security Labels, then these should be negotiated in two different Child SA negotiations.If inIn the example above, if the initiator only allows 192.0.2.0/24 withTS_SECLABEL1,TS_SECLABEL1 and 198.51.100.0/24 with TS_SECLABEL2,thanthen itMUST NOT<bcp14>MUST NOT</bcp14> combine these two ranges and security labels into one Child SA negotiation.</t> </section> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>It is assumed that the Security Label can be matched by the IKE implementation to its own configured value, even if the IKE implementation itself cannot interpret the Security Label value.</t> <t>A packet that matches an SPD entry for allcomponentscomponents, except the SecurityLabelLabel, would be treated as "not matching". If no other SPD entries match, the(mis-labeled)(mislabeled) traffic might end up being transmitted in the clear. It is presumed that otherMandatory Access ControlMAC methods are in place to preventmis-labeledmislabeled traffic from reaching the IPsecsubsystem,subsystem or that the IPsec subsystem itself would install a REJECT/DISCARD rule in the SPD to prevent unlabeled traffic otherwise matching a labeled security SPD rule from being transmitted without IPsec protection. </t> </section> <section anchor="IANA"title="IANA Considerations"> <t>This document defines onenumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has added a new entry in theIKEv2"IKEv2 Traffic SelectorTypes registry:</t> <t>[Note to RFC Editor (please remove before publication): This value has already been added via Early Allocation.]</t> <figure align="center" anchor="iana_requests"> <artwork align="left"><![CDATA[ Value TS Type Reference ----- --------------------------- ----------------- 10 TS_SECLABEL [this document] ]]></artwork> </figure> </section> <section title="Implementation Status" anchor="impl_status"> <t> [Note to RFC Editor: Please remove this section and the reference toTypes" registry <xreftarget="RFC7942"/> before publication.] </t> <t> This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC7942"/>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. </t> <t> According to <xref target="RFC7942"/>, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". </t> <t> Authors are requested to add a note to the RFC Editor at the top of this section, advising the Editor to remove the entire section before publication, as welltarget="RFC7296"/> asthe reference to <xref target="RFC7942"/>. </t> <section anchor="section.impl-status.libreswan" title="Libreswan"> <t> <list style="hanging"> <t hangText="Organization: ">The Libreswan Project</t> <t hangText="Name: "> https://lists.libreswan.org/mailman/listinfo/swan-dev/</t> <t hangText="Description: "> Implementation was introduced in 4.4, but 4.6 or newer should be used </t> <t hangText="Level of maturity: ">beta</t> <t hangText="Coverage: "> Implements the entire draft using SElinux based labels</t> <t hangText="Licensing: ">GPLv2</t> <t hangText="Implementation experience: ">No interop testing has been done yet. The code works including different labeled on-demand kernel ACQUIRES.</t> <t hangText="Contact: ">Libreswan Development: swan-dev@libreswan.org</t> </list> </t> </section>follows.</t> <table anchor="iana_requests"> <name>IKEv2 Traffic Selector Types Registry</name> <thead> <tr> <th>Value</th> <th>TS Type</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>10</td> <td>TS_SECLABEL</td> <td>RFC 9478</td> </tr> </tbody> </table> </section> </middle> <back> <displayreference target="I-D.jml-ipsec-ikev2-security-label" to="IPSEC-IKEV2-SECURITY-LABEL"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5570.xml"/> <!-- [I-D.jml-ipsec-ikev2-security-label] IESG state Expired --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.jml-ipsec-ikev2-security-label.xml"/> </references> </references> <sectiontitle="Acknowledgements" anchor="acknowledgements">anchor="acknowledgements" numbered="false" toc="default"> <name>Acknowledgements</name> <t>A large part of the introduction text was taken verbatim from <xreftarget="draft-jml-ipsec-ikev2-security-label"/>target="I-D.jml-ipsec-ikev2-security-label" format="default"/>, whose authors areJ Latten, D. Quigley and J. Lu. Valery Smyslov<contact fullname="Joy Latten"/>, <contact fullname="David Quigley"/>, and <contact fullname="Jarrett Lu"/>. <contact fullname="Valery Smyslov"/> provided valuable input regarding IKEv2 Traffic Selector semantics.</t> </section></middle> <back> <references title="Normative References"> &RFC2119; &RFC7296; &RFC8174; </references> <references title="Informative References"> &RFC4301; &RFC5570; &RFC7942; <reference anchor="FIPS188"> <front> <title>National Institute of Standards and Technology, "Standard Security Label for Information Transfer" </title> <author initials="" surname="" fullname="National Institute of Standards and Technology"> <organization>NIST</organization> </author> <date year="1994" month="September"/> </front> <seriesInfo name="Federal Information Processing Standard (FIPS)" value="Publication 188"/> <format type="HTML" target="https://csrc.nist.gov/publications/detail/fips/188/archive/1994-09-06"/> </reference> <reference anchor='draft-jml-ipsec-ikev2-security-label'> <front> <title>Security Label Extension to IKE</title> <author initials='J' surname='Latten' fullname='J. Latten'> <organization>IBM</organization> </author> <author initials='D' surname='Quigley' fullname='D. Quigley'> </author> <author initials='J' surname='Lu' fullname='J.Lu'> <organization>Oracle</organization> </author> <date month='January' day='28' year='2011' /> <abstract><t> This document describes extensions to the Internet Key Exchange Protocol Version 2 RFC5996 to support Mandatory Access Control (MAC) security labels used on deployed systems. </t></abstract> </front> </reference> </references></back> </rfc>