rfc9478xml2.original.xml   rfc9478.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC <!DOCTYPE rfc [
.2119.xml"> <!ENTITY nbsp "&#160;">
<!ENTITY RFC4301 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC <!ENTITY zwsp "&#8203;">
.4301.xml"> <!ENTITY nbhy "&#8209;">
<!ENTITY RFC5570 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC <!ENTITY wj "&#8288;">
.5570.xml">
<!ENTITY RFC7296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7296.xml">
<!ENTITY RFC7942 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7942.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
]> ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType
<?rfc toc="yes"?> ="IETF" category="std" consensus="true" docName="draft-ietf-ipsecme-labeled-ipse
<?rfc tocdepth="4"?> c-12" number="9478" xml:lang="en" updates="" obsoletes="" tocInclude="true" tocD
<?rfc symrefs="yes"?> epth="4" symRefs="true" sortRefs="true" version="3">
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc ipr="trust200902"
updates=""
obsoletes=""
category="std"
docName="draft-ietf-ipsecme-labeled-ipsec-12">
<!-- xml2rfc v2v3 conversion 3.17.1 -->
<front> <front>
<title abbrev="Labeled IPsec">Labeled IPsec Traffic Selector Support for the
<title abbrev="Labeled IPsec">Labeled IPsec Traffic Selector support for IKE Internet Key Exchange Protocol Version 2 (IKEv2)</title>
v2 </title> <seriesInfo name="RFC" value="9478"/>
<author initials="P." surname="Wouters" fullname="Paul Wouters">
<author initials='P.' surname="Wouters" fullname='Paul Wouters'> <organization>Aiven</organization>
<organization>Aiven</organization> <address>
<address> <email>paul.wouters@aiven.io</email>
<email>paul.wouters@aiven.io</email> </address>
</address>
</author> </author>
<author fullname="Sahana Prasad" initials="S." surname="Prasad"> <author fullname="Sahana Prasad" initials="S." surname="Prasad">
<organization>Red Hat</organization> <organization>Red Hat</organization>
<address>
<address> <email>sahana@redhat.com</email>
<email>sahana@redhat.com</email> </address>
</address>
</author> </author>
<date year="2023" month="September"/>
<date/> <area>sec</area>
<workgroup>ipsecme</workgroup>
<area>General</area>
<workgroup>Network</workgroup>
<keyword>IKEv2</keyword> <keyword>IKEv2</keyword>
<keyword>SPD</keyword> <keyword>SPD</keyword>
<keyword>SAD</keyword> <keyword>SAD</keyword>
<abstract> <abstract>
<t> This document defines a new Traffic Selector (TS) Type for <t> This document defines a new Traffic Selector Type (TS Type) for
Internet Key Exchange version 2 to add support for negotiating the Internet Key Exchange Protocol version 2 (IKEv2) to add support for ne
Mandatory Access Control (MAC) security labels as a traffic selector gotiating
Mandatory Access Control (MAC) security labels as a Traffic Selector
of the Security Policy Database (SPD). Security Labels for IPsec of the Security Policy Database (SPD). Security Labels for IPsec
are also known as "Labeled IPsec". The new TS type is TS_SECLABEL, are also known as "Labeled IPsec". The new TS Type, TS_SECLABEL,
which consists of a variable length opaque field specifying the consists of a variable length opaque field that specifies the
security label.</t> security label.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<t> In computer security, Mandatory Access Control usually <name>Introduction</name>
<t> In computer security, Mandatory Access Control (MAC) usually
refers to systems in which all subjects and objects are assigned refers to systems in which all subjects and objects are assigned
a security label. A security label is composed of a set of a security label. A security label is composed of a set of
security attributes. The security labels along with a system security attributes. Along with a system
authorization policy determine access. Rules within the system authorization policy, the security labels determine access. Rules within
the system
authorization policy determine whether the access will be granted authorization policy determine whether the access will be granted
based on the security attributes of the subject and object.</t> based on the security attributes of the subject and object.</t>
<t> Historically, security labels used by Multilevel Systems <t> Historically, security labels used by Multi-Level Secure
(MLS) are comprised of a sensitivity level (or classification) (MLS) systems are comprised of a sensitivity level (or classification)
field and a compartment (or category) field, as defined in <xref field and a compartment (or category) field, as defined in <xref target=
target="FIPS188"/> and <xref target="RFC5570"/>. As MAC systems "RFC5570" format="default"/>. As MAC systems
evolved, other MAC models gained in popularity. For example, evolved, other MAC models gained popularity. For example,
SELinux, a Flux Advanced Security Kernel (FLASK) implementation, SELinux, a Flux Advanced Security Kernel (FLASK) implementation,
has security labels represented as colon-separated ASCII strings has security labels represented as colon-separated ASCII strings
composed of values for identity, role, and type. The security composed of values for identity, role, and type. The security
labels are often referred to as security contexts.</t> labels are often referred to as security contexts.</t>
<t>Traffic Selector (TS) payloads specify the selection criteria
<t>Traffic Selector (TS) payloads specify the selection criteria
for packets that will be forwarded over the newly set up IPsec for packets that will be forwarded over the newly set up IPsec
Security Association (SA) as enforced by the Security Policy Database Security Association (SA) as enforced by the Security Policy Database
(SPD, see <xref target="RFC4301"/>).</t> (SPD) <xref target="RFC4301" format="default"/>.</t>
<t>This document specifies a new TS Type,
<t> This document specifies a new Traffic Selector Type TS_SECLABEL, for IKEv2 that can be used to negotiate security
TS_SECLABEL for IKEv2 that can be used to negotiate security labels as additional selectors for the SPD
labels as additional selectors for the Security Policy Database to further restrict the type of traffic that is allowed to be sent
(SPD) to further restrict the type of traffic allowed to be sent
and received over the IPsec SA.</t> and received over the IPsec SA.</t>
<section numbered="true" toc="default">
<section title="Requirements Language"> <name>Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"OPTIONAL" in this document are to be interpreted as described in BCP "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDE
14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only D</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and
"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as desc
ribed in BCP
14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" form
at="default"/> when, and only
when, they appear in all capitals, as shown here.</t> when, they appear in all capitals, as shown here.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Traffic Selector clarification"> <name>Traffic Selector Clarification</name>
<t>The negotiation of Traffic Selectors is specified in Section 2.9 of < <t>The negotiation of Traffic Selectors is specified in <xref target="RF
xref C7296" sectionFormat="of" section="2.9"/>, where it defines two TS
target="RFC7296"/> where it defines two TS Types (TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE). The TS payload format
Types (TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE). The Traffic is specified in <xref target="RFC7296" sectionFormat="of" section="3.13"/>.
Selector payload format is specified in Section 3.13 of <xref target="RF However, the term "Traffic Selector" is used to denote the TS payloads a
C7296"/>. nd individual Traffic Selectors of that payload. Sometimes,
However, the term Traffic Selector is used to denote the traffic
selector payloads and individual traffic selectors of that payload. Some
times
the exact meaning can only be learned from context or if the the exact meaning can only be learned from context or if the
item is written in plural ("Traffic Selectors" or "TSs"). This item is written in plural ("Traffic Selectors" or "TSes"). This
section clarifies these terms as follows:</t> section clarifies these terms as follows:</t>
<t>A Traffic Selector (capitalized, no acronym) is one selector for traf
<t>A Traffic Selector (no acronym) is one selector for traffic fic
of a specific Traffic Selector Type (TS_TYPE). For example a of a specific Traffic Selector Type (TS Type). For example, a
Traffic Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP (protocol 17) tra Traffic Selector of TS Type TS_IPV4_ADDR_RANGE for UDP (protocol 17) tra
ffic in ffic in
the IP network 198.51.100.0/24 covering all ports, is denoted as the IP network 198.51.100.0/24 covering all ports is denoted as
(17, 0, 198.51.100.0-198.51.100.255)</t> (17, 0, 198.51.100.0-198.51.100.255).</t>
<t>A TS payload is a set of one or more Traffic
<t>A Traffic Selector payload (TS) is a set of one or more Traffic Selectors of the same or different TS Types. It typically contains
Selectors of the same or different TS_TYPEs. It typically contains one or more of the TS Type of TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RAN
one or more of the TS_TYPE of TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RAN GE.
GE.
For example, the above Traffic Selector by itself in a TS payload is den oted as For example, the above Traffic Selector by itself in a TS payload is den oted as
TS((17, 0, 198.51.100.0-198.51.100.255))</t> TS((17, 0, 198.51.100.0-198.51.100.255))</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Security Label Traffic Selector negotiation"> <name>Security Label Traffic Selector Negotiation</name>
<t>The negotiation of Traffic Selectors is specified in Section 2.9 of < <t>The negotiation of Traffic Selectors is specified in <xref target="RF
xref C7296" sectionFormat="of" section="2.9"/> and states that the TSi/TSr payloads <
target="RFC7296"/> and states that the TSi/TSr payloads MUST contain at bcp14>MUST</bcp14> contain at least one
least one TS Type. This document adds a new TS Type of TS_SECLABEL that is
Traffic Selector type. This document adds a new TS_TYPE of TS_SECLABEL t valid only with at least one other TS Type. That is, it cannot
hat is be the only TS Type present in a TSi or TSr payload. It <bcp14>MUST</bcp
valid only with at least one other type of Traffic Selector. That is, it 14> be used along with
cannot an IP address selector type, such as TS_IPV4_ADDR_RANGE and/or TS_IPV6_A
be the only TS_TYPE present in a TSi or TSr payload. It MUST be used alo DDR_RANGE.</t>
ng with
an IP address selector type such as TS_IPV4_ADDR_RANGE and/or TS_IPV6_AD
DR_RANGE.</t>
</section>
</section> </section>
</section>
<section title="TS_SECLABEL Traffic Selector Type"> <section numbered="true" toc="default">
<t>This document defines a new TS Type, TS_SECLABEL that contains a single <name>TS_SECLABEL Traffic Selector Type</name>
new opaque Security Label.</t> <t>This document defines a new TS Type, TS_SECLABEL, that contains a singl
e new opaque Security Label.</t>
<section title="TS_SECLABEL payload format"> <section numbered="true" toc="default">
<figure align="center" anchor="tstype_seclabel" title="Labeled IPsec Tra <name>TS_SECLABEL Payload Format</name>
ffic Selector"> <figure anchor="tstype_seclabel">
<artwork align="left"><![CDATA[ <name>Labeled IPsec Traffic Selector</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| TS Type | Reserved | Selector Length | | TS Type | Reserved | Selector Length |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
~ Security Label* ~ ~ Security Label* ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
]]></artwork> ]]></artwork>
</figure> </figure>
<t>Note: All fields other than TS Type and Selector Length depend on
<t>*Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shown are for TS Type TS_SECLABEL, which is the
the TS Type. The fields shown is for TS Type TS_SECLABEL, the selector that this document defines.
selector this document defines. </t>
<dl>
<list style="symbols"> <dt>TS Type (one octet):</dt><dd>Set to 10 for TS_SECLABEL.</dd>
<t>TS Type (one octet) - Set to 10 for TS_SECLABEL,</t> <dt>Selector Length (two octets, unsigned integer):</dt><dd>Specifies
the
<t>Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header.</dd>
length of this Traffic Selector substructure including the header.</t> <dt>Security Label:</dt><dd>An opaque byte stream of at least one octe
t.</dd>
<t>Security Label - An opaque byte stream of at least one octet.</t> </dl>
</list> </section>
</t> <section numbered="true" toc="default">
</section> <name>TS_SECLABEL Properties</name>
<t>The TS_SECLABEL TS Type does not support narrowing or
<section title="TS_SECLABEL properties"> wildcards. It <bcp14>MUST</bcp14> be used as an exact match value.</t>
<t>The TS_SECLABEL Traffic Selector Type does not support narrowing or <t>The TS_SECLABEL TS Type <bcp14>MUST NOT</bcp14> be the only TS Type
wildcards. It MUST be used as an exact match value.</t> present in the TS payload, as TS_SECLABEL is complimentary to another
type of Traffic Selector. There <bcp14>MUST</bcp14> be an IP address Traff
<t>The TS_SECLABEL Traffic Selector Type MUST NOT be the only TS_TYPE ic Selector
present in the TS payload as TS_SECLABEL is complimentary to another Type in addition to the TS_SECLABEL TS Type in the TS payload. If a TS pay
type of Traffic Selector. There MUST be an IP address Traffic Selector load is received with only TS_SECLABEL
type in addition to the TS_SECLABEL Traffic Selector type in the Traffic TS Types, the exchange <bcp14>MUST</bcp14> be aborted with an Error Notify
Selector Payload. If a TS payload is received with only TS_SECLABEL
Traffic Selector types, the exchange MUST be aborted with an Error Notify
message containing TS_UNACCEPTABLE.</t> message containing TS_UNACCEPTABLE.</t>
<t>The Security Label contents are opaque to the IKE implementation.
<t>The Security Label contents are opaque to the IKE implementation. That is, the IKE implementation might not have any knowledge regarding
That is, the IKE implementation might not have any knowledge of the the meaning of this selector other than recognizing it as a type and
meaning of this selector, other than as a type and opaque value to pass opaque value to pass to the SPD.</t>
to the SPD.</t> <t>A zero-length Security Label <bcp14>MUST NOT</bcp14> be used. If a re
ceived
<t>A zero length Security Label MUST NOT be used. If a received TS payload contains a TS Type of TS_SECLABEL with a zero-length
TS payload contains a TS_TYPE of TS_SECLABEL with a zero length Security Label, that specific TS payload <bcp14>MUST</bcp14> be ignored. I
Security Label, that specific Traffic Selector MUST be ignored. If f no other TS payload contains an acceptable TS_SECLABEL TS Type, the exchange <
no other Traffic Selector of TS_TYPE TS_SECLABEL can be selected, bcp14>MUST</bcp14> be aborted with a TS_UNACCEPTABLE Error Notify
the exchange MUST be aborted with a TS_UNACCEPTABLE Error Notify message. A zero-length Security Label <bcp14>MUST NOT</bcp14> be interpret
message. A zero length Security Label MUST NOT be interpreted as a ed as a
wildcard security label.</t> wildcard security label.</t>
<t> If multiple Security Labels are allowed for a Traffic Selector's IP
<t>If multiple Security Labels are allowed for a given IP protocol, address range, protocol, and port range, the initiator includes all of these acc
start and end address/port match, the initiator includes all of the eptable Security Labels. The responder <bcp14>MUST</bcp14> select exactly one of
acceptable TS_SECLABEL's and the responder MUST select one of them.</t> the Security Labels.</t>
<t>A responder that selected a TS with TS_SECLABEL <bcp14>MUST</bcp14> u
<t>A responder that selected a TS with TS_SECLABEL MUST use the Security se the Security
Label for all selector operations on the resulting TS. It MUST Label for all selector operations on the resulting TS. It <bcp14>MUST
NOT select a TS_SECLABEL without using the specified Security Label, NOT</bcp14> select a TS_SECLABEL without using the specified Security Labe
l,
even if it deems the Security Label optional, as the initiator has even if it deems the Security Label optional, as the initiator has
indicated (and expects) that Security Label will be set for all indicated (and expects) that the Security Label will be set for all
traffic matching the negotiated TS.</t> traffic matching the negotiated TS.</t>
</section>
</section> </section>
</section> <section numbered="true" toc="default">
<name>Traffic Selector Negotiation</name>
<section title="Traffic Selector negotiation"> <t>If the TSi payload contains a Traffic Selector with TS Type
TS_SECLABEL (along with another TS Type), the responder <bcp14>MUST</bcp14>
<t>If the TSi Payload contains a traffic selector for TS_TYPE of create
TS_SECLABEL (along with another TS_TYPE), the responder MUST create each TS response for the other TS Types using its normal rules
each TS response for the other TS_TYPEs using its normal rules specified for each of those TS Types, such as narrowing them following
specified for each of those TS_TYPE, such as narrowing them following the rules specified for that TS Type and then adding exactly one for the
the rules specified for that TS_TYPE, and then add exactly one for the TS Type of TS_SECLABEL to the TS payload(s). If this is not possible,
TS_TYPE of TS_SECLABEL to the TS Payload(s). If this is not possible, it <bcp14>MUST</bcp14> return a TS_UNACCEPTABLE Error Notify payload.</t>
it MUST return a TS_UNACCEPTABLE Error Notify payload.</t> <t>If the Security Label TS Type is optional from a
<t>If the Security Label traffic selector is optional from a
configuration point of view, an initiator will add the configuration point of view, an initiator will add the
TS_SECLABEL to the TSi/TSr Payloads. If the responder replies with TS_SECLABEL to the TSi/TSr payloads. If the responder replies with
TSi/TSr Payloads that include the TS_SECLABEL, then the Child SA TSi/TSr payloads that include the TS_SECLABEL, then the Child SA
MUST be created including the negotiated Security Label. If the <bcp14>MUST</bcp14> be created and include the negotiated Security Label.
If the
responder did not include a TS_SECLABEL in its response, then the responder did not include a TS_SECLABEL in its response, then the
initiator (which deemed the Security Label optional) will install initiator (which deemed the Security Label optional) will install
the Child SA without including any Security Label. If the initiator the Child SA without including any Security Label. If the initiator
required the TS_SECLABEL, it MUST NOT install the Child SA and it MUST required the TS_SECLABEL, it <bcp14>MUST NOT</bcp14> install the Child SA and it <bcp14>MUST</bcp14>
send a Delete notification for the Child SA so the responder can send a Delete notification for the Child SA so the responder can
uninstall its Child SA.</t> uninstall its Child SA.</t>
<section numbered="true" toc="default">
<name>Example TS Negotiation</name>
<t>An initiator could send the following:</t>
<figure anchor="tstype_example_i">
<name>Initiator TS Payloads Example</name>
<artwork align="left" name="" type="" alt=""><![CDATA[
TSi = ((17,24233,198.51.100.12-198.51.100.12),
(0,0,198.51.100.0-198.51.100.255),
(0,0,192.0.2.0-192.0.2.255),
TS_SECLABEL1, TS_SECLABEL2)
<section title="Example TS negotiation"> TSr = ((17,53,203.0.113.1-203.0.113.1),
(0,0,203.0.113.0-203.0.113.255),
<t>An initiator could send:</t> TS_SECLABEL1, TS_SECLABEL2)
]]></artwork>
<figure align="center" anchor="tstype_example_i" title="initiator TS pay
loads example">
<artwork align="left"><![CDATA[
TSi = ((17,24233,198.51.100.12-198.51.100.12),
(0,0,198.51.100.0-198.51.100.255),
(0,0,192.0.2.0-192.0.2.255),
TS_SECLABEL1, TS_SECLABEL2)
TSr = ((17,53,203.0.113.1-203.0.113.1),
(0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1, TS_SECLABEL2)
]]></artwork>
</figure> </figure>
<t>The responder could answer with the following example:</t> <t>The responder could answer with the following:</t>
<figure anchor="tstype_example_r">
<figure align="center" anchor="tstype_example_r" title="responder TS pay <name>Responder TS Payloads Example</name>
loads example"> <artwork align="left" name="" type="" alt=""><![CDATA[
<artwork align="left"><![CDATA[ TSi = ((0,0,198.51.100.0-198.51.100.255),
TS_SECLABEL1)
TSi = ((0,0,198.51.100.0-198.51.100.255),
TS_SECLABEL1)
TSr = ((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1)
]]></artwork> TSr = ((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1)
]]></artwork>
</figure> </figure>
</section>
</section> <section numbered="true" toc="default">
<name>Considerations for Using Multiple TS Types in a TS</name>
<section title="Considerations for using multiple TS_TYPEs in a TS"> <t>It would be unlikely that the traffic for TSi and TSr would have
<t>It would be unlikely that the traffic for TSi and TSr would have a different Security Label, but this specification allows this to
a different Security Label, but this specification does allow this to be specified.
be specified. If the initiator does not support this, and wants If the initiator does not support this and wants to prevent the responder from
to prevent the responder from picking different labels for the picking different labels for the TSi/TSr payloads, it should attempt a Child
TSi / TSr payloads, it should attempt a Child SA negotiation SA negotiation and start with the first Security Label only. Upon failure, the
with only the first Security Label first, and upon failure retry a new initiator should retry a new Child SA negotiation with only the second
Child SA negotiation with only the second Security Label.</t> Security Label.</t>
<t>If different IP ranges can only use different specific Security
<t>If different IP ranges can only use different specific Security
Labels, then these should be negotiated in two different Child SA Labels, then these should be negotiated in two different Child SA
negotiations. If in the example above, the initiator only allows negotiations. In the example above, if the initiator only allows
192.0.2.0/24 with TS_SECLABEL1, and 198.51.100.0/24 with TS_SECLABEL2, 192.0.2.0/24 with TS_SECLABEL1 and 198.51.100.0/24 with TS_SECLABEL2,
than it MUST NOT combine these two ranges and security labels then it <bcp14>MUST NOT</bcp14> combine these two ranges and security label
s
into one Child SA negotiation.</t> into one Child SA negotiation.</t>
</section> </section>
</section>
</section> <section anchor="Security" numbered="true" toc="default">
<name>Security Considerations</name>
<section anchor="Security" title="Security Considerations">
<t>It is assumed that the Security Label can be matched by the IKE <t>It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE implementation to its own configured value, even if the IKE
implementation itself cannot interpret the Security Label value.</t> implementation itself cannot interpret the Security Label value.</t>
<t>A packet that matches an SPD entry for all components except the <t>A packet that matches an SPD entry for all components, except the
Security Label would be treated as "not matching". If no other SPD Security Label, would be treated as "not matching". If no other SPD
entries match, the (mis-labeled) traffic might end up being transmitted entries match, the (mislabeled) traffic might end up being transmitted
in the clear. It is presumed that other Mandatory Access Control methods in the clear. It is presumed that other MAC methods
are in place to prevent mis-labeled traffic from reaching the IPsec are in place to prevent mislabeled traffic from reaching the IPsec
subsystem, or that the IPsec subsystem itself would install a REJECT/DISC subsystem or that the IPsec subsystem itself would install a REJECT/DISCA
ARD RD
rule in the SPD to prevent unlabeled traffic otherwise matching rule in the SPD to prevent unlabeled traffic otherwise matching
a labeled security SPD rule from being transmitted without IPsec protecti on. a labeled security SPD rule from being transmitted without IPsec protecti on.
</t> </t>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<t>This document defines one new entry in the IKEv2 Traffic Selector Typ <t>IANA has added a new entry in the "IKEv2 Traffic Selector Types" regist
es registry:</t> ry <xref target="RFC7296"/> as follows.</t>
<t>[Note to RFC Editor (please remove before publication): This value ha <table anchor="iana_requests">
s already been added <name>IKEv2 Traffic Selector Types Registry</name>
via Early Allocation.]</t> <thead>
<tr>
<figure align="center" anchor="iana_requests"> <th>Value</th>
<artwork align="left"><![CDATA[ <th>TS Type</th>
Value TS Type Reference <th>Reference</th>
----- --------------------------- ----------------- </tr>
10 TS_SECLABEL [this document] </thead>
]]></artwork> <tbody>
</figure> <tr>
</section> <td>10</td>
<td>TS_SECLABEL</td>
<section title="Implementation Status" anchor="impl_status"> <td>RFC 9478</td>
<t> </tr>
[Note to RFC Editor: Please remove this section and the reference to </tbody>
<xref target="RFC7942"/> before publication.] </table>
</t> </section>
<t>
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of
this Internet-Draft, and is based on a proposal described in
<xref target="RFC7942"/>. The description of implementations in this
section is intended to assist the IETF in its decision processes
in progressing drafts to RFCs. Please note that the listing of
any individual implementation here does not imply endorsement
by the IETF. Furthermore, no effort has been spent to verify the
information presented here that was supplied by IETF contributors.
This is not intended as, and must not be construed to be, a catalog
of available implementations or their features. Readers are advised
to note that other implementations may exist.
</t>
<t>
According to <xref target="RFC7942"/>, "this will allow reviewers
and working groups to assign due consideration to documents that
have the benefit of running code, which may serve as evidence of
valuable experimentation and feedback that have made the implemented
protocols more mature. It is up to the individual working groups
to use this information as they see fit".
</t>
<t>
Authors are requested to add a note to the RFC Editor at the
top of this section, advising the Editor to remove the entire
section before publication, as well as the reference to <xref
target="RFC7942"/>.
</t>
<section anchor="section.impl-status.libreswan" title="Libreswan">
<t>
<list style="hanging">
<t hangText="Organization: ">The Libreswan Project</t>
<t hangText="Name: "> https://lists.libreswan.org/mailman/listinfo/swan-
dev/</t>
<t hangText="Description: ">
Implementation was introduced in 4.4, but 4.6 or newer should be used
</t>
<t hangText="Level of maturity: ">beta</t>
<t hangText="Coverage: ">
Implements the entire draft using SElinux based labels</t>
<t hangText="Licensing: ">GPLv2</t>
<t hangText="Implementation experience: ">No interop testing has been do
ne yet. The code
works including different labeled on-demand kernel ACQUIRES.</t>
<t hangText="Contact: ">Libreswan Development: swan-dev@libreswan.org</t
>
</list>
</t>
</section>
</section>
<section title="Acknowledgements" anchor="acknowledgements">
<t>A large part of the introduction text was taken verbatim from
<xref target="draft-jml-ipsec-ikev2-security-label"/> whose authors
are J Latten, D. Quigley and J. Lu. Valery Smyslov provided valuable
input regarding IKEv2 Traffic Selector semantics.</t>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <displayreference target="I-D.jml-ipsec-ikev2-security-label" to="IPSEC-IKEV2-SE
&RFC2119; CURITY-LABEL"/>
&RFC7296;
&RFC8174;
</references>
<references title="Informative References">
&RFC4301;
&RFC5570;
&RFC7942;
<reference anchor="FIPS188">
<front>
<title>National Institute of Standards and Technology, "Standard Secur
ity Label for Information Transfer"
</title>
<author initials="" surname="" fullname="National Institute of Standar
ds and Technology">
<organization>NIST</organization>
</author>
<date year="1994" month="September"/> <references>
</front> <name>References</name>
<seriesInfo name="Federal Information Processing Standard (FIPS)" value= <references>
"Publication 188"/> <name>Normative References</name>
<format type="HTML" target="https://csrc.nist.gov/publications/detail/fi <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
ps/188/archive/1994-09-06"/> 119.xml"/>
</reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
296.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
301.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
570.xml"/>
<reference anchor='draft-jml-ipsec-ikev2-security-label'> <!-- [I-D.jml-ipsec-ikev2-security-label] IESG state Expired -->
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.jml-ipse
<title>Security Label Extension to IKE</title> c-ikev2-security-label.xml"/>
<author initials='J' surname='Latten' fullname='J. Latten'>
<organization>IBM</organization>
</author>
<author initials='D' surname='Quigley' fullname='D. Quigley'>
</author>
<author initials='J' surname='Lu' fullname='J.Lu'>
<organization>Oracle</organization>
</author>
<date month='January' day='28' year='2011' />
<abstract><t>
This document describes extensions to the Internet Key Exchange
Protocol Version 2 RFC5996 to support Mandatory Access Control
(MAC) security labels used on deployed systems.
</t></abstract>
</front>
</reference>
</references>
</references> </references>
<section anchor="acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t>A large part of the introduction text was taken verbatim from <xref
target="I-D.jml-ipsec-ikev2-security-label" format="default"/>, whose
authors are <contact fullname="Joy Latten"/>, <contact fullname="David
Quigley"/>, and <contact fullname="Jarrett Lu"/>. <contact
fullname="Valery Smyslov"/> provided valuable input regarding IKEv2
Traffic Selector semantics.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 48 change blocks. 
395 lines changed or deleted 281 lines changed or added

This html diff was produced by rfcdiff 1.48.