rfc9478.original   rfc9478.txt 
Network P. Wouters Internet Engineering Task Force (IETF) P. Wouters
Internet-Draft Aiven Request for Comments: 9478 Aiven
Intended status: Standards Track S. Prasad Category: Standards Track S. Prasad
Expires: 16 November 2023 Red Hat ISSN: 2070-1721 Red Hat
15 May 2023 September 2023
Labeled IPsec Traffic Selector support for IKEv2 Labeled IPsec Traffic Selector Support for the Internet Key Exchange
draft-ietf-ipsecme-labeled-ipsec-12 Protocol Version 2 (IKEv2)
Abstract Abstract
This document defines a new Traffic Selector (TS) Type for Internet This document defines a new Traffic Selector Type (TS Type) for the
Key Exchange version 2 to add support for negotiating Mandatory Internet Key Exchange Protocol version 2 (IKEv2) to add support for
Access Control (MAC) security labels as a traffic selector of the negotiating Mandatory Access Control (MAC) security labels as a
Security Policy Database (SPD). Security Labels for IPsec are also Traffic Selector of the Security Policy Database (SPD). Security
known as "Labeled IPsec". The new TS type is TS_SECLABEL, which Labels for IPsec are also known as "Labeled IPsec". The new TS Type,
consists of a variable length opaque field specifying the security TS_SECLABEL, consists of a variable length opaque field that
label. specifies the security label.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 16 November 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9478.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language
1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.2. Traffic Selector Clarification
1.3. Security Label Traffic Selector negotiation . . . . . . . 4 1.3. Security Label Traffic Selector Negotiation
2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type
2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL Payload Format
2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 5 2.2. TS_SECLABEL Properties
3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 5 3. Traffic Selector Negotiation
3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.1. Example TS Negotiation
3.2. Considerations for using multiple TS_TYPEs in a TS . . . 6 3.2. Considerations for Using Multiple TS Types in a TS
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 6. References
6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 6.2. Informative References
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 Acknowledgements
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 Authors' Addresses
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
In computer security, Mandatory Access Control usually refers to In computer security, Mandatory Access Control (MAC) usually refers
systems in which all subjects and objects are assigned a security to systems in which all subjects and objects are assigned a security
label. A security label is composed of a set of security attributes. label. A security label is composed of a set of security attributes.
The security labels along with a system authorization policy Along with a system authorization policy, the security labels
determine access. Rules within the system authorization policy determine access. Rules within the system authorization policy
determine whether the access will be granted based on the security determine whether the access will be granted based on the security
attributes of the subject and object. attributes of the subject and object.
Historically, security labels used by Multilevel Systems (MLS) are Historically, security labels used by Multi-Level Secure (MLS)
comprised of a sensitivity level (or classification) field and a systems are comprised of a sensitivity level (or classification)
compartment (or category) field, as defined in [FIPS188] and field and a compartment (or category) field, as defined in [RFC5570].
[RFC5570]. As MAC systems evolved, other MAC models gained in As MAC systems evolved, other MAC models gained popularity. For
popularity. For example, SELinux, a Flux Advanced Security Kernel example, SELinux, a Flux Advanced Security Kernel (FLASK)
(FLASK) implementation, has security labels represented as colon- implementation, has security labels represented as colon-separated
separated ASCII strings composed of values for identity, role, and ASCII strings composed of values for identity, role, and type. The
type. The security labels are often referred to as security security labels are often referred to as security contexts.
contexts.
Traffic Selector (TS) payloads specify the selection criteria for Traffic Selector (TS) payloads specify the selection criteria for
packets that will be forwarded over the newly set up IPsec Security packets that will be forwarded over the newly set up IPsec Security
Association (SA) as enforced by the Security Policy Database (SPD, Association (SA) as enforced by the Security Policy Database (SPD)
see [RFC4301]). [RFC4301].
This document specifies a new Traffic Selector Type TS_SECLABEL for This document specifies a new TS Type, TS_SECLABEL, for IKEv2 that
IKEv2 that can be used to negotiate security labels as additional can be used to negotiate security labels as additional selectors for
selectors for the Security Policy Database (SPD) to further restrict the SPD to further restrict the type of traffic that is allowed to be
the type of traffic allowed to be sent and received over the IPsec sent and received over the IPsec SA.
SA.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Traffic Selector clarification 1.2. Traffic Selector Clarification
The negotiation of Traffic Selectors is specified in Section 2.9 of The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and [RFC7296], where it defines two TS Types (TS_IPV4_ADDR_RANGE and
TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is TS_IPV6_ADDR_RANGE). The TS payload format is specified in
specified in Section 3.13 of [RFC7296]. However, the term Traffic Section 3.13 of [RFC7296]. However, the term "Traffic Selector" is
Selector is used to denote the traffic selector payloads and used to denote the TS payloads and individual Traffic Selectors of
individual traffic selectors of that payload. Sometimes the exact that payload. Sometimes, the exact meaning can only be learned from
meaning can only be learned from context or if the item is written in context or if the item is written in plural ("Traffic Selectors" or
plural ("Traffic Selectors" or "TSs"). This section clarifies these "TSes"). This section clarifies these terms as follows:
terms as follows:
A Traffic Selector (no acronym) is one selector for traffic of a A Traffic Selector (capitalized, no acronym) is one selector for
specific Traffic Selector Type (TS_TYPE). For example a Traffic traffic of a specific Traffic Selector Type (TS Type). For example,
Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP (protocol 17) traffic a Traffic Selector of TS Type TS_IPV4_ADDR_RANGE for UDP (protocol
in the IP network 198.51.100.0/24 covering all ports, is denoted as 17) traffic in the IP network 198.51.100.0/24 covering all ports is
(17, 0, 198.51.100.0-198.51.100.255) denoted as (17, 0, 198.51.100.0-198.51.100.255).
A Traffic Selector payload (TS) is a set of one or more Traffic
Selectors of the same or different TS_TYPEs. It typically contains
one or more of the TS_TYPE of TS_IPV4_ADDR_RANGE and/or
TS_IPV6_ADDR_RANGE. For example, the above Traffic Selector by
itself in a TS payload is denoted as TS((17, 0,
198.51.100.0-198.51.100.255))
1.3. Security Label Traffic Selector negotiation A TS payload is a set of one or more Traffic Selectors of the same or
different TS Types. It typically contains one or more of the TS Type
of TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE. For example, the
above Traffic Selector by itself in a TS payload is denoted as
TS((17, 0, 198.51.100.0-198.51.100.255))
1.3. Security Label Traffic Selector Negotiation
The negotiation of Traffic Selectors is specified in Section 2.9 of The negotiation of Traffic Selectors is specified in Section 2.9 of
[RFC7296] and states that the TSi/TSr payloads MUST contain at least [RFC7296] and states that the TSi/TSr payloads MUST contain at least
one Traffic Selector type. This document adds a new TS_TYPE of one TS Type. This document adds a new TS Type of TS_SECLABEL that is
TS_SECLABEL that is valid only with at least one other type of valid only with at least one other TS Type. That is, it cannot be
Traffic Selector. That is, it cannot be the only TS_TYPE present in the only TS Type present in a TSi or TSr payload. It MUST be used
a TSi or TSr payload. It MUST be used along with an IP address along with an IP address selector type, such as TS_IPV4_ADDR_RANGE
selector type such as TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE. and/or TS_IPV6_ADDR_RANGE.
2. TS_SECLABEL Traffic Selector Type 2. TS_SECLABEL Traffic Selector Type
This document defines a new TS Type, TS_SECLABEL that contains a This document defines a new TS Type, TS_SECLABEL, that contains a
single new opaque Security Label. single new opaque Security Label.
2.1. TS_SECLABEL payload format 2.1. TS_SECLABEL Payload Format
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| TS Type | Reserved | Selector Length | | TS Type | Reserved | Selector Length |
+---------------+---------------+-------------------------------+ +---------------+---------------+-------------------------------+
| | | |
~ Security Label* ~ ~ Security Label* ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
Figure 1: Labeled IPsec Traffic Selector Figure 1: Labeled IPsec Traffic Selector
*Note: All fields other than TS Type and Selector Length depend on Note: All fields other than TS Type and Selector Length depend on the
the TS Type. The fields shown is for TS Type TS_SECLABEL, the TS Type. The fields shown are for TS Type TS_SECLABEL, which is the
selector this document defines. selector that this document defines.
* TS Type (one octet) - Set to 10 for TS_SECLABEL, TS Type (one octet): Set to 10 for TS_SECLABEL.
* Selector Length (2 octets, unsigned integer) - Specifies the Selector Length (two octets, unsigned integer): Specifies the length
length of this Traffic Selector substructure including the header. of this Traffic Selector substructure including the header.
* Security Label - An opaque byte stream of at least one octet. Security Label: An opaque byte stream of at least one octet.
2.2. TS_SECLABEL properties 2.2. TS_SECLABEL Properties
The TS_SECLABEL Traffic Selector Type does not support narrowing or The TS_SECLABEL TS Type does not support narrowing or wildcards. It
wildcards. It MUST be used as an exact match value. MUST be used as an exact match value.
The TS_SECLABEL Traffic Selector Type MUST NOT be the only TS_TYPE The TS_SECLABEL TS Type MUST NOT be the only TS Type present in the
present in the TS payload as TS_SECLABEL is complimentary to another TS payload, as TS_SECLABEL is complimentary to another type of
type of Traffic Selector. There MUST be an IP address Traffic Traffic Selector. There MUST be an IP address Traffic Selector Type
Selector type in addition to the TS_SECLABEL Traffic Selector type in in addition to the TS_SECLABEL TS Type in the TS payload. If a TS
the Traffic Selector Payload. If a TS payload is received with only payload is received with only TS_SECLABEL TS Types, the exchange MUST
TS_SECLABEL Traffic Selector types, the exchange MUST be aborted with be aborted with an Error Notify message containing TS_UNACCEPTABLE.
an Error Notify message containing TS_UNACCEPTABLE.
The Security Label contents are opaque to the IKE implementation. The Security Label contents are opaque to the IKE implementation.
That is, the IKE implementation might not have any knowledge of the That is, the IKE implementation might not have any knowledge
meaning of this selector, other than as a type and opaque value to regarding the meaning of this selector other than recognizing it as a
pass to the SPD. type and opaque value to pass to the SPD.
A zero length Security Label MUST NOT be used. If a received TS A zero-length Security Label MUST NOT be used. If a received TS
payload contains a TS_TYPE of TS_SECLABEL with a zero length Security payload contains a TS Type of TS_SECLABEL with a zero-length Security
Label, that specific Traffic Selector MUST be ignored. If no other Label, that specific TS payload MUST be ignored. If no other TS
Traffic Selector of TS_TYPE TS_SECLABEL can be selected, the exchange payload contains an acceptable TS_SECLABEL TS Type, the exchange MUST
MUST be aborted with a TS_UNACCEPTABLE Error Notify message. A zero be aborted with a TS_UNACCEPTABLE Error Notify message. A zero-
length Security Label MUST NOT be interpreted as a wildcard security length Security Label MUST NOT be interpreted as a wildcard security
label. label.
If multiple Security Labels are allowed for a given IP protocol, If multiple Security Labels are allowed for a Traffic Selector's IP
start and end address/port match, the initiator includes all of the address range, protocol, and port range, the initiator includes all
acceptable TS_SECLABEL's and the responder MUST select one of them. of these acceptable Security Labels. The responder MUST select
exactly one of the Security Labels.
A responder that selected a TS with TS_SECLABEL MUST use the Security A responder that selected a TS with TS_SECLABEL MUST use the Security
Label for all selector operations on the resulting TS. It MUST NOT Label for all selector operations on the resulting TS. It MUST NOT
select a TS_SECLABEL without using the specified Security Label, even select a TS_SECLABEL without using the specified Security Label, even
if it deems the Security Label optional, as the initiator has if it deems the Security Label optional, as the initiator has
indicated (and expects) that Security Label will be set for all indicated (and expects) that the Security Label will be set for all
traffic matching the negotiated TS. traffic matching the negotiated TS.
3. Traffic Selector negotiation 3. Traffic Selector Negotiation
If the TSi Payload contains a traffic selector for TS_TYPE of If the TSi payload contains a Traffic Selector with TS Type
TS_SECLABEL (along with another TS_TYPE), the responder MUST create TS_SECLABEL (along with another TS Type), the responder MUST create
each TS response for the other TS_TYPEs using its normal rules each TS response for the other TS Types using its normal rules
specified for each of those TS_TYPE, such as narrowing them following specified for each of those TS Types, such as narrowing them
the rules specified for that TS_TYPE, and then add exactly one for following the rules specified for that TS Type and then adding
the TS_TYPE of TS_SECLABEL to the TS Payload(s). If this is not exactly one for the TS Type of TS_SECLABEL to the TS payload(s). If
possible, it MUST return a TS_UNACCEPTABLE Error Notify payload. this is not possible, it MUST return a TS_UNACCEPTABLE Error Notify
payload.
If the Security Label traffic selector is optional from a If the Security Label TS Type is optional from a configuration point
configuration point of view, an initiator will add the TS_SECLABEL to of view, an initiator will add the TS_SECLABEL to the TSi/TSr
the TSi/TSr Payloads. If the responder replies with TSi/TSr Payloads payloads. If the responder replies with TSi/TSr payloads that
that include the TS_SECLABEL, then the Child SA MUST be created include the TS_SECLABEL, then the Child SA MUST be created and
including the negotiated Security Label. If the responder did not include the negotiated Security Label. If the responder did not
include a TS_SECLABEL in its response, then the initiator (which include a TS_SECLABEL in its response, then the initiator (which
deemed the Security Label optional) will install the Child SA without deemed the Security Label optional) will install the Child SA without
including any Security Label. If the initiator required the including any Security Label. If the initiator required the
TS_SECLABEL, it MUST NOT install the Child SA and it MUST send a TS_SECLABEL, it MUST NOT install the Child SA and it MUST send a
Delete notification for the Child SA so the responder can uninstall Delete notification for the Child SA so the responder can uninstall
its Child SA. its Child SA.
3.1. Example TS negotiation 3.1. Example TS Negotiation
An initiator could send: An initiator could send the following:
TSi = ((17,24233,198.51.100.12-198.51.100.12), TSi = ((17,24233,198.51.100.12-198.51.100.12),
(0,0,198.51.100.0-198.51.100.255), (0,0,198.51.100.0-198.51.100.255),
(0,0,192.0.2.0-192.0.2.255), (0,0,192.0.2.0-192.0.2.255),
TS_SECLABEL1, TS_SECLABEL2) TS_SECLABEL1, TS_SECLABEL2)
TSr = ((17,53,203.0.113.1-203.0.113.1), TSr = ((17,53,203.0.113.1-203.0.113.1),
(0,0,203.0.113.0-203.0.113.255), (0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1, TS_SECLABEL2) TS_SECLABEL1, TS_SECLABEL2)
Figure 2: initiator TS payloads example Figure 2: Initiator TS Payloads Example
The responder could answer with the following example: The responder could answer with the following:
TSi = ((0,0,198.51.100.0-198.51.100.255), TSi = ((0,0,198.51.100.0-198.51.100.255),
TS_SECLABEL1) TS_SECLABEL1)
TSr = ((0,0,203.0.113.0-203.0.113.255), TSr = ((0,0,203.0.113.0-203.0.113.255),
TS_SECLABEL1) TS_SECLABEL1)
Figure 3: responder TS payloads example Figure 3: Responder TS Payloads Example
3.2. Considerations for using multiple TS_TYPEs in a TS 3.2. Considerations for Using Multiple TS Types in a TS
It would be unlikely that the traffic for TSi and TSr would have a It would be unlikely that the traffic for TSi and TSr would have a
different Security Label, but this specification does allow this to different Security Label, but this specification allows this to be
be specified. If the initiator does not support this, and wants to specified. If the initiator does not support this and wants to
prevent the responder from picking different labels for the TSi / TSr prevent the responder from picking different labels for the TSi/TSr
payloads, it should attempt a Child SA negotiation with only the payloads, it should attempt a Child SA negotiation and start with the
first Security Label first, and upon failure retry a new Child SA first Security Label only. Upon failure, the initiator should retry
negotiation with only the second Security Label. a new Child SA negotiation with only the second Security Label.
If different IP ranges can only use different specific Security If different IP ranges can only use different specific Security
Labels, then these should be negotiated in two different Child SA Labels, then these should be negotiated in two different Child SA
negotiations. If in the example above, the initiator only allows negotiations. In the example above, if the initiator only allows
192.0.2.0/24 with TS_SECLABEL1, and 198.51.100.0/24 with 192.0.2.0/24 with TS_SECLABEL1 and 198.51.100.0/24 with TS_SECLABEL2,
TS_SECLABEL2, than it MUST NOT combine these two ranges and security then it MUST NOT combine these two ranges and security labels into
labels into one Child SA negotiation. one Child SA negotiation.
4. Security Considerations 4. Security Considerations
It is assumed that the Security Label can be matched by the IKE It is assumed that the Security Label can be matched by the IKE
implementation to its own configured value, even if the IKE implementation to its own configured value, even if the IKE
implementation itself cannot interpret the Security Label value. implementation itself cannot interpret the Security Label value.
A packet that matches an SPD entry for all components except the A packet that matches an SPD entry for all components, except the
Security Label would be treated as "not matching". If no other SPD Security Label, would be treated as "not matching". If no other SPD
entries match, the (mis-labeled) traffic might end up being entries match, the (mislabeled) traffic might end up being
transmitted in the clear. It is presumed that other Mandatory Access transmitted in the clear. It is presumed that other MAC methods are
Control methods are in place to prevent mis-labeled traffic from in place to prevent mislabeled traffic from reaching the IPsec
reaching the IPsec subsystem, or that the IPsec subsystem itself subsystem or that the IPsec subsystem itself would install a REJECT/
would install a REJECT/DISCARD rule in the SPD to prevent unlabeled DISCARD rule in the SPD to prevent unlabeled traffic otherwise
traffic otherwise matching a labeled security SPD rule from being matching a labeled security SPD rule from being transmitted without
transmitted without IPsec protection. IPsec protection.
5. IANA Considerations 5. IANA Considerations
This document defines one new entry in the IKEv2 Traffic Selector IANA has added a new entry in the "IKEv2 Traffic Selector Types"
Types registry: registry [RFC7296] as follows.
[Note to RFC Editor (please remove before publication): This value
has already been added via Early Allocation.]
Value TS Type Reference
----- --------------------------- -----------------
10 TS_SECLABEL [this document]
Figure 4
6. Implementation Status
[Note to RFC Editor: Please remove this section and the reference to
[RFC7942] before publication.]
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC7942], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
Authors are requested to add a note to the RFC Editor at the top of
this section, advising the Editor to remove the entire section before
publication, as well as the reference to [RFC7942].
6.1. Libreswan
Organization: The Libreswan Project
Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/
Description: Implementation was introduced in 4.4, but 4.6 or newer
should be used
Level of maturity: beta
Coverage: Implements the entire draft using SElinux based labels
Licensing: GPLv2
Implementation experience: No interop testing has been done yet.
The code works including different labeled on-demand kernel
ACQUIRES.
Contact: Libreswan Development: swan-dev@libreswan.org +=======+=============+===========+
| Value | TS Type | Reference |
+=======+=============+===========+
| 10 | TS_SECLABEL | RFC 9478 |
+-------+-------------+-----------+
7. Acknowledgements Table 1: IKEv2 Traffic Selector
Types Registry
A large part of the introduction text was taken verbatim from 6. References
[draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D.
Quigley and J. Lu. Valery Smyslov provided valuable input regarding
IKEv2 Traffic Selector semantics.
8. References 6.1. Normative References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 6.2. Informative References
[draft-jml-ipsec-ikev2-security-label] [IPSEC-IKEV2-SECURITY-LABEL]
Latten, J., Quigley, D., and J. Lu, "Security Label Latten, J., Quigley, D., and J. Lu, "Security Label
Extension to IKE", 28 January 2011. Extension to IKE", Work in Progress, Internet-Draft,
draft-jml-ipsec-ikev2-security-label-01, 28 January 2011,
[FIPS188] NIST, "National Institute of Standards and Technology, <https://datatracker.ietf.org/doc/html/draft-jml-ipsec-
"Standard Security Label for Information Transfer"", ikev2-security-label-01>.
Federal Information Processing Standard (FIPS) Publication
188, September 1994,
<https://csrc.nist.gov/publications/detail/fips/188/
archive/1994-09-06>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Acknowledgements
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016, A large part of the introduction text was taken verbatim from
<https://www.rfc-editor.org/info/rfc7942>. [IPSEC-IKEV2-SECURITY-LABEL], whose authors are Joy Latten, David
Quigley, and Jarrett Lu. Valery Smyslov provided valuable input
regarding IKEv2 Traffic Selector semantics.
Authors' Addresses Authors' Addresses
Paul Wouters Paul Wouters
Aiven Aiven
Email: paul.wouters@aiven.io Email: paul.wouters@aiven.io
Sahana Prasad Sahana Prasad
Red Hat Red Hat
Email: sahana@redhat.com Email: sahana@redhat.com
 End of changes. 58 change blocks. 
267 lines changed or deleted 204 lines changed or added

This html diff was produced by rfcdiff 1.48.