Network P. Wouters
Internet-Draft Red Hat
Intended status: Standards Track S. Prasad
Expires: September 12, 2019 Technical University of Munich
March 11, 2019

Labeled IPsec Traffic Selector support for IKEv2


This document defines two new Traffic Selector (TS) Types for Internet Key Exchange version 2 to add support for Mandatory Access Control (MAC) security labels, also known as "Labeled IPsec". The two new TS Types are TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL, which are identical to their non-seclabel namesakes except for the addition of a variable length opaque field specifying the security label. These new Traffic Selector Types facilitate negotiating security labels as an additional selector of the Security Policy Database to further restrict the type of traffic allowed to be send and received over the IPsec SA.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2019.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction

In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security attributes. The security labels along with a system authorization policy determine access. Rules within the system authorization policy determine whether the access will be granted based on the security attributes of the subject and object.

Traditionally, security labels used by Multilevel Systems (MLS) are comprised of a sensitivity level (or classification) field and a compartment (or category) field, as defined in [FIPS188] and [RFC5570]. As MAC systems evolved, other MAC models gained in popularity. For example, SELinux, a Flux Advanced Security Kernel (FLASK) implementation, has security labels represented as colon-separated ASCII strings composed of values for identity, role, and type. The security labels are often referred to as security contexts.

This document specifies two new Traffic Selector Types for IKEv2 that can be used to negotiate security labels as additional selectors for the Security Policy Database (SPD) to further restrict the type of traffic allowed to be send and received over the IPsec SA.

Traffic Selector (TS) payloads allow endpoints to communicate some of the information from their SPD to their peers. These must be communicated to IKE from the SPD. TS payloads specify the selection criteria for packets that will be forwarded over the newly set up SA. Section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296] illustrates the Traffic Selector negotiation procedure.

Two TS payloads appear in each of the messages in the exchange that creates a Child SA pair. Each TS payload contains one or more Traffic Selectors. Currently, each Traffic Selector consists of an address range (IPv4 or IPv6), a port range, and an IP protocol ID. However, a security context or a label is missing. Therefore this document extends the section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296] to add support for a new traffic selector type which would be used to negotiate the security label or context.

Negotiating and verifying the security context or label in the new TS types will act as an additional criteria that has to match along with the previously mentioned Traffic Selectors.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

2. Traffic Selector negotiation

The negotiation of Traffic Selectors is specified in Section 2.9 of [RFC7296]. The initiating IKE peer sends a Traffic Selector payload for the initiator side (TSi) and a Traffic Selector payload for the responder side (TSr). The TSi and TSr payloads contain a list of one or more Traffic Selectors (TS). The responder picks one TS from the TSi list and one TS from the TSr list and returns these in their own TSi/TSr payloads to the initiator in the IKE response as confirmation of the chosen traffic selectors. [RFC7296] defines two TS Types, TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE. These TS payloads contain the TS Type, IP protocol ID, Selector Length, Start and End Port and Start and End Address.

3. SECLABEL Traffic Selector

This document defines two new TS Types, TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL. In addition to the above mentioned selectors, it contains a single new opaque Security Label selector.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |   TS Type     |IP Protocol ID*|       Selector Length         |
   |           Start Port*         |           End Port*           |
   |                                                               |
   ~                         Starting Address*                     ~
   |                                                               |
   |                                                               |
   ~                         Ending Address*                       ~
   |                                                               |
   |                                                               |
   ~                         Security Label*                       ~
   |                                                               |

Figure 1: Labeled IPsec Traffic Selector

*Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shown are for TS Types [TBD] and [TBD], the two values this document defines.

4. Traffic Selector matching

Matching of the IP protocol, start and end address, and start and end port is performed the same way as for the TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE TS types. Additionally, the Security Label is compared for an exact match as well. Label matching is done by comparing the opaque bytestream.

The Security Label in the TSi and TSr MUST be identical. If the responder's policy does not allow it to accept any part of the proposed Traffic Selector including the Security Label, it MUST ignore the TS and look for another matching TS in the list. If no list entry matches, a TS_UNACCEPTABLE Notify message is returned.

A zero length Security Label MUST NOT be sent. If the SPD policy contains no Security Label selectors, the TS Types TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL should not be used and TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE should be used instead. Any received Traffic Selector with a zero length Security Label MUST be ignored, and if no valid TS can be selected, an TS_UNACCEPTABLE Error Notify message is returned. A zero length Security Label MUST NOT be interpreted as a wildcard security label.

If multiple Security Labels are allowed for a given IP protocol, start and end address/port match, multiple TS_IPV4_ADDR_RANGE_SECLABEL or TS_IPV6_ADDR_RANGE_SECLABEL Traffic Selectors must be included that only differ in the Security Label.

Narrowing of Traffic Selectors applies to TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL as well, but the Security Label itself is not interpreted and cannot itself be narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST only use identical Traffic Selectors, which means the same TS Type and selectors MUST be used. This guarantees that a Security Label once negotiated, remains part of the IPsec SA after a rekey.

5. Security Considerations

It is assumed that the Security Label can be matched by the IKE implementation to its own configured value, even if the IKE implemention itself cannot interpret the Security Label value.

6. IANA Considerations

This document defines two new entries in the IKEv2 Traffic Selector Types registry:

Value   TS Type                      Reference
-----   ---------------------------  -----------------
TBD     TS_IPV4_ADDR_RANGE_SECLABEL   [this document]
TBD     TS_IPV6_ADDR_RANGE_SECLABEL   [this document]

Figure 2

7. Acknowledgements

A large part of the introduction text was taken verbatim from [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. Quigley and J. Lu. Part of the Traffic Selector description is reproduced from [RFC7296].

8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P. and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014.

8.2. Informative References

[draft-jml-ipsec-ikev2-security-label] Latten, J., Quigley, D. and J. Lu, "Security Label Extension to IKE", Internet-Draft draft-wouters-edns-tcp-keeaplive, January 2011.
[FIPS188] , "National Institute of Standards and Technology, "Standard Security Label for Information Transfer"", Federal Information Processing Standard (FIPS) Publication 188, September 1994.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005.
[RFC5570] StJohns, M., Atkinson, R. and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, DOI 10.17487/RFC5570, July 2009.

Authors' Addresses

Paul Wouters Red Hat EMail:
Sahana Prasad Technical University of Munich EMail: