Network P. Wouters Internet-Draft Red Hat Intended status: Standards Track S. Prasad Expires: September 11, 2019 Technical University of Munich March 10, 2019 Labeled IPsec Traffic Selector support for IKEv2 draft-ietf-ipsecme-labeled-ipsec-00 Abstract This document defines two new Traffic Selector (TS) Types for Internet Key Exchange version 2 to add support for Mandatory Access Control (MAC) security labels, also known as "Labeled IPsec". The two new TS Types are TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL, which are identical to their non- seclabel namesakes except for the addition of a variable length opaque field specifying the security label. These new Traffic Selector Types facilitate negotiating security labels as an additional selector of the Security Policy Database to further restrict the type of traffic allowed to be send and received over the IPsec SA. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 11, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Wouters & Prasad Expires September 11, 2019 [Page 1] Internet-Draft Labeled IPsec March 2019 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Traffic Selector negotiation . . . . . . . . . . . . . . . . 3 3. SECLABEL Traffic Selector . . . . . . . . . . . . . . . . . . 3 4. Traffic Selector matching . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security attributes. The security labels along with a system authorization policy determine access. Rules within the system authorization policy determine whether the access will be granted based on the security attributes of the subject and object. Traditionally, security labels used by Multilevel Systems (MLS) are comprised of a sensitivity level (or classification) field and a compartment (or category) field, as defined in [FIPS188] and [RFC5570]. As MAC systems evolved, other MAC models gained in popularity. For example, SELinux, a Flux Advanced Security Kernel (FLASK) implementation, has security labels represented as colon- separated ASCII strings composed of values for identity, role, and type. The security labels are often referred to as security contexts. This document specifies two new Traffic Selector Types for IKEv2 that can be used to negotiate security labels as additional selectors for the Security Policy Database (SPD) to further restrict the type of traffic allowed to be send and received over the IPsec SA. Wouters & Prasad Expires September 11, 2019 [Page 2] Internet-Draft Labeled IPsec March 2019 Traffic Selector (TS) payloads allow endpoints to communicate some of the information from their SPD to their peers. These must be communicated to IKE from the SPD. TS payloads specify the selection criteria for packets that will be forwarded over the newly set up SA. Section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296] illustrates the Traffic Selector negotiation procedure. Two TS payloads appear in each of the messages in the exchange that creates a Child SA pair. Each TS payload contains one or more Traffic Selectors. Currently, each Traffic Selector consists of an address range (IPv4 or IPv6), a port range, and an IP protocol ID. However, a security context or a label is missing. Therefore this document extends the section 2.9 in the Internet Key Exchange protocol version 2 [RFC7296] to add support for a new traffic selector type which would be used to negotiate the security label or context. Negotiating and verifying the security context or label in the new TS types will act as an additional criteria that has to match along with the previously mentioned Traffic Selectors. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Traffic Selector negotiation The negotiation of Traffic Selectors is specified in Section 2.9 of [RFC7296]. The initiating IKE peer sends a Traffic Selector payload for the initiator side (TSi) and a Traffic Selector payload for the responder side (TSr). The TSi and TSr payloads contain a list of one or more Traffic Selectors (TS). The responder picks one TS from the TSi list and one TS from the TSr list and returns these in their own TSi/TSr payloads to the initiator in the IKE response as confirmation of the chosen traffic selectors. [RFC7296] defines two TS Types, TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE. These TS payloads contain the TS Type, IP protocol ID, Selector Length, Start and End Port and Start and End Address. 3. SECLABEL Traffic Selector This document defines two new TS Types, TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL. In addition to the above mentioned selectors, it contains a single new opaque Security Label selector. Wouters & Prasad Expires September 11, 2019 [Page 3] Internet-Draft Labeled IPsec March 2019 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | TS Type |IP Protocol ID*| Selector Length | +---------------+---------------+-------------------------------+ | Start Port* | End Port* | +-------------------------------+-------------------------------+ | | ~ Starting Address* ~ | | +---------------------------------------------------------------+ | | ~ Ending Address* ~ | | +---------------------------------------------------------------+ | | ~ Security Label* ~ | | +---------------------------------------------------------------+ Figure 1: Labeled IPsec Traffic Selector *Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shown are for TS Types [TBD] and [TBD], the two values this document defines. o TS Type (one octet) - Specifies the type of Traffic Selector. o IP protocol ID (1 octet) - Value specifying an associated IP protocol ID (such as UDP, TCP, and ICMP). A value of zero means that the protocol ID is not relevant to this Traffic Selector -- the SA can carry all protocols. o Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header. o Start Port (2 octets, unsigned integer) - Value specifying the smallest port number allowed by this Traffic Selector. For protocols for which port is undefined (including protocol 0), or if all ports are allowed, this field MUST be zero. ICMP and ICMPv6 Type and Code values, as well as Mobile IP version 6 (MIPv6) mobility header (MH) Type values, are represented in this field as specified in Section 4.4.1.1 of [RFC4301]. ICMP Type and Code values are treated as a single 16-bit integer port number, with Type in the most significant eight bits and Code in the least significant eight bits. MIPv6 MH Type values are treated as a single 16-bit integer port number, with Type in the most Wouters & Prasad Expires September 11, 2019 [Page 4] Internet-Draft Labeled IPsec March 2019 significant eight bits and the least significant eight bits set to zero. o End Port (2 octets, unsigned integer) - Value specifying the largest port number allowed by this Traffic Selector. For protocols for which port is undefined (including protocol 0), or if all ports are allowed, this field MUST be 65535. ICMP and ICMPv6 Type and Code values, as well as MIPv6 MH Type values, are represented in this field as specified in Section 4.4.1.1 of [RFC4301]. ICMP Type and Code values are treated as a single 16-bit integer port number, with Type in the most significant eight bits and Code in the least significant eight bits. MIPv6 MH Type values are treated as a single 16-bit integer port number, with Type in the most significant eight bits and the least significant eight bits set to zero. o Starting Address - The smallest address included in this Traffic Selector (length determined by TS Type). o Ending Address - The largest address included in this Traffic Selector (length determined by TS Type). o Security Label - An opaque byte stream of at least one octet. 4. Traffic Selector matching Matching of the IP protocol, start and end address, and start and end port is performed the same way as for the TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE TS types. Additionally, the Security Label is compared for an exact match as well. Label matching is done by comparing the opaque bytestream. The Security Label in the TSi and TSr MUST be identical. If the responder's policy does not allow it to accept any part of the proposed Traffic Selector including the Security Label, it MUST ignore the TS and look for another matching TS in the list. If no list entry matches, a TS_UNACCEPTABLE Notify message is returned. A zero length Security Label MUST NOT be sent. If the SPD policy contains no Security Label selectors, the TS Types TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL should not be used and TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE should be used instead. Any received Traffic Selector with a zero length Security Label MUST be ignored, and if no valid TS can be selected, an TS_UNACCEPTABLE Error Notify message is returned. A zero length Security Label MUST NOT be interpreted as a wildcard security label. Wouters & Prasad Expires September 11, 2019 [Page 5] Internet-Draft Labeled IPsec March 2019 If multiple Security Labels are allowed for a given IP protocol, start and end address/port match, multiple TS_IPV4_ADDR_RANGE_SECLABEL or TS_IPV6_ADDR_RANGE_SECLABEL Traffic Selectors must be included that only differ in the Security Label. Narrowing of Traffic Selectors applies to TS_IPV4_ADDR_RANGE_SECLABEL and TS_IPV6_ADDR_RANGE_SECLABEL as well, but the Security Label itself is not interpreted and cannot itself be narrowed. It MUST be matched exactly. Rekey of an IPsec SA MUST only use identical Traffic Selectors, which means the same TS Type and selectors MUST be used. This guarantees that a Security Label once negotiated, remains part of the IPsec SA after a rekey. 5. Security Considerations It is assumed that the Security Label can be matched by the IKE implementation to its own configured value, even if the IKE implemention itself cannot interpret the Security Label value. 6. IANA Considerations This document defines two new entries in the IKEv2 Traffic Selector Types registry: Value TS Type Reference ----- --------------------------- ----------------- TBD TS_IPV4_ADDR_RANGE_SECLABEL [this document] TBD TS_IPV6_ADDR_RANGE_SECLABEL [this document] Figure 2 7. Acknowledgements A large part of the introduction text was taken verbatim from [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. Quigley and J. Lu. Part of the Traffic Selector description is reproduced from [RFC7296]. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Wouters & Prasad Expires September 11, 2019 [Page 6] Internet-Draft Labeled IPsec March 2019 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . 8.2. Informative References [draft-jml-ipsec-ikev2-security-label] Latten, J., Quigley, D., and J. Lu, "Security Label Extension to IKE", draft-wouters-edns-tcp-keeaplive (work in progress), January 2011. [FIPS188] NIST, "National Institute of Standards and Technology, "Standard Security Label for Information Transfer"", Federal Information Processing Standard (FIPS) Publication 188, September 1994. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, DOI 10.17487/RFC5570, July 2009, . Authors' Addresses Paul Wouters Red Hat Email: pwouters@redhat.com Sahana Prasad Technical University of Munich Email: sahana.prasad07@gmail.com Wouters & Prasad Expires September 11, 2019 [Page 7]