Network P. Wouters Internet-Draft Aiven Intended status: Standards Track S. Prasad Expires: 10 August 2023 Red Hat 6 February 2023 Labeled IPsec Traffic Selector support for IKEv2 draft-ietf-ipsecme-labeled-ipsec-09 Abstract This document defines a new Traffic Selector (TS) Type for Internet Key Exchange version 2 to add support for negotiating Mandatory Access Control (MAC) security labels as a traffic selector of the Security Policy Database (SPD). Security Labels for IPsec are also known as "Labeled IPsec". The new TS type is TS_SECLABEL, which consists of a variable length opaque field specifying the security label. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 10 August 2023. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. Wouters & Prasad Expires 10 August 2023 [Page 1] Internet-Draft Labeled IPsec February 2023 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Traffic Selector clarification . . . . . . . . . . . . . 3 1.3. Security Label Traffic Selector negotiation . . . . . . . 4 2. TS_SECLABEL Traffic Selector Type . . . . . . . . . . . . . . 4 2.1. TS_SECLABEL payload format . . . . . . . . . . . . . . . 4 2.2. TS_SECLABEL properties . . . . . . . . . . . . . . . . . 5 3. Traffic Selector negotiation . . . . . . . . . . . . . . . . 6 3.1. Example TS negotiation . . . . . . . . . . . . . . . . . 6 3.2. Considerations for using multiple TS_TYPEs in a TS . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 6.1. Libreswan . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction In computer security, Mandatory Access Control usually refers to systems in which all subjects and objects are assigned a security label. A security label is comprised of a set of security attributes. The security labels along with a system authorization policy determine access. Rules within the system authorization policy determine whether the access will be granted based on the security attributes of the subject and object. Wouters & Prasad Expires 10 August 2023 [Page 2] Internet-Draft Labeled IPsec February 2023 Traditionally, security labels used by Multilevel Systems (MLS) are comprised of a sensitivity level (or classification) field and a compartment (or category) field, as defined in [FIPS188] and [RFC5570]. As MAC systems evolved, other MAC models gained in popularity. For example, SELinux, a Flux Advanced Security Kernel (FLASK) implementation, has security labels represented as colon- separated ASCII strings composed of values for identity, role, and type. The security labels are often referred to as security contexts. Traffic Selector (TS) payloads specify the selection criteria for packets that will be forwarded over the newly set up IPsec SA as enforced by the Security Policy Database (SPD, see [RFC4301]). This document specifies a new Traffic Selector Type TS_SECLABEL for IKEv2 that can be used to negotiate security labels as additional selectors for the Security Policy Database (SPD) to further restrict the type of traffic allowed to be sent and received over the IPsec SA. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. Traffic Selector clarification The negotiation of Traffic Selectors is specified in Section 2.9 of [RFC7296] where it defines two TS Types (TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE). The Traffic Selector payload format is specified in Section 3.13 of [RFC7296]. However, the term Traffic Selector is used to denote the traffic selector payloads and individual traffic selectors of that payload. Sometimes the exact meaning can only be learned from context or if the item is written in plural ("Traffic Selectors" or "TSs"). This section clarifies these terms as follows: A Traffic Selector (no acronym) is one selector for traffic of a specific Traffic Selector Type (TS_TYPE). For example a Traffic Selector of TS_TYPE TS_IPV4_ADDR_RANGE for UDP traffic in the IP network 198.51.100.0/24 covering all ports, is denoted as (17, 0, 198.51.100.0-198.51.100.255) Wouters & Prasad Expires 10 August 2023 [Page 3] Internet-Draft Labeled IPsec February 2023 A Traffic Selector payload (TS) is a set of one or more Traffic Selectors of the same or different TS_TYPEs. It typically contains one or more of the TS_TYPE of TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE. For example, the above Traffic Selector by itself in a TS payload is denoted as TS((17, 0, 198.51.100.0-198.51.100.255)) 1.3. Security Label Traffic Selector negotiation The negotiation of Traffic Selectors is specified in Section 2.9 of [RFC7296] and states that the TSi/TSr payloads MUST contain at least one Traffic Selector type. This document adds a new TS_TYPE of TS_SECLABEL that is valid only with at least one other type of Traffic Selector. That is, it cannot be the only TS_TYPE present in a TSi or TSr payload. Typically, the other TS_TYPE would be of type TS_IPV4_ADDR_RANGE and/or TS_IPV6_ADDR_RANGE. 2. TS_SECLABEL Traffic Selector Type This document defines a new TS Type, TS_SECLABEL that contains a single new opaque Security Label. 2.1. TS_SECLABEL payload format 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | TS Type | Reserved | Selector Length | +---------------+---------------+-------------------------------+ | | ~ Security Label* ~ | | +---------------------------------------------------------------+ Figure 1: Labeled IPsec Traffic Selector *Note: All fields other than TS Type and Selector Length depend on the TS Type. The fields shown is for TS Type TS_SECLABEL, the selector this document defines. * TS Type (one octet) - Set to 10 for TS_SECLABEL, * Selector Length (2 octets, unsigned integer) - Specifies the length of this Traffic Selector substructure including the header. * Security Label - An opaque byte stream of at least one octet. Wouters & Prasad Expires 10 August 2023 [Page 4] Internet-Draft Labeled IPsec February 2023 2.2. TS_SECLABEL properties The TS_SECLABEL Traffic Selector Type does not support narrowing or wildcards. It MUST be used as an exact match value. The TS_SECLABEL Traffic Selector Type MUST NOT be the only TS_TYPE present in the TS payload. If a TS payload is received with only TS_SECLABEL Traffic Selector types, an Error Notify message containing TS_UNACCEPTABLE MUST be returned. The Security Label contents are opaque to the IKE implementation. That is, the IKE implementation might not have any knowledge of the meaning of this selector, other than as a type and opaque value to pass to the SPD. A zero length Security Label MUST NOT be used. If a received TS payload contains a TS_TYPE of TS_SECLABEL with a zero length Security Label, that specific Traffic Selector MUST be ignored. If no other Traffic Selector of TS_TYPE TS_SECLABEL can be selected, a TS_UNACCEPTABLE Error Notify message MUST be returned. A zero length Security Label MUST NOT be interpreted as a wildcard security label. If multiple Security Labels are allowed for a given IP protocol, start and end address/port match, the initiator includes all of the acceptable TS_SECLABEL's and the responder MUST select one of them. If the Security Label traffic selector is optional from a configuration point of view, an initiator will add the TS_SECLABEL to the TSi/TSr Payloads. If the responder replies with TSi/TSr Payloads that include the TS_SECLABEL, than the Child SA MUST be created including the negotiated Security Label. If the responder did not include a TS_SECLABEL in its response, then the initiator (with deemed the Security Label optional) will install the Child SA without including any Security Label. If the initiator required the TS_SECLABEL, it MUST not install the Child SA and it MUST send a Delete notification for the Child SA so the responder can uninstall its Child SA. A responder that selected a TS with TS_SECLABEL MUST use the Security Label for all selector operations on the resulting TS. It MUST NOT select a TS_SECLABEL without using the specified Security Label, even if it deems the Security Label optional, as the initiator has indicated (and expects) that Security Label will be set for all traffic matching the negotiated TS. Wouters & Prasad Expires 10 August 2023 [Page 5] Internet-Draft Labeled IPsec February 2023 3. Traffic Selector negotiation TS_SECLABEL MUST NOT be used without another TS_TYPE in a Traffic Selector Payload, as it does not specify a complete set of traffic selectors on its own. TS_SECLABEL is complimentary to another type of Traffic Selector. Because of this there MUST be some other TS_TYPEs in addition to TS_SECLABEL in the Traffic Selector Payload when it is used in negotiation. If the TSi Payload contains a traffic selector for TS_TYPE of TS_SECLABEL (along with another TS_TYPE), the responder MUST create each TS response for the other TS_TYPEs using its normal rules specifed for each of those TS_TYPE, such as narrowing them following the rules specified for that TS_TYPE, and then add exactly one for the TS_TYPE of TS_SECLABEL to the TS Payload(s). If this is not possible, it MUST return a TS_UNACCEPTABLE Error Notify payload. If a TS_SECLABLE is deemed optional, the initiator SHOULD first try to negotiate the Child SA with the TS payload including the optional TS_SECLABEL. If such a negotiation results in receiving a TS_UNACCEPTABLE Error Notify, it SHOULD attempt a new Child SA negotiation using the same TS but without the optional TS_SECLABEL. 3.1. Example TS negotiation An initiator could send: TSi = ((17,24233,198.51.12-198.51.12), (17,0,192.0.2.0-192.0.2.255), (0,0,198.51.0-198.51.255), TS_SECLABEL1, TS_SECLABEL2) TSr = ((17,53,203.0.113.1-203.0.113.1), (17,0,203.0.113.0-203.0.113.255), (0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1, TS_SECLABEL2) Figure 2: initiator TS payloads example The responder could answer with the following example: TSi = ((0,0,198.51.0-198.51.255), TS_SECLABEL1) TSr = (((0,0,203.0.113.0-203.0.113.255), TS_SECLABEL1) Wouters & Prasad Expires 10 August 2023 [Page 6] Internet-Draft Labeled IPsec February 2023 Figure 3: responder TS payloads example 3.2. Considerations for using multiple TS_TYPEs in a TS It would be unlikely that the traffic for TSi and TSr would have a different Security Label, but this specification does allow this to be specified. If the initiator does not support this, and wants to prevent the responder from picking different labels for the TSi / TSr payloads, it should attempt a Child SA negotiation with only the first Security Label first, and upon failure retry a new Child SA negotiation with only the second Security Label. If different IP ranges can only use different specific Security Labels, than these should be negotiated in two different Child SA negotiations. If in the example above, the initiator only allows 192.0.2.0/24 with TS_SECLABEL1, and 198.51.0/24 with TS_SECLABEL2, than it MUST NOT combine these two ranges and security labels into one Child SA negotiation. 4. Security Considerations It is assumed that the Security Label can be matched by the IKE implementation to its own configured value, even if the IKE implementation itself cannot interpret the Security Label value. A packet that matches an SPD entry for all components except the Security Label would be treated as "not matching". If no other SPD entries match, the (mis-labeled) traffic might end up being transmitted in the clear. It is presumed that other Mandatory Access Control methods are in place to prevent mis-labeled traffic from reaching the IPsec subsystem, or that the IPsec subsystem itself would install a REJECT/DISCARD rule in the SPD to prevent unlabeled traffic otherwise matching a labeled security SPD rule from being transmitted without IPsec protection. 5. IANA Considerations This document defines one new entry in the IKEv2 Traffic Selector Types registry: [Note to RFC Editor (please remove before publication): This value has already bee added via Early Allocation. Value TS Type Reference ----- --------------------------- ----------------- 10 TS_SECLABEL [this document] Figure 4 Wouters & Prasad Expires 10 August 2023 [Page 7] Internet-Draft Labeled IPsec February 2023 6. Implementation Status [Note to RFC Editor: Please remove this section and the reference to [RFC7942] before publication.] This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". Authors are requested to add a note to the RFC Editor at the top of this section, advising the Editor to remove the entire section before publication, as well as the reference to [RFC7942]. 6.1. Libreswan Organization: The Libreswan Project Name: https://lists.libreswan.org/mailman/listinfo/swan-dev/ Description: Implementation was introduced in 4.4, but 4.6 or newer should be used Level of maturity: beta Coverage: Implements the entire draft using SElinux based labels Licensing: GPLv2 Implementation experience: No interop testing has been done yet. The code works including different labeled on-demand kernel ACQUIRES. Wouters & Prasad Expires 10 August 2023 [Page 8] Internet-Draft Labeled IPsec February 2023 Contact: Libreswan Development: swan-dev@libreswan.org 7. Acknowledgements A large part of the introduction text was taken verbatim from [draft-jml-ipsec-ikev2-security-label] whose authors are J Latten, D. Quigley and J. Lu. Valery Smyslov provided valuable input regarding IKEv2 Traffic Selector semantics. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 8.2. Informative References [draft-jml-ipsec-ikev2-security-label] Latten, J., Quigley, D., and J. Lu, "Security Label Extension to IKE", 28 January 2011. [FIPS188] NIST, "National Institute of Standards and Technology, "Standard Security Label for Information Transfer"", Federal Information Processing Standard (FIPS) Publication 188, September 1994, . [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, DOI 10.17487/RFC5570, July 2009, . Wouters & Prasad Expires 10 August 2023 [Page 9] Internet-Draft Labeled IPsec February 2023 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, . Authors' Addresses Paul Wouters Aiven Email: paul.wouters@aiven.io Sahana Prasad Red Hat Email: sahana@redhat.com Wouters & Prasad Expires 10 August 2023 [Page 10]