Re: [IPsec] Labeled IPsec options
Paul Wouters <paul@nohats.ca> Fri, 13 December 2019 14:59 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 376C5120154 for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:59:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zpEPBdUq5-sy for <ipsec@ietfa.amsl.com>; Fri, 13 Dec 2019 06:59:06 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21B2512011D for <ipsec@ietf.org>; Fri, 13 Dec 2019 06:59:06 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 47ZDMX60TQzDZ5; Fri, 13 Dec 2019 15:59:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1576249144; bh=MQxjjLqfVYuKFwrXc9W+Skid5zsVPE4Y/we4VLitPFM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=mWqEwNpm9tsOJnBZOBIGv5Ye+So48vspzKsfc/55pGj//sBzYgkfGJdLkrO1UQvQ3 8w1z64LcvPxU2R6Z/W16OA54uCPNOxYKuF9Uq40R7czGXIg4iMqNQtdHahLIotUYPk BeGsnlmpfsDXY9VpRFRN4FFJ1AfDFFeQEbNd+voE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id m9RJ6N-XDfnN; Fri, 13 Dec 2019 15:59:03 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 13 Dec 2019 15:59:03 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D88CA6007ADD; Fri, 13 Dec 2019 09:59:02 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D502666AA8; Fri, 13 Dec 2019 09:59:02 -0500 (EST)
Date: Fri, 13 Dec 2019 09:59:02 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: ipsec@ietf.org, 'Sahana Prasad' <sahana@redhat.com>
In-Reply-To: <046301d5b1c4$fdad5840$f90808c0$@gmail.com>
Message-ID: <alpine.LRH.2.21.1912130953370.8529@bofh.nohats.ca>
References: <alpine.LRH.2.21.1912092333560.23963@bofh.nohats.ca> <01f501d5b0b2$facb4370$f061ca50$@gmail.com> <alpine.LRH.2.21.1912121606130.22484@bofh.nohats.ca> <046001d5b1c1$232c7be0$698573a0$@gmail.com> <alpine.LRH.2.21.1912130928540.8529@bofh.nohats.ca> <046301d5b1c4$fdad5840$f90808c0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/UE5yVgQ215OK9od4BzCsg8MYl90>
Subject: Re: [IPsec] Labeled IPsec options
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 14:59:07 -0000
On Fri, 13 Dec 2019, Valery Smyslov wrote: >>>> I don't think that matters. Security labels are never optional but >>>> always mandatory. And it seems very unlikely to have a mix of child >>>> sa's with and without label. So they will all have a label, and then >>>> failing the IKE SA is fine, >>> >>> Do you want to say, that it's impossible to have two SGWs with >>> multiple networks behind them so, that traffic from some networks will >>> have security labels and traffic from the others won't have? >> >> I'm not saying it is impossible. I am saying it is not likely to be a real > life >> configuration. If you classify network traffic with labels, your goal is > to not >> have unlabeled traffic come in at all. You might have a label > SEC_WHATEVER, >> but it still seems far more likely you would mark the traffic as having > come >> from SGWx with some kind of LABELx to track the origin throughout your >> network. >> >>> If such a configuration is possible, then it's perfectly OK to have a >>> mix of labelled and non-labelled IPsec SAs created by one IKE SA. >> >> I'd argue the reverse. It would likely be better not to allow such an > awful >> configuration :) > > So, am I right that you want all IPsec SAs created from a single IKE SA to > either > have labels or not? I described what I think are real life scenarios between two gateways. I was not specifying whether did appeared in a single IKE SA or a single IKE_AUTH/CREATE_CHILD_SA. See my previous email how we also have IPV4 ranges that we find are not combinable and thus we need to use a seperate CREATE_CHILD_SA to install the subset of allowed v4 combinations. The same would apply to labels. > If so, then it looks like an IKE SA property, and thus > an ability > to use labels should really be negotiated when IKE SA is created I don't think there is a need to ban the option to do it in seperate exchanges. I don't think we need to force admins to create two IKE SA's between the same endpoints to get labeled and unlabeled IPsec SA's. > (well, I don't care whether it is SECLABELS_SUPPORTED or SECLABELS_REQUIRED > notification :-)). And since peers know that seclabels are supported, we > won't > have any problems with legacy implementations (for example, the responder > cannot ignore label in notification in option 3). Sure, but one suggests the code can do it, the other suggests the configuration insists on it. It avoids the implementor question of "if we understand seclabels, but this connection does not use/require them, should I answer a SECLABELS_SUPPORTED notify with a reply?". Paul
- [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Russ Housley
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Hu, Jun (Nokia - US/Mountain View)
- Re: [IPsec] Labeled IPsec options Tero Kivinen
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters
- Re: [IPsec] Labeled IPsec options Valery Smyslov
- Re: [IPsec] Labeled IPsec options Paul Wouters