IETF Logo Mail Archive

Re: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec

Paul Wouters <paul@nohats.ca> Wed, 15 December 2021 17:16 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5B13A081A for <ipsec@ietfa.amsl.com>; Wed, 15 Dec 2021 09:16:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HvXtckFR3FQz for <ipsec@ietfa.amsl.com>; Wed, 15 Dec 2021 09:16:29 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D943A0815 for <ipsec@ietf.org>; Wed, 15 Dec 2021 09:16:28 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4JDhjd3NxBz3bw; Wed, 15 Dec 2021 18:16:21 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1639588581; bh=cNU7bPrth2LDKqDDubEMymXEHYJtiHr+G+pxt2kW4Bg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=AZJYjKaQgJFZ3O+A/0J0pqO3Igtl4CIIIKjCBuKX6P1aWZYVl+leDz2+SK/DXyAQv Pc3Fhf3dsPPLsHEPWIRMcQZg7ecN3j0yK2JgaNvEd8/H8jfIj5qqARfhmU8S+7jZ0z JTuALt+BmyfoIgHnOiwymVMlxjFhVFTmeRkbzFLY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id uWmgIwi5Gbod; Wed, 15 Dec 2021 18:16:20 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 15 Dec 2021 18:16:20 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 772431D4165; Wed, 15 Dec 2021 12:16:19 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 745881D4164; Wed, 15 Dec 2021 12:16:19 -0500 (EST)
Date: Wed, 15 Dec 2021 12:16:19 -0500
From: Paul Wouters <paul@nohats.ca>
To: Tobias Brunner <tobias@strongswan.org>
cc: Valery Smyslov <smyslov.ietf@gmail.com>, ipsec@ietf.org, 'Tero Kivinen' <kivinen@iki.fi>
In-Reply-To: <1a61d1fa-9b4e-effd-3819-3b735c077ac2@strongswan.org>
Message-ID: <fcd8e69-384c-588a-a2f6-2a155eb1a15a@nohats.ca>
References: <24831.15082.263253.443690@fireball.acr.fi> <2d1501d799ba$af76bc40$0e6434c0$@gmail.com> <ed3d346-8f66-620-1914-d55e0dd9f2c@nohats.ca> <1a61d1fa-9b4e-effd-3819-3b735c077ac2@strongswan.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/XtjSkEQEnQPdbhY2kw8Zf-a7eos>
Subject: Re: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2021 17:16:33 -0000

On Thu, 9 Dec 2021, Tobias Brunner wrote:

> In the SELinux case, and using your example, could the client actually 
> propose "nfs-client in TSi and "nfs-server" in TSr?  So the server could set 
> "nfs-client" on the inbound SA/policy and "nfs-server" on the corresponding 
> outbound SA/policy of the CHILD_SA (and vice-versa on the client)?  Or won't 
> that work?  If it's a valid use case, should the document specify which of 
> the two labels is to be applied to what SA/policy?  Or is that an 
> implementation aspect that you explicitly want to keep out of it?

I was trying to keep that out of the draft. Because for example if the
label is TOP_SECRET vs SECRET, then you might not want to allow this.
Also, IKE daemons might not know how to interpret the label at all.

> Also, I don't fully get the multiple label in TSi part.  If multiple labels 
> are allowed/supported per SA by the implementation (not sure how that would 
> work inbound, but let's assume there is a way to mark packets with some kind 
> of meta label that covers multiple negotiated ones), why would any narrowing 
> take place for TSr?

Whether or not a label could be narrowed is something that is outside of
the scope of IKE. We don't want to require labels properties that might not
be compatible with a labeling structure we haven't thought or (or aren't
allowed to know about :)

I wanted to leave the option open of being able to suggest multiple
labels to support potential migrations or 'narrowing' or 'widening'.
I also assumed that if the labeling system supports label A and B,
i could also support a different label with the meaning of A|B or A&B.

I guess we could extend the mechanism to allow selecting multiple
labels, but it just seemed a complexity that was likely not to be used
in practise (AFAWK). In fact, I'd much rather remove allowing multiple
labels to be selected, than add complexity to allow multiple labels to
be negotiated.

> On the other hand, if multiple labels are not supported, in what situation 
> could proposing multiple labels be useful?

One reason could be to try and get the most secure label we both support
(or are allowed to use) in place. Eg if the information is SECRET, but
perhaps you and I have TOP_SECRET, by sending both we could end up on
the more secure TOP_SECRET. But if you only have SECRET, I might be
willing to allow SECRET for this as well.

Another example is migration. Perhaps we introduce a new TOPPEST_SECRET,
and I don't know if you upgraded to support this level yet, so I can
send TOPPEST_SECRET and TOP_SECRET and you pick TOP_SECRET when nog yet
upgraded and TOPPEST_SECRET when already upgraded.

>  Wouldn't traffic with the omitted 
> labels just get dropped afterwards?  Or is the assumption that this triggers 
> a new acquire/SA?

Not all labeling systems might be assigned labels based on IP trafic
properties. We would want to avoid things just "not working". Eg if
you don't support TOPPEST_SECRET, we wouldn't want to get stuck with
not being able to exchange traffic at all.

> If so, would the request not contain multiple labels again 
> and, if that's the case, what prevents the peer from selecting the same label 
> as before?  Is it to keep track of what label it selected previously and that 
> the intention of the initiator now might be that another should get selected?

I dont have expectations that using the wrong label or omitting a label
would result in a new working SA. It might or it might not.

> Or is it up to the initiator not to propose multiple labels the second time 
> around (or just omit the ones it already has an SA for)?  If so, why would it 
> send multiple the first time (in particular if the SA was triggered by an 
> acquire)?

I think you are thinking too much about actual packet properties, and
not take organizational / administratie labels into account ?

> I think either the narrowing to a single label should be optional, or sending 
> multiple labels in TSi should be prohibited in the first place.

That would complicate the migration example I explained above. A labeling
system might not accept multiple labels?

Although I am okay with making narrowing to a single label optional.

Note again that for our use case of SElinux, this does not matter as we
do not support more than one label in the IKE negotiation ever at this
point.

Paul

v2.23.0 | Report a Bug | By Email