Re: [IPsec] WGLC of draft-ietf-ipsecme-labeled-ipsec

[Paul Wouters <paul@nohats.ca>]

On Tue, 2 Nov 2021, Valery Smyslov wrote:

>>> 1. Section 1.2.
>>> The last para is erroneous here, since the immediately following the first para of Section 1.3
>>> states exactly the same with more details. Either remove it or rephrase and move to 1.3 (e.g.
>>> to keep provided example).
>>
>> It is actually different. Section 1.2 only clarifies content of RFC
>> 7296. Sectin 1.3 describes to update to RFC 7296.
>
> I disagree. Only the first two paras of 1.2 are clarifications.
> The last para of 1.2 is not a clarification, it is a new requirement for what
> Traffic Selector Payload must contain, so it's an update of 7296 text and for
> this reason should belong to 1.3. But 1.3 has already contained this requirement.
>
> Compare:
>
> Last para of 1.2:
>
>   A Traffic Selector payload (TS) is a set of one or more Traffic
>   Selectors of the same or different TS_TYPEs, but MUST include at
>   least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.

This is true, even if only because those are the only valid TS_TYPEs
that exist in RFC 7296. I could omit it to better match the old text,
but I find that a bit confusing. The goad of 1.2 is to point out the
problem if RFC 7296 using "Traffic Selector" to mean both the selector
and the selector set / payload. If you insist, I can remove:

 	of the same or different TS_TYPEs, but MUST include at
 	least one TS_TYPE of TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.

> 1.3:
>
>   This document updates the text to mean
>   that the TSi/TSr payloads MUST contain at least one Traffic Selector
>   of type TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE...


>>> Why it is repeated here?
>>
>> Defense in depth against sloppy implementers? I removed this one :P
>
> OK.

>>> I wonder why zero-length TS_SECLABEL cannot be used to represent "no security label"?
>>> This would significantly simplify negotiation when using security labels are optional
>>> for initiator. Currently it is proposed that initiator performs two attempts
>>> to establish Child SA in this case - with and without TS_SECLABEL.
>>> If zero-length TS_SECLABEL meant "no security label", then a single CREATE_CHILD_SA
>>> would be sufficient. It would also simplify the IKE state machine for this case.
>>>
>>> Are there any reasons I'm not aware of?
>>
>> If new implementations start using this, it would be incompatible with
>> old implementations that would reject any TS set with unknown TS_TYPE,
>> and would also lead to two attempts.
>
> I don't buy this argument - with old implementations two attempts are unavoidable.
>
>> We also wanted to avoid ambiguity
>> with NULL or the empty string.
>
> What ambiguity? There is no ambiguity in representing this in the protocol -
> it's a TS with a type of TS_SECLABEL and no data. If you mean possible ambiguity
> in representation this label inside the code, then I think that it's
> out of scope of the protocol.
>
>> And wanted a clear signal for wanting
>> a TS_SECLABEL to not signify "no sec label". I am nervous that
>> implementations would fail to insist on a label because it got an empty
>> label. So again, defense in depth against sloppy implementers.
>
> My very deep believe is that you cannot stop some implementers from
> doing thing wrong (some are very creative in this regard) :-/
> And I think that adding complexity to the protocol is a penalty
> for those implementers, who strictly follow the spec.
> So I can't buy this argument too, sorry.

We do need to take implementations and common implementation mistakes
into consideration when designing a protocol.
But also, a security label of "nothing" isn't really a valid security
label selector. It is too ambiguous with "no security label". It makes
common sense to me to simply not allow it. And comparing a 0 size NULL
with a zero byte also seems just way to risky. Ideally, I would have
stated "a minimum length of one non-zero octet".

I guess we need to get other people's opinion on this.


>> Note that in all cases I am aware of, there is no use case of "optional
>> security labels" and both ends always need to configure the exact same
>> label. So there is not really a cause of "retrying without security
>> label". I know this might look useful upgrading existing deployments
>> from no label to sec label, but in practise, I have not seen this.
>> People start with insisting proper labels.
>
> I wonder how they deploy this with more-or-less big system.
> Simultaneously upgrade thousands of hosts with no service interruption?

In our implementation you can define two "conns", one with and one
without. And choosing the right one will work. On the responder, there
is a connection switching mechanism that can switch to the better
matching connection once the TS payloads are read from IKE_AUTH. So
first you add all the conns with sec_label. And after a while, you can
just remove all the conns without sec_label.

>> Changed. Old text:
>>
>>     A responder that selected a TS with TS_SECLABEL MUST use the Security
>>     Label for all selector operations on the resulting IPsec SA.  It MUST
>>     NOT select a TS_set with a TS_SECLABEL without using the specified
>>     Security Label, even if it deems the Security Label optional, as the
>>     initiator TS_set with TS_SECLABEL means the initiator mandates using
>>     that Security Label.
>>
>> New text:
>>
>>     A responder that selected a TS with TS_SECLABEL MUST use the Security
>>     Label for all selector operations on the resulting TS. It MUST
>>     NOT select a TS_SECLABEL without using the specified Security Label,
>>     even if it deems the Security Label optional, as the initiator has
>>     indicated (and expects) that Security Label will be set for all
>>     traffic matching the negotiated TS.
>
> I'm a bit confused with the part of \new text:
>
> "...all selector operations on the resulting TS."
> What do you mean? Did you mean
> "on the resulting Traffic Selector"?
> Or am I missing something?

I mean to say, if you pick a TS with TS_SECLABEL, you MUST have a
security label as part of your SPD selector mechanism. You cannot
decide to ignore it and only use IP address based SPD selectors.

In our implementation, using the selector means _setting_ the SElinux
context (sec_label) on the decrypted packet before releasing it to the
OS for further processing by the application. The application might make
security decisions based on the sec_label, so not "applying" the sec_label
negotiated would be a security violation of the negotiated policy.

That is, things might appear to work but in fact might be working
without sec_label security and the remote peer has no way of detecting
this. It is trusting the peer to apply the security policy to the
packets.

If you have a suggested text you prefer, please let me know.

>> (I avoided talking about IPsec SA or Child SA, as one of those _may_
>> include multiple different TS'es)
>
> So what? I think that the essence of this text is that if TS_SECLABEL
> is used, then it is applied for the whole Traffic Selector for this Child SA.
> Am I missing the essence?

I avoided talking about IPsec / Child SA because different ones can have
different negotiated TS_SECLABELS - eg they can be independent from the
exchange we are talking about. (I think we are saying the same thing?)

>>> 6. Section 3.
>>>   Each TS payload (TSi and TSr) MUST contain at least one TS_TYPE of
>>>   TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
>>>
>>> This is repeated for the third time in the document. Can you please keep the only
>>> instance of this requirement?
>>
>> Okay, I removed the middle one as it really talked about TS_LABEL
>> properties only. I left the "update RFC 7296" one and this one which is
>> actually about the negotiation.
>
> I still think it's a repetition of a requirement. I believe that properly
> written standard must not contain repetitions of requirements.
> If you really really want to keep it here (do defense against sloppy implementers?),
> then change the text to something like:
>
>    Section XX of this document updates definition of TS payload,
>    so that it must contain at least one TS_TYPE of
>   TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE.
>
> (note lowercase "must" and reference to actual definition).

sure, if that makes you happy. I have no objection.

>>> 7. Section 3.
>>>   A responder MUST create its TS response by selecting one of each
>>>   TS_TYPE present in the offered TS by the initiator.  If it cannot
>>>   select one of each TS_TYPE, it MUST return a TS_UNACCEPTABLE Error
>>>   Notify payload.
>>
>> Changed to:
>>
>>        A responder MUST create each TS response by creating one of more
>>        (narrowed or not) TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE entries,
>>        plus one of each further TS_TYPE present in the offered TS by the
>>        initiator. If this is not possible, it MUST return a TS_UNACCEPTABLE
>>        Error Notify payload.
>
> Better. thanks. I'm a bit concerned of the generality of this requirement.
> If tomorrow somebody introduces new TS_TYPE, that will be allowed
> to have multiple values in response, then the text "plus one of each further TS_TYPE"
> will prevent responder from doing that. So this text is true for
> TS_SECLABEL, but is not necessarily true for not yet defined TS_TYPEs.

Yes, so such a new TS_TYPE will have to Update: this document, just like
this one has to Update: 7296. This is exactly the kind of issue Update:
is designed for. The generality is there and we are updating it for
specific TS_TYPEs.

>>> Can you please provide some examples of possible semantics of
>>> different TS_SECLABELs in TSi and TSr? Sending different
>>> security labels in different directions? Just for curiosity.
>>
>> I cannot, but I wanted to ensure not to accidentally forbid it. What
>> we do see with our implementation though, that we end up with two
>> IPsec Sa's where each is only used in one direction. For example,
>> image you have an SElinux context for nfs-server and nfs-client. What
>> happens is that the NFS client triggers one label on the outgoing
>> connection, triggers ACQUIRE, sets up an IPsec SA with a label
>> "nfs-client". The first packet hits the NFS server, which to reply
>> hits a different SElinux context of "nfs-server". So it will trigger
>> an ACQUIRE and setup a second IPsec SA with a label "nfs-server". Both
>> IPsec SA's will only be used in one direction. I did not add any
>> of this into the document, as it is very SElinux specific, where as
>> the draft is agnostic on the meaning of SEC_LABEL and allows for
>> other mechanisms that might not have this complexity.
>
> I understand your example, but I failed to understand how it is aligned
> with the current document. In particular, my understanding
> of the negotiation process is that the initiator includes
> several possible seclabels and the responder selects one of them,
> which means that both agreed to use the selected seclabel
> in both directions.

It does. If both endpoints have an "nfs-client" and "nfs-server" role.

But you are now getting very close to "interpreting sec_labels", which
the IKE stack should not do :)

> If my understanding is wrong and you meant that
> the initiator can use "any" of the proposed seclabels,
> while responder can only use one of them - which
> it has selected, then you must explain this in more details.

Your understanding is right. It is just that the "nfs-server" might
not have any "nfs-client" traffic since it is a server and not a client.

> Moreover, I failed to understand what the responder
> has to do in this situation if its policy allows initiator
> to use only one seclabel. You describe a similar case
> for the initiator, but not for the responder.

traffic covered has 1 seclabel. If the initiator sends multiple
acceptable ones, the responder picks one. I thought this was clear
in the document?

In our implementation, this never happens and there is only ever
one sec_label the initiator proposes. It receives a seperate
ACQUIRE for each sec_label and sets up individual Child SA's for
each sec_label. But that is our implementation. I again did not
want to exclude other implementations with different mechanisms
on their sec_label to be limited to our personal requirements.
It just seemed that allowing multiple sec_labels within one
Child SA seemed dangerous, and one would be better of defining
a third type of sec_label value that incorporations the two
base types of sec_label one wants to include. Eg if you want
the connection to accept SECPOL1 and SECPOL2, define a label
SECPOL3 that means "SECPOL1 or SECPOL2", or even call it
"SECPOL1|SECPOL2".

If the WG believes we should be more generic and allow picking
multiple ones, this can be changed.

> So, I believe that unless more clarifications are
> added to the document and all these cases are
> described in details, this para must be removed,
> because it describes the case that contradicts
> to the rest of the document and cannot be
> implemented using this document.

I don't understand what you mean?

>> I used the RFC 7296 language in the new text:
>>
>>       The mechanism of narrowing of Traffic Selectors with
>>       TS_IPV4_ADDR_RANGE and TS_IPV6_ADDR_RANGE does not apply to
>>       TS_SECLABEL as the Security Label itself is not interpreted and
>>       cannot be narrowed. It MUST be matched exactly. Since a rekey
>>       MUST NOT narrow down the Traffic Selectors narrower than the scope
>>       currently in use, the only valid choice of TS_SECLABEL for a rekey
>>       is the identical TS_SECLABEL that is in use by the Child SA being
>>       rekeyed. If the TS_LABEL is missing from the TS during the rekey
>>       negotiation, the negotiation MUST fail with TS_UNACCEPTABLE.
>
> I think that this part
>
>     Since a rekey
>      MUST NOT narrow down the Traffic Selectors narrower than the scope
>      currently in use, the only valid choice of TS_SECLABEL
>
> must be change to
>
>      According to RFC 7296  Section 2.9.2, a rekey operation
>      must not narrow down the Traffic Selectors narrower than the scope
>      currently in use. For this reason the only valid choice of TS_SECLABEL
>
> So, it's clear that this document doesn't impose any new requirement
> here, it only refers to RFC 7296's one.

I'll make that change.

Paul