Internet DRAFT - draft-belgaied-ipv6-lsopt
draft-belgaied-ipv6-lsopt
Network Working Group K. Belgaied
Internet Draft Sun Microsystems Inc.
draft-belgaied-ipv6-lsopt-00.txt G. Winiger
Sun Microsystems Inc.
February 2001
Generalized Labeled Security Option
for IPv6
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet- Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet Draft expires August 22, 2001.
Abstract
This memo describes a new IPv6 Hop-by-Hop Option type used as an
explicit security label. The hosts supporting Labeled Security
add this option to the packets they originate in order to convey the
sensitivity of the data. The routers that recognize this
option will use it to make routing decision, in conformance with a
pre-established policy. The IPSec protection requirements and a
transition scheme from the existing IPv4 security options to the LS
option are also proposed.
draft-belgaied-ipv6-lsopt-00.txt [Page 1]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
Table of Contents
1. Introduction
2. LS option specification
2.1. Syntax
2.2. Alignment
2.3. Order and coexistence of Tags
3. Functional specification
3.1. Domain of Interpretation
3.2. Interface protection table
3.3. Host behavior
3.3.1 Originating host
3.3.2 Destination host
3.4 Router behavior
4. Deployment considerations
4.1 Policy information setting
4.2 IPv4 Security Options Transition
4.3 Key management
5. Security Considerations
6. IANA Considerations
7. References
8. Acknowledgments and Authors' Addresses
draft-belgaied-ipv6-lsopt-00.txt [Page 2]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
1. Introduction
Information in a multilevel security environment is labeled. The
label of a process may represent the credentials of that process.
The label on an object (file, device, ...) may represent the
sensitivity, as in the Bell and Lapadula model [BL73], the
integrity, as in the Biba model [Bib77], or other security
attributes of the data.
Multilevel secure operating systems enforce a set of mandatory
access control rules, in order to guarantee that information is
protected to a certain level of assurance, that can be evaluated
according to predefined criteria [LSPP], [DoD85].
In order to enforce those access controls across a network,
routing needs to be controlled so as to select specific
network links in accordance with the security policy [DoD87],
and host need to be able to retrieve the security attributes of
data coming from the network, and to communicate those of
their own processes when they access data at remote hosts.
Making the security attributes of the information available to the
entities that need it can be achieved by either explicitly or
implicitly labeling the IP packets, as discussed in [RFC-1457],
Security Labeling Framework for the Internet.
Dedicating an IPSec security association for each sensitivity
level is one way of implicit labeling [RFC-2401]. I has the advantage
of tying the security attribute of the information to an SA, thus
guaranteeing that the former is always protected by the latter.
The implicit labeling has the following limitations though:
. Scalability. Implicit binding of security attributes to SAs may
be sufficient when there is a small set of values for those
attributes. Communicating LS systems may exchange data at a wide
range of sensitivities, produced by processes with varying
credentials, and would need a separate SA for each combination.
. Practical consideration. Although an IPSec SA can scale down to
selectively protect a single socket (one connection / liaison),
it is more efficient in practice to aggregate the flows by broader
selectors, like host or subnet addresses or transport level port
numbers, due to the cost of the SA establishment including the key
management.
. Routers cannot figure out the security attributes of the packets,
unless they are members of the security association.
IPv4 had previous experience with explicit labeling:
[RFC-1108] defined the IPSO, a security option in the IPv4 header
that can be used for a small number of possible labels mainly in
use by the US Government.
An IETF working group, cipso, was later formed to propose an IP
labeling scheme more suitable to commercial use, and did produce
an Internet draft, the Common IP Security Option specification.
draft-belgaied-ipv6-lsopt-00.txt [Page 3]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
Although the IETF draft expired, the proposal was adopted in 1994 by
the US Government as a Federal Information Processing Standard
(FIPS) [CIPSO].
IPv6 [RFC2460] offers a convenient mechanism to carry ancillary data
with packets, using options in the hop-by-hop and the destination
extension headers. Such an option seems to be the natural choice
for use as security label for IPv6 packets.
The remainder of this memo proposes a generalized approach to
the explicit labeling for IPv6 packet and to the migration of the
currently most used labeling IPv4 options (CIPSO and IPSO) to the
LS IPv6 option. It applies mainly to the [BL] model, although
it may be adopted for an integrity model with some limitations.
We'll also discuss the IPSec [RFC-2401] protection requirements when
operating in the real world, outside the assumptions of a Trusted
Computing Base [DoD85].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC-2119].
Unless otherwise stated, references to the link-local, site-local
or global addressing scopes mean both unicast and multicast address
types, as defined in [RFC-2373].
2. LS option specification
2.1. Syntax
The general format of an LS option is:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LSOPT type | Opt Data len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Domain of Interpretation (len = 4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Variable Length Option Data .
. .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
All the fields are stored in the network-byte order.
LSOPT type's value is an octet value to be requested from IANA,
with the following constraints:
. First 2 MSB are 00, instructing the non supporting nodes to skip
over this option and continue processing the header
. The next MSB is 0, indicating that the Option Data does not change
en-route
draft-belgaied-ipv6-lsopt-00.txt [Page 4]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
The Opt Data length is expressed in octets.
The Domain of Interpretation field is a 4 octet integer that
identifies the semantics of the option data to follow. Communicating
nodes have to agree on a common interpretation of the LS option
before acting upon it.
The value DOI=0 is dedication for the transition from IPv4 security
options.
This specification proposes also to reserve the values 1-255.
The option Data option is a list of self-describing tags.
Each tag has the following format:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+---------+-+
| Tag Type | Tag Length | Tag Information |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+---------+-+
The Tag Type (TT) identifies the type of the information in the
Tag Info (TI) field. Tag length (TL) to total length of the tag,
expressed in octets.
The following types are predefined in this document. The
implementations are required to use them in the way indicated herein.
All these tag types can be used in both hop-by-hop and destination
headers, unless otherwise specified.
We also provide how entities of each type are compared.
TT 1: The tag is a hierarchical 2-octet entity.
TL is 4.
This can be thought of as a level or classification.
The comparison of fields of this type is the conventional
mathematical relation (<=, <, >, >=, ==, !=)
TT 2: Non-hierarchical bit-vector.
TL is a variable number of octets. TL MUST be an even number.
This type is intended for categories/compartments bit sets.
The comparison of fields of this type is the inclusion
relation.
TT 3: Enumeration.
TL is a variable number of octets.
This is a list of items. Each item is a short. It is a
compact way of coding categories and compartments.
The comparison of fields of this type is the inclusion
relation.
TT 4: List of ranges.
TL is a variable number of octets. TL must be a 4n+2 integer.
Each range has 2 shorts: lower and upper boundaries of the
draft-belgaied-ipv6-lsopt-00.txt [Page 5]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
interval. The intervals MUST NOT overlap.
The ranges are intended as an efficient grouping of categories
and compartments.
The comparison of fields of this type is the inclusion
relation.
TT 5: IPv4-Compatible option.
TL is a variable number of octets. TL must be an even
number.
This tag contains an IPv4 security option.
The intent of this tag is to provide an easy transition to IPv6
for the LS systems that already use legacy IPv4 options.
TT 6: Destination-only data
TL is a variable number of octets in this TI. TL must be an
even number.
Only the destinations that understand the DOI are able to
interpret it.
This option is not understood by routers when present in a
hop-by-hop header and MUST be skipped.
TT 7-255: Available for future use, to be requested from IANA.
2.2 Alignment
The DOI MUST be aligned on an 8n+4 octet boundary.
If the packet contains other options in the hop-by-hop extension
header, Pad1 or PadN options MUST be used in order to ensure the
DOI in the LS option fall in that boundary, in accordance with
the formatting guidelines in [RFC2460]
Tags MUST be aligned so that their fields fall in their natural
boundaries.
2.3 Order and coexistence of Tags
For implementation efficiency, fields with fixed size (TT1) MUST
appear first, when present.
The LS option MAY carry more than one tag of the same type, however,
only the first tag of that type will be used for consistency checks
at the interfaces.
In order to avoid ambiguity, IPv4 compatibility tags MUST NOT be
used with other tags.
draft-belgaied-ipv6-lsopt-00.txt [Page 6]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
3. Functional specification
3.1 Domain of Interpretation
Communicating hosts sharing the same set of security policies and a
common interpretation of security attributes will use a unique value
of the DOI in the labels of the packets they exchange.
The DOI identifies the security domain made of that collection of
hosts.
For example, a label with a classification field TT1=5, may mean
"public information" for a company A. Another company, B, may choose
to assign the "competition-sensitive information" meaning to the
same value, TT1=5. Obviously A and B cannot use TT1=5 to
label packets between them. However, if A and B agree on a common
set of labels and how to interpret them, they have to choose a
unique DOI value, C, that identifies that common understanding.
A and B will have to choose different DOI values for communication
within their respective domains.
A host can be a member of several domains, and use a different DOI
value for communicating with peers in each.
When A and B in the example above use the services of an application
server provided by an outsourcing company, the server can be a
member of the 3 domains, A, B and the C. It will use labels with DOI
A to communicate with A, for instance, and apply the policy
enforcement checks suitable for DOI A, in choosing routes or offering
the appropriate IPSec protection,
The server will use the DOI C for packets addressed to a multicast
group containing both A and B.
3.2 Interface protection table
An implementation that supports the LS option may associate with
each network interface a table that specifies what domains of
interpretations are supported and what are the constraints on the
packets coming through or going out of that interface, for a given
DOI.
An example of such a table would look like:
DOI | Constraints
----------+-----------------------------------
doi1 | TT1: [min-max]
| TT2: <some bit vector V]
| TT3: {item1, ..., itemN}
| TT4: [r11,r12], .... [r1N-r1M]
----------+-----------------------------------
doi2 | TT1: ....
.
.
.
draft-belgaied-ipv6-lsopt-00.txt [Page 7]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
A label is admitted through an interface if it passes the constraints
defined on that interface, for the label's DOI.
If the node does not recognize the DOI of the packet then it MUST
be discarded.
For the predefined tag types, passing the constraint means:
TT1: the tag value is within the range.
TT2: All the bits set in the packet label bit vector MUST be set in
the interface's bit vector.
TT3: All the items enumerated in the label belong to either a TT3 or
a TT4 on the interface.
TT4: All the items in the ranges enumerated in the label belong to
either a TT3 or a TT4 on the interface.
The way of checking the destination-only tags is part of the
agreement between the endpoints.
3.3 Host behavior
The implementation SHOULD use the LS option in a destination
extension header when:
. The security information is relevant to the endpoint only.
. Non trusted entities can access the packet en route, mandating
the use of ESP's [RFC-2406] protection in order to preserve
confidentiality.
. The destination address is a link-local one.
The following is the typical sequence of operations a sending and
receiving host will perform, including the ICMPv6 packets to be
generated [RFC-2463]:
3.3.1 Originating host:
. Choose a route to destination and an outgoing interface that
conforms the security attributes of the packet to be sent.
. If no route was found, locally generate an ICMPv6 error message
with type 1: Destination unreachable, code 1: communication
with destination administratively prohibited.
. Create the LS option from the packet's security attributes,
and add it to the packet in the appropriate extension header.
. Calculate and add the ESP and or the AH [RFC-2402] header as
necessary.
. Send the packet out.
draft-belgaied-ipv6-lsopt-00.txt [Page 8]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
3.3.2 Destination host:
. Authenticate the packet and log an audit record on failure.
. Check if the packet was allowed through the incoming interface
and log an audit record on failure.
If the failure was due to an unrecognized DOI for this
interface then send back an ICMPv6 error message with
type 1 and code 1. If the incoming packet was encrypted, then
the returned ICMPv6 MUST NOT contain any clear portion of the
original packet.
Rationale: The packet was authentic, so the failure is either
due to a subject on the originating host attempting to defy
the security policy, or there is a misconfiguration in the
network. In both cases, the ICMPv6 is useful to the
originating host'administrator to help identify the
violating subject, or to figure out which nodes have the
wrong settings on their interface protection tables.
. Retreive the security attributes from the label and deliver
the packet to the right client.
3.4 Router behavior
One of the design considerations was to suggest a way for routers
to implement the support for the LS option, without requiring that
they understand the meaning of the labels, yet enforce the label
checks necessary for the security policy in a multilevel security
environment.
Routers that do not understand the LS option will simply skip over
it, as mandated by the choice of the LS option type.
A router needs to trust the authenticity and integrity of a
packet before making routing decision based on the content of its
label. This is a strong assumption, however there are situations
when it may apply. Examples include operating in a restricted
environment where there is control on what devices are physically
sharing the network, and on what privileges processes are granted.
Another example is when the router is acting as the secure gateway
that will provide the IPSec protection and possibly add the security
label on behalf of non LS hosts. A multi-site organization
usually has very good control on who accesses what inside
each site, but needs secure gateways to communicate between sites.
A router ([RFC2401] and [DoD87]) may associate with each
interface a set of sensitivity information allowed to or forbidden
from flowing through that interface.
draft-belgaied-ipv6-lsopt-00.txt [Page 9]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
The router MUST perform the accreditation checks described in the
previous section on both the incoming and outgoing interface for all
the site-local packets. When discarding violating packets, the
routers MUST send an ICMPv6 Type 1, code 1 back to the originator
of the packet.
When routing OUT non-site local packets, if the router is acting as
the secure gateway that will add the ESP or AH header, then it MUST
use the explicit label on the packet to:
. Select the right security association to use for the flow to be
protected, in accordance with the security policy.
. perform the incoming interface accreditation checks.
When routing IN non-site local packets, if the router is acting as
the secure gateway at the receiving end of the SA, then it MUST
. Retrieve the explicit label from the packet (after decryption and
authentication)
. forward the packet in using a route and an interface permitted for
the packet.
IPSec authentication failure MUST NOT generate an ICMPv6 back,
however, the implementations SHOULD increment a counter of the
number of such failures, and, optionally, log an audit record.
The router MUST send an ICMPv6 Type 1, code 1 back to the originator
of an authentic packets failing the forwarding accreditation checks,
however, it MUST NOT send any decrypted portion of the original
one.
In all the other cases, routers MUST skip the LS option.
There are three reasons for this recommendation:
. Although it is possible to have enough control inside a site, and
therefore trust the clear header on a packet, it is impossible to
to guarantee that condition across the Internet, without the
router being involved in at least an AH SA.
. Doing anything other than silently skipping the option for alien
packets opens an easy denial of service exposure.
. There is no global registration for the registration for the DOI
values and the way to interpret them, so a router is unlikely
to choose the same interpretation meant by the originator of the
packet.
4. Deployment considerations
4.1 Policy information setting
The mechanism of distributing the security policy constraints on all
the nodes of a site implementing the LS option is beyond the scope
of this memo. However, one way to approach this problem is to use a
mechanism similar to the RSVP [RFC-2205]. Both situation face the
problem of segregating the treatment one flow of information gets.
In one case, it is based on the resources reserved for that flow,
draft-belgaied-ipv6-lsopt-00.txt [Page 10]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
in the other case it is based on its security attributes.
Similarly to what is proposed for RSVP in [RFC-2749], the LS case
may use the framework provided by the Common Open Policy Service
protocol (COPS) [RFC-2748].
A central PDP (Policy Decision Point) node would have knowledge of
the topology of a site and sensitivity associated with each link
in that site (identified by its prefixes, for example), and the
hosts and routers would, acting as PEPs (Policy Enforcement Points),
use the attributes of a link in order to set the protection table on
their interfaces connected to that link.
4.2 IPv4 Security Options Transition
The following are optional guidelines for the existing
implementations that use IPv4 security options and wish to migrate
to IPv6, in the order of preference:
. Use implicit labeling if the amount of security information is
small enough.
. Translate the IPv4 option in order to map to the proposed format.
A separate document specifying the translation of legacy IPv4
option should be proposed.
. Use the DOI=0 dedicated for the IPv4 options compatible mode
only, and use a Tag type 5 to carry the full IPv4 option inside
an LS option. The tag will have the same syntax and semantics
of the IPv4 option, and MUST be interpreted by the supporting nodes
as if it came in an IPv4 packet.
4.3 Key management
During the deployment, the key management traffic MUST NOT introduce
an additional vulnerability to the flows to be protected by SAs
established using that key management. Ideally, the key management
traffic follows the trusted path reserved for information at
the highest sensitivity it will help protect. However, since the SAs
are yet to be established, the labels on the key management packets
are not protected, and not guaranteed any authenticity. Solving this
issue is beyond the scope of this document, but the users should be
aware of its existence.
5. Security Considerations
When deploying this explicit labeling scheme, the authenticity and
the integrity of the labels and the data being labeled MUST be
guaranteed. Unless operating inside a perimeter of trust that
isolates the network, AH must be used, as required by [RFC2401].
The implementations SHOULD make the requirement for
AH when LS option is present as a configurable parameter, leaving
draft-belgaied-ipv6-lsopt-00.txt [Page 11]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
that policy choice to the discretion of the administrator.
The immutability requirement is a potential limitation to the use of
the LS option as an integrity label. When data is handled by an
entity with an integrity label lower than the integrity label of the
data, the data has to be relabeled with the integrity label of the
entity. This limitation can be overcome by the use of ESP when the
inegrity label is in a destination extention header (the case of
link local scope) and the use of both AH and ESP when the label is
in the hop-by-hop header (site or global scope). The confidence that
is placed in encrypted and authentic data is therefore preserved,
eliminating the need for relabeling.
6. IANA Considerations
The value of the LS option type is to be registered and maintained
by IANA.
New reserved DOI values, and new tag types are to be assigned via
IETF Consensus as defined in RFC 2434 [RFC-2434].
7. References
[BL73] Bell, D.E. & LaPadula, L.J., "Secure Computer Systems:
Mathematical Foundations and Model", Technical Report
M74-244, The MITRE Corporation, Bedford, MA, May 1973.
[Bib77] Biba, K. J. "Integrity Considerations for Secure Computer
Systems", MTR-3153, The Mitre Corporation, April 1977.
[CIPSO] National Institute of Standards and Technology, "Standard
Security Label for Information Transfer", Federal
Information Processing Standard Publication 188, 1994
September 6.
[DoD85] US National Computer Security Center, "Department of
Defense Trusted Computer System Evaluation Criteria", DoD
5200.28-STD, US Department of Defense, Ft. Meade, MD.,
December 1985. (aka the Orange Book)
[DoD87] US National Computer Security Center, "Trusted Network
Interpretation of the Trusted Computer System Evaluation
Criteria", NCSC-TG-005, Version 1, US Department of
Defense, Ft. Meade, MD., 31 July 1987. (aka the Red Book)
[LSPP] Information Systems Security Organization. "Labeled
Security Protection Profile". National Security Agency,
Ft. Meade, MD., 8 October 1999.
draft-belgaied-ipv6-lsopt-00.txt [Page 12]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
[RFC-1108] Kent, Stephen. "U.S. Department of Defense Security
Options for the Internet Protocol", RFC 1108, November
1991
[RFC-1457] Housley, Russell. "Security Label Framework for the
Internet", RFC 1457, May 1993.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997.
[RFC-2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S. and
S. Jamin, "Resource ReSerVation Protocol (RSVP) -
Functional Specification", RFC 2205, September 1997.
[RFC-2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998.
[RFC-2401] Kent, S., and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC-2402] Kent, S., and R. Atkinson, "IP Authentication Header",
RFC 2402, November 1998.
[RFC-2406] Kent, S., and R. Atkinson, "IP Encapsulating Security
Payload", RFC 2402, November 1998.
[RFC-2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[RFC-2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC-2463] Conta, A. and S. Deering, "Internet Control Message
Protocol (ICMPv6) for the Internet Protocol Version 6
(IPv6) Specification", RFC 2463, December 1998.
[RFC-2748] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R.
and A. Sastry, "The COPS (Common Open Policy Service)
Protocol", RFC 2748, January 2000.
[RFC-2749] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R.
and A. Sastry, "COPS Usage for RSVP", RFC 2749, January
2000.
draft-belgaied-ipv6-lsopt-00.txt [Page 13]
�
INTERNET-DRAFT Generalized LS Option for IPv6 Feb. 22, 2001
8. Acknowledgments and Authors' Addresses
Many thanks to Erik Nordmark and Dan McDonald for their feedback,
suggestions, and comments that helped writing this draft.
Kais Belgaied
Sun Microsystems, Inc.
901 San Antonio Road
M/S USJC01-201.
Palo Alto, CA 94303, USA
email: kais.belgaied@sun.com
Gary Winiger
Sun Microsystems, Inc.
901 San Antonio Road
M/S USJC01-201.
Palo Alto, CA 94303, USA
email: gary.winiger@sun.com
draft-belgaied-ipv6-lsopt-00.txt [Page 14]
