Some initial questions/comments:
1. security label is defined as opaque data in the draft, but then how would 
narrowing work in an inter-op way with opaque data? Or should we define the 
format for some common use cases (like security enforcement, QoS ...) , and 
adding a sub-type in TS_SECLABEL
2. currently there are TSi (44) and TSr (45) payload, does it make sense to 
include TS_SECLABEL in either TSi or TSr? Is there semantic to have separate 
"initiator SECLABEL" and "responder SECLABEL"? Or does it make more sense to 
only allow single TS_SECLABEL per message/CHILD_SA, and create a new TS payload 
type , put TS_SECLABEL in it ?

> -----Original Message-----
> From: IPsec [] On Behalf Of Paul Wouters
> Sent: Monday, March 05, 2018 7:36 AM
> To: WG <>
> Cc: Sahana Prasad <>
> Subject: [IPsec] Fwd: New Version Notification for draft-sprasad-ipsecme-
> labeled-ipsec-00.txt (fwd)
> Sahana and I wrote the initial draft for Labeled IPsec. I'm not sure why it 
> didn't
> auto-email the list, so links follow below. Please discuss :)
> Paul
> A new version of I-D, draft-sprasad-ipsecme-labeled-ipsec-00.txt
> has been successfully submitted by Sahana Prasad and posted to the IETF
> repository.
> Name:         draft-sprasad-ipsecme-labeled-ipsec
> Revision:     00
> Title:                Labeled IPsec Traffic Selector support for IKEv2
> Document date:        2018-03-04
> Group:                Individual Submission
> Pages:                6
> URL:  
> labeled-ipsec-00.txt
> Status:         
> ipsec/
> Htmlized:
> ipsec-00
> Htmlized:
> labeled-ipsec-00
> Abstract:
>     Some IPsec implementations support Security Labels otherwise known as
>     Security Contexts, to be configured as a selector within the Security
>     Policy Database (SPD) for IPsec SAs.  This document adds support to
>     IKEv2 to negotiate these Security Labels or Contexts using a new
>     Traffic Selector (TS) Type TS_SECLABEL.  The approach is named
>     "Labeled IPsec".  It assumes that the SPD processing of RFC 4303 is
>     already extended to support Security Labels.  This document only adds
>     the ability for IKE to negotiate the Security Labels used with the
>     SPD.
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> The IETF Secretariat
> _______________________________________________
> IPsec mailing list
IPsec mailing list

Reply via email to