rfc1038.txt

RFC 的详细文档！

Network Working Group                                       M. St. Johns
Request for Comments: 1038                                          IETF
                                                            January 1988


                    Draft Revised IP Security Option


Status of this Memo

   This RFC is a pre-publication draft of the revised Internet Protocol
   Security Option.  This draft reflects the version as approved by
   the Protocol Standards Steering Group.  It is provided for
   informational purposes only.  The final version of this document will
   be available from Navy Publications and should not differ from
   this document in any major fashion.

   This document will be published as a change to the MIL-STD 1777,
   "Internet Protocol".  Distribution of this memo is unlimited.

9.3.13.1 Internet Options Defined.

   The following internet options are defined:

        CLASS NUMBER LENGTH DESCRIPTION
        _____ ______ ______ ___________

        0      00000   -    End of Option list:  This option occupies
                            only 1 octet; it has no length octet.
        0      00001   -    No Operation:  This option occupies only 1
                            octet; it has no length octet.
        0      00010   var. Basic Security:  Used to carry security
                            level and accrediting authority flags.
        0      00011   var. Loose Source Routing:  Used to route the
                            datagram based on information supplied by
                            the source.
        0      00101   var. Extended Security:  Used to carry additional
                            security information as required by
                            registered authorities.
        0      01001   var. Strict Source Routing:  Used to route the
                            datagram based on information supplied by
                            the source.
        0      00111   var. Record Route:  Used to trace the route a
                            datagram takes.
        0      01000    4   Stream ID:  Used to carry the stream
                            identifier.
        2      00100   var. Internet Timestamp:  Used to accumulate
                            timing information in transit.



St. Johns                                                       [Page 1]

RFC 1038            Draft Revised IP Security Option        January 1988


9.3.15.3  DoD Basic Security.

     Option type:  130      Option length: variable; minimum length:  4

   The option identifies the U.S. security level to which the datagram
   is to be protected, and the accrediting authorities whose protection
   rules apply to each datagram.

   The option is used by accredited trusted components of an internet
   to:

     a.  Validate the datagram as appropriate for transmission from the
         source.

     b.  Guarantee that the route taken by the datagram (including the
         destination) is protected to the level required by all
         indicated accrediting authorities.

     c.  Supply common label information required by computer security
         models.

     This option must be copied on fragmentation.  This option appears
     at most once in a datagram.

   The format of this option is as follows:


   +--------------+-----------+-------------+-------------//----------+
   |  10000010    |  XXXXXXXX | SSSSSSSS    |  AAAAAAA[1]    AAAAAAA0 |
   |              |           |             |         [0]             |
   +--------------+-----------+-------------+-------------//----------+
      TYPE = 130   LENGTH      CLASSIFICATION      PROTECTION
                   VARIABLE      PROTECTION         AUTHORITY
                                   LEVEL              FLAGS

                   FIGURE 10-A.  SECURITY OPTION FORMAT

9.3.15.3.1  Length.

   The length of the option is variable.  The minimum length option is
   4.

9.3.15.3.2  Classification Protection Level.

   This field specifies the U.S. classification level to which the
   datagram should be protected.  The information in the datagram should
   be assumed to be at this level until and unless it is regraded in
   accordance with the procedures of all indicated protecting



St. Johns                                                       [Page 2]

RFC 1038            Draft Revised IP Security Option        January 1988


   authorities.  This field specifies one of the four U.S.
   classification levels, and is encoded as follows:

                 11011110   -   Top Secret
                 10101101   -   Secret
                 01111010   -   Confidential
                 01010101   -   Unclassified

9.3.15.3.3  Protection Authorities Flags.

   This field indicates the National Access Program(s) with accrediting
   authority whose rules apply to the protection of the datagram.

      a.  Field Length:  This field is variable in length.  The low-
      order bit (Bit 7) of each octet is encoded as "zero" if it is the
      final octet in the field, or as "one" if there are additional
      octets.  Currently, only one octet is needed for this field
      (because there are less than seven authorities), and the final bit
      of the first octet is coded as "zero".

      b.  Source Flags:  The first seven bits (Bits 0 through 6) in each
      octet are source flags which are each associated with an authority
      as indicated below.  The bit corresponding to an authority is
      "one" if the datagram is to be protected in accordance with the
      rules of that authority.

9.3.15.3.4  Usage Rules.

   Use of the option requires that a host be aware of 1) the
   classification level, or levels, at which it is permitted to operate,
   and 2) the protection authorities responsible for its certification.
   The achievement of this is implementation dependent.  Rules for use
   of the option for different types of hosts are given below.

9.3.15.3.4.1  Unclassified Hosts, including gateways.

      a.  Output:  Unclassified hosts may either use or not use the
      option.  If it is used, classification level must be unclassified,
      bit 0 of the accreditation field (GENSER) must be one, and all
      other bits of the accreditation field must be 0.  While use of the
      option is permitted, it is recommended that unclassified hosts
      interested in maximizing interoperability with existing non-
      compliant implementations not use the option.

      b.  Input:  Unclassified hosts should accept for further
      processing IP datagrams without the option.  If the option is
      present on an incoming IP datagram, then the datagram is accepted
      for further processing only if the classification level is



St. Johns                                                       [Page 3]

RFC 1038            Draft Revised IP Security Option        January 1988


      unclassified, bit 0 of the accreditation field (GENSER) is one,
      and all other bits of the accreditation field are zero.
      Otherwise, the out-of-range procedure is followed.

9.3.15.3.4.2  Hosts accredited in the Dedicated, System-High, or
Compartmented Modes at a classification level higher than unclassified.

      a.  Output.  The use of the option is mandatory.  The
      classification level should be the dedicated level for dedicated
      hosts and the system-high level for system-high and compartmented
      hosts.  The accrediting authority flags should be one for all
      authorities which have accredited the hosts, and zero for all
      other authorities.

      b.  Input.  If 1) the option is present, 2) the classification
      level matches the host classification level, and 3) the
      accrediting authority flags for all accrediting authorities of the
      receiving host are one, and all others are zero, the IP datagram
      should be accepted for further processing.  Otherwise, the out-
      of-range procedure is followed.

9.3.15.3.4.3  Hosts accredited in the Multi-Level or Controlled Mode for
network transmission.