Network Working Group                                          S. Kent
Request for Comments: 1108                          BBN Communications
Obsoletes: RFC 1038                                      November 1991

                      U.S. Department of Defense
              Security Options for the Internet Protocol
Status of this Memo
This RFC specifies an IAB standards track protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "IAB Official Protocol
Standards" for the standardization state and status of this protocol.
Distribution of this memo is unlimited.
Abstract
This RFC specifies the U.S. Department of Defense Basic Security
Option and the top-level description of the Extended Security Option
for use with the Internet Protocol. This RFC obsoletes RFC 1038
"Revised IP Security Option", dated January 1988.
1. DoD Security Options Defined
The following two internet protocol options are defined for use on
Department of Defense (DoD) common user data networks:
CF  CLASS  #  TYPE  LENGTH  DESCRIPTION
1   0      2  130   var.    DoD Basic Security: Used to carry the
                            classification level and protection
                            authority flags.
1   0      5  133   var.    DoD Extended Security: Used to carry
                            additional security information as
                            required by registered authorities.
CF = Copy on Fragmentation
2. DoD Basic Security Option
This option identifies the U.S. classification level at which the
datagram is to be protected and the authorities whose protection
rules apply to each datagram.
Kent [Page 1]
RFC 1108 U.S. DOD Security Option November 1991
This option is used by end systems and intermediate systems of an
internet to:
a. Transmit from source to destination in a network standard
representation the common security labels required by computer
security models,
b. Validate the datagram as appropriate for transmission from
the source and delivery to the destination,
c. Ensure that the route taken by the datagram is protected to
the level required by all protection authorities indicated on
the datagram. In order to provide this facility in a general
Internet environment, interior and exterior gateway protocols
must be augmented to include security label information in
support of routing control.
The DoD Basic Security option must be copied on fragmentation. This
option appears at most once in a datagram. Some security systems
require this to be the first option if more than one option is
carried in the IP header, but this is not a generic requirement
levied by this specification.
The format of the DoD Basic Security option is as follows:
+------------+------------+------------+-------------//----------+
|  10000010  |  XXXXXXXX  |  SSSSSSSS  |  AAAAAAA1   AAAAAAA0   |
|            |            |            |         [0]            |
+------------+------------+------------+-------------//----------+
  TYPE = 130     LENGTH   CLASSIFICATION         PROTECTION
                               LEVEL              AUTHORITY
                                                    FLAGS

           FIGURE 1. DoD BASIC SECURITY OPTION FORMAT
2.1. Type
The value 130 identifies this as the DoD Basic Security Option.
2.2. Length
The length of the option is variable. The minimum length of the
option is 3 octets, including the Type and Length fields (the
Protection Authority field may be absent). A length indication of
less than 3 octets should result in error processing as described in
Section 2.8.1.
2.3. Classification Level
Field Length: One Octet
This field specifies the (U.S.) classification level at which the
datagram must be protected. The information in the datagram must be
protected at this level. The field is encoded as shown in Table 1
and the order of values in this table defines the ordering for
comparison purposes. The bit string values in this table were chosen
to achieve a minimum Hamming distance of four (4) between any two
valid values. This specific assignment of classification level names
to values has been defined for compatibility with security devices
which have already been developed and deployed.
"Reserved" values in the table must be treated as invalid until such
time as they are assigned to named classification levels in a successor
to this document. A datagram containing a value for this field which
is either not in this table or which is listed as "reserved" is in
error and must be processed according to the "out-of-range"
procedures defined in section 2.8.1.
A classification level value from the Basic Security Option in a
datagram may be checked for equality against any of the (assigned)
values in Table 1 by performing a simple bit string comparison.
However, because of the sparseness of the classification level
encodings, range checks involving a value from this field must not be
performed based solely on arithmetic comparisons (as such
comparisons would encompass invalid and/or unassigned values within
the range). The details of how ordered comparisons are performed for
this field within a system are a local matter, subject to the
requirements set forth in this paragraph.
Table 1. Classification Level Encodings
Value Name
00000001 - (Reserved 4)
00111101 - Top Secret
01011010 - Secret
10010110 - Confidential
01100110 - (Reserved 3)
11001100 - (Reserved 2)
10101011 - Unclassified
11110001 - (Reserved 1)
2.4. Protection Authority Flags
Field Length: Variable
This field identifies the National Access Programs or Special Access
Programs which specify protection rules for transmission and
processing of the information contained in the datagram. Note that
protection authority flags do NOT represent accreditation
authorities, though the semantics are superficially similar. In
order to maintain architectural consistency and interoperability
throughout DoD common user data networks, users of these networks
should submit requirements for additional Protection Authority Flags
to DISA DISDB, Washington, D.C. 20305-2000, for review and approval.
Such review and approval should be sought prior to design,
development or deployment of any system which would make use of
additional facilities based on assignment of new protection authority
flags. As additional flags are approved and assigned, they will be
published, along with the values defined above, in the Assigned
Numbers RFC edited by the Internet Assigned Numbers Authority (IANA).
a. Field Length: This field is variable in length. The low-order
bit (Bit 7) of each octet is encoded as "0" if it is the
final octet in the field or as "1" if there are additional
octets. Initially, only one octet is required for this field
(because there are fewer than seven authorities defined), thus
the final bit of the first octet is encoded as "0". However,
minimally compliant implementations must be capable of
processing a protection authority field consisting of at least 2
octets (representing up to 14 protection authorities).
Implementations existing prior to the issuance of this RFC, and
which process fewer protection authority flags than specified here,
will be considered minimally compliant so long as such
implementations process the flags in accordance with the RFC.
This field must be a minimally encoded representation, i.e., no
trailing all-zero octets should be emitted. If the length of
this field as indicated by this extensible encoding is not
consistent with the length field for the option, the datagram is
in error and the procedure described in Section 2.8.1 must be
followed. (Figure 2 illustrates the relative significance of
the bits within an octet).
              0   1   2   3   4   5   6   7
            +---+---+---+---+---+---+---+---+
 High-order |   |   |   |   |   |   |   |   | Low-order
            +---+---+---+---+---+---+---+---+

              Figure 2. Significance of Bits
b. Source Flags: The first seven bits (Bits 0 through 6) in
each octet are flags. Each flag is associated with an
authority. Protection Authority flags currently assigned are
indicated in Table 2. The bit corresponding to an authority is
"1" if the datagram is to be protected in accordance with the
rules of that authority. More than one flag may be present in a
single instance of this option if the data contained in the
datagram should be protected according to rules established by
multiple authorities. Table 3 identifies a point of contact for
each of the authorities listed in Table 2. No "unassigned" bits
in this or other octets in the Protection Authority Field shall
be considered valid Protection Authority flags until such time
as such bits are assigned and the assignments are published in
the Assigned Numbers RFC. Thus a datagram containing flags for
unassigned bits in this field for this option is in error and
must be processed according to the "out-of-range" procedures
defined in section 2.8.1.
Two protection authority flag fields can be compared for
equality (=) via simple bit string matching. No relative
ordering between two protection authority flag fields is
defined. Because these flags represent protection authorities,
security models such as Bell-LaPadula do not apply to
interpretation of this field. However, the symbol "=<" refers
to set inclusion when comparing a protection authority flag
field to a set of such fields. Means for effecting these tests
within a system are a local matter, subject to the requirements
set forth in this paragraph.
Table 2 - Protection Authority Bit Assignments

BIT
NUMBER   AUTHORITY
0        GENSER
1        SIOP-ESI
2        SCI
3        NSA
4        DOE
5, 6     Unassigned
7        Field Termination Indicator
Table 3 - Protection Authority Points of Contact

AUTHORITY   POINT OF CONTACT
GENSER      Designated Approving Authority
            per DOD 5200.28

SIOP-ESI    Department of Defense
            Organization of the
            Joint Chiefs of Staff
            Attn: J6
            Washington, DC 20318-6000

SCI         Director of Central Intelligence
            Attn: Chairman, Information
            Handling Committee, Intelligence
            Community Staff
            Washington, D.C. 20505

NSA         National Security Agency
            9800 Savage Road
            Attn: T03
            Ft. Meade, MD 20755-6000

DOE         Department of Energy
            Attn: DP343.2
            Washington, DC 20545
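The rules of Sections 2.2 through 2.4 combined into one validating parser, as an added example that is not part of RFC 1108: it enforces the minimum Length, matches the Classification Level by exact bit string rather than arithmetic range, decodes the extensible Protection Authority field with its termination bit, and sends unassigned flag bits, non-minimal encodings and a field extent that disagrees with Length to the Section 2.8.1 error path. The constant names, the OutOfRange exception and the strict reading that an empty flag set is encoded by omitting the field are this example's own assumptions.

```python
# Added example, not RFC 1108 text: a validating parser for the Basic Security
# Option of Sections 2.2 to 2.4; the names below are this example's own.
from dataclasses import dataclass

BSO_TYPE = 130
# Table 1 assigned values; rank is the comparison order (higher is more
# restrictive), which is NOT the arithmetic order of the bit strings.
CLASSIFICATION = {0b00111101: ("Top Secret", 3), 0b01011010: ("Secret", 2),
                  0b10010110: ("Confidential", 1), 0b10101011: ("Unclassified", 0)}
# Table 2: bit 0 is the high-order bit of each octet, bit 7 the terminator.
AUTHORITY = {0: "GENSER", 1: "SIOP-ESI", 2: "SCI", 3: "NSA", 4: "DOE"}

class OutOfRange(ValueError):
    """The datagram is in error and goes to the Section 2.8.1 procedures."""
@dataclass(frozen=True)
class BasicSecurityOption:
    level: str
    rank: int
    authorities: frozenset

def parse_bso(option: bytes) -> BasicSecurityOption:
    """Parse the option octets, Type through the last flag octet."""
    if len(option) < 3 or option[0] != BSO_TYPE or option[1] != len(option):
        raise OutOfRange("bad type or length")
    if option[2] not in CLASSIFICATION:  # exact bit-string match, never a range
        raise OutOfRange("reserved or unassigned classification level")
    name, rank = CLASSIFICATION[option[2]]
    flags, found = option[3:], set()
    for i, octet in enumerate(flags):
        last = i == len(flags) - 1
        if bool(octet & 0x01) == last:  # terminator bit clear only on last octet
            raise OutOfRange("flag field extent disagrees with option Length")
        if last and octet == 0:  # minimal encoding: an empty field is omitted
            raise OutOfRange("trailing all-zero protection authority octet")
        for bit in range(7):
            if octet & (0x80 >> bit):
                if 7 * i + bit not in AUTHORITY:
                    raise OutOfRange("unassigned protection authority bit")
                found.add(AUTHORITY[7 * i + bit])
    return BasicSecurityOption(name, rank, frozenset(found))

def dominates(a: BasicSecurityOption, b: BasicSecurityOption) -> bool:
    """Level order from Table 1 plus set inclusion (=<) of authority flags."""
    return a.rank >= b.rank and b.authorities <= a.authorities

def rejected(option: bytes) -> bool:
    """True when parse_bso routes the datagram to error processing."""
    try:
        parse_bso(option)
        return False
    except OutOfRange:
        return True
```

Note that Unclassified (10101011) is arithmetically larger than Top Secret (00111101), which is exactly why the rank table, not the octet value, drives `dominates`.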
2.5. System Security Configuration Parameters
Use of the Basic Security Option (BSO) by an end or intermediate
system requires that the system configuration include the parameters
described below. These parameters are critical to secure processing