rfc1108.txt

<VC++网络游戏建摸与实现>源代码

   of the BSO, and thus must be protected from unauthorized
   modification.  Note that compliant implementations must allow a
   minimum of 14 distinct Protection Authority flags (consistent with
   the Protection Authority field size defined in Section 2.4) to be set
   independently in any parameter involving Protection Authority flag
   fields.

        a. SYSTEM-LEVEL-MAX: This parameter specifies the highest
        Classification Level (see Table 1) which may be present in the
        classification level field of the Basic Security Option in any
        datagram transmitted or received by the system.

        b. SYSTEM-LEVEL-MIN: This parameter specifies the lowest
        Classification Level (see Table 1) which may be present in the
        classification level field of the Basic Security Option in any



Kent                                                            [Page 6]

RFC 1108                U.S. DOD Security Option           November 1991


        datagram transmitted by the system.

        c. SYSTEM-AUTHORITY-IN:  This parameter is a set, each member of
        which is a Protection Authority flag field.  The set enumerates
        all of the Protection Authority flag fields which may be present
        in the Protection Authority field of the Basic Security Option
        in any datagram received by this system.  A compliant
        implementation must be capable of representing at least 256
        distinct Protection Authority flag fields (each field must be
        capable of representing 14 distinct Protection Authority flags)
        in this set.  Each element of the enumerated set may be a
        combination of multiple protection authority flags.

        Set elements representing multiple Protection Authorities are
        formed by ORing together the flags that represent each
        authority.  Thus, for example, a set  element representing
        datagrams to be protected according to NSA and SCI rules might
        be represented as "00110000" while an element representing
        protection mandated by NSA, DOE and SIOP-ESI might be
        represented as "01011000".  (These examples illustrate 8-bit set
        elements apropos the minimal encodings for currently defined
        Protection Authority flags.  If additional flags are defined
        beyond the first byte of the Protection Authority Field, longer
        encodings for set elements may be required.)

        It is essential that implementations of the Internet Protocol
        Basic Security Option provide a convenient and compact way for
        system security managers to express which combinations of flags
        are allowed.  The details of such an interface are outside the
        scope of this RFC, however, enumeration of bit patterns is NOT a
        recommended interface.  As an alternative, one might consider a
        notation of the form COMB(GENSER,NSA,SCI)+COMB(SIOP-ESI,NSA,SCI)
        in which "COMB" means ANY combination of the flags referenced as
        parameters of the COMB function are allowed and "+" means "or".

        d. SYSTEM-AUTHORITY-OUT:  This parameter is a set, each member
        of which is a Protection Authority flag field.  The set
        enumerates all of the Protection Authority flag fields which may
        be present in the Protection Authority field of the Basic
        Security Option in any datagram transmitted by this system.  A
        compliant implementation must be capable of representing at
        least 256 distinct Protection Authority flag fields in this set.
        Explicit enumeration of all authorized Protection Authority
        field flags permits great flexibility, and in particular does
        not impose set inclusion restrictions on this parameter.

   The following configuration parameters are defined for each network
   port present on the system.  The term "port" is used here to refer



Kent                                                            [Page 7]

RFC 1108                U.S. DOD Security Option           November 1991


   either to a physical device interface (which may represent multiple
   IP addresses) or to a single IP address (which may be served via
   multiple physical interfaces).  In general the former interpretation
   will apply and is consistent with the Trusted Network Interpretation
   of the Trusted Computer Systems Evaluation Criteria (TNI) concept of
   a "communications channel" or "I/O device."  However, the latter
   interpretation also may be valid depending on local system security
   capabilities.  Note that some combinations of port parameter values
   are appropriate only if the port is "single level," i.e., all data
   transmitted or received via the port is accurately characterized by
   exactly one Classification Level and Protection Authority Flag field.

        e. PORT-LEVEL-MAX: This parameter specifies the highest
        Classification Level (see Table 1) which may be present in the
        classification level field of the Basic Security Option in any
        datagram transmitted or received by the system via this network
        port.

        f. PORT-LEVEL-MIN: This parameter specifies the lowest
        Classification Level (see Table 1) which may be present in the
        classification level field of the Basic Security Option in any
        datagram transmitted by the system via this network port.

        g. PORT-AUTHORITY-IN:  This parameter is a set each member of
        which is a Protection Authority flag field.  The set enumerates
        all of the Protection Authority flag fields which may be present
        in the Protection Authority field of the Basic Security Option
        in any datagram received via this port.  A compliant
        implementation must be capable of representing at least 256
        distinct Protection Authority flag fields in this set.

        h. PORT-AUTHORITY-OUT:  This parameter is a set each member of
        which is a Protection Authority flag field.  The set enumerates
        all of the Protection Authority flag fields which may be present
        in the Protection Authority field of the Basic Security Option
        in any datagram transmitted via this port.  A compliant
        implementation must be capable of representing at least 256
        distinct Protection Authority flag fields in this set.

        i. PORT-AUTHORITY-ERROR:  This parameter is a single Protection
        Authority flag field assigned to transmitted ICMP error messages
        (see Section 2.8).  The PORT-AUTHORITY-ERROR value is selected
        from the set of values which constitute PORT-AUTHORITY-OUT.
        Means for selecting the PORT-AUTHORITY-ERROR value within a
        system are a local matter subject to local security policies.

        j. PORT-IMPLICIT-LABEL:  This parameter specifies a single
        Classification Level and a Protection Authority flag field



Kent                                                            [Page 8]

RFC 1108                U.S. DOD Security Option           November 1991


        (which may be null) to be associated with all unlabelled
        datagrams received via the port.  This parameter is meaningful
        only if PORT-BSO-REQUIRED-RECEIVE = FALSE, otherwise receipt of
        an unlabelled datagram results in an error response.

        k. PORT-BSO-REQUIRED-RECEIVE:  This parameter is a boolean which
        indicates whether all datagrams received via this network port
        must contain a Basic Security Option.

        l. PORT-BSO-REQUIRED-TRANSMIT:  This parameter is a boolean
        which indicates whether all datagrams transmitted via this
        network port must contain a Basic Security Option.   If this
        parameter is set to FALSE, then PORT-BSO-REQUIRED-RECEIVE should
        also be set to FALSE (to avoid communication failures resulting
        from asymmetric labelling constraints).

   In every intermediate or end system, the following relationship must
   hold for these parameters for all network interfaces.  The symbol
   ">=" is interpreted relative to the linear ordering defined for
   security levels specified in Section 2.3 for the "LEVEL" parameters,
   and as set inclusion for the "AUTHORITY" parameters.

           SYSTEM-LEVEL-MAX >= PORT-LEVEL-MAX >=
                   PORT-LEVEL-MIN >= SYSTEM-LEVEL-MIN

           SYSTEM-AUTHORITY-IN >= PORT-AUTHORITY-IN
                            and
           SYSTEM-AUTHORITY-OUT >= PORT-AUTHORITY-OUT

2.6.  Configuration Considerations

   Systems which do not maintain separation for different security
   classification levels of data should have only trivial ranges for the
   LEVEL parameters, i.e., SYSTEM-LEVEL-MAX = PORT-LEVEL-MAX = PORT-
   LEVEL-MIN = SYSTEM-LEVEL-MIN.

   Systems which do maintain separation for different security
   classification levels of data may have non-trivial ranges for the
   LEVEL parameters, e.g., SYSTEM-LEVEL-MAX >= PORT-LEVEL-MAX >= PORT-
   LEVEL-MIN >= SYSTEM-LEVEL-MIN.

2.7.  Processing the Basic Security Option

   For systems implementing the Basic Security Option, the parameters
   PORT-BSO-REQUIRED-TRANSMIT and PORT-BSO-REQUIRED-RECEIVE are used to
   specify the local security policy with regard to requiring the
   presence of this option on transmitted and received datagrams,
   respectively, on a per-port basis.  Each datagram transmitted or



Kent                                                            [Page 9]

RFC 1108                U.S. DOD Security Option           November 1991


   received by the system must be processed in accordance with the per-
   port and system-wide security parameters configured for the system.

   Systems which process only Unclassified data may or may not be
   configured to generate the BSO on transmitted datagrams.  Such
   systems also may or may not require a BSO to be present on received
   datagrams.  However, all systems must be capable of accepting
   datagrams containing this option, irrespective of whether the option
   is processed or not.

   In general, systems which process classified data must generate this
   option for transmitted datagrams.  The only exception to this rule
   arises in (dedicated or system high [DoD 5200.28]) networks where
   traffic may be implicitly labelled rather than requiring each
   attached system to generate explicit labels.  If the local security
   policy permits receipt of datagrams without the option, each such
   datagram is presumed to be implicitly labelled based on the port via
   which the datagram is received.  A per-port parameter (PORT-
   IMPLICIT-LABEL) specifies the label to be associated with such
   datagrams upon receipt.  Note that a datagram transmitted in response
   to receipt of an implicitly labelled datagram, may, based on local
   policy, require an explicit Basic Security Option.

2.7.1.  Handling Unclassified Datagrams

   If an unmarked datagram is received via a network port for which
   PORT-BSO-REQUIRED = FALSE and PORT-IMPLICIT-LABEL = UNCLASSIFIED (NO
   FLAGS), the datagram shall be processed as though no Protection
   Authority Flags were set.  Thus there are two distinct, valid
   representations for Unclassified datagrams to which no Protection
   Authority rules apply (an unmarked datagram as described here and a
   datagram containing an explicit BSO with Classification Level set to
   Unclassified and with no Protection Authority flags set).  Note that
   a datagram also may contain a Basic Security Option in which the
   Classification Level is Unclassified and one or more Protection
   Authority Field Flags are set.  Such datagrams are explicitly
   distinct from the equivalence class noted above (datagrams marked
   Unclassified with no Protection Authority field flags set and
   datagrams not containing a Basic Security Option).

2.7.2.  Input Processing

   Upon receipt of any datagram a system compliant with this RFC must
   perform the following actions.  First, if PORT-BSO-REQUIRED-RECEIVE =
   TRUE for this port, then any received datagram must contain a Basic
   Security Option and a missing BSO results in an ICMP error response
   as specified in Section 2.8.1.  A received datagram which contains a
   Basic Security Option must be processed as described below.  This



Kent                                                           [Page 10]

RFC 1108                U.S. DOD Security Option           November 1991


   algorithm assumes that the IP header checksum has already been
   verified and that, in the course of processing IP options, this
   option has been encountered.  The value of the Classification Level
   field from the option will be designated "DG-LEVEL" and the value of
   the Protection Authority Flags field will be designated "DG-
   AUTHORITY."

   Step 1. Check that DG-LEVEL is a valid security classification level,
           i.e., it must be one of the (non-reserved) values from Table
           1.  If this test fails execute the out-of-range procedure in
           Section 2.8.1.

   Step 2. Check that PORT-LEVEL-MAX >= DG-LEVEL.  If this test fails,
           execute out-of-range procedure specified in Section 2.8.2.

   Step 3. Check that DG-AUTHORITY =< PORT-AUTHORITY-IN.  If this test
           fails, execute out-of-range procedure specified in Section
           2.8.2.

2.7.3.  Output Processing

   Any system which implements the Basic Security Option must adhere to
   a fundamental rule with regard to transmission of datagrams, i.e., no
   datagram shall be transmitted with a Basic Security Option the value
   of which is outside of the range for which the system is configured.
   Thus for every datagram transmitted by a system the following must
   hold: PORT-LEVEL-MAX >= DG-LEVEL >= PORT-LEVEL-MIN and DG-AUTHORITY
   =< PORT-AUTHORITY-OUT.  It is a local matter as to what procedures
   are followed by a system which detects at attempt to transmit a
   datagram for which these relationships do not hold.

   If a port is configured to allow both labelled and unlabelled
   datagrams (PORT-BSO-REQUIRED-TRANSMIT = FALSE) to be transmitted, the
   question arises as to whether a label should be affixed.  In
   recognition of the lack of widespread implementation or use of this
   option, especially in unclassified networks, this RFC recommends that
   the default be transmission of unlabelled datagrams.  If the
   destination requires all datagrams to be labelled on input, then it
   will respond with an ICMP error message (see Section 2.8.1) and the
   originator can respond by labelling successive packets transmitted to
   this destination.

   To support this mode of operation, a system which allows transmission
   of both labelled and unlabelled datagrams must maintain state
   information (a cache) so that the system can associate the use of
   labels with specific destinations, e.g., in response to receipt of an
   ICMP error message as specified in Section 2.8.1.  This requirement
   for maintaining a per-destination cache is very much analogous to



Kent                                                           [Page 11]

RFC 1108                U.S. DOD Security Option           November 1991


   that imposed for processing the IP source route option or for
   maintaining first hop routing information (RFC 1122).  This RFC does
   not specify which protocol module must maintain the per-destination
   cache (e.g., IP vs.  TCP or UDP) but security engineering constraints
   may dictate an IP implementation in trusted systems.  This RFC also
   does not specify a cache maintenance algorithm, though use of a timer
   and activity flag may be appropriate.

2.8.  Error Procedures

   Datagrams received with errors in the Basic Security Option or which
   are out of range for the network port via which they are received,
   should not be delivered to user processes.  Local policy will specify
   whether logging and/or notification of a system security officer is
   required in response to receipt of such datagrams.  The following are
   the least restrictive actions permitted by this protocol.  Individual