rfc1038.txt

From the collection: complete package of Chinese and English RFC documents (TXT)
RFC 1038            Draft Revised IP Security Option        January 1988

      a.  Output.  The use of the option is mandatory.  The
      classification level of an IP datagram should be within the range
      of levels for which the host is accredited.  The protection
      authorities flags should be one for all authorities under whose
      rules the datagram should be protected.

      b.  Input.  In the specific case where a multi-level or controlled
      host is accredited to directly interface with an unclassified
      environment, the host may accept IP datagrams without a basic
      security option.  Such datagrams should be assumed to be
      implicitly labelled unclassified, GENSER, and should be so
      labelled explicitly if they are later output.  In all other cases,
      the IP datagrams should have the basic security option on input,
      and the out-of-range procedure should be followed if it is not.

   There are two cases to be considered where the option is present.
   The first case is where the system environment permits the values in
   the option to be trusted to be correct for some range of values; the
   second is where the values cannot be trusted to be correct.  For each
   multi-level or controlled host, every input channel for IP datagrams
   must be considered and classed appropriately.  If a channel does have
   a trusted range, then the values of both the classification level and
   the protection authorities are checked to insure that they fall
   within that range and the range of accredited values for the
   receiving host.  If within both ranges, the IP datagram is accepted
   for further processing; otherwise the out-of-range procedure is
   followed.  If the label cannot be trusted, then the receiving host
   must possess some accredited means of knowing what the correct
   marking should be (e.g., a trusted channel to a system-high host at a
   known level).  On receipt of an IP datagram, the host compares the
   actual values in the option to the correct values.  If the values
   match, the datagram is accepted for further processing; otherwise,
   the out-of-range procedure is followed.

St. Johns                                                       [Page 4]

9.3.15.3.4.4  Out-Of-Range Procedure.

   If an IP datagram is received which does not meet the input
   requirements, then:

      a)  The data field should be overwritten with ones.

      b)  If the problem is a missing required Basic or Extended security
      option, an ICMP "parameter problem" message is sent to the
      originating host with the code field set to 1 (one) to indicate
      "missing required option" and the pointer field set to the option
      type of the missing option.  Otherwise, an ICMP "parameter
      problem" message is sent to the originating host with code field
      set to 0 (zero) and with the pointer field pointing to the
      position of the out-of-range security option.

      c)  If the receiving host has an interface to a local security
      officer or equivalent, the problem should be identified across
      that interface in an appropriate way.

9.3.15.3.4.5  Trusted Intermediary Procedure.

   Certain devices in the internet may act as intermediaries to validate
   that communications between two hosts are authorized, based on a
   combination of knowledge of the hosts and the values in the IP
   security option.  These devices may receive IP datagrams which are in
   range for the intermediate device, but are either not within the
   acceptable range for the sender, or for the ultimate receiver.  In
   the former case, the datagram should be treated as described above
   for an out-of-range option.  In the latter case, a "destination
   unreachable" ICMP message should be sent, with the code value of 10
   (ten), indicating "Communication with Destination Host
   Administratively Prohibited".
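The input rule, the out-of-range procedure and the trusted-intermediary decision above, written out as an added Python example; this is not code from RFC 1038 or from any implementation of it. It assumes things the page does not define: classification levels are ordered small integers, protection authorities are a bitmask using the bit numbers the authority table on this page lists, the Basic Security Option's type octet is 130 and the option sits 20 octets into the datagram, and the ICMP replies are returned as dictionaries rather than encoded on the wire.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Assumed encodings for this example (not defined on this page): ordered
# integer classification levels and a protection-authority bitmask that
# reuses the bit numbers from the authority table in this document.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3
GENSER, SIOP, DSCCS_SPINTCOM, DSCCS_CRITICOM = 1 << 0, 1 << 1, 1 << 2, 1 << 3

BASIC_SECURITY_OPTION_TYPE = 130      # assumed; the Basic option is not shown here
EXTENDED_SECURITY_OPTION_TYPE = 133   # from 9.3.15.4; pass it when that option is the required one

# ICMP messages named by the procedure (type numbers from the ICMP assignments).
ICMP_PARAMETER_PROBLEM = 12
ICMP_DEST_UNREACHABLE = 3
CODE_POINTER_INDICATES_ERROR = 0
CODE_MISSING_REQUIRED_OPTION = 1
CODE_HOST_ADMIN_PROHIBITED = 10


@dataclass(frozen=True)
class Label:
    level: int
    authorities: int       # bitmask of protection authority flags


@dataclass(frozen=True)
class Range:
    """An accredited range: a span of levels plus the authorities allowed."""
    min_level: int
    max_level: int
    authorities: int

    def contains(self, label: Label) -> bool:
        # Every authority flagged in the label must be one the range is accredited for.
        return (self.min_level <= label.level <= self.max_level
                and label.authorities & ~self.authorities == 0)


@dataclass(frozen=True)
class Channel:
    """How one input channel was classed: a trusted range, accredited knowledge
    of the correct label, or a direct interface to an unclassified environment."""
    trusted_range: Optional[Range] = None
    known_label: Optional[Label] = None
    unclassified_interface: bool = False


@dataclass
class Datagram:
    data: bytes
    label: Optional[Label]       # None when no Basic Security Option is present
    option_offset: int = 20      # assumed: option starts right after the fixed header


def out_of_range(dgram: Datagram, missing_type: Optional[int] = None) -> dict:
    """9.3.15.3.4.4: overwrite the data field with ones and build the ICMP
    parameter problem reply; the flag tells the caller to notify the security officer."""
    dgram.data = b"\xff" * len(dgram.data)
    if missing_type is not None:
        return {"type": ICMP_PARAMETER_PROBLEM, "code": CODE_MISSING_REQUIRED_OPTION,
                "pointer": missing_type, "report_to_security_officer": True}
    return {"type": ICMP_PARAMETER_PROBLEM, "code": CODE_POINTER_INDICATES_ERROR,
            "pointer": dgram.option_offset, "report_to_security_officer": True}


def output_check(label: Label, host: Range) -> Label:
    """Output rule (a): the option is mandatory and must be within the host's accreditation."""
    if not host.contains(label):
        raise ValueError("label outside the accredited range of this host")
    return label


def input_check(dgram: Datagram, channel: Channel, host: Range) -> Tuple[str, Union[Label, dict]]:
    """Input rule (b): returns ("accept", label) or ("reject", icmp_reply)."""
    if dgram.label is None:
        if channel.unclassified_interface:
            # Implicitly unclassified, GENSER; label it explicitly for later output.
            return "accept", Label(UNCLASSIFIED, GENSER)
        return "reject", out_of_range(dgram, missing_type=BASIC_SECURITY_OPTION_TYPE)
    if channel.trusted_range is not None:
        # Trusted channel: the label must fall within both the channel's and the host's range.
        accepted = channel.trusted_range.contains(dgram.label) and host.contains(dgram.label)
    else:
        # Untrusted label: compare against the accredited knowledge of the correct marking.
        accepted = dgram.label == channel.known_label
    if accepted:
        return "accept", dgram.label
    return "reject", out_of_range(dgram)


def intermediary_check(dgram: Datagram, device: Range, sender: Range,
                       receiver: Range) -> Tuple[str, Union[Label, dict]]:
    """9.3.15.3.4.5: an intermediary validating traffic between two hosts."""
    if dgram.label is None:
        return "reject", out_of_range(dgram, missing_type=BASIC_SECURITY_OPTION_TYPE)
    if not device.contains(dgram.label) or not sender.contains(dgram.label):
        return "reject", out_of_range(dgram)          # out of range for device or sender
    if not receiver.contains(dgram.label):
        return "reject", {"type": ICMP_DEST_UNREACHABLE, "code": CODE_HOST_ADMIN_PROHIBITED}
    return "forward", dgram.label
```

Note that the data overwrite happens before the reply is built, so a caller that logs the rejected datagram never sees the original payload, which is the point of rule a).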
9.3.15.4  DoD Extended Security Option

   Option type:  133
   Option length:  variable

   This option permits additional security related information, beyond
   that present in the Basic Security Option, to be supplied in an IP
   datagram to meet the needs of registered authorities.  If this option
   is required by an authority for a specific system, it must be
   specified explicitly in any Request for Proposal.  It is not
   otherwise required.  This option must be copied on fragmentation.
   This option may appear multiple times within a datagram.

   The format for this option is as follows:

          +------------+-------------+-------------+--------//-------+
          | 10000101   |  000LLLLL   |  AAAAAAAA   |   add sec info  |
          +------------+-------------+-------------+--------//-------+
           type = 133    LENGTH = Var.   ADDITIONAL    ADDITIONAL
                                         SECURITY      SECURITY
                                         INFO          INFO
                                         AUTHORITY
                                         CODE

                               FIGURE 10-B.

9.3.15.4.1  Additional Security Info Authority Code.

   length = 8 bits

   The values of this field are assigned by DCA Code R130, Washington,
   D.C.  20305-2000.  Each value corresponds to a requestor who, once
   assigned, becomes the authority for the remainder of the option
   definition for that value.

9.3.15.4.2  Additional Security Information.

   length = variable

   This field contains any additional security information as specified
   by the authority.

      BIT
      NUMBER     AUTHORITY

        0        GENSER
        1        SIOP
        2        DSCCS-SPINTCOM
        3        DSCCS-CRITICOM
      4-7        Unassigned

   AUTHORITY                                 SOURCE OF ANNEX DESCRIBING
                                             CURRENT CODING OF ADDITIONAL
                                             SECURITY INFORMATION

   GENSER
   National Access Program, less SIOP        Defense Communications
                                             Agency
                                             ATTN:  Code R130
                                             Washington, DC  20305

   SIOP
   National Access Program                   Department of Defense
                                             Organization of the
                                             Joint Chiefs of Staff
                                             Attn: J6T
                                             Washington, DC

   DSCCS-SPINTCOM
   National Access Program                   Defense Intelligence Agency
                                             Attn: DSE4
                                             Bolling AFB, MD

   DSCCS-CRITICOM
   National Access Program                   National Security Agency
                                             9800 Savage Road
                                             Attn: T03
                                             Ft. Meade, MD 20755-6000
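Encoding and parsing the DoD Extended Security Option laid out in Figure 10-B, as an added Python example that is not code from RFC 1038. The option walker handles EOL and NOP, collects every occurrence of type 133 because the option may appear more than once, and uses the copied flag of the type octet (bit 7, which is why 133 = 10000101 must be copied on fragmentation) to rebuild the options area for a later fragment. The authority code values and the Basic Security Option body in the sample are placeholders constructed for the example: real codes are assigned by DCA Code R130, and the Basic option's layout is not shown on this page, so it is treated as an opaque option of assumed type 130.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

EXTENDED_SECURITY_OPTION = 133     # 10000101: copied=1, class=0, number=5
BASIC_SECURITY_OPTION = 130        # assumed type octet; body layout not shown on this page
IPOPT_EOL, IPOPT_NOP = 0, 1
HYPOTHETICAL_AUTHORITY_CODE = 0x42 # placeholder; real codes come from DCA Code R130


@dataclass(frozen=True)
class ExtendedSecurityOption:
    authority_code: int
    info: bytes
    offset: int        # byte offset of the type octet within the options area


def encode_extended(authority_code: int, info: bytes) -> bytes:
    """Build one Extended Security Option: type, length, authority code, info."""
    if not 0 <= authority_code <= 0xFF:
        raise ValueError("authority code is an 8-bit field")
    total = 3 + len(info)              # length covers type, length and authority octets
    if total > 0xFF:
        raise ValueError("additional security info too long for an 8-bit length")
    return bytes([EXTENDED_SECURITY_OPTION, total, authority_code]) + info


def iter_options(options: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk a raw IPv4 options area, yielding (offset, type, value) per option."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"truncated option at offset {i}")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad option length {length} at offset {i}")
        yield i, t, options[i + 2:i + length]
        i += length


def is_copied_on_fragmentation(opt_type: int) -> bool:
    """Bit 7 of the type octet is the copied flag; type 133 has it set."""
    return bool(opt_type & 0x80)


def parse_extended(options: bytes) -> List[ExtendedSecurityOption]:
    """Collect every Extended Security Option; the option may appear more than once."""
    found = []
    for offset, t, value in iter_options(options):
        if t != EXTENDED_SECURITY_OPTION:
            continue
        if len(value) < 1:
            raise ValueError(f"extended security option at offset {offset} lacks an authority code")
        found.append(ExtendedSecurityOption(value[0], value[1:], offset))
    return found


def options_for_fragment(options: bytes) -> bytes:
    """Options to carry in a non-first fragment: only those with the copied flag,
    re-serialised and padded with EOL octets to a 32-bit boundary."""
    kept = b"".join(bytes([t, 2 + len(v)]) + v
                    for _, t, v in iter_options(options) if is_copied_on_fragmentation(t))
    return kept + b"\x00" * (-len(kept) % 4)


# Constructed sample options area (not captured traffic): an opaque Basic
# Security Option with an assumed 4-octet body, a NOP, two Extended Security
# Options from different (placeholder) authorities, then EOL.
SAMPLE_OPTIONS = (
    bytes([BASIC_SECURITY_OPTION, 4, 0x5A, 0x80])
    + bytes([IPOPT_NOP])
    + encode_extended(HYPOTHETICAL_AUTHORITY_CODE, b"\x01\x02")
    + encode_extended(0x43, b"")
    + bytes([IPOPT_EOL])
)

if __name__ == "__main__":
    for opt in parse_extended(SAMPLE_OPTIONS):
        print(f"offset {opt.offset}: authority {opt.authority_code:#04x}, info {opt.info.hex()}")
    print("fragment options:", options_for_fragment(SAMPLE_OPTIONS).hex())
```

The walker refuses a length below 2 or one that runs past the options area, which is the check a receiver needs before trusting the length octet of any variable-length option.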
