Network Working Group                                          J. Walker
Request for Comments: 4261                               A. Kulkarni, Ed.
Updates: 2748                                                Intel Corp.
Category: Standards Track                                  December 2005
Common Open Policy Service (COPS)
Over Transport Layer Security (TLS)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes how to use Transport Layer Security (TLS) to
secure Common Open Policy Service (COPS) connections over the
Internet.
This document also updates RFC 2748 by modifying the contents of the
Client-Accept message.
Walker & Kulkarni Standards Track [Page 1]
RFC 4261 COPS Over TLS December 2005
Table Of Contents
1. Introduction ....................................................2
2. COPS Over TLS ...................................................3
3. Separate Ports versus Upward Negotiation ........................3
4. COPS/TLS Objects and Error codes ................................4
4.1. The TLS Message Integrity Object (Integrity-TLS) ...........4
4.2. Error Codes ................................................4
5. COPS/TLS Secure Connection Initiation ...........................5
5.1. PEP Initiated Security Negotiation .........................5
5.2. PDP Initiated Security Negotiation .........................6
6. Connection Closure ..............................................7
6.1. PEP System Behavior ........................................7
6.2. PDP System Behavior ........................................8
7. Endpoint Identification and Access Control ......................8
7.1. PEP Identity ...............................................9
7.2. PDP Identity ...............................................9
8. Cipher Suite Requirements ......................................10
9. Backward Compatibility .........................................10
10. IANA Considerations ...........................................10
11. Security Considerations .......................................11
12. Acknowledgements ..............................................11
13. References ....................................................12
13.1. Normative References .....................................12
13.2. Informative References ...................................12
1. Introduction
COPS [RFC2748] was designed to distribute clear-text policy
information from a centralized Policy Decision Point (PDP) to a set
of Policy Enforcement Points (PEP) in the Internet. COPS provides
its own security mechanisms to protect the per-hop integrity of the
deployed policy. However, the use of COPS for sensitive applications
(e.g., some types of security policy distribution) requires
additional security measures, such as data confidentiality. This is
because some organizations find it necessary to hide some or all of
their security policies, e.g., because policy distribution to devices
such as mobile platforms can cross domain boundaries.
TLS [RFC2246] was designed to provide channel-oriented security. TLS
standardizes SSL and may be used with any connection-oriented
service. TLS provides mechanisms for both one- and two-way
authentication, dynamic session keying, and data stream privacy and
integrity.
This document describes how to use COPS over TLS. "COPS over TLS" is
abbreviated COPS/TLS.
Glossary
COPS - Common Open Policy Service. See [RFC2748].
COPS/TCP - A plain-vanilla implementation of COPS.
COPS/TLS - A secure implementation of COPS using TLS.
PDP - Policy Decision Point. Also referred to as the Policy Server.
See [RFC2753].
PEP - Policy Enforcement Point. Also referred to as the Policy
Client. See [RFC2753].
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this