Common Open Policy Service (COPS) Over Transport Layer Security (TLS)
RFC 4261

Document type: RFC - Proposed Standard (December 2005; No errata)
Updates RFC 2748
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4261 (Proposed Standard)
Responsible AD: Bert Wijnen
Send notices to: amol.kulkarni@intel.com, scott.hahn@intel.com

Network Working Group                                          J. Walker
Request for Comments: 4261                              A. Kulkarni, Ed.
Updates: 2748                                                Intel Corp.
Category: Standards Track                                  December 2005

                   Common Open Policy Service (COPS)
                  Over Transport Layer Security (TLS)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes how to use Transport Layer Security (TLS) to
   secure Common Open Policy Service (COPS) connections over the
   Internet.

   This document also updates RFC 2748 by modifying the contents of the
   Client-Accept message.

Walker & Kulkarni           Standards Track                     [Page 1]
RFC 4261                     COPS Over TLS                 December 2005

Table Of Contents

   1. Introduction ....................................................2
   2. COPS Over TLS ...................................................3
   3. Separate Ports versus Upward Negotiation ........................3
   4. COPS/TLS Objects and Error codes ................................4
      4.1. The TLS Message Integrity Object (Integrity-TLS) ...........4
      4.2. Error Codes ................................................4
   5. COPS/TLS Secure Connection Initiation ...........................5
      5.1. PEP Initiated Security Negotiation .........................5
      5.2. PDP Initiated Security Negotiation .........................6
   6. Connection Closure ..............................................7
      6.1. PEP System Behavior ........................................7
      6.2. PDP System Behavior ........................................8
   7. Endpoint Identification and Access Control ......................8
      7.1. PEP Identity ...............................................9
      7.2. PDP Identity ...............................................9
   8. Cipher Suite Requirements ......................................10
   9. Backward Compatibility .........................................10
   10. IANA Considerations ...........................................10
   11. Security Considerations .......................................11
   12. Acknowledgements ..............................................11
   13. References ....................................................12
      13.1. Normative References .....................................12
      13.2. Informative References ...................................12

1.  Introduction

   COPS [RFC2748] was designed to distribute clear-text policy
   information from a centralized Policy Decision Point (PDP) to a set
   of Policy Enforcement Points (PEP) in the Internet.  COPS provides
   its own security mechanisms to protect the per-hop integrity of the
   deployed policy.  However, the use of COPS for sensitive applications
   (e.g., some types of security policy distribution) requires
   additional security measures, such as data confidentiality.  This is
   because some organizations find it necessary to hide some or all of
   their security policies, e.g., because policy distribution to devices
   such as mobile platforms can cross domain boundaries.

   TLS [RFC2246] was designed to provide channel-oriented security.  TLS
   standardizes SSL and may be used with any connection-oriented
   service.  TLS provides mechanisms for both one- and two-way
   authentication, dynamic session keying, and data stream privacy and
   integrity.
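   The per-hop integrity mechanism referred to above is the COPS
   Integrity object of RFC 2748: an HMAC-MD5-96 tag keyed with a shared
   secret, carried together with a Key ID and a Sequence Number as the
   last object of every message.  The Python below is an added example,
   not code from this RFC, RFC 2748, or any COPS implementation.  It
   encodes a Decision message carrying a constructed policy string,
   appends the Integrity object, and then checks, from the receiver's
   side, that the tag detects tampering and replay while leaving the
   policy text fully readable on the wire.  The shared key, Key ID,
   client-type, sequence number and policy text are constructed for the
   example; the rule that the digest covers every byte of the message
   that precedes the Keyed Message Digest field is this example's
   assumption and should be checked against RFC 2748, Section 2.2.12,
   before reuse.

```python
"""COPS (RFC 2748) common header + Integrity object, added example.

Shows why COPS' own per-hop integrity does not give confidentiality:
the HMAC-MD5-96 tag authenticates the message, but the policy objects
it covers travel in clear text.  Not code from RFC 4261 or RFC 2748.
"""
import hashlib
import hmac
import struct

COPS_VERSION = 1
OP_DEC = 2                 # Decision message, PDP -> PEP (RFC 2748, 3.2)
CNUM_DECISION = 6          # Decision object C-Num (RFC 2748, 2.2.6)
CTYPE_CLIENT_SPECIFIC = 4  # Decision C-Type 4: Client Specific Decision Data
CNUM_INTEGRITY = 16        # Integrity object C-Num (RFC 2748, 2.2.12)
CTYPE_HMAC_MD5_96 = 1      # Integrity C-Type 1: HMAC-MD5-96
DIGEST_LEN = 12            # 96-bit truncated tag


def cops_object(cnum, ctype, body):
    """Encode one COPS object: 16-bit Length (includes the 4-byte object
    header, excludes padding), C-Num, C-Type, body padded to 32 bits."""
    length = 4 + len(body)
    return struct.pack("!HBB", length, cnum, ctype) + body + b"\x00" * ((-length) % 4)


def parse_objects(data):
    """Walk the object list; the next object starts at Length rounded up to 4."""
    objs, off = [], 0
    while off < len(data):
        length, cnum, ctype = struct.unpack_from("!HBB", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("truncated COPS object")
        objs.append((cnum, ctype, data[off + 4:off + length]))
        off += (length + 3) & ~3
    return objs


def build_message(opcode, client_type, objects, key_id, seqno, key):
    """Common header + objects + trailing Integrity object.
    Assumption (see lead-in): the HMAC covers all bytes before the digest."""
    body = b"".join(objects)
    integ_len = 4 + 4 + 4 + DIGEST_LEN          # header, Key ID, Seq, digest
    total = 8 + len(body) + integ_len
    header = struct.pack("!BBHI", COPS_VERSION << 4, opcode, client_type, total)
    integ_prefix = struct.pack("!HBBII", integ_len, CNUM_INTEGRITY,
                               CTYPE_HMAC_MD5_96, key_id, seqno)
    covered = header + body + integ_prefix
    tag = hmac.new(key, covered, hashlib.md5).digest()[:DIGEST_LEN]
    return covered + tag


def verify_message(msg, keys, last_seq):
    """Receiver-side check.  keys: key_id -> secret; last_seq: key_id ->
    highest accepted Sequence Number (updated on success, for replay
    rejection).  Returns (ok, objects_before_integrity)."""
    if len(msg) < 8:
        return False, []
    vf, _opcode, _ctype, total = struct.unpack_from("!BBHI", msg, 0)
    if vf >> 4 != COPS_VERSION or total != len(msg):
        return False, []
    objs = parse_objects(msg[8:])
    if not objs or objs[-1][0] != CNUM_INTEGRITY or objs[-1][1] != CTYPE_HMAC_MD5_96:
        return False, []                         # Integrity object must be last
    body = objs[-1][2]
    key_id, seqno = struct.unpack_from("!II", body, 0)
    tag = body[8:8 + DIGEST_LEN]
    key = keys.get(key_id)
    if key is None:
        return False, []
    expected = hmac.new(key, msg[:-DIGEST_LEN], hashlib.md5).digest()[:DIGEST_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, []
    if seqno <= last_seq.get(key_id, -1):        # replayed or reordered
        return False, []
    last_seq[key_id] = seqno
    return True, objs[:-1]


KEY = b"constructed-shared-secret"                # constructed for the example
KEYS = {7: KEY}


def demo():
    """Return what an eavesdropper sees and what the receiver accepts."""
    policy = b"deny tcp any -> 10.0.0.0/8 port 23"  # constructed policy text
    decision = cops_object(CNUM_DECISION, CTYPE_CLIENT_SPECIFIC, policy)
    msg = build_message(OP_DEC, 1, [decision], key_id=7, seqno=1, key=KEY)

    state = {}
    valid, objs = verify_message(msg, KEYS, state)
    tampered = bytearray(msg)
    tampered[msg.index(b"deny")] ^= 0x01         # flip one bit of the policy
    tampered_valid, _ = verify_message(bytes(tampered), KEYS, state)
    replay_valid, _ = verify_message(msg, KEYS, state)   # same seqno again
    return {
        "payload_readable": policy in msg,       # clear text on the wire
        "valid": valid,
        "decision_objects": len(objs),
        "tampered_valid": tampered_valid,
        "replay_valid": replay_valid,
    }


if __name__ == "__main__":
    print(demo())
```

   The tag keeps a bit flip and a replayed message from being accepted,
   but `payload_readable` is true: anyone on the path reads the policy.
   COPS/TLS addresses exactly that gap by carrying these same message
   bytes inside a TLS session, which adds confidentiality and endpoint
   authentication on top of the Integrity object.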

   This document describes how to use COPS over TLS.  "COPS over TLS" is
   abbreviated COPS/TLS.


Glossary

   COPS - Common Open Policy Service.  See [RFC2748].

   COPS/TCP - COPS carried directly over TCP without TLS, i.e., a
          plain-vanilla implementation of COPS.

   COPS/TLS - A secure implementation of COPS using TLS.

   PDP - Policy Decision Point.  Also referred to as the Policy Server.
         See [RFC2753].

   PEP - Policy Enforcement Point.  Also referred to as the Policy
         Client.  See [RFC2753].

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
