Registry Specification for Mandatory Access Control (MAC) Security Label Formats
draft-ietf-nfsv4-lfs-registry-00

Document type: Active Internet-Draft (nfsv4 WG)
Last updated: 2014-05-02
Stream: IETF
NFSv4                                                         D. Quigley
Internet-Draft
Intended status: Standards Track                                   J. Lu
Expires: November 2, 2014                                         Oracle
                                                               T. Haynes
                                                            Primary Data
                                                            May 01, 2014

Registry Specification for Mandatory Access Control (MAC) Security Label
                                Formats
                  draft-ietf-nfsv4-lfs-registry-00.txt

Abstract

   In the past, Mandatory Access Control (MAC) systems have used very
   rigid policies which were hardcoded into the particular protocol and
   platform.  As MAC systems are more widely deployed, additional
   flexibility in mechanism and policy is required.  Where traditional
   trusted systems implemented Multi-Level Security (MLS) and integrity
   models, modern systems have expanded to include technologies such as
   type enforcement.  Due to the wide range of policies and mechanisms,
   past efforts have shown it to be virtually impossible to accommodate
   all parties in one security label format and model.

   To allow multiple MAC mechanisms and label formats in a network, this
   document proposes a registry of label format specifications.  This
   registry contains several identifiers to accommodate both integer and
   string preferences and associates those identifiers with an extensive
   document outlining the exact syntax and use of the particular label
   format.
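   The following Python model is an added illustration, not text or code
   from this draft, of what such a registry does for a receiver: a label
   arrives as a selector plus opaque bytes, and the receiver must resolve
   the selector to a registered format before interpreting the bytes,
   refusing unknown selectors and never comparing labels of two different
   formats.  The selector values (1001, 1002), the two-byte wire layout,
   and the two toy formats (a simplified MLS dominance check and a
   simplified type-enforcement allow table) are constructed assumptions
   for this example; they are not the CIPSO, CALIPSO or FLASK formats and
   not values from any real registry.

```python
"""Constructed model of a label-format-selector registry (example only).

Selector values, wire layout and the two toy label formats are
assumptions made for this illustration, not values from the draft.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class LabelFormat:
    """One registry entry: integer selector, string name, interpreter."""
    lfs: int                                   # integer selector (placeholder)
    name: str                                  # string identifier
    parse: Callable[[bytes], object]           # opaque bytes -> label value
    permits: Callable[[object, object], bool]  # (subject, object) -> allowed?


# --- Toy MLS format: "level:cat1,cat2" -> (level, frozenset of categories)
def parse_mls(raw: bytes) -> Tuple[int, frozenset]:
    text = raw.decode("ascii")
    level_s, _, cats_s = text.partition(":")
    cats = frozenset(c for c in cats_s.split(",") if c)
    return (int(level_s), cats)


def mls_dominates(subject, obj) -> bool:
    """Read access under MLS: the subject's level is at least the object's
    level and its category set is a superset of the object's."""
    s_level, s_cats = subject
    o_level, o_cats = obj
    return s_level >= o_level and s_cats >= o_cats


# --- Toy type-enforcement format: the label is a type name; access is
# granted only by an explicit (subject type, object type) allow rule.
TE_ALLOW = {("httpd_t", "httpd_content_t"), ("backup_t", "httpd_content_t")}


def parse_te(raw: bytes) -> str:
    return raw.decode("ascii")


def te_permits(subject: str, obj: str) -> bool:
    return (subject, obj) in TE_ALLOW


# --- The registry itself: integer selector and string name both resolve
# to the same entry; duplicate registration of either is refused.
REGISTRY: Dict[int, LabelFormat] = {}
BY_NAME: Dict[str, LabelFormat] = {}


def register(fmt: LabelFormat) -> None:
    if fmt.lfs in REGISTRY or fmt.name in BY_NAME:
        raise ValueError(f"duplicate registration: {fmt.lfs}/{fmt.name}")
    REGISTRY[fmt.lfs] = fmt
    BY_NAME[fmt.name] = fmt


register(LabelFormat(1001, "toy-mls", parse_mls, mls_dominates))  # placeholder values
register(LabelFormat(1002, "toy-te", parse_te, te_permits))       # placeholder values


# --- Wire form (constructed): 2-byte big-endian selector, then opaque bytes
def encode_label(lfs: int, body: bytes) -> bytes:
    return lfs.to_bytes(2, "big") + body


def decode_label(wire: bytes) -> Tuple[LabelFormat, object]:
    """Resolve the selector first; only the registered format may
    interpret the opaque bytes."""
    if len(wire) < 2:
        raise ValueError("label too short")
    lfs = int.from_bytes(wire[:2], "big")
    fmt = REGISTRY.get(lfs)
    if fmt is None:
        raise LookupError(f"unknown label format selector {lfs}")
    return fmt, fmt.parse(wire[2:])


def access_allowed(subject_wire: bytes, object_wire: bytes) -> bool:
    """Fail closed: an unknown selector, a malformed label, or a subject
    and object carrying different formats all deny access."""
    try:
        s_fmt, s_label = decode_label(subject_wire)
        o_fmt, o_label = decode_label(object_wire)
    except (LookupError, ValueError):
        return False
    if s_fmt.lfs != o_fmt.lfs:
        return False
    return s_fmt.permits(s_label, o_label)


if __name__ == "__main__":
    subj = encode_label(1001, b"3:a,b")
    print(access_allowed(subj, encode_label(1001, b"2:a")))   # True
    print(access_allowed(subj, encode_label(1002, b"2:a")))   # False: formats differ
    print(access_allowed(subj, encode_label(9999, b"2:a")))   # False: unknown selector
```

   The same opaque bytes (b"2:a") are permitted under one selector and
   denied under another, which is the point of keeping the selector
   separate from the label body: the receiver decides how to interpret a
   label from the registry entry, never by inspecting the bytes.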

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 2, 2014.

Quigley, et al.         Expires November 2, 2014                [Page 1]
Internet-Draft            Labeled NFS Registry                  May 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Requirements Language . . . . . . . . . . . . . . . . . . . .   4
   4.  Existing Label Format Specifications  . . . . . . . . . . . .   4
     4.1.  Commercial IP Security Option (CIPSO) . . . . . . . . . .   4
     4.2.  Common Architecture Label IPv6 Security Option (CALIPSO)    4
     4.3.  Flux Advanced Security Kernel (FLASK) . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
     6.1.  Initial Registry  . . . . . . . . . . . . . . . . . . . .   5
     6.2.  Adding a New Entry to the Registry  . . . . . . . . . . .   5
     6.3.  Obsoleting a Label Format Selector  . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .   7
   Appendix B.  RFC Editor Notes . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   With the acceptance of security labels in several mainstream
   operating systems, the need to communicate labels between these
   systems becomes more important.  In a typical client and server
   scenario, the client request to the server acts as a subject trying
   to access an object on the server [RFC7204].  Unfortunately, these
   systems are diverse enough that attempts at establishing one common
   label format have been unsuccessful.  The reason for this is that