Registry Specification for Mandatory Access Control (MAC) Security Label Formats
draft-ietf-nfsv4-lfs-registry-05

The information below is for an old version of the document
Document Type Active Internet-Draft (nfsv4 WG)
Last updated 2015-04-09
Stream IETF
Intended RFC status Proposed Standard
Stream WG state Submitted to IESG for Publication
Document shepherd Spencer Shepler
Shepherd write-up (last changed 2014-11-18)
IESG IESG state IESG Evaluation::AD Followup
Consensus Boilerplate Yes
Telechat date
Needs 5 more YES or NO OBJECTION positions to pass.
Responsible AD Martin Stiemerling
Send notices to "Spencer Shepler" <spencer.shepler@gmail.com>
IANA IANA review state Version Changed - Review Needed
IANA action state None
NFSv4                                                         D. Quigley
Internet-Draft
Intended status: Standards Track                                   J. Lu
Expires: October 10, 2015                                         Oracle
                                                               T. Haynes
                                                            Primary Data
                                                          April 08, 2015

Registry Specification for Mandatory Access Control (MAC) Security Label
                                Formats
                  draft-ietf-nfsv4-lfs-registry-05.txt

Abstract

   In the past, Mandatory Access Control (MAC) systems have used very
   rigid policies which were implemented in particular protocols and
   platforms.  As MAC systems become more widely deployed, additional
   flexibility in mechanism and policy will be required.  While
   traditional trusted systems implemented Multi-Level Security (MLS)
   and integrity models, modern systems have expanded to include
   technologies such as type enforcement.  Due to the wide range of
   policies and mechanisms which need to be accommodated, it is unlikely
   that use of a single security label format and model will be viable.

   To allow multiple MAC mechanisms and label formats to co-exist in a
   network, this document proposes a registry of label format
   specifications.  This registry would contain label format identifiers
   and would provide for the association of each such identifier with a
   corresponding extensive document outlining the exact syntax
   and use of the particular label format.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 10, 2015.

Quigley, et al.         Expires October 10, 2015                [Page 1]
Internet-Draft            Labeled NFS Registry                April 2015

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Existing Label Format Specifications  . . . . . . . . . . . .   4
     3.1.  IP Security Option (IPSO), Basic Security Option (BSO)  .   4
     3.2.  Commercial IP Security Option (CIPSO) . . . . . . . . . .   4
     3.3.  Common Architecture Label IPv6 Security Option (CALIPSO)    5
     3.4.  Flux Advanced Security Kernel (FLASK) . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Initial Registry  . . . . . . . . . . . . . . . . . . . .   6
     5.2.  Adding a New Entry to the Registry  . . . . . . . . . . .   6
     5.3.  Obsoleting a Label Format Specifier . . . . . . . . . . .   7
     5.4.  Modifying an Existing Entry in the Registry . . . . . . .   7
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .   9
   Appendix B.  RFC Editor Notes . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   With the acceptance of security labels in several mainstream
   operating systems, the need to communicate labels between these
   systems becomes more important.  In a typical client and server
   scenario, the client request to the server acts as a subject trying
   to access an object on the server [RFC7204].  Unfortunately these
   systems are diverse enough that attempts at establishing one common