U.S. Department of Defense Security Options for the Internet Protocol
RFC 1108

Document Type RFC - Historic (November 1991; No errata)
Obsoletes RFC 1038
Last updated 2013-03-02
Stream Legacy
Network Working Group                                            S. Kent
Request for Comments: 1108                            BBN Communications
Obsoletes: RFC 1038                                        November 1991

                       U.S. Department of Defense
               Security Options for the Internet Protocol

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Abstract

   This RFC specifies the U.S. Department of Defense Basic Security
   Option and the top-level description of the Extended Security Option
   for use with the Internet Protocol.  This RFC obsoletes RFC 1038
   "Revised IP Security Option", dated January 1988.

1.  DoD Security Options Defined

   The following two internet protocol options are defined for use on
   Department of Defense (DoD) common user data networks:

   CF  CLASS  #  TYPE  LENGTH   DESCRIPTION

   1     0    2   130   var.    DoD Basic Security:  Used to carry the
                                classification level and protection
                                authority flags.

   1     0    5   133   var.    DoD Extended Security:  Used to carry
                                additional security information as
                                required by registered authorities.

   CF = Copy on Fragmentation

2.  DoD Basic Security Option

   This option identifies the U.S. classification level at which the
   datagram is to be protected and the authorities whose protection
   rules apply to each datagram.

Kent                                                            [Page 1]
RFC 1108                U.S. DOD Security Option           November 1991

   This option is used by end systems and intermediate systems of an
   internet to:

        a.  Transmit from source to destination in a network standard
        representation the common security labels required by computer
        security models,

        b.  Validate the datagram as appropriate for transmission from
        the source and delivery to the destination,

        c.  Ensure that the route taken by the datagram is protected to
        the level required by all protection authorities indicated on
        the datagram.  In order to provide this facility in a general
        Internet environment, interior and exterior gateway protocols
        must be augmented to include security label information in
        support of routing control.

   The DoD Basic Security option must be copied on fragmentation.  This
   option appears at most once in a datagram.  Some security systems
   require this to be the first option if more than one option is
   carried in the IP header, but this is not a generic requirement
   levied by this specification.

   The format of the DoD Basic Security option is as follows:

      +------------+------------+------------+-------------//----------+
      |  10000010  |  XXXXXXXX  |  SSSSSSSS  |  AAAAAAA[1]    AAAAAAA0 |
      |            |            |            |         [0]             |
      +------------+------------+------------+-------------//----------+
        TYPE = 130     LENGTH   CLASSIFICATION         PROTECTION
                                     LEVEL              AUTHORITY
                                                          FLAGS

                    FIGURE 1.  DoD BASIC SECURITY OPTION FORMAT

2.1.  Type

   The value 130 identifies this as the DoD Basic Security Option.

2.2.  Length

   The length of the option is variable.  The minimum length of the
   option is 3 octets, including the Type and Length fields (the
   Protection Authority field may be absent).  A length indication of
   less than 3 octets should result in error processing as described in
   Section 2.8.1.

2.3.  Classification Level

        Field Length:  One Octet

   This field specifies the (U.S.) classification level at which the
   datagram must be protected.  The information in the datagram must be
   protected at this level.  The field is encoded as shown in Table 1
   and the order of values in this table defines the ordering for
   comparison purposes.  The bit string values in this table were chosen
   to achieve a minimum Hamming distance of four (4) between any two
   valid values.  This specific assignment of classification level names
   to values has been defined for compatibility with security devices
   which have already been developed and deployed.
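
   The following is an added example, not part of RFC 1108 or of any
   deployed implementation: a Python parser for the option format of
   Figure 1 that applies the Section 2.2 minimum-length check, the
   continuation-bit rule for Protection Authority octets shown in
   Figure 1, the ordering comparison of Section 2.3, and a check of the
   minimum Hamming distance stated in Section 2.3.  The four
   classification level codes are those of Table 1 in the full RFC
   (the table is not reproduced above); the sample option bytes, the
   function names and the OptionError class are constructed for
   illustration.

```python
# Added example (not part of RFC 1108): parse and validate the DoD Basic
# Security Option (IP option type 130) as described in Section 2.
# The four classification level codes come from Table 1 of the full RFC,
# which is not reproduced on this page; everything else here is constructed.
from dataclasses import dataclass

BSO_TYPE = 130          # Figure 1: 10000010
BSO_MIN_LENGTH = 3      # Section 2.2: Type + Length + Classification Level

# Table 1 of RFC 1108, named levels only, listed highest to lowest (the
# table order defines the comparison order).  Any other octet, including
# the table's "Reserved" codes, is treated as invalid per Section 2.3.
CLASSIFICATION_LEVELS = [
    (0b00111101, "Top Secret"),
    (0b01011010, "Secret"),
    (0b10010110, "Confidential"),
    (0b10101011, "Unclassified"),
]
LEVEL_NAMES = dict(CLASSIFICATION_LEVELS)
LEVEL_RANK = {code: rank for rank, (code, _) in enumerate(CLASSIFICATION_LEVELS)}


class OptionError(ValueError):
    """Raised when the option must go to error processing (Section 2.8.1)."""


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two octet values."""
    return bin(a ^ b).count("1")


def min_hamming_distance(codes) -> int:
    """Smallest pairwise Hamming distance among the codes (Section 2.3 says 4)."""
    codes = list(codes)
    return min(hamming_distance(x, y)
               for i, x in enumerate(codes) for y in codes[i + 1:])


@dataclass(frozen=True)
class BasicSecurityOption:
    level: int              # raw Classification Level octet
    authority_flags: bytes  # Protection Authority Flags octets, may be empty

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES[self.level]


def parse_basic_security_option(option: bytes) -> BasicSecurityOption:
    """Decode one type-130 option taken from an IPv4 header's option area."""
    if len(option) < 2 or option[0] != BSO_TYPE:
        raise OptionError("not a DoD Basic Security Option (type 130)")
    length = option[1]
    if length < BSO_MIN_LENGTH:
        raise OptionError(f"length {length} < 3 octets; error processing applies")
    if length > len(option):
        raise OptionError("option length runs past the end of the option data")
    level = option[2]
    if level not in LEVEL_NAMES:
        raise OptionError(f"classification level 0x{level:02x} is reserved/invalid")
    flags = bytes(option[3:length])
    # Figure 1: every Protection Authority octet but the last ends in a 1
    # (more octets follow); the final octet ends in a 0.  Anything else is
    # malformed and goes to error processing.
    for index, octet in enumerate(flags):
        is_last = index == len(flags) - 1
        expected_continuation = 0 if is_last else 1
        if (octet & 0x01) != expected_continuation:
            raise OptionError(f"bad continuation bit in authority octet {index}")
    return BasicSecurityOption(level, flags)


def dominates(level_a: int, level_b: int) -> bool:
    """True if level_a is at least as high as level_b in the Table 1 order."""
    return LEVEL_RANK[level_a] <= LEVEL_RANK[level_b]


if __name__ == "__main__":
    # Constructed sample: type 130, length 5, Secret, two authority octets
    # (the first has its continuation bit set, the second clears it).
    sample = bytes([0x82, 0x05, 0x5A, 0x81, 0x40])
    bso = parse_basic_security_option(sample)
    print(bso.level_name, bso.authority_flags.hex())
    print(min_hamming_distance(LEVEL_NAMES))
```

   A receiver that enforces the option would call
   parse_basic_security_option on the raw option bytes and use dominates
   to compare the datagram's level against the level its interface or
   route is accredited for; any OptionError maps to the error processing
   of Section 2.8.1 rather than to silent acceptance.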

   "Reserved" values in the table must be treated as invalid until such
   time as they are assigned to named classification levels in a successor
   to this document.  A datagram containing a value for this field which