U.S. Department of Defense Security Options for the Internet Protocol
RFC 1108
RFC - Historic (November 1991; No errata)
Obsoletes RFC 1038
Stream: Legacy
Network Working Group                                            S. Kent
Request for Comments: 1108                            BBN Communications
Obsoletes: RFC 1038                                        November 1991

           U.S. Department of Defense Security Options
                    for the Internet Protocol

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Abstract

   This RFC specifies the U.S. Department of Defense Basic Security
   Option and the top-level description of the Extended Security Option
   for use with the Internet Protocol.  This RFC obsoletes RFC 1038
   "Revised IP Security Option", dated January 1988.

1.  DoD Security Options Defined

   The following two internet protocol options are defined for use on
   Department of Defense (DoD) common user data networks:

   CF  CLASS  #  TYPE  LENGTH  DESCRIPTION
   1   0      2  130   var.    DoD Basic Security:  Used to carry the
                               classification level and protection
                               authority flags.
   1   0      5  133   var.    DoD Extended Security:  Used to carry
                               additional security information as
                               required by registered authorities.

   CF = Copy on Fragmentation

2.  DoD Basic Security Option

   This option identifies the U.S. classification level at which the
   datagram is to be protected and the authorities whose protection
   rules apply to each datagram.

   This option is used by end systems and intermediate systems of an
   internet to:

      a.  Transmit from source to destination in a network standard
          representation the common security labels required by
          computer security models,

      b.  Validate the datagram as appropriate for transmission from
          the source and delivery to the destination,

      c.  Ensure that the route taken by the datagram is protected to
          the level required by all protection authorities indicated
          on the datagram.

   In order to provide this facility in a general Internet environment,
   interior and exterior gateway protocols must be augmented to include
   security label information in support of routing control.

   The DoD Basic Security option must be copied on fragmentation.  This
   option appears at most once in a datagram.  Some security systems
   require this to be the first option if more than one option is
   carried in the IP header, but this is not a generic requirement
   levied by this specification.

   The format of the DoD Basic Security option is as follows:

      +------------+------------+------------+-------------//----------+
      |  10000010  |  XXXXXXXX  |  SSSSSSSS  |  AAAAAAA[1]    AAAAAAA0 |
      |            |            |            |         [0]             |
      +------------+------------+------------+-------------//----------+
        TYPE = 130     LENGTH   CLASSIFICATION         PROTECTION
                                    LEVEL             AUTHORITY
                                                        FLAGS

                FIGURE 1.  DoD BASIC SECURITY OPTION FORMAT

2.1.  Type

   The value 130 identifies this as the DoD Basic Security Option.

2.2.  Length

   The length of the option is variable.  The minimum length of the
   option is 3 octets, including the Type and Length fields (the
   Protection Authority field may be absent).  A length indication of
   less than 3 octets should result in error processing as described in
   Section 2.8.1.

2.3.  Classification Level

   Field Length:  One Octet

   This field specifies the (U.S.) classification level at which the
   datagram must be protected.  The information in the datagram must be
   protected at this level.  The field is encoded as shown in Table 1
   and the order of values in this table defines the ordering for
   comparison purposes.  The bit string values in this table were
   chosen to achieve a minimum Hamming distance of four (4) between any
   two valid values.  This specific assignment of classification level
   names to values has been defined for compatibility with security
   devices which have already been developed and deployed.

   "Reserved" values in the table must be treated as invalid until such
   time they are assigned to named classification levels in a successor
   to this document.  A datagram containing a value for this field which