Security Label Framework for the Internet
RFC 1457

Document Type RFC - Informational (May 1993; No errata)
Last updated 2013-03-02
Stream Legacy
Network Working Group                                         R. Housley
Request for Comments: 1457             Xerox Special Information Systems
                                                                May 1993

               Security Label Framework for the Internet

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Acknowledgements

   The members of the Privacy and Security Research Group and the
   attendees of the invitational Security Labels Workshop (hosted by the
   National Institute of Standards and Technology) helped me organize my
   thoughts on this subject.  The ideas of these professionals are
   scattered throughout the memo.

1.0  Introduction

   This memo presents a security labeling framework for the Internet.
   The framework is intended to help protocol designers determine what,
   if any, security labeling should be supported by their protocols.
   The framework should also help network architects determine whether
   or not a particular collection of protocols fulfills their security
   labeling requirements.  The Open Systems Interconnection Reference
   Model [1] provides the structure for the presentation; therefore, OSI
   protocol designers may also find this memo useful.

2.0  Security Labels

   Data security is the set of measures taken to protect data from
   accidental, unauthorized, intentional, or malicious modification,
   destruction, or disclosure.  Data security is also the condition that
   results from the establishment and maintenance of protective measures
   [2].  Given this two-pronged definition for data security, this memo
   examines security labeling as one mechanism which provides data
   security.  In general, security labeling by itself does not provide
   sufficient data security; it must be complemented by other security
   mechanisms.

   In data communication protocols, security labels tell the protocol
   processing how to handle the data transferred between two systems.
   That is, the security label indicates what measures need to be taken
   to preserve the condition of security.  Handling means the activities
   performed on data such as collecting, processing, transferring,
   storing, retrieving, sorting, transmitting, disseminating, and
   controlling [3].

   The definition of data security includes protection from modification
   and destruction.  In computer systems, this is protection from
   writing and deleting.  These protections implement the data integrity
   service defined in the OSI Security Architecture [4].

   Biba [5] has defined a data integrity model which includes security
   labels.  The Biba model specifies rule-based controls for writing and
   deleting necessary to preserve data integrity.  The model also
   specifies rule-based controls for reading to prevent a high integrity
   process from relying on data that has less integrity than the
   process.

   The definition of data security also includes protection from
   disclosure.  In computer systems, this is protection from reading.
   This protection is the data confidentiality service defined in the
   OSI Security Architecture [4].

   Bell and LaPadula [6] defined a data confidentiality model which
   includes security labels.  The Bell and LaPadula model specifies
   rule-based controls for reading necessary to preserve data
   confidentiality.  The model also specifies rule-based controls for
   writing to ensure that data is not copied to a container where
   confidentiality can not be guaranteed.
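
   The read and write controls of the two models can be compared side
   by side in the following added example, which is not part of the
   original memo.  It assumes the usual strict forms of the rules
   (Bell and LaPadula: no read up, no write down; Biba: no read down,
   no write or delete up); the level names and the category sets are
   constructed for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy for illustration; the memo defines no level names.
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of categories.

    The category set is an assumption of this example; it makes some
    labels incomparable, which is where rule-based checks usually go wrong.
    """
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at or above other in the label ordering."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(op: str, subject: Label, obj: Label) -> bool:
    """Confidentiality labels (Bell and LaPadula)."""
    if op == "read":       # no read up: subject must dominate the data
        return subject.dominates(obj)
    if op == "write":      # no write down: container must dominate subject
        return obj.dominates(subject)
    raise ValueError(f"unsupported operation: {op}")


def biba_allows(op: str, subject: Label, obj: Label) -> bool:
    """Integrity labels (Biba); the same ordering with the rules reversed."""
    if op == "read":       # no read down: data must be at least as trusted
        return obj.dominates(subject)
    if op in ("write", "delete"):   # no write or delete up
        return subject.dominates(obj)
    raise ValueError(f"unsupported operation: {op}")
```

   Two labels with the same level but different categories are
   incomparable, so every operation between them is refused under both
   models.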

   In both the Biba model and the Bell and LaPadula model, the security
   label is an attribute of the data.  In general, the security label
   associated with the data remains constant.  Exceptions will be
   discussed later in the memo, but relabeling is always the result of
   some network entity handling the data.  Since the security label is
   an attribute of data, it should be bound to the data.  When data
   moves through the network, the integrity security service [4] is
   generally used to accomplish this binding.  If the communications
   environment does not include a protocol which provides the integrity
   security service to bind the security label to the data, then the
   communications environment should include other mechanisms to
   preserve this binding.
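
   One way to bind a label to the data it describes is shown in the
   following added example, which is not part of the original memo.
   The memo names no mechanism; HMAC-SHA-256 over a length-prefixed
   label, the function names, and the sample key and values are all
   assumptions of the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode(label: bytes, data: bytes) -> bytes:
    # Length-prefix the label so the label/data boundary is itself covered
    # by the integrity check and cannot be shifted.
    return struct.pack("!H", len(label)) + label + data


def protect(key: bytes, label: bytes, data: bytes) -> bytes:
    """Return label and data followed by a tag computed over both."""
    body = encode(label, data)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unprotect(key: bytes, pdu: bytes):
    """Verify the binding, then return (label, data); raise if it fails."""
    if len(pdu) < 2 + TAG_LEN:
        raise ValueError("truncated PDU")
    body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: label not bound to data")
    (label_len,) = struct.unpack("!H", body[:2])
    if 2 + label_len > len(body):
        raise ValueError("label length exceeds PDU")
    return body[2:2 + label_len], body[2 + label_len:]


def is_bound(key: bytes, pdu: bytes) -> bool:
    """True when the label and data arrive exactly as they were protected."""
    try:
        unprotect(key, pdu)
        return True
    except ValueError:
        return False


# Constructed sample values.
KEY = b"constructed-demo-key"
PDU = protect(KEY, b"SECRET", b"fleet schedule")
# A relabeled copy: same data, label bytes replaced in transit.
RELABELED = PDU[:2] + b"PUBLIC" + PDU[8:]
```

   The relabeled copy fails verification because the tag covers the
   label as well as the data; a tag computed over the data alone would
   accept it.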

2.1  Integrity Labels

   Integrity labels are security labels which support data integrity
   models, like the Biba model.  The integrity label tells the degree of
   confidence that may be placed in the data and also indicates which
   measures the data requires for protection from modification and
   destruction.
