Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

IETF CIPSO Working Group
16 July, 1992



                 COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)



1.    Status

This Internet Draft provides the high level specification for a Commercial
IP Security Option (CIPSO).  This draft reflects the version as approved by
the CIPSO IETF Working Group.  Distribution of this memo is unlimited.

This document is an Internet Draft.  Internet Drafts are working documents
of the Internet Engineering Task Force (IETF), its Areas, and its Working
Groups.  Note that other groups may also distribute working documents as
Internet Drafts.

Internet Drafts are draft documents valid for a maximum of six months.
Internet Drafts may be updated, replaced, or obsoleted by other documents
at any time.  It is not appropriate to use Internet Drafts as reference
material or to cite them other than as a "working draft" or "work in
progress."

Please check the I-D abstract listing contained in each Internet Draft
directory to learn the current status of this or any other Internet Draft.



2.    Background

Currently the Internet Protocol includes two security options.  One of
these options is the DoD Basic Security Option (BSO) (Type 130) which allows
IP datagrams to be labeled with security classifications.  This option
provides sixteen security classifications and a variable number of handling
restrictions.  To handle additional security information, such as security
categories or compartments, another security option (Type 133) exists and
is referred to as the DoD Extended Security Option (ESO).  The values for
the fixed fields within these two options are administered by the Defense
Information Systems Agency (DISA).

Computer vendors are now building commercial operating systems with
mandatory access controls and multi-level security.  These systems are
no longer built specifically for a particular group in the defense or
intelligence communities.  They are generally available commercial systems
for use in a variety of government and civil sector environments.

The small number of ESO format codes cannot support all the possible
applications of a commercial security option.  The BSO and ESO were
designed to only support the United States DoD.  CIPSO has been designed
to support multiple security policies.  This Internet Draft provides the
format and procedures required to support a Mandatory Access Control
security policy.  Support for additional security policies shall be
defined in future RFCs.


Internet Draft, Expires 15 Jan 93                                 [PAGE 1]


CIPSO INTERNET DRAFT                                         16 July, 1992


3.    CIPSO Format

Option type: 134 (Class 0, Number 6, Copy on Fragmentation)
Option length: Variable

This option permits security related information to be passed between
systems within a single Domain of Interpretation (DOI).  A DOI is a
collection of systems which agree on the meaning of particular values
in the security option.  An authority that has been assigned a DOI
identifier will define a mapping between appropriate CIPSO field values
and their human readable equivalent.  This authority will distribute that
mapping to hosts within the authority's domain.  These mappings may be
sensitive, therefore a DOI authority is not required to make these
mappings available to anyone other than the systems that are included in
the DOI.

This option MUST be copied on fragmentation.  This option appears at most
once in a datagram.  All multi-octet fields in the option are defined to be
transmitted in network byte order.  The format of this option is as follows:

+----------+----------+------//------+-----------//---------+
| 10000110 | LLLLLLLL | DDDDDDDDDDDD | TTTTTTTTTTTTTTTTTTTT |
+----------+----------+------//------+-----------//---------+

  TYPE=134    OPTION    DOMAIN OF               TAGS
              LENGTH    INTERPRETATION


                Figure 1. CIPSO Format


3.1    Type

This field is 1 octet in length.  Its value is 134.


3.2    Length

This field is 1 octet in length.  It is the total length of the option
including the type and length fields.  With the current IP header length
restriction of 40 octets the value of this field MUST NOT exceed 40.


3.3    Domain of Interpretation Identifier

This field is an unsigned 32 bit integer.  The value 0 is reserved and MUST
NOT appear as the DOI identifier in any CIPSO option.  Implementations
should assume that the DOI identifier field is not aligned on any particular
byte boundary.

To conserve space in the protocol, security levels and categories are
represented by numbers rather than their ASCII equivalent.  This requires
a mapping table within CIPSO hosts to map these numbers to their
corresponding ASCII representations.  Non-related groups of systems may
have their own unique mappings.  For example, one group of systems may
use the number 5 to represent Unclassified while another group may use the
number 1 to represent that same security level.  The DOI identifier is used
to identify which mapping was used for the values within the option.


3.4    Tag Types

A common format for passing security related information is necessary
for interoperability.  CIPSO uses sets of "tags" to contain the security
information relevant to the data in the IP packet.  Each tag begins with
a tag type identifier followed by the length of the tag and ends with the
actual security information to be passed.  All multi-octet fields in a tag
are defined to be transmitted in network byte order.  Like the DOI
identifier field in the CIPSO header, implementations should assume that
all tags, as well as fields within a tag, are not aligned on any particular
octet boundary.  The tag types defined in this document contain alignment
bytes to assist alignment of some information, however alignment cannot
be guaranteed if CIPSO is not the first IP option.

CIPSO tag types 0 through 127 are reserved for defining standard tag
formats.  Their definitions will be published in RFCs.  Tag types whose
identifiers are greater than 127 are defined by the DOI authority and may
only be meaningful in certain Domains of Interpretation.  For these tag
types, implementations will require the DOI identifier as well as the tag
number to determine the security policy and the format associated with the
tag.  Use of tag types above 127 is restricted to closed networks where
interoperability with other networks will not be an issue.  Implementations
that support a tag type greater than 127 MUST support at least one DOI that
requires only tag types 1 to 127.

Tag type 0 is reserved.  Tag types 1, 2, and 5 are defined in this
Internet Draft.  Types 3 and 4 are reserved for work in progress.
The standard format for all current and future CIPSO tags is shown below:

+----------+----------+--------//--------+
| TTTTTTTT | LLLLLLLL | IIIIIIIIIIIIIIII |
+----------+----------+--------//--------+
    TAG       TAG         TAG
    TYPE      LENGTH      INFORMATION

    Figure 2:  Standard Tag Format

In the three tag types described in this document, the length and count
restrictions are based on the current IP limitation of 40 octets for all
IP options.  If the IP header is later expanded, then the length and count
restrictions specified in this document may increase to use the full area
provided for IP options.

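Putting sections 3.1 through 3.4 together, the following C is an added
example for this page (not code from the draft and not the kernel's own
CIPSO implementation) of a bounds-checked walk over a received option: type
134, a length between 6 and 40 that also fits the octets actually present, a
non-zero DOI assembled octet by octet because the field may be unaligned,
then each tag checked to fit inside the option before it is accepted.  The
struct and function names, the error codes and the sample options are this
example's own choices.

```c
/*
 * Added example, not code from the draft or from the kernel: a
 * bounds-checked parser for a received CIPSO option (sections 3.1 to 3.4).
 * Names, error codes and the sample options are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIPSO_OPT_TYPE  134   /* section 3.1 */
#define CIPSO_OPT_MAX   40    /* whole IP options area, section 3.2 */
#define CIPSO_HDR_LEN   6     /* type, length, 4-octet DOI */
#define CIPSO_MAX_TAGS  17    /* (40 - 6) / 2-octet minimum tag */

struct cipso_tag {
    uint8_t type;
    uint8_t len;             /* whole tag, type and length octets included */
    const uint8_t *data;     /* points at the tag type octet */
};

struct cipso_opt {
    uint32_t doi;
    size_t ntags;
    struct cipso_tag tag[CIPSO_MAX_TAGS];
};

/* 0 on success, or a negative code for the first rule violated. */
int cipso_parse(const uint8_t *opt, size_t avail, struct cipso_opt *out)
{
    if (avail < CIPSO_HDR_LEN)               return -1; /* header cut off */
    if (opt[0] != CIPSO_OPT_TYPE)            return -2; /* not type 134 */
    uint8_t len = opt[1];
    if (len < CIPSO_HDR_LEN || len > CIPSO_OPT_MAX || len > avail)
        return -3;                                      /* bad option length */
    /* DOI is big-endian and may sit on any byte boundary (section 3.3),
     * so assemble it octet by octet instead of casting to uint32_t */
    uint32_t doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
                   (uint32_t)opt[4] << 8  | (uint32_t)opt[5];
    if (doi == 0)                            return -4; /* DOI 0 reserved */

    out->doi = doi;
    out->ntags = 0;
    size_t off = CIPSO_HDR_LEN;
    while (off < len) {
        if (len - off < 2)                   return -5; /* tag header cut off */
        uint8_t ttype = opt[off], tlen = opt[off + 1];
        /* tlen < 2 would never advance; tlen past len reads outside the option */
        if (tlen < 2 || tlen > len - off)    return -6;
        if (ttype == 0 || ttype == 3 || ttype == 4) return -7; /* reserved */
        if (ttype == 1 || ttype == 2 || ttype == 5) {
            if (tlen < 4 || tlen > 34)       return -8; /* sections 3.4.x.2 */
        } else if (ttype < 128) {
            return -9;                  /* standard range, not defined here */
        }
        /* ttype >= 128 is DOI-defined: kept, but only interpretable once
         * out->doi has been matched against a locally configured DOI */
        out->tag[out->ntags].type = ttype;
        out->tag[out->ntags].len  = tlen;
        out->tag[out->ntags].data = opt + off;
        out->ntags++;
        off += tlen;
    }
    return 0;
}

/* Scalar wrappers for quick checks. */
int cipso_check(const uint8_t *opt, size_t avail)
{
    struct cipso_opt o;
    return cipso_parse(opt, avail, &o);
}

long long cipso_doi_of(const uint8_t *opt, size_t avail)
{
    struct cipso_opt o;
    return cipso_parse(opt, avail, &o) == 0 ? (long long)o.doi : -1LL;
}

/* Constructed sample options, not captured traffic. */
static const uint8_t good_opt[] = {
    0x86, 0x0b,                   /* type 134, length 11 */
    0x00, 0x00, 0x00, 0x03,       /* DOI 3 */
    0x01, 0x05, 0x00, 0x02, 0xc0  /* tag 1, len 5, align, level 2, cats 0,1 */
};
static const uint8_t zero_doi[]     = { 0x86, 0x06, 0, 0, 0, 0 };
static const uint8_t overrun[]      = { 0x86, 0x08, 0, 0, 0, 7, 0x01, 0x20 };
static const uint8_t reserved_tag[] = { 0x86, 0x0a, 0, 0, 0, 7, 0x03, 0x04, 0, 1 };

int main(void)
{
    printf("good: %d, DOI %lld\n", cipso_check(good_opt, sizeof good_opt),
           cipso_doi_of(good_opt, sizeof good_opt));
    printf("zero DOI: %d, overrun: %d, reserved tag: %d\n",
           cipso_check(zero_doi, sizeof zero_doi),
           cipso_check(overrun, sizeof overrun),
           cipso_check(reserved_tag, sizeof reserved_tag));
    return 0;
}
```

The `tlen < 2` test is the one that matters most: a tag whose length octet
is 0 or 1 would otherwise never advance the walk, and a tag length larger
than the remaining option would read past the end of the header.  Tags with
types above 127 are kept but not interpreted, since their format depends on
the DOI.  Because the walk advances by at least 2 octets from offset 6 and
the option is at most 40 octets, 17 tag slots can never overflow.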

3.4.1    Tag Type Classes

Tag classes consist of tag types that have common processing requirements
and support the same security policy.  The three tags defined in this
Internet Draft belong to the Mandatory Access Control (MAC) Sensitivity
class and support the MAC Sensitivity security policy.


3.4.2    Tag Type 1

This is referred to as the "bit-mapped" tag type.  Tag type 1 is included
in the MAC Sensitivity tag type class.  The format of this tag type is as
follows:

+----------+----------+----------+----------+--------//---------+
| 00000001 | LLLLLLLL | 00000000 | LLLLLLLL | CCCCCCCCCCCCCCCCC |
+----------+----------+----------+----------+--------//---------+

    TAG       TAG      ALIGNMENT  SENSITIVITY    BIT MAP OF
    TYPE      LENGTH   OCTET      LEVEL          CATEGORIES

            Figure 3. Tag Type 1 Format


3.4.2.1    Tag Type

This field is 1 octet in length and has a value of 1.


3.4.2.2    Tag Length

This field is 1 octet in length.  It is the total length of the tag type
including the type and length fields.  With the current IP header length
restriction of 40 bytes the value within this field is between 4 and 34.


3.4.2.3    Alignment Octet

This field is 1 octet in length and always has the value of 0.  Its purpose
is to align the category bitmap field on an even octet boundary.  This will
speed many implementations including router implementations.


3.4.2.4    Sensitivity Level

This field is 1 octet in length.  Its value is from 0 to 255.  The values
are ordered with 0 being the minimum value and 255 representing the maximum
value.


3.4.2.5    Bit Map of Categories

The length of this field is variable and ranges from 0 to 30 octets.  This
provides representation of categories 0 to 239.  The ordering of the bits
is left to right or MSB to LSB.  For example category 0 is represented by
the most significant bit of the first byte and category 15 is represented
by the least significant bit of the second byte.  Figure 4 graphically
shows this ordering.  Bit N is binary 1 if category N is part of the label
for the datagram, and bit N is binary 0 if category N is not part of the
label.  Except for the optimized tag 1 format described in the next section,
minimal encoding SHOULD be used resulting in no trailing zero octets in the
category bitmap.

        octet 0  octet 1  octet 2  octet 3  octet 4  octet 5
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX . . .
bit     01234567 89111111 11112222 22222233 33333333 44444444
number             012345 67890123 45678901 23456789 01234567

            Figure 4. Ordering of Bits in Tag 1 Bit Map


3.4.2.6    Optimized Tag 1 Format

Routers work most efficiently when processing fixed length fields.  To
support these routers there is an optimized form of tag type 1.  The format
does not change.  The only change is to the category bitmap which is set to
a constant length of 10 octets.  Trailing octets required to fill out the 10
octets are zero filled.  Ten octets, allowing for 80 categories, was chosen
because it makes the total length of the CIPSO option 20 octets.  If CIPSO
is the only option then the option will be full word aligned and additional
filler octets will not be required.


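The bit ordering of Figure 4 and the two bitmap encodings (minimal in
3.4.2.5, fixed 10 octets in 3.4.2.6) are easy to get backwards, so here is
an added example in C, not code from the draft or from the kernel, that
builds a tag 1 from a list of category numbers in either encoding and
answers membership queries against a received tag after validating it.
The function names and the sample category sets are this example's own.

```c
/*
 * Added example, not code from the draft or from the kernel: encode and
 * query the tag type 1 bitmap of section 3.4.2.  Function names and the
 * sample category sets are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG1_MAX_CAT    239   /* 30 bitmap octets * 8 bits, section 3.4.2.5 */
#define TAG1_MAX_LEN    34    /* 4 header octets + 30 bitmap octets */
#define TAG1_OPT_OCTETS 10    /* optimized form, section 3.4.2.6 */

/*
 * Build a tag 1 from a list of category numbers (any order).  With
 * optimized != 0 the bitmap is always 10 octets, so categories 0..79 only;
 * otherwise trailing zero octets are dropped (minimal encoding).
 * Returns the tag length, or -1 for an out-of-range category or buffer.
 */
int tag1_encode(const unsigned *cats, size_t ncats, uint8_t level,
                int optimized, uint8_t *out, size_t cap)
{
    uint8_t bitmap[30] = {0};
    size_t used = 0;                        /* octets a minimal bitmap needs */

    for (size_t i = 0; i < ncats; i++) {
        unsigned c = cats[i];
        if (c > TAG1_MAX_CAT) return -1;
        if (optimized && c >= 8 * TAG1_OPT_OCTETS) return -1;
        /* category N is bit (7 - N % 8) of octet N / 8: MSB first (Figure 4) */
        bitmap[c / 8] |= (uint8_t)(0x80u >> (c % 8));
        if (c / 8 + 1 > used) used = c / 8 + 1;
    }
    size_t nbitmap = optimized ? TAG1_OPT_OCTETS : used;
    size_t tlen = 4 + nbitmap;
    if (tlen > cap) return -1;
    out[0] = 1;                 /* tag type */
    out[1] = (uint8_t)tlen;     /* tag length, including these two octets */
    out[2] = 0;                 /* alignment octet, always zero */
    out[3] = level;             /* sensitivity level 0..255 */
    memcpy(out + 4, bitmap, nbitmap);
    return (int)tlen;
}

/*
 * 1 if cat is in the received tag, 0 if not, -1 if the tag is malformed
 * (wrong type, length outside 4..34 or not matching tlen, non-zero
 * alignment octet) or cat is above 239.  A category past the end of the
 * transmitted bitmap is absent, not an error: minimal encoding omits
 * trailing zero octets.
 */
int tag1_has_category(const uint8_t *tag, size_t tlen, unsigned cat)
{
    if (tlen < 4 || tlen > TAG1_MAX_LEN) return -1;
    if (tag[0] != 1 || tag[1] != tlen || tag[2] != 0) return -1;
    if (cat > TAG1_MAX_CAT) return -1;
    size_t nbitmap = tlen - 4;
    if (cat / 8 >= nbitmap) return 0;
    return (tag[4 + cat / 8] >> (7 - cat % 8)) & 1;
}

/* Encode cats[] into a local buffer and test one category: -1 on failure. */
int tag1_roundtrip(const unsigned *cats, size_t ncats, int optimized,
                   unsigned query)
{
    uint8_t buf[TAG1_MAX_LEN];
    int n = tag1_encode(cats, ncats, 0, optimized, buf, sizeof buf);
    return n < 0 ? -1 : tag1_has_category(buf, (size_t)n, query);
}

/* Constructed samples, not captured traffic. */
static const unsigned sparse_cats[] = { 0, 15, 239 };  /* needs all 30 octets */
static const unsigned router_cats[] = { 0, 79 };        /* fits the 10-octet form */
static const uint8_t  rx_tag[]       = { 1, 5, 0, 2, 0xc0 }; /* level 2, cats 0,1 */
static const uint8_t  rx_bad_align[] = { 1, 5, 1, 2, 0xc0 }; /* alignment octet 1 */
static uint8_t scratch[TAG1_MAX_LEN];

int main(void)
{
    int n = tag1_encode(sparse_cats, 3, 5, 0, scratch, sizeof scratch);
    printf("minimal: tag length %d, cat 15 %d, cat 16 %d\n", n,
           tag1_has_category(scratch, (size_t)n, 15),
           tag1_has_category(scratch, (size_t)n, 16));
    n = tag1_encode(router_cats, 2, 1, 1, scratch, sizeof scratch);
    printf("optimized: tag length %d, option total %d\n", n, 6 + n);
    return 0;
}
```

A query for a category beyond the transmitted bitmap returns 0 rather than
an error, because minimal encoding simply does not send trailing zero
octets.  The optimized form rejects any category above 79: ten octets carry
exactly 80 bits, and the 4 + 10 octet tag plus the 6 octet option header is
the 20 octet total the draft chose for word alignment.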
3.4.3    Tag Type 2

This is referred to as the "enumerated" tag type.  It is used to describe
large but sparsely populated sets of categories.  Tag type 2 is in the MAC
Sensitivity tag type class.  The format of this tag type is as follows:

+----------+----------+----------+----------+-------------//-------------+
| 00000010 | LLLLLLLL | 00000000 | LLLLLLLL | CCCCCCCCCCCCCCCCCCCCCCCCCC |
+----------+----------+----------+----------+-------------//-------------+

    TAG       TAG      ALIGNMENT  SENSITIVITY         ENUMERATED
    TYPE      LENGTH   OCTET      LEVEL               CATEGORIES

                Figure 5. Tag Type 2 Format


3.4.3.1     Tag Type

This field is one octet in length and has a value of 2.


3.4.3.2    Tag Length

This field is 1 octet in length.  It is the total length of the tag type
including the type and length fields.  With the current IP header length
restriction of 40 bytes the value within this field is between 4 and 34.


3.4.3.3    Alignment Octet

This field is 1 octet in length and always has the value of 0.  Its purpose
is to align the category field on an even octet boundary.  This will
speed many implementations including router implementations.


3.4.3.4    Sensitivity Level

This field is 1 octet in length.  Its value is from 0 to 255.  The values
are ordered with 0 being the minimum value and 255 representing the
maximum value.


3.4.3.5    Enumerated Categories

In this tag, categories are represented by their actual value rather than
by their position within a bit field.  The length of each category is 2
octets.  Up to 15 categories may be represented by this tag.  Valid values
for categories are 0 to 65534.  Category 65535 is not a valid category
value.  The categories MUST be listed in ascending order within the tag.


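An added example in C (not from the draft or from the kernel) for the
enumerated form of section 3.4.3: it encodes a sorted category list into a
tag 2 and validates a received tag in full before answering a lookup, so an
out-of-order list, a 65535 entry or an odd-length category area is reported
as malformed instead of being silently matched.  Function names and the
constructed sample tags are this example's own.

```c
/*
 * Added example, not code from the draft or from the kernel: encode and
 * validate the enumerated tag type 2 of section 3.4.3.  Function names and
 * the constructed sample tags are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG2_MAX_CATS  15       /* (34 - 4) / 2 octets per category */
#define TAG2_MAX_LEN   34
#define TAG2_INVALID   0xffffu  /* 65535 is not a valid category */

/*
 * Encode up to 15 categories, strictly ascending and each <= 65534, as a
 * tag 2 in network byte order.  Returns the tag length or -1.
 */
int tag2_encode(const uint16_t *cats, size_t ncats, uint8_t level,
                uint8_t *out, size_t cap)
{
    if (ncats > TAG2_MAX_CATS) return -1;
    size_t tlen = 4 + 2 * ncats;
    if (tlen > cap) return -1;
    for (size_t i = 0; i < ncats; i++) {
        if (cats[i] == TAG2_INVALID) return -1;
        if (i > 0 && cats[i] <= cats[i - 1]) return -1;  /* must ascend */
    }
    out[0] = 2;                   /* tag type */
    out[1] = (uint8_t)tlen;       /* tag length, type and length included */
    out[2] = 0;                   /* alignment octet */
    out[3] = level;               /* sensitivity level */
    for (size_t i = 0; i < ncats; i++) {
        out[4 + 2 * i]     = (uint8_t)(cats[i] >> 8);   /* high octet first */
        out[4 + 2 * i + 1] = (uint8_t)(cats[i] & 0xff);
    }
    return (int)tlen;
}

/*
 * Validate a received tag 2 completely (type, length in 4..34 and equal to
 * tlen, zero alignment octet, whole 2-octet categories, ascending order,
 * no 65535) and only then look up cat.  Returns 1 if listed, 0 if not,
 * -1 if malformed, so a bad tag can never produce a "present" answer.
 */
int tag2_has_category(const uint8_t *tag, size_t tlen, uint16_t cat)
{
    if (tlen < 4 || tlen > TAG2_MAX_LEN || (tlen - 4) % 2 != 0) return -1;
    if (tag[0] != 2 || tag[1] != tlen || tag[2] != 0) return -1;
    int found = 0;
    unsigned prev = 0;
    for (size_t off = 4; off < tlen; off += 2) {
        unsigned c = (unsigned)tag[off] << 8 | tag[off + 1];
        if (c == TAG2_INVALID) return -1;
        if (off > 4 && c <= prev) return -1;          /* not ascending */
        prev = c;
        if (c == cat) found = 1;
    }
    return found;
}

/* Constructed samples, not captured traffic. */
static const uint16_t sparse[]     = { 7, 300, 65534 };
static const uint16_t unsorted[]   = { 300, 7 };
static const uint16_t too_many[16] = { 0, 1, 2, 3, 4, 5, 6, 7,
                                       8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t rx_ok[]   = { 2, 8, 0, 3, 0x00, 0x07, 0x01, 0x2c }; /* 7, 300 */
static const uint8_t rx_desc[] = { 2, 8, 0, 3, 0x01, 0x2c, 0x00, 0x07 }; /* 300, 7 */
static const uint8_t rx_odd[]  = { 2, 7, 0, 3, 0x00, 0x07, 0x01 };       /* cut short */
static uint8_t scratch[TAG2_MAX_LEN];

int main(void)
{
    int n = tag2_encode(sparse, 3, 4, scratch, sizeof scratch);
    printf("encoded length %d, has 300: %d, has 8: %d\n", n,
           tag2_has_category(scratch, (size_t)n, 300),
           tag2_has_category(scratch, (size_t)n, 8));
    printf("descending rx tag: %d, odd-length rx tag: %d\n",
           tag2_has_category(rx_desc, sizeof rx_desc, 7),
           tag2_has_category(rx_odd, sizeof rx_odd, 7));
    return 0;
}
```

Validating before looking up is deliberate: with a sparse, variable-length
list a receiver that stopped at the first match would accept a tag whose
later entries violate the ordering or length rules, and two implementations
could then disagree about what the label contains.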
3.4.4    Tag Type 5

This is referred to as the "range" tag type.  It is used to represent
labels where all categories in a range, or set of ranges, are included
in the sensitivity label.  Tag type 5 is in the MAC Sensitivity tag type
class.  The format of this tag type is as follows:

+----------+----------+----------+----------+------------//-------------+
| 00000101 | LLLLLLLL | 00000000 | LLLLLLLL |  Top/Bottom | Top/Bottom  |
+----------+----------+----------+----------+------------//-------------+

    TAG       TAG      ALIGNMENT  SENSITIVITY        CATEGORY RANGES
    TYPE      LENGTH   OCTET      LEVEL

                     Figure 6. Tag Type 5 Format


3.4.4.1     Tag Type

This field is one octet in length and has a value of 5.


3.4.4.2    Tag Length

This field is 1 octet in length.  It is the total length of the tag type
including the type and length fields.  With the current IP header length
restriction of 40 bytes the value within this field is between 4 and 34.


3.4.4.3    Alignment Octet

This field is 1 octet in length and always has the value of 0.  Its purpose
is to align the category range field on an even octet boundary.  This will
speed many implementations including router implementations.


^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) 
3.4.4.4    Sensitivity Level

This field is 1 octet in length.  Its value is from 0 to 255.  The values
are ordered with 0 being the minimum value and 255 representing the maximum
value.


3.4.4.5    Category Ranges

A category range is a 4 octet field comprised of the 2 octet index of the
highest numbered category followed by the 2 octet index of the lowest
numbered category.  These range endpoints are inclusive within the range of
categories.  All categories within a range are included in the sensitivity
label.  This tag may contain a maximum of 7 category pairs.  The bottom
category endpoint for the last pair in the tag MAY be omitted and SHOULD be
assumed to be 0.  The ranges MUST be non-overlapping and be listed in
descending order.  Valid values for categories are 0 to 65534.  Category
65535 is not a valid category value.
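The checks of 3.4.4.2 through 3.4.4.5 can be applied in a single pass over the
tag.  The parser below is an added illustration and is not part of this draft
or of any particular CIPSO implementation; its structure names, the FAIL macro
and the sample tags in the self-test are constructed for the example.  It
rejects a tag on the first malformed field and reports that field's offset,
which is what a receiver needs to set the ICMP "parameter problem" pointer of
section 5.1.  Because 3.4.4.5 allows at most 7 pairs, the longest tag that
passes is 4 + 7*4 = 32 octets; the 34-octet bound of 3.4.4.2 is the option
area limit and is checked as well.

```c
#include <stddef.h>
#include <stdint.h>

#define CIPSO_TAG_RANGE       5       /* tag type value, 3.4.4.1 */
#define CIPSO_TAG5_MAX_PAIRS  7       /* at most 7 category pairs, 3.4.4.5 */
#define CIPSO_TAG5_MIN_LEN    4       /* type, length, alignment, level */
#define CIPSO_TAG5_MAX_LEN    34      /* 40-octet IP options area, 3.4.4.2 */
#define CIPSO_CAT_INVALID     0xFFFFu /* 65535 is not a valid category */

struct cat_range { uint16_t top, bottom; };   /* inclusive, top >= bottom */

struct cipso_tag5 {
    uint8_t  level;
    unsigned npairs;
    struct cat_range ranges[CIPSO_TAG5_MAX_PAIRS];
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Record the offset of the offending field and give up (example helper). */
#define FAIL(o) do { *bad_off = (o); return -1; } while (0)

/* Validate one Tag Type 5 starting at `tag` with `avail` octets readable.
 * Returns 0 and fills `out` on success.  On failure returns -1 and stores in
 * `bad_off` the offset, from the tag start, of the first field that failed;
 * adding the tag's position in the IP header gives the ICMP pointer (5.1). */
int cipso_tag5_parse(const uint8_t *tag, size_t avail,
                     struct cipso_tag5 *out, size_t *bad_off)
{
    size_t len, body, i;
    uint16_t prev_bottom = 0;
    if (avail < CIPSO_TAG5_MIN_LEN || tag[0] != CIPSO_TAG_RANGE)
        FAIL(0);
    len = tag[1];
    if (len < CIPSO_TAG5_MIN_LEN || len > CIPSO_TAG5_MAX_LEN || len > avail)
        FAIL(1);                       /* length leaves the option area */
    /* Pairs are 4 octets and only the last bottom endpoint may be omitted,
     * so the body is a multiple of 4, or 2 more than a multiple of 4. */
    body = len - CIPSO_TAG5_MIN_LEN;
    out->npairs = (unsigned)((body + 2) / 4);
    if (body % 2 != 0 || out->npairs > CIPSO_TAG5_MAX_PAIRS)
        FAIL(1);
    if (tag[2] != 0)                   /* alignment octet must be 0 */
        FAIL(2);
    out->level = tag[3];
    for (i = 0; i < out->npairs; i++) {
        size_t off = CIPSO_TAG5_MIN_LEN + 4 * i;
        uint16_t top = get_be16(tag + off);
        uint16_t bottom = 0;           /* an omitted bottom is taken as 0 */
        if (off + 4 <= len)
            bottom = get_be16(tag + off + 2);
        if (top == CIPSO_CAT_INVALID)
            FAIL(off);
        if (bottom == CIPSO_CAT_INVALID || bottom > top)
            FAIL(off + 2);
        /* Descending and non-overlapping: each top lies strictly below the
         * previous pair's bottom. */
        if (i > 0 && top >= prev_bottom)
            FAIL(off);
        out->ranges[i].top = top;
        out->ranges[i].bottom = bottom;
        prev_bottom = bottom;
    }
    *bad_off = 0;
    return 0;
}

/* 1 if `cat` falls inside any range of the tag, else 0. */
int cipso_tag5_contains(const struct cipso_tag5 *t, uint16_t cat)
{
    unsigned i;
    for (i = 0; i < t->npairs; i++)
        if (cat <= t->ranges[i].top && cat >= t->ranges[i].bottom)
            return 1;
    return 0;
}

/* Constructed sample tags exercising each check; returns how many checks did
 * not behave as the draft specifies (0 = all passed). */
int cipso_tag5_selftest(void)
{
    /* level 3; ranges 100..96, 16..5 and 2..0 (bottom of last pair omitted) */
    static const uint8_t good[]     = { 5, 14, 0, 3, 0, 100, 0, 96, 0, 16, 0, 5, 0, 2 };
    static const uint8_t overlap[]  = { 5, 12, 0, 3, 0, 100, 0, 16, 0, 32, 0, 5 };
    static const uint8_t badalign[] = { 5,  8, 1, 3, 0, 100, 0, 96 };
    static const uint8_t badcat[]   = { 5,  8, 0, 3, 0xFF, 0xFF, 0, 0 };
    struct cipso_tag5 t; size_t off; int failed = 0;
    failed += cipso_tag5_parse(good, sizeof good, &t, &off) != 0;
    failed += t.npairs != 3 || t.level != 3 || t.ranges[2].bottom != 0;
    failed += !cipso_tag5_contains(&t, 98) || cipso_tag5_contains(&t, 50);
    failed += !cipso_tag5_contains(&t, 0) || cipso_tag5_contains(&t, 3);
    failed += cipso_tag5_parse(overlap, sizeof overlap, &t, &off) != -1 || off != 8;
    failed += cipso_tag5_parse(badalign, sizeof badalign, &t, &off) != -1 || off != 2;
    failed += cipso_tag5_parse(badcat, sizeof badcat, &t, &off) != -1 || off != 4;
    failed += cipso_tag5_parse(overlap, 8, &t, &off) != -1 || off != 1; /* truncated */
    return failed;
}
```

The parser is strict in the direction the draft requires of receivers: any
malformed field rejects the whole tag, and the reported offset lets the caller
build an accurate ICMP pointer instead of pointing at the option as a whole.
It never repairs a tag; a sender that wants the omitted-bottom form has to
emit it deliberately.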


3.4.5     Minimum Requirements

A CIPSO implementation MUST be capable of generating at least tag type 1 in
the non-optimized form.  In addition, a CIPSO implementation MUST be able
to receive any valid tag type 1, even those using the optimized tag type 1
format.


4.    Configuration Parameters

The configuration parameters defined below are required for all CIPSO hosts,
gateways, and routers that support multiple sensitivity labels.  A CIPSO
host is defined to be the origination or destination system for an IP
datagram.  A CIPSO gateway provides IP routing services between two or more
IP networks and may be required to perform label translations between
networks.  A CIPSO gateway may be an enhanced CIPSO host or it may just
provide gateway services with no end system CIPSO capabilities.  A CIPSO
router is a dedicated IP router that routes IP datagrams between two or more
IP networks.

An implementation of CIPSO on a host MUST have the capability to reject a
datagram when the information it contains cannot be adequately protected by
the receiving host or when acceptance may result in a violation of the host
or network security policy.  In addition, a CIPSO gateway or router MUST be
able to reject datagrams going to networks that cannot provide adequate
protection or where acceptance may violate the network's security policy.
To provide this capability the following minimal set of configuration
parameters is required for CIPSO implementations:

HOST_LABEL_MAX - This parameter contains the maximum sensitivity label that
a CIPSO host is authorized to handle.  All datagrams that have a label
greater than this maximum MUST be rejected by the CIPSO host.  This
parameter does not apply to CIPSO gateways or routers.  This parameter need
not be defined explicitly as it can be implicitly derived from the
PORT_LABEL_MAX parameters for the associated interfaces.

HOST_LABEL_MIN - This parameter contains the minimum sensitivity label that
a CIPSO host is authorized to handle.  All datagrams that have a label less
than this minimum MUST be rejected by the CIPSO host.  This parameter does
not apply to CIPSO gateways or routers.  This parameter need not be defined
explicitly as it can be implicitly derived from the PORT_LABEL_MIN
parameters for the associated interfaces.

PORT_LABEL_MAX - This parameter contains the maximum sensitivity label for
all datagrams that may exit a particular network interface port.  All
outgoing datagrams that have a label greater than this maximum MUST be
rejected by the CIPSO system.  The label within this parameter MUST be
less than or equal to the label within the HOST_LABEL_MAX parameter.  This
parameter does not apply to CIPSO hosts that support only one network port.

PORT_LABEL_MIN - This parameter contains the minimum sensitivity label for
all datagrams that may exit a particular network interface port.  All
outgoing datagrams that have a label less than this minimum MUST be
rejected by the CIPSO system.  The label within this parameter MUST be
greater than or equal to the label within the HOST_LABEL_MIN parameter.
This parameter does not apply to CIPSO hosts that support only one network
port.

PORT_DOI - This parameter is used to assign a DOI identifier value to a
particular network interface port.  All CIPSO labels within datagrams
going out this port MUST use the specified DOI identifier.  All CIPSO
hosts and gateways MUST support either this parameter, the NET_DOI
parameter, or the HOST_DOI parameter.

NET_DOI - This parameter is used to assign a DOI identifier value to a
particular IP network address.  All CIPSO labels within datagrams destined
for the particular IP network MUST use the specified DOI identifier.  All
CIPSO hosts and gateways MUST support either this parameter, the PORT_DOI
parameter, or the HOST_DOI parameter.

HOST_DOI - This parameter is used to assign a DOI identifier value to a
particular IP host address.  All CIPSO labels within datagrams destined for
the particular IP host will use the specified DOI identifier.  All CIPSO
hosts and gateways MUST support either this parameter, the PORT_DOI
parameter, or the NET_DOI parameter.

This list represents the minimal set of configuration parameters required
to be compliant.  Implementors are encouraged to add to this list to
provide enhanced functionality and control.  For example, many security
policies may require that both incoming and outgoing datagrams be checked
against the port and host label ranges.


4.1    Port Range Parameters

The labels represented by the PORT_LABEL_MAX and PORT_LABEL_MIN parameters
MAY be in CIPSO or local format.  Some CIPSO systems, such as routers, may
want to have the range parameters expressed in CIPSO format so that incoming
labels do not have to be converted to a local format before being compared
against the range.  If multiple DOIs are supported by one of these CIPSO
systems then multiple port range parameters would be needed, one set for
each DOI supported on a particular port.

The port range will usually represent the total set of labels that may
exist on the logical network accessed through the corresponding network
interface.  It may, however, represent a subset of these labels that are
allowed to enter the CIPSO system.


4.2    Single Label CIPSO Hosts

CIPSO implementations that support only one label are not required to
support the parameters described above.  These limited implementations are
only required to support a NET_LABEL parameter.  This parameter contains
the CIPSO label that may be inserted in datagrams that exit the host.  In
addition, the host MUST reject any incoming datagram that has a label which
is not equivalent to the NET_LABEL parameter.


5.    Handling Procedures

This section describes the processing requirements for incoming and
outgoing IP datagrams.  Just providing the correct CIPSO label format
is not enough.  Assumptions will be made by one system on how a
receiving system will handle the CIPSO label.  Wrong assumptions may
lead to non-interoperability or even a security incident.  The
requirements described below represent the minimal set needed for
interoperability and for giving users some level of confidence.
Many other requirements could be added to increase user confidence,
but at the risk of restricting creativity and limiting vendor
participation.


5.1    Input Procedures

All datagrams received through a network port MUST have a security label
associated with them, either contained in the datagram or assigned to the
receiving port.  Without this label the host, gateway, or router will not
have the information it needs to make security decisions.  This security
label will be obtained from the CIPSO option if it is present in the
datagram.  See section 5.1.2 for handling procedures for unlabeled
datagrams.  This label will be compared against the PORT (if appropriate)
and HOST configuration parameters defined in section 4.

If any field within the CIPSO option, such as the DOI identifier, is not
recognized, the IP datagram is discarded and an ICMP "parameter problem"
(type 12) is generated and returned.  The ICMP code field is set to "bad
parameter" (code 0) and the pointer is set to the start of the CIPSO field
that is unrecognized.

If the contents of the CIPSO option are valid but the security label is
outside of the configured host or port label range, the datagram is
discarded and an ICMP "destination unreachable" (type 3) is generated
and returned.  The code field of the ICMP is set to "communication with
destination network administratively prohibited" (code 9) or to
"communication with destination host administratively prohibited"
(code 10).  The value of the code field used is dependent upon whether
the originator of the ICMP message is acting as a CIPSO host or a CIPSO
gateway.  The recipient of the ICMP message MUST be able to handle either
value.  The same procedure is performed if a CIPSO option cannot be added
to an IP packet because it is too large to fit in the IP options area.

If the error is triggered by receipt of an ICMP message, the message
is discarded and no response is permitted (consistent with general ICMP
processing rules).


5.1.1    Unrecognized Tag Types

The default condition for any CIPSO implementation is that an
unrecognized tag type MUST be treated as a "parameter problem" and
handled as described in section 5.1.  A CIPSO implementation MAY allow
the system administrator to identify tag types that may safely be
ignored.  This capability is an allowable enhancement, not a
requirement.


5.1.2    Unlabeled Packets

A network port may be configured to not require a CIPSO label for all
incoming datagrams.  For this configuration a CIPSO label must be
assigned to that network port and associated with all unlabeled IP
datagrams.  This capability might be used for single level networks or
networks that have CIPSO and non-CIPSO hosts and the non-CIPSO hosts
all operate at the same label.

If a CIPSO option is required and none is found, the datagram is
discarded and an ICMP "parameter problem" (type 12) is generated and
returned to the originator of the datagram.  The code field of the ICMP
is set to "option missing" (code 1) and the ICMP pointer is set to 134
(the value of the option type for the missing CIPSO option).


5.2    Output Procedures

A CIPSO option MUST appear only once in a datagram.  Only one tag type
from the MAC Sensitivity class MAY be included in a CIPSO option.  Given
the current set of defined tag types, this means that CIPSO labels at
first will contain only one tag.

All datagrams leaving a CIPSO system MUST meet the following condition:

        PORT_LABEL_MIN <= CIPSO label <= PORT_LABEL_MAX

If this condition is not satisfied the datagram MUST be discarded.
If the CIPSO system only supports one port, the HOST_LABEL_MIN and the
HOST_LABEL_MAX parameters MAY be substituted for the PORT parameters in
the above condition.
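Sections 4, 5.1, 5.1.2 and 5.2 together amount to a small decision procedure:
bind a label to every received datagram, compare it against the port range,
and choose the ICMP response when the comparison fails.  The code below is an
added example and is not part of this draft or of any CIPSO implementation.
It models a label as a level plus a category set and, as a simplification the
draft does not make, limits categories to a 64-bit bitmap (categories 0 to
63) so that "label A is no higher than label B" becomes a subset test.  The
port is assumed to recognize exactly one DOI (its PORT_DOI), the offset of
the DOI field relies on the option layout of type octet, length octet, then
DOI, and the configuration and datagrams in the self-test are constructed
for the example.

```c
#include <stdint.h>

/* Sensitivity label: a level plus a category set.  The draft allows categories
 * 0..65534; this example (an assumption, not the draft) uses a 64-bit bitmap. */
struct label { uint8_t level; uint64_t cats; };   /* bit n set = category n */

/* a <= b in the label ordering: level no higher and categories a subset. */
int label_le(const struct label *a, const struct label *b)
{
    return a->level <= b->level && (a->cats & ~b->cats) == 0;
}

/* Section 4 per-interface parameters plus the section 5.1.2 policy for
 * unlabeled datagrams.  One recognized DOI per port is assumed. */
struct port_cfg {
    uint32_t doi;             /* PORT_DOI */
    struct label min, max;    /* PORT_LABEL_MIN, PORT_LABEL_MAX */
    int require_cipso;        /* 1: unlabeled datagrams are rejected */
    struct label unlabeled;   /* label assigned when require_cipso == 0 */
};

/* ICMP types and codes named in sections 5.1 and 5.1.2. */
enum { ICMP_DEST_UNREACH = 3, ICMP_PARAM_PROB = 12, CIPSO_OPTION_TYPE = 134 };
enum { ICMP_BAD_PARAM = 0, ICMP_OPTION_MISSING = 1,
       ICMP_NET_ADMIN_PROHIB = 9, ICMP_HOST_ADMIN_PROHIB = 10 };

enum cipso_action { CIPSO_ACCEPT, CIPSO_DROP_ICMP, CIPSO_DROP_SILENT };
struct verdict {
    enum cipso_action action;
    uint8_t icmp_type, icmp_code, icmp_ptr;
    struct label label;       /* label bound to the datagram on accept */
};
struct rx_datagram {          /* what the receiver decoded from the header */
    int has_cipso;            /* CIPSO option present? */
    uint8_t cipso_off;        /* offset of the option within the IP header */
    uint32_t doi;             /* DOI carried in the option */
    struct label label;       /* label decoded from the option */
    int is_icmp;              /* the datagram is itself an ICMP message */
};

/* Input procedure (5.1, 5.1.2) for one datagram arriving on `port`. */
struct verdict cipso_input(const struct port_cfg *port,
                           const struct rx_datagram *d, int is_gateway)
{
    struct verdict v = { CIPSO_ACCEPT, 0, 0, 0, { 0, 0 } };
    if (!d->has_cipso && !port->require_cipso) {
        v.label = port->unlabeled;          /* 5.1.2: the port's label applies */
        return v;
    }
    if (!d->has_cipso) {                    /* option required but missing */
        v.icmp_type = ICMP_PARAM_PROB; v.icmp_code = ICMP_OPTION_MISSING;
        v.icmp_ptr  = CIPSO_OPTION_TYPE;
    } else if (d->doi != port->doi) {       /* unrecognized field: the DOI */
        v.icmp_type = ICMP_PARAM_PROB; v.icmp_code = ICMP_BAD_PARAM;
        v.icmp_ptr  = d->cipso_off + 2;     /* DOI follows type and length octets */
    } else if (!label_le(&port->min, &d->label) || !label_le(&d->label, &port->max)) {
        v.icmp_type = ICMP_DEST_UNREACH;    /* valid label outside the range */
        v.icmp_code = is_gateway ? ICMP_NET_ADMIN_PROHIB : ICMP_HOST_ADMIN_PROHIB;
    } else {
        v.label = d->label;
        return v;
    }
    /* An error triggered by an ICMP message gets no ICMP in return. */
    v.action = d->is_icmp ? CIPSO_DROP_SILENT : CIPSO_DROP_ICMP;
    return v;
}

/* Output condition of 5.2: PORT_LABEL_MIN <= label <= PORT_LABEL_MAX. */
int cipso_output_ok(const struct port_cfg *port, const struct label *l)
{
    return label_le(&port->min, l) && label_le(l, &port->max);
}

/* Constructed configuration and datagrams; returns how many outcomes differ
 * from what sections 5.1, 5.1.2 and 5.2 require (0 = none). */
int cipso_policy_selftest(void)
{
    struct port_cfg port = { 42, { 1, 0 }, { 3, 0x7 }, 1, { 1, 0 } };
    struct rx_datagram ok   = { 1, 20, 42, { 2, 0x3 }, 0 };
    struct rx_datagram high = { 1, 20, 42, { 4, 0x1 }, 0 }; /* level above max */
    struct rx_datagram cat  = { 1, 20, 42, { 2, 0x8 }, 0 }; /* category 3 not in max */
    struct rx_datagram doi  = { 1, 20, 99, { 2, 0x1 }, 0 }; /* unknown DOI */
    struct rx_datagram none = { 0,  0,  0, { 0, 0 },   0 }; /* no CIPSO option */
    struct verdict v; int failed = 0;
    failed += cipso_input(&port, &ok, 0).action != CIPSO_ACCEPT;
    v = cipso_input(&port, &high, 0);               /* as a host: code 10 */
    failed += v.action != CIPSO_DROP_ICMP || v.icmp_type != 3 || v.icmp_code != 10;
    failed += cipso_input(&port, &cat, 1).icmp_code != 9;  /* as a gateway: code 9 */
    v = cipso_input(&port, &doi, 0);
    failed += v.action != CIPSO_DROP_ICMP || v.icmp_type != 12 || v.icmp_ptr != 22;
    v = cipso_input(&port, &none, 0);
    failed += v.action != CIPSO_DROP_ICMP || v.icmp_code != 1 || v.icmp_ptr != 134;
    doi.is_icmp = 1;                                /* same fault inside an ICMP message */
    failed += cipso_input(&port, &doi, 0).action != CIPSO_DROP_SILENT;
    port.require_cipso = 0;                         /* 5.1.2: port label assigned */
    failed += cipso_input(&port, &none, 0).label.level != 1;
    failed += !cipso_output_ok(&port, &ok.label) || cipso_output_ok(&port, &high.label);
    return failed;
}
```

The same label_le() comparison serves both directions: the input side rejects
anything outside PORT_LABEL_MIN..PORT_LABEL_MAX, and cipso_output_ok() is the
5.2 condition applied on egress.  A label that is incomparable with the range
endpoints (a category outside PORT_LABEL_MAX, say) fails both tests, which is
the outcome a lattice-based policy needs; the range is not a simple interval
on levels alone.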

The DOI identifier to be used for all outgoing datagrams is configured by
the administrator.  If port level DOI identifier assignment is used, then
the PORT_DOI configuration parameter MUST contain the DOI identifier to
use.  If network level DOI assignment is used, then the NET_DOI parameter
MUST contain the DOI identifier to use.  If host level DOI assignment
is employed, then the HOST_DOI parameter MUST contain the DOI identifier
to use.  A CIPSO implementation need only support one level of DOI
assignment.


5.3    DOI Processing Requirements

A CIPSO implementation MUST support at least one DOI and SHOULD support
multiple DOIs.  System and network administrators are cautioned to
ensure that at least one DOI is common within an IP network to allow for
broadcasting of IP datagrams.

CIPSO gateways MUST be capable of translating a CIPSO option from one
DOI to another when forwarding datagrams between networks.  For
efficiency purposes this capability is only a desired feature for CIPSO
routers.


5.4    Label of ICMP Messages

The CIPSO label to be used on all outgoing ICMP messages MUST be equivalent
to the label of the datagram that caused the ICMP message.  If the ICMP was
generated due to a problem associated with the original CIPSO label then the
following responses are allowed:

  a.  Use the CIPSO label of the original IP datagram
  b.  Drop the original datagram with no return message generated

In most cases these options will have the same effect.  If a system cannot
interpret the label, or if the label is outside the label range of its host
or interface, then an ICMP message carrying the same label will probably
not be able to exit the system.


6.    Assignment of DOI Identifier Numbers

Requests for assignment of a DOI identifier number should be addressed to
the Internet Assigned Numbers Authority (IANA).


7.    Acknowledgements

Much of the material in this RFC is based on (and copied from) work
done by Gary Winiger of Sun Microsystems and published as Commercial
IP Security Option at the INTEROP 89, Commercial IPSO Workshop.


8.    Author's Address

To submit mail for distribution to members of the IETF CIPSO Working
Group, send mail to: cipso@wdl1.wdl.loral.com.

To be added to or deleted from this distribution, send mail to:
cipso-request@wdl1.wdl.loral.com.


9.    References

RFC 1038, "Draft Revised IP Security Option", M. St. Johns, IETF, January
1988.

RFC 1108, "U.S. Department of Defense Security Options for the Internet
Protocol", Stephen Kent, IAB, 1 March, 1991.