| Related sites for http://www.faqs.org/rfcs/rfc1038.html |
| MVS_Library_Analysis_Program Software for large-scale analysis of link edited load modules and JCL and procedure libraries in z/OS. OIC Programming Services is primarily a consulting firm offering z/OS, PC and Web applications a | | Spb_Software_House Offshore consulting company located in St.Petersburg, Russia. Provides outsourcing of embedded software for Pocket PC and Palm. | | Lildemon\'s_PHP_Scripting_Resources About lildemon. Showcases PHP scripts and tutorials by various authors, with discussion on forums for those who need help. Photo Albums. HalfLife related. Links. | | Net/Effect_Corporation Provides data networking and telecommunications services . | | Cam_Cruiser Slide show of images from webcams around the world. | | ServDirect UNIX shell provider. | | Carlton,_David Personal info. One from GDB developers. Also working on interpreter for the Z-Machine byte-code language. Go game resources. | | AC_Microwave_GmbH Offers the LINMIC+/N microwave and RF IC design suite; mostly electromagnetics-based. | | Assignment_#1__The_Leda_Programming_Language_Web_Page Leda language overview. | | LinuxTag European Linux conference for businesses (website in German, some parts translated to English). | | Autohotkey Open source (GPL) keyboard, joystick, and mouse remapper with a regular scripting language plus compiler. Compatible with AutoIt v2. | | Neopia\'s_Hidden_Meadows A place to get quick information on the latest happing in Neopia, with forums, graphics, daily links and freebies, and news about upcoming events. | | adLDAP A PHP class that provides LDAP authentication with Active Directory. | | Free_Flash_Designs Free flash banners for web sites, code is supplied so that anyone can have a flash enhanced website. | | NEZamp NSF plugin for Winamp that supports many on-cart sound producing devices in Famicom carts. | | alt_binaries_cd_image This document attempts to answer frequently asked questions related to this newsgroup and provides information on getting parts, recreating an image and burning a CD, and also on posting files. | | GFI_-_Security_and_Messaging_Software Software for Windows 2000/NT. Developers of fax server software for Exchange, email security, content checking and anti-virus software for Exchange Server and network security and ISA Server. | | MailGoGoGo MailGoGoGo prevents unwanted e-mail from reaching an inbox. Available for Macintosh and Windows. | | Digisoft_77 PHP Shopping Cart. It use MySQL and not requiring knowledge of HTML or programming. Demo available. [Commercial] | | Coballes,_Alain_-_Mind_Murder An Experimental/folio site. |
|
RFC 1038 (rfc1038) - Draft revised IP security option@import 'http://faqs.org/abstracts/css/default.css';@import 'http://faqs.org/search.css';function erfc(s){document.write("[ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ]Alternate Formats: rfc1038.txt | rfc1038.txt.pdfRFC 1038 - Draft revised IP security optionSearch the Archives  Display RFC by number RFC1038 - Draft revised IP security optionNetwork Working Group M. St. JohnsRequest for Comments: 1038 IETF January 1988 Draft Revised IP Security OptionStatus of this Memo This RFC is a pre-publication draft of the revised Internet Protocol Security Option. This draft reflects the version as approved by the Protocol Standards Steering Group. It is provided for informational purposes only. The final version of this document will be available from Navy Publications and should not differ from this document in any major fashion. This document will be published as a change to the MIL-STD 1777, "Internet Protocol". Distribution of this memo is unlimited.9.3.13.1 Internet Options Defined. The following internet options are defined: CLASS NUMBER LENGTH DESCRIPTION _____ ______ ______ ___________ 0 00000 - End of Option list: This option occupies only 1 octet; it has no length octet. 0 00001 - No Operation: This option occupies only 1 octet; it has no length octet. 0 00010 var. Basic Security: Used to carry security level and accrediting authority flags. 0 00011 var. Loose Source Routing: Used to route the datagram based on information supplied by the source. 0 00101 var. Extended Security: Used to carry additional security information as required by registered authorities. 0 01001 var. Strict Source Routing: Used to route the datagram based on information supplied by the source. 0 00111 var. Record Route: Used to trace the route a datagram takes. 0 01000 4 Stream ID: Used to carry the stream identifier. 2 00100 var. Internet Timestamp: Used to accumulate timing information in transit.9.3.15.3 DoD Basic Security. Option type: 130 Option length: variable; minimum length: 4 The option identifies the U.S. security level to which the datagram is to be protected, and the accrediting authorities whose protection rules apply to each datagram. The option is used by accredited trusted components of an internet to: a. Validate the datagram as appropriate for transmission from the source. b. Guarantee that the route taken by the datagram (including the destination) is protected to the level required by all indicated accrediting authorities. c. Supply common label information required by computer security models. This option must be copied on fragmentation. This option appears at most once in a datagram. The format of this option is as follows: +--------------+-----------+-------------+-------------//----------+ | 10000010 | XXXXXXXX | SSSSSSSS | AAAAAAA[1] AAAAAAA0 | | | | | [0] | +--------------+-----------+-------------+-------------//----------+ TYPE = 130 LENGTH CLASSIFICATION PROTECTION VARIABLE PROTECTION AUTHORITY LEVEL FLAGS FIGURE 10-A. SECURITY OPTION FORMAT9.3.15.3.1 Length. The length of the option is variable. The minimum length option is 4.9.3.15.3.2 Classification Protection Level. This field specifies the U.S. classification level to which the datagram should be protected. The information in the datagram should be assumed to be at this level until and unless it is regraded in accordance with the procedures of all indicated protecting authorities. This field specifies one of the four U.S. classification levels, and is encoded as follows: 11011110 - Top Secret 10101101 - Secret 01111010 - Confidential 01010101 - Unclassified9.3.15.3.3 Protection Authorities Flags. This field indicates the National Access Program(s) with accrediting authority whose rules apply to the protection of the datagram. a. Field Length: This field is variable in length. The low- order bit (Bit 7) of each octet is encoded as "zero" if it is the final octet in the field, or as "one" if there are additional octets. Currently, only one octet is needed for this field (because there are less than seven authorities), and the final bit of the first octet is coded as "zero". b. Source Flags: The first seven bits (Bits 0 through 6) in each octet are source flags which are each associated with an authority as indicated below. The bit corresponding to an authority is "one" if the datagram is to be protected in accordance with the rules of that authority.9.3.15.3.4 Usage Rules. Use of the option requires that a host be aware of 1) the classification level, or levels, at which it is permitted to operate, and 2) the protection authorities responsible for its certification. The achievement of this is implementation dependent. Rules for use of the option for different types of hosts are given below.9.3.15.3.4.1 Unclassified Hosts, including gateways. a. Output: Unclassified hosts may either use or not use the option. If it is used, classification level must be unclassified, bit 0 of the accreditation field (GENSER) must be one, and all other bits of the accreditation field must be 0. While use of the option is permitted, it is recommended that unclassified hosts interested in maximizing interoperability with existing non- compliant implementations not use the option. b. Input: Unclassified hosts should accept for further processing IP datagrams without the option. If the option is present on an incoming IP datagram, then the datagram is accepted for further processing only if the classification level is unclassified, bit 0 of the accreditation field (GENSER) is one, and all other bits of the accreditation field are zero. Otherwise, the out-of-range procedure is followed.9.3.15.3.4.2 Hosts accredited in the Dedicated, System-High, orCompartmented Modes at a classification level higher than unclassified. a. Output. The use of the option is mandatory. The classification level should be the dedicated level for dedicated hosts and the system-high level for system-high and compartmented hosts. The accrediting authority flags should be one for all authorities which have accredited the hosts, and zero for all other authorities. b. Input. If 1) the option is present, 2) the classification level matches the host classification level, and 3) the accrediting authority flags for all accrediting authorities of the receiving host are one, and all others are zero, the IP datagram should be accepted for further processing. Otherwise, the out- of-range procedure is followed.9.3.15.3.4.3 Hosts accredited in the Multi-Level or Controlled Mode fornetwork transmission. a. Output. The use of the option is mandatory. The classification level of an IP datagram should be within the range of levels for which the host is accredited. The protection authorities flags should be one for all authorities under whose rules the datagram should be protected. b. Input. In the specific case where a multi-level or controlled host is accredited to directly interface with an unclassified environment, the host may accept IP datagrams without a basic security option. Such datagrams should be assumed to be implicitly labelled unclassified, GENSER, and should be so labelled explicitly if they are later output. In all other cases, the IP datagrams should have the basic security option on input, and the out-of-range procedure should be followed if it is not. There are two cases to be considered where the option is present. The first case is where the system environment permits the values in the option to be trusted to be correct for some range of values; the second is where the values cannot be trusted to be correct. For each multi-level or controlled host, every input channel for IP datagrams must be considered and classed appropriately. If a channel does have a trusted range, then the values of both the classification level and the protection authorities are checked to insure that they fall within that range and the range of accredited values for the receiving host. If within both ranges, the IP datagram is accepted for further processing; otherwise the out-of-range procedure is followed. If the label cannot be trusted, then the receiving host must possess some accredited means of knowing what the correct marking should be (e.g., a trusted channel to a system-high host at a known level). On receipt of an IP datagram, the host compares the actual values in the option to the correct values. If the values match, the datagram is accepted for further processing; otherwise, the out-of-range procedure is followed.9.3.15.3.4.4 Out-Of-Range Procedure. If an IP datagram is received which does not meet the input requirements, then: a) The data field should be overwritten with ones. b) If the problem is a missing required Basic or Extended security option, an ICMP "parameter problem" message is sent to the originating host with the code field set to 1 (one) to indicate "missing required option" and the pointer field set to the option type of the missing option. Otherwise, an ICMP "parameter problem" message is sent to the originating host with code field set to 0 (zero) and with the pointer field pointing to the position of the out-of-range security option. c) If the receiving host has an interface to a local security officer or equivalent, the problem should be identified across that interface in an appropriate way.9.3.15.3.4.5 Trusted Intermediary Procedure. Certain devices in the internet may act as intermediaries to validate that communications between two hosts are authorized, based on a combination of knowledge of the hosts and the values in the IP security option. These devices may receive IP datagrams which are in range for the intermediate device, but are either not within the acceptable range for the sender, or for the ultimate receiver. In the former case, the datagram should be treated as described above for an out-of-range option. In the latter case, a "destination unreachable" ICMP message should be sent, with the code value of 10 (ten), indicating "Communication with Destination Host Administratively Prohibited".9.3.15.4 DoD Extended Security Option Option type: 133 Option length: variable This option permits additional security related information, beyond that present in the Basic Security Option, to be supplied in an IP datagram to meet the needs of registered authorities. If this option is required by an authority for a specific system, it must be specified explicitly in any Request for Proposal. It is not otherwise required. This option must be copied on fragmentation. This option may appear multiple times within a datagram. The format for this option is as follows: +------------+-------------+-------------+--------//-------+ | 10000101 | 000LLLLL | AAAAAAAA | add sec info | +------------+-------------+-------------+--------//-------+ type = 133 LENGTH = Var. ADDITIONAL ADDITIONAL SECURITY SECURITY INFO INFO AUTHORITY CODE FIGURE 10-B.9.3.15.4.1 Additional Security Info Authority Code. length = 8 bits The values of this field are assigned by DCA Code R130, Washington, D.C. 20305-2000. Each value corresponds to a requestor who, once assigned, becomes the authority for the remainder of the option definition for that value.9.3.15.4.2 Additional Security Information. length - variable This field contains any additional security information as specified by the authority. BIT NUMBER AUTHORITY 0 GENSER 1 SIOP 2 DSCCS-SPINTCOM 3 DSCCS-CRITICOM 4-7 Unassigned AUTHORITY SOURCE OF ANNEX DESCRIBING CURRENT CODING OF ADDITIONAL SECURITY INFORMATION GENSER National Access Program, less SIOP Defense Communications Agency ATTN: Code R130 Washington, DC 20305 SIOP National Access Program Department of Defense Organization of the Joint Chiefs of Staff Attn: J6T Washington, DC DSCCS-SPINTCOM National Access Program Defense Intelligence Agency Attn: DSE4 Bolling AFB, MD DSCCS-CRITICOM National Access Program National Security Agency 9800 Savage Road Attn: T03 Ft. Meade, MD 20755-6000 Previous: RFC 1037 - NFILE - a file access protocol Next: RFC 1039 - DoD statement on Open Systems Interconnection protocols [ RFC Index | RFC Search | Usenet FAQs | Web FAQs | Documents | Cities ] © 2008 FAQS.ORG. All rights reserved. |
|
