Lines Matching refs:of
14 the CIPSO IETF Working Group. Distribution of this memo is unlimited.
17 of the Internet Engineering Task Force (IETF), its Areas, and its Working
21 Internet Drafts are draft documents valid for a maximum of six months.
28 directory to learn the current status of this or any other Internet Draft.
35 Currently the Internet Protocol includes two security options. One of
38 provides sixteen security classifications and a variable number of handling
49 for use in a variety of government and civil sector environments.
51 The small number of ESO format codes can not support all the possible
52 applications of a commercial security option. The BSO and ESO were
77 systems within a single Domain of Interpretation (DOI). A DOI is a
78 collection of systems which agree on the meaning of particular values
89 transmitted in network byte order. The format of this option is as follows:
109 This field is 1 octet in length. It is the total length of the option
111 restriction of 40 octets the value of this field MUST not exceed 40.
114 3.3 Domain of Interpretation Identifier
124 corresponding ASCII representations. Non-related groups of systems may
136 have their own unique mappings. For example, one group of systems may
145 for interoperability. CIPSO uses sets of "tags" to contain the security
147 a tag type identifier followed by the length of the tag and ends with the
153 bytes to assist alignment of some information, however alignment can not
159 only be meaningful in certain Domains of Interpretation. For these tag
162 tag. Use of tag types above 127 are restricted to closed networks where
180 restrictions are based on the current IP limitation of 40 octets for all
188 Tag classes consist of tag types that have common processing requirements
208 in the MAC Sensitivity tag type class. The format of this tag type is as
223 This field is 1 octet in length and has a value of 1.
228 This field is 1 octet in length. It is the total length of the tag type
230 restriction of 40 bytes the value within this field is between 4 and 34.
235 This field is 1 octet in length and always has the value of 0. Its purpose
247 3.4.2.5 Bit Map of Categories
249 The length of this field is variable and ranges from 0 to 30 octets. This
250 provides representation of categories 0 to 239. The ordering of the bits
252 the most significant bit of the first byte and category 15 is represented
253 by the least significant bit of the second byte. Figure 4 graphically
254 shows this ordering. Bit N is binary 1 if category N is part of the label
255 for the datagram, and bit N is binary 0 if category N is not part of the
276 Figure 4. Ordering of Bits in Tag 1 Bit Map
282 support these routers there is an optimized form of tag type 1. The format
284 a constant length of 10 octets. Trailing octets required to fill out the 10
286 because it makes the total length of the CIPSO option 20 octets. If CIPSO
294 large but sparsely populated sets of categories. Tag type 2 is in the MAC
295 Sensitivity tag type class. The format of this tag type is as follows:
309 This field is one octet in length and has a value of 2.
314 This field is 1 octet in length. It is the total length of the tag type
316 restriction of 40 bytes the value within this field is between 4 and 34.
321 This field is 1 octet in length and always has the value of 0. Its purpose
347 by their position within a bit field. The length of each category is 2
356 labels where all categories in a range, or set of ranges, are included
358 class. The format of this tag type is as follows:
372 This field is one octet in length and has a value of 5.
377 This field is 1 octet in length. It is the total length of the tag type
379 restriction of 40 bytes the value within this field is between 4 and 34.
384 This field is 1 octet in length and always has the value of 0. Its purpose
409 A category range is a 4 octet field comprised of the 2 octet index of the
410 highest numbered category followed by the 2 octet index of the lowest
411 numbered category. These range endpoints are inclusive within the range of
413 label. This tag may contain a maximum of 7 category pairs. The bottom
422 A CIPSO implementation MUST be capable of generating at least tag type 1 in
440 An implementation of CIPSO on a host MUST have the capability to reject a
442 protected by the receiving host or if acceptance may result in violation of
446 provide this capability the following minimal set of configuration
507 This list represents the minimal set of configuration parameters required
520 against the range. If multiple DOIs are supported by one of these CIPSO
535 The port range will usually represent the total set of labels that may
537 interface. It may, however, represent a subset of these labels that are
559 interoperability and that provide users some level of confidence.
561 however at the risk of restricting creativity and limiting vendor
579 parameter" (code 0) and the pointer is set to the start of the CIPSO field
582 If the contents of the CIPSO are valid but the security label is
583 outside of the configured host or port label range, the datagram is
585 and returned. The code field of the ICMP is set to "communication with
599 (code 10). The value of the code field used is dependent upon whether
600 the originator of the ICMP message is acting as a CIPSO host or a CIPSO
601 gateway. The recipient of the ICMP message MUST be able to handle either
605 If the error is triggered by receipt of an ICMP message, the message
631 returned to the originator of the datagram. The code field of the ICMP
633 (the value of the option type for the missing CIPSO option).
640 the current set of defined tag types, this means that CIPSO labels at
669 to use. A CIPSO implementation need only support one level of DOI
678 broadcasting of IP datagrams.
680 CIPSO gateways MUST be capable of translating a CIPSO option from one
686 5.4 Label of ICMP Messages
689 to the label of the datagram that caused the ICMP message. If the ICMP was
693 a. Use the CIPSO label of the original IP datagram
697 interpret the label or if it is outside the label range of your host or
702 6. Assignment of DOI Identifier Numbers
704 Requests for assignment of a DOI identifier number should be addressed to
710 Much of the material in this RFC is based on (and copied from) work
711 done by Gary Winiger of Sun Microsystems and published as Commercial
717 To submit mail for distribution to members of the IETF CIPSO Working
740 RFC 1108, "U.S. Department of Defense Security Options