Blame view

Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt 28 KB
8802f616f   Paul Moore   [NetLabel]: docum...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
  IETF CIPSO Working Group
  16 July, 1992
  
  
  
                   COMMERCIAL IP SECURITY OPTION (CIPSO 2.2)
  
  
  
  1.    Status
  
  This Internet Draft provides the high level specification for a Commercial
  IP Security Option (CIPSO).  This draft reflects the version as approved by
  the CIPSO IETF Working Group.  Distribution of this memo is unlimited.
  
  This document is an Internet Draft.  Internet Drafts are working documents
  of the Internet Engineering Task Force (IETF), its Areas, and its Working
  Groups. Note that other groups may also distribute working documents as
  Internet Drafts.
  
  Internet Drafts are draft documents valid for a maximum of six months.
  Internet Drafts may be updated, replaced, or obsoleted by other documents
  at any time.  It is not appropriate to use Internet Drafts as reference
  material or to cite them other than as a "working draft" or "work in
  progress."
  
  Please check the I-D abstract listing contained in each Internet Draft
  directory to learn the current status of this or any other Internet Draft.
  
  
  
  
  2.    Background
  
  Currently the Internet Protocol includes two security options.  One of
  these options is the DoD Basic Security Option (BSO) (Type 130) which allows
  IP datagrams to be labeled with security classifications.  This option
  provides sixteen security classifications and a variable number of handling
  restrictions.  To handle additional security information, such as security
  categories or compartments, another security option (Type 133) exists and
  is referred to as the DoD Extended Security Option (ESO).  The values for
  the fixed fields within these two options are administered by the Defense
  Information Systems Agency (DISA).
  
  Computer vendors are now building commercial operating systems with
  mandatory access controls and multi-level security.  These systems are
  no longer built specifically for a particular group in the defense or
  intelligence communities.  They are generally available commercial systems
  for use in a variety of government and civil sector environments.
  
  The small number of ESO format codes can not support all the possible
  applications of a commercial security option.  The BSO and ESO were
  designed to only support the United States DoD.  CIPSO has been designed
  to support multiple security policies.  This Internet Draft provides the
  format and procedures required to support a Mandatory Access Control
  security policy.  Support for additional security policies shall be
  defined in future RFCs.
  
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 1]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  
  3.    CIPSO Format
  
  Option type: 134 (Class 0, Number 6, Copy on Fragmentation)
  Option length: Variable
  
  This option permits security related information to be passed between
  systems within a single Domain of Interpretation (DOI).  A DOI is a
  collection of systems which agree on the meaning of particular values
  in the security option.  An authority that has been assigned a DOI
  identifier will define a mapping between appropriate CIPSO field values
  and their human readable equivalent.  This authority will distribute that
  mapping to hosts within the authority's domain.  These mappings may be
  sensitive, therefore a DOI authority is not required to make these
  mappings available to anyone other than the systems that are included in
  the DOI.
  
  This option MUST be copied on fragmentation.  This option appears at most
  once in a datagram.  All multi-octet fields in the option are defined to be
  transmitted in network byte order.  The format of this option is as follows:
  
  +----------+----------+------//------+-----------//---------+
  | 10000110 | LLLLLLLL | DDDDDDDDDDDD | TTTTTTTTTTTTTTTTTTTT |
  +----------+----------+------//------+-----------//---------+
  
    TYPE=134    OPTION    DOMAIN OF               TAGS
                LENGTH    INTERPRETATION
  
  
                  Figure 1. CIPSO Format
  
  
  3.1    Type
  
  This field is 1 octet in length.  Its value is 134.
  
  
  3.2    Length
  
  This field is 1 octet in length.  It is the total length of the option
  including the type and length fields.  With the current IP header length
  restriction of 40 octets the value of this field MUST not exceed 40.
  
  
  3.3    Domain of Interpretation Identifier
  
  This field is an unsigned 32 bit integer.  The value 0 is reserved and MUST
  not appear as the DOI identifier in any CIPSO option.  Implementations
  should assume that the DOI identifier field is not aligned on any particular
  byte boundary.
  
  To conserve space in the protocol, security levels and categories are
  represented by numbers rather than their ASCII equivalent.  This requires
  a mapping table within CIPSO hosts to map these numbers to their
  corresponding ASCII representations.  Non-related groups of systems may
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 2]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  have their own unique mappings.  For example, one group of systems may
  use the number 5 to represent Unclassified while another group may use the
  number 1 to represent that same security level.  The DOI identifier is used
  to identify which mapping was used for the values within the option.
  
  
  3.4    Tag Types
  
  A common format for passing security related information is necessary
  for interoperability.  CIPSO uses sets of "tags" to contain the security
  information relevant to the data in the IP packet.  Each tag begins with
  a tag type identifier followed by the length of the tag and ends with the
  actual security information to be passed.  All multi-octet fields in a tag
  are defined to be transmitted in network byte order.  Like the DOI
  identifier field in the CIPSO header, implementations should assume that
  all tags, as well as fields within a tag, are not aligned on any particular
  octet boundary.   The tag types defined in this document contain alignment
  bytes to assist alignment of some information, however alignment can not
  be guaranteed if CIPSO is not the first IP option.
  
  CIPSO tag types 0 through 127 are reserved for defining standard tag
  formats.  Their definitions will be published in RFCs.  Tag types whose
  identifiers are greater than 127 are defined by the DOI authority and may
  only be meaningful in certain Domains of Interpretation.  For these tag
  types, implementations will require the DOI identifier as well as the tag
  number to determine the security policy and the format associated with the
  tag.  Use of tag types above 127 are restricted to closed networks where
  interoperability with other networks will not be an issue.  Implementations
  that support a tag type greater than 127 MUST support at least one DOI that
  requires only tag types 1 to 127.
  
  Tag type 0 is reserved. Tag types 1, 2, and 5 are defined in this
  Internet Draft.  Types 3 and 4 are reserved for work in progress.
  The standard format for all current and future CIPSO tags is shown below:
  
  +----------+----------+--------//--------+
  | TTTTTTTT | LLLLLLLL | IIIIIIIIIIIIIIII |
  +----------+----------+--------//--------+
      TAG       TAG         TAG
      TYPE      LENGTH      INFORMATION
  
      Figure 2:  Standard Tag Format
  
  In the three tag types described in this document, the length and count
  restrictions are based on the current IP limitation of 40 octets for all
  IP options.  If the IP header is later expanded, then the length and count
  restrictions specified in this document may increase to use the full area
  provided for IP options.
  
  
  3.4.1    Tag Type Classes
  
  Tag classes consist of tag types that have common processing requirements
  and support the same security policy.  The three tags defined in this
  Internet Draft belong to the Mandatory Access Control (MAC) Sensitivity
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 3]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  class and support the MAC Sensitivity security policy.
  
  
  3.4.2    Tag Type 1
  
  This is referred to as the "bit-mapped" tag type.  Tag type 1 is included
  in the MAC Sensitivity tag type class.  The format of this tag type is as
  follows:
  
  +----------+----------+----------+----------+--------//---------+
  | 00000001 | LLLLLLLL | 00000000 | LLLLLLLL | CCCCCCCCCCCCCCCCC |
  +----------+----------+----------+----------+--------//---------+
  
      TAG       TAG      ALIGNMENT  SENSITIVITY    BIT MAP OF
      TYPE      LENGTH   OCTET      LEVEL          CATEGORIES
  
              Figure 3. Tag Type 1 Format
  
  
  3.4.2.1    Tag Type
  
  This field is 1 octet in length and has a value of 1.
  
  
  3.4.2.2    Tag Length
  
  This field is 1 octet in length.  It is the total length of the tag type
  including the type and length fields.  With the current IP header length
  restriction of 40 bytes the value within this field is between 4 and 34.
  
  
  3.4.2.3    Alignment Octet
  
  This field is 1 octet in length and always has the value of 0.  Its purpose
  is to align the category bitmap field on an even octet boundary.  This will
  speed many implementations including router implementations.
  
  
  3.4.2.4    Sensitivity Level
  
  This field is 1 octet in length.  Its value is from 0 to 255.  The values
  are ordered with 0 being the minimum value and 255 representing the maximum
  value.
  
  
  3.4.2.5    Bit Map of Categories
  
  The length of this field is variable and ranges from 0 to 30 octets.  This
  provides representation of categories 0 to 239.  The ordering of the bits
  is left to right or MSB to LSB.  For example category 0 is represented by
  the most significant bit of the first byte and category 15 is represented
  by the least significant bit of the second byte.  Figure 4 graphically
  shows this ordering.  Bit N is binary 1 if category N is part of the label
  for the datagram, and bit N is binary 0 if category N is not part of the
  label.  Except for the optimized tag 1 format described in the next section,
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 4]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  minimal encoding SHOULD be used resulting in no trailing zero octets in the
  category bitmap.
  
          octet 0  octet 1  octet 2  octet 3  octet 4  octet 5
          XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX . . .
  bit     01234567 89111111 11112222 22222233 33333333 44444444
  number             012345 67890123 45678901 23456789 01234567
  
              Figure 4. Ordering of Bits in Tag 1 Bit Map
  
  
  3.4.2.6    Optimized Tag 1 Format
  
  Routers work most efficiently when processing fixed length fields.  To
  support these routers there is an optimized form of tag type 1.  The format
  does not change.  The only change is to the category bitmap which is set to
  a constant length of 10 octets.  Trailing octets required to fill out the 10
  octets are zero filled.  Ten octets, allowing for 80 categories, was chosen
  because it makes the total length of the CIPSO option 20 octets.  If CIPSO
  is the only option then the option will be full word aligned and additional
  filler octets will not be required.
  
  
  3.4.3    Tag Type 2
  
  This is referred to as the "enumerated" tag type.  It is used to describe
  large but sparsely populated sets of categories.  Tag type 2 is in the MAC
  Sensitivity tag type class.  The format of this tag type is as follows:
  
  +----------+----------+----------+----------+-------------//-------------+
  | 00000010 | LLLLLLLL | 00000000 | LLLLLLLL | CCCCCCCCCCCCCCCCCCCCCCCCCC |
  +----------+----------+----------+----------+-------------//-------------+
  
      TAG       TAG      ALIGNMENT  SENSITIVITY         ENUMERATED
      TYPE      LENGTH   OCTET      LEVEL               CATEGORIES
  
                  Figure 5. Tag Type 2 Format
  
  
  3.4.3.1     Tag Type
  
  This field is one octet in length and has a value of 2.
  
  
  3.4.3.2    Tag Length
  
  This field is 1 octet in length. It is the total length of the tag type
  including the type and length fields.  With the current IP header length
  restriction of 40 bytes the value within this field is between 4 and 34.
  
  
  3.4.3.3    Alignment Octet
  
  This field is 1 octet in length and always has the value of 0.  Its purpose
  is to align the category field on an even octet boundary.  This will
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 5]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  speed many implementations including router implementations.
  
  
  3.4.3.4    Sensitivity Level
  
  This field is 1 octet in length. Its value is from 0 to 255.  The values
  are ordered with 0 being the minimum value and 255 representing the
  maximum value.
  
  
  3.4.3.5    Enumerated Categories
  
  In this tag, categories are represented by their actual value rather than
  by their position within a bit field.  The length of each category is 2
  octets.  Up to 15 categories may be represented by this tag.  Valid values
  for categories are 0 to 65534.  Category 65535 is not a valid category
  value.  The categories MUST be listed in ascending order within the tag.
  
  
  3.4.4    Tag Type 5
  
  This is referred to as the "range" tag type.  It is used to represent
  labels where all categories in a range, or set of ranges, are included
  in the sensitivity label.  Tag type 5 is in the MAC Sensitivity tag type
  class.  The format of this tag type is as follows:
  
  +----------+----------+----------+----------+------------//-------------+
  | 00000101 | LLLLLLLL | 00000000 | LLLLLLLL |  Top/Bottom | Top/Bottom  |
  +----------+----------+----------+----------+------------//-------------+
  
      TAG       TAG      ALIGNMENT  SENSITIVITY        CATEGORY RANGES
      TYPE      LENGTH   OCTET      LEVEL
  
                       Figure 6. Tag Type 5 Format
  
  
  3.4.4.1     Tag Type
  
  This field is one octet in length and has a value of 5.
  
  
  3.4.4.2    Tag Length
  
  This field is 1 octet in length. It is the total length of the tag type
  including the type and length fields.  With the current IP header length
  restriction of 40 bytes the value within this field is between 4 and 34.
  
  
  3.4.4.3    Alignment Octet
  
  This field is 1 octet in length and always has the value of 0.  Its purpose
  is to align the category range field on an even octet boundary.  This will
  speed many implementations including router implementations.
  
  
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 6]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  3.4.4.4    Sensitivity Level
  
  This field is 1 octet in length. Its value is from 0 to 255.  The values
  are ordered with 0 being the minimum value and 255 representing the maximum
  value.
  
  
  3.4.4.5    Category Ranges
  
  A category range is a 4 octet field comprised of the 2 octet index of the
  highest numbered category followed by the 2 octet index of the lowest
  numbered category.  These range endpoints are inclusive within the range of
  categories.  All categories within a range are included in the sensitivity
  label.  This tag may contain a maximum of 7 category pairs.  The bottom
  category endpoint for the last pair in the tag MAY be omitted and SHOULD be
  assumed to be 0.  The ranges MUST be non-overlapping and be listed in
  descending order.  Valid values for categories are 0 to 65534.  Category
  65535 is not a valid category value.
  
  
  3.4.5     Minimum Requirements
  
  A CIPSO implementation MUST be capable of generating at least tag type 1 in
  the non-optimized form.  In addition, a CIPSO implementation MUST be able
  to receive any valid tag type 1 even those using the optimized tag type 1
  format.
  
  
  4.    Configuration Parameters
  
  The configuration parameters defined below are required for all CIPSO hosts,
  gateways, and routers that support multiple sensitivity labels.  A CIPSO
  host is defined to be the origination or destination system for an IP
  datagram.  A CIPSO gateway provides IP routing services between two or more
  IP networks and may be required to perform label translations between
  networks.  A CIPSO gateway may be an enhanced CIPSO host or it may just
  provide gateway services with no end system CIPSO capabilities.  A CIPSO
  router is a dedicated IP router that routes IP datagrams between two or more
  IP networks.
  
  An implementation of CIPSO on a host MUST have the capability to reject a
  datagram for reasons that the information contained can not be adequately
  protected by the receiving host or if acceptance may result in violation of
  the host or network security policy.  In addition, a CIPSO gateway or router
  MUST be able to reject datagrams going to networks that can not provide
  adequate protection or may violate the network's security policy.  To
  provide this capability the following minimal set of configuration
  parameters are required for CIPSO implementations:
  
  HOST_LABEL_MAX - This parameter contains the maximum sensitivity label that
  a CIPSO host is authorized to handle.  All datagrams that have a label
  greater than this maximum MUST be rejected by the CIPSO host.  This
  parameter does not apply to CIPSO gateways or routers.  This parameter need
  not be defined explicitly as it can be implicitly derived from the
  PORT_LABEL_MAX parameters for the associated interfaces.
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 7]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  
  HOST_LABEL_MIN - This parameter contains the minimum sensitivity label that
  a CIPSO host is authorized to handle.  All datagrams that have a label less
  than this minimum MUST be rejected by the CIPSO host.  This parameter does
  not apply to CIPSO gateways or routers.  This parameter need not be defined
  explicitly as it can be implicitly derived from the PORT_LABEL_MIN
  parameters for the associated interfaces.
  
  PORT_LABEL_MAX - This parameter contains the maximum sensitivity label for
  all datagrams that may exit a particular network interface port.  All
  outgoing datagrams that have a label greater than this maximum MUST be
  rejected by the CIPSO system.  The label within this parameter MUST be
  less than or equal to the label within the HOST_LABEL_MAX parameter.  This
  parameter does not apply to CIPSO hosts that support only one network port.
  
  PORT_LABEL_MIN - This parameter contains the minimum sensitivity label for
  all datagrams that may exit a particular network interface port.  All
  outgoing datagrams that have a label less than this minimum MUST be
  rejected by the CIPSO system.  The label within this parameter MUST be
  greater than or equal to the label within the HOST_LABEL_MIN parameter.
  This parameter does not apply to CIPSO hosts that support only one network
  port.
  
  PORT_DOI - This parameter is used to assign a DOI identifier value to a
  particular network interface port.  All CIPSO labels within datagrams
  going out this port MUST use the specified DOI identifier.  All CIPSO
  hosts and gateways MUST support either this parameter, the NET_DOI
  parameter, or the HOST_DOI parameter.
  
  NET_DOI - This parameter is used to assign a DOI identifier value to a
  particular IP network address.  All CIPSO labels within datagrams destined
  for the particular IP network MUST use the specified DOI identifier.  All
  CIPSO hosts and gateways MUST support either this parameter, the PORT_DOI
  parameter, or the HOST_DOI parameter.
  
  HOST_DOI - This parameter is used to assign a DOI identifier value to a
  particular IP host address.  All CIPSO labels within datagrams destined for
  the particular IP host will use the specified DOI identifier.  All CIPSO
  hosts and gateways MUST support either this parameter, the PORT_DOI
  parameter, or the NET_DOI parameter.
  
  This list represents the minimal set of configuration parameters required
  to be compliant.  Implementors are encouraged to add to this list to
  provide enhanced functionality and control.  For example, many security
  policies may require both incoming and outgoing datagrams be checked against
  the port and host label ranges.
  
  
  4.1    Port Range Parameters
  
  The labels represented by the PORT_LABEL_MAX and PORT_LABEL_MIN parameters
  MAY be in CIPSO or local format.  Some CIPSO systems, such as routers, may
  want to have the range parameters expressed in CIPSO format so that incoming
  labels do not have to be converted to a local format before being compared
  against the range.  If multiple DOIs are supported by one of these CIPSO
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 8]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  systems then multiple port range parameters would be needed, one set for
  each DOI supported on a particular port.
  
  The port range will usually represent the total set of labels that may
  exist on the logical network accessed through the corresponding network
  interface.  It may, however, represent a subset of these labels that are
  allowed to enter the CIPSO system.
  
  
  4.2    Single Label CIPSO Hosts
  
  CIPSO implementations that support only one label are not required to
  support the parameters described above.  These limited implementations are
  only required to support a NET_LABEL parameter.  This parameter contains
  the CIPSO label that may be inserted in datagrams that exit the host.  In
  addition, the host MUST reject any incoming datagram that has a label which
  is not equivalent to the NET_LABEL parameter.
  
  
  5.    Handling Procedures
  
  This section describes the processing requirements for incoming and
  outgoing IP datagrams.  Just providing the correct CIPSO label format
  is not enough.  Assumptions will be made by one system on how a
  receiving system will handle the CIPSO label.  Wrong assumptions may
  lead to non-interoperability or even a security incident.  The
  requirements described below represent the minimal set needed for
  interoperability and that provide users some level of confidence.
  Many other requirements could be added to increase user confidence,
  however at the risk of restricting creativity and limiting vendor
  participation.
  
  
  5.1    Input Procedures
  
  All datagrams received through a network port MUST have a security label
  associated with them, either contained in the datagram or assigned to the
  receiving port.  Without this label the host, gateway, or router will not
  have the information it needs to make security decisions.  This security
  label will be obtained from the CIPSO if the option is present in the
  datagram.  See section 4.1.2 for handling procedures for unlabeled
  datagrams.  This label will be compared against the PORT (if appropriate)
  and HOST configuration parameters defined in section 3.
  
  If any field within the CIPSO option, such as the DOI identifier, is not
  recognized the IP datagram is discarded and an ICMP "parameter problem"
  (type 12) is generated and returned.  The ICMP code field is set to "bad
  parameter" (code 0) and the pointer is set to the start of the CIPSO field
  that is unrecognized.
  
  If the contents of the CIPSO are valid but the security label is
  outside of the configured host or port label range, the datagram is
  discarded and an ICMP "destination unreachable" (type 3) is generated
  and returned.  The code field of the ICMP is set to "communication with
  destination network administratively prohibited" (code 9) or to
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 9]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  "communication with destination host administratively prohibited"
  (code 10).  The value of the code field used is dependent upon whether
  the originator of the ICMP message is acting as a CIPSO host or a CIPSO
  gateway.  The recipient of the ICMP message MUST be able to handle either
  value.  The same procedure is performed if a CIPSO can not be added to an
  IP packet because it is too large to fit in the IP options area.
  
  If the error is triggered by receipt of an ICMP message, the message
  is discarded and no response is permitted (consistent with general ICMP
  processing rules).
  
  
  5.1.1    Unrecognized tag types
  
  The default condition for any CIPSO implementation is that an
  unrecognized tag type MUST be treated as a "parameter problem" and
  handled as described in section 4.1.  A CIPSO implementation MAY allow
  the system administrator to identify tag types that may safely be
  ignored.  This capability is an allowable enhancement, not a
  requirement.
  
  
  5.1.2    Unlabeled Packets
  
  A network port may be configured to not require a CIPSO label for all
  incoming  datagrams.  For this configuration a CIPSO label must be
  assigned to that network port and associated with all unlabeled IP
  datagrams.  This capability might be used for single level networks or
  networks that have CIPSO and non-CIPSO hosts and the non-CIPSO hosts
  all operate at the same label.
  
  If a CIPSO option is required and none is found, the datagram is
  discarded and an ICMP "parameter problem" (type 12) is generated and
  returned to the originator of the datagram.  The code field of the ICMP
  is set to "option missing" (code 1) and the ICMP pointer is set to 134
  (the value of the option type for the missing CIPSO option).
  
  
  5.2    Output Procedures
  
  A CIPSO option MUST appear only once in a datagram.  Only one tag type
  from the MAC Sensitivity class MAY be included in a CIPSO option.  Given
  the current set of defined tag types, this means that CIPSO labels at
  first will contain only one tag.
  
  All datagrams leaving a CIPSO system MUST meet the following condition:
  
          PORT_LABEL_MIN <= CIPSO label <= PORT_LABEL_MAX
  
  If this condition is not satisfied the datagram MUST be discarded.
  If the CIPSO system only supports one port, the HOST_LABEL_MIN and the
  HOST_LABEL_MAX parameters MAY be substituted for the PORT parameters in
  the above condition.
  
  The DOI identifier to be used for all outgoing datagrams is configured by
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 10]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  the administrator.  If port level DOI identifier assignment is used, then
  the PORT_DOI configuration parameter MUST contain the DOI identifier to
  use.  If network level DOI assignment is used, then the NET_DOI parameter
  MUST contain the DOI identifier to use.  And if host level DOI assignment
  is employed, then the HOST_DOI parameter MUST contain the DOI identifier
  to use.  A CIPSO implementation need only support one level of DOI
  assignment.
  
  
  5.3    DOI Processing Requirements
  
  A CIPSO implementation MUST support at least one DOI and SHOULD support
  multiple DOIs.  System and network administrators are cautioned to
  ensure that at least one DOI is common within an IP network to allow for
  broadcasting of IP datagrams.
  
  CIPSO gateways MUST be capable of translating a CIPSO option from one
  DOI to another when forwarding datagrams between networks.  For
  efficiency purposes this capability is only a desired feature for CIPSO
  routers.
  
  
  5.4    Label of ICMP Messages
  
  The CIPSO label to be used on all outgoing ICMP messages MUST be equivalent
  to the label of the datagram that caused the ICMP message.  If the ICMP was
  generated due to a problem associated with the original CIPSO label then the
  following responses are allowed:
  
    a.  Use the CIPSO label of the original IP datagram
    b.  Drop the original datagram with no return message generated
  
  In most cases these options will have the same effect.  If you can not
  interpret the label or if it is outside the label range of your host or
  interface then an ICMP message with the same label will probably not be
  able to exit the system.
  
  
  6.    Assignment of DOI Identifier Numbers                                   =
  
  Requests for assignment of a DOI identifier number should be addressed to
  the Internet Assigned Numbers Authority (IANA).
  
  
  7.    Acknowledgements
  
  Much of the material in this RFC is based on (and copied from) work
  done by Gary Winiger of Sun Microsystems and published as Commercial
  IP Security Option at the INTEROP 89, Commercial IPSO Workshop.
  
  
  8.    Author's Address
  
  To submit mail for distribution to members of the IETF CIPSO Working
  Group, send mail to: cipso@wdl1.wdl.loral.com.
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 11]
  
  
  
  CIPSO INTERNET DRAFT                                         16 July, 1992
  
  
  
  
  To be added to or deleted from this distribution, send mail to:
  cipso-request@wdl1.wdl.loral.com.
  
  
  9.    References
  
  RFC 1038, "Draft Revised IP Security Option", M. St. Johns, IETF, January
  1988.
  
  RFC 1108, "U.S. Department of Defense Security Options
  for the Internet Protocol", Stephen Kent, IAB, 1 March, 1991.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  Internet Draft, Expires 15 Jan 93                                 [PAGE 12]