[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 RFC 5570

Network Working Group                                         M. StJohns
Internet-Draft                             R. Atkinson, Extreme Networks
draft-stjohns-sipso-03.txt                 G. Thomas, US Dept of Defense
Expires: 21 NOV 2008                                         21 May 2008


                       Common Architecture Label
                          IPv6 Security Option
                               (CALIPSO)



Status of this Memo

   This is an Internet-Draft.

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other groups
   may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


ABSTRACT


     This document describes an optional method for encoding
   explicit packet Sensitivity Labels on IPv6 packets.  It is
   intended for use only within Multi-Level secure (MLS)
   networking environments that are both trusted and
   trustworthy.






StJohns Et Alia                                                 [Page 1]

Internet-Draft                                               21 MAY 2008


1.  INTRODUCTION


        The original IPv4 specification in RFC-791 includes an
   option for labeling the sensitivity of IP packets. That
   option was revised by RFC-1038 and later by
   RFC-1108. [RFC-791][RFC-1038][RFC-1108]

       One or another IP Sensitivity Label option has been in
   limited deployment for about two decades, most usually in
   governmental or military internal networks.  There are also
   some commercial sector deployments, where corporate security
   policies require Mandatory Access Controls be applied to
   sensitive data.  For example, some banks use MLS technology
   to compartment information known to their investment banking
   staff, so that their trading staff is unaware of that
   information.  This option, like its IPv4 predecessors,
   is nearly always deployed within private internetworks,
   disconnected from the global Internet.  This document
   specifies the explicit packet labeling extensions for
   IPv6 packets.


1.1 History


        This document is a direct descendent of RFC-1038 and
   RFC-1108 and is a close cousin to the work done in the
   Commercial IP Security Option (CIPSO) Working Group of the
   Trusted Systems Interoperability Group (TSIG).[FIPS-188] The
   IP Security options defined by 1038 was designed with one
   specific purpose in mind: to support the fielding of an IPv4
   packet encryption device called a BLACKER.[RFC-1038] Because
   of this, the definitions and assumptions in those documents
   were necessarily focused on the US Department of Defense and
   the BLACKER device.  Today, packet Sensitivity Labeling is
   most commonly deployed within Multi-Level Secure (MLS)
   environments, often composed of Compartmented Mode
   Workstations (CMWs) connected via a Local Area Network
   (LAN).  So the mechanism defined here is accordingly more
   general than RFC-1038 or RFC-1108 were.

         Also, the deployment of Compartmented Mode
   Workstations ran into operational constraints caused by the
   limited, and relatively small, space available for IPv4
   options.  This caused one non-IETF specification for IPv4
   packet labeling to have a large number of sub-options.  A
   very unfortunate side-effect of having sub-options within an



StJohns Et Alia                                                 [Page 2]

Internet-Draft                                               21 MAY 2008


   IPv4 label option was that it became much more challenging
   to implement Intermediate System support for Mandatory
   Access Controls (e.g. in a router or MLS guard system) and
   still be able to forward traffic at, or near, wire-speed.

        In the last decade, typical Ethernet link speeds
   have changed from 10 Mbps half-duplex to 1 Gbps full-duplex.
   The 10 Gbps full- duplex Ethernet standard is widely
   available today in routers, Ethernet switches, and even in
   servers.  The IEEE is actively developing standards for both
   40 Gbps Ethernet and 100 Gbps Ethernet as of this writing.
   Forwarding at those speeds typically requires support from
   ASICs; supporting more complex packet formats usually
   require significantly more gates than supporting simpler
   packet formats.  So the pressure to have a single simple
   option format has only increased in the past decade.

        When IPv6 was initially being developed, it was
   anticipated that the availability of IP Security, in
   particular the Encapsulating Security Payload (ESP) and the
   IP Authentication Header (AH), would obviate the need for
   explicit packet Sensitivity Labels with IPv6. [RFC-1825,
   IPSEC, AH, ESP] For MLS IPv6 deployments where the use of AH
   or ESP is practical, use of AH and/or ESP is recommended.
   However, some applications (e.g. distributed file systems),
   most often those not designed for use with Compartmented
   Mode Workstations or other Multi-Level Secure (MLS)
   computers, multiplex different transactions at different
   sensitivity levels and/or with different privileges over a
   single IP communications session (e.g. with the User
   Datagram Protocol).  In order to maintain data Sensitivity
   Labeling for such applications, in order to be able to
   implement routing and Mandatory Access Control decisions in
   routers and guards on a per-IP-packet basis, and for other
   reasons, there is a need to have a mechanism for explicitly
   labeling the sensitivity information for each IPv6 packet.


1.2.  Intent


        This document describes a generic way of labeling IPv6
   datagrams to reflect their particular sensitivity.
   Provision is made for separating data based on domain of
   interpretation (e.g. an agency, a country, an alliance, or a
   coalition), the relative sensitivity (i.e. sensitivity
   levels), and need-to-know or formal access programs
   (i.e. compartments or categories).



StJohns Et Alia                                                 [Page 3]

Internet-Draft                                               21 MAY 2008


        A commonly used method of encoding Releasabilities
   as if they were Compartments is also described.  This usage
   does not have precisely the same semantics as formal
   Releasability policies, but existing Multi-Level Secure
   operating systems do not contain operating system support
   for releasabilities as a separate concept from compartments.
   The semantics for this sort of Releasability encoding is
   close to the formal policies and has been deployed by a
   number of different organisations for at least a decade now.

        In particular, the authors believe that this
   mechanism is suitable for deployment in UN peace-keeping
   operations, in NATO or other coalition operations, in all
   current US Government MLS environments, and for deployment
   in other similar commercial or governmental environments.
   The authors anticipate that this option would not normally
   ever appear on the global public Internet.  However, a clear
   specification for this option is essential for
   interoperability of hosts and routers within such a labelled
   network deployment.

        This option is NOT designed to be an all-purpose
   label option and specifically does not include support for
   generic Domain Type Enforcement (DTE) mechanisms.  If such a
   DTE label option is desired, it ought to be separately
   specified and have its own (i.e. different) IPv6 option
   number.

        The key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
   "MAY", and "OPTIONAL" in this document are to be interpreted
   as described in RFC-2119.[RFC-2119]


1.3 Deployment Examples


        Two deployment scenarios for IP packet sensitivity
   labels are most common.

        In the first scenario, all the connected nodes in
   a given private internetwork are trusted systems that have
   Multi-Level Secure (MLS) operating systems, such as
   Compartmented Mode Workstations (CMWs), that support
   per-packet sensitivity labels.  [TCSEC,CMW,DOD MLOS PP]
   In this type of deployment, all IP packets carried within
   the private internetwork are labelled, the IP routers apply
   mandatory access controls (MAC) based on the packet labels



StJohns Et Alia                                                 [Page 4]

Internet-Draft                                               21 MAY 2008


   and the sensitivity ranges configured into the routers, all
   hosts include packet sensitivity labels in each originated
   packet, and all hosts apply Mandatory Access Controls to
   each received packet.  Packets received by a router or host
   that have a sensitivity label outside the permitted range
   for the receiving interface (or, in the case of a router,
   outside the permitted range for the outgoing interface)
   are dropped because they violate the MAC policy.

        The second scenario is a variation of the first
   where hosts with non-MLS operating systems are present on
   certain subnetworks of the private internetwork.  These
   non-MLS hosts operate in "system high" mode, where all
   information on the system is considered to have the
   sensitivity of the most sensitive data on the system.  In
   this second scenario, each subnetwork that contains any
   single-level hosts has one single "default" Sensitivity
   Label that applies to all of those single-level systems on
   that IP subnetwork.  Because those hosts are unable to
   create packets containing sensitivity labels and are also
   unable to apply MAC enforcement on received packets, IP
   routers connected to such subnetworks need to insert
   sensitivity labels to packets originated by the system-high
   hosts that are to be forwarded off subnet.  For packets
   destined for such IP subnetworks, those last-hop IP routers
   also apply MAC and then either drop (if the packet is not
   permitted on that destination subnet) xor remove sensitivity
   labels and forward packets onto those system-high
   subnetworks (if the packet is permitted on that destination
   network).


2.  DEFINITIONS


        This section defines several terms that are important
   to understanding and correctly implementing this
   specification.  Because of historical variations in
   terminology in different user communities, several terms
   have defined synonyms.


2.1.  Domain of Interpretation


        A Domain of Interpretation (DOI) is a shorthand way of
   identifying the use of a particular labeling,
   classification, and handling system with respect to data,



StJohns Et Alia                                                 [Page 5]

Internet-Draft                                               21 MAY 2008


   the computers and people who process it, and the networks
   that carry it.  The DOI policies, combined with a particular
   Sensitivity Label (which is defined to have meaning within
   that DOI) applied to a datum or collection of data, dictates
   which systems, and ultimately which persons may receive that
   data.  In other words, a label of "SECRET" by itself is not
   meaningful; you also have to know the document or data
   belongs to the US Department of Defense (or some specific
   commercial firm, some other government, or some
   multi-national organisation) before you can decide on who is
   allowed to receive the data.

        A CALIPSO DOI is an opaque identifier that is used as a
   pointer to a particular set of policies which define the
   Sensitivity Levels and Compartments present within the DOI,
   and by inference, to the "real world" (e.g. used on paper
   documents) equivalent labels (See "Sensitivity Label"
   below).  Registering or defining a set of real world
   security policies as a CALIPSO DOI results in a standard way
   of labeling IP data originating from End Systems
   "accredited" or "approved" to operate within that DOI and
   the constraints of those security policies.  For example, if
   one did this for the US Department of Defense, you would
   list all the acceptable labels such as "Secret" and "Top
   Secret", and one would link the CALIPSO DOI to the DOD
   5200.28 and DOD 5200.1R documents which define how to mark
   and protect data with the US Department of Defense (DoD).
   [DoD 5200.28, DoD 5200.1-R]

        The scope of the DOI is dependent on the organization
   creating it.  In some cases, the creator of the DOI might
   not be identical to a given user of the DOI.  For example, a
   multi- national organisation (e.g. NATO) might create a DOI,
   while a given member nation or organisation (e.g. UK MoD)
   might be using that multi-national DOI (posssibly along with
   other DOIs created by others) within its private networks.
   To provide a different example, the US might establish a DOI
   with specific meanings which correspond to the normal way it
   labels classified documents and which would apply primarily
   to the US DOD, but those specific meanings might also apply
   to other associated agencies.  A company or other
   organisation also might establish a DOI which applies only
   to itself.

        Note well: A CALIPSO Domain of Interpretation is
   different from, and is disjoint from, an ISAKMP/IKE Domain
   of Interpretation.  It is important not to confuse the two
   different concepts, even though the terms might



StJohns Et Alia                                                 [Page 6]

Internet-Draft                                               21 MAY 2008


   superficially appear similar.


2.2.  Sensitivity Level


        A Sensitivity Level represents a mandatory separation
   of data based on relative sensitivity.  Sensitivity Levels
   ALWAYS have a specific ordering within a DOI.  Clearance to
   access a specific level of data also implies access to all
   levels whose sensitivity is less than that level.  For
   example, if the A, B, and C are levels, and A is more
   sensitive than B which is in turn more sensitive than C (A >
   B > C), access to data at the B level implies access to C as
   well. As an example, common UK terms for a Sensitivity Level
   include (from low to high) "Unclassified", "Restricted",
   "Confidential", "Secret", and "Most Secret".

   NOTE WELL: A Sensitivity Level is only one component of a
   Sensitivity Label.  It is important not to confuse the two
   terms.  The term "Sensitivity Level" has the same meaning as
   the term "Security Level".


2.3.  Compartment


        A Compartment represents a mandatory segregation of
   data based on formal information categories, formal
   information compartments, or formal access programs for
   specific types of data.  For example, a small startup
   company creates "Finance" and "R&D" compartments to protect
   data critical to its success -- only employees with a
   specific need to know (e.g. the accountants and controller
   for "Finance", specific engineers for "R&D") are given
   access to each compartment.  Each Compartment is separate
   and distinct.  Access to one Compartment does not imply
   access to any other Compartment.  Data may be protected in
   multiple compartments (e.g. "Finance" data about a new "R&D"
   project) at the same time, in which case access to ALL of
   those compartments is required to access the data.
   Employees only possessing clearance for a given sensitivity
   level (i.e. without having clearance for any specific
   compartments at that sensitivity level) do not have access
   to any data classified in any compartments (e.g. SECRET
   FINANCE dominates SECRET).

   NOTE WELL: The term "category" has the same meaning as



StJohns Et Alia                                                 [Page 7]

Internet-Draft                                               21 MAY 2008


   "compartment".  Some user communities have used the term
   "category", while other user communities have used the term
   "compartment", but the terms have identical meaning.


2.4   Releasability


         A Releasability represents a mandatory segregation of
   data, based on a formal decision to release information to
   others.

        Historically, most MLS deployments handled
   Releasability as if it were an inverted Compartment.
   Strictly speaking, this provides slightly different
   semantics, because the formal semantics of a compartment are
   different from the formal semantics of a Releasability.  In
   practice, for some years now some relatively large MLS
   deployments have been encoding Releasabilities as if they
   were inverted Compartments.  The results have been generally
   acceptable and those deployments are generally considered
   successful by their respective user communities.



2.4.1 Releasability Conceptual Example


        For example, two companies (ABC and XYZ) are
   engaging in a technical alliance.  ABC labels all
   information present within its enterprise that is to be
   shared as part of the alliance as REL XYZ (e.g.COMPANY
   CONFIDENTIAL REL XYZ).  However, unlike the compartment
   example above, COMPANY CONFIDENTIAL dominates COMPANY
   CONFIDENTIAL REL XYZ.  This means that XYZ employees granted
   a COMPANY CONFIDENTIAL REL XYZ clearance can only access
   releasable material, while ABC employees with a COMPANY
   CONFIDENTIAL clearance can access all information.  If REL
   XYZ were managed as a compartment, then users granted a
   COMPANY CONFIDENTIAL REL XYZ clearance would have access to
   all of ABC's COMPANY CONFIDENTIAL material, which is
   undesirable.  Releasabilities can be combined (e.g. COMPANY
   CONFIDENTIAL REL XYZ/ABLE).  In this case, users possessing
   a clearance of either COMPANY CONFIDENTIAL, COMPANY
   CONFIDENTIAL REL XYZ, COMPANY CONFIDENTIAL REL ABLE, or
   COMPANY CONFIDENTIAL REL XYZ/ABLE can access this
   information.




StJohns Et Alia                                                 [Page 8]

Internet-Draft                                               21 MAY 2008


2.4.2  Releasability Encoding


   Individual bits in this option's Compartment Bitmap field
   MAY be used to encode "releaseability" information.  The
   process for making this work properly is described below.

   This scheme is carefully designed so that intermediate
   systems need not know whether a given bit in the Compartment
   Bitmap field represents a compartment or a releasability.
   All that an intermediate system needs to do is apply the
   usual comparison (described elsewhere) to determine whether
   a packet's label is in-range for an interface or not.  This
   simplifies both configuration and implementation of a
   label-aware intermediate system.

   Unlike bits that represent compartments, bits that represent
   a releasability are "active low"; subjects who are NOT
   members of that releasability community have their
   respective compartment bit set to 1 in their clearance;
   parties who are members of that community have the
   corresponding compartment bit set to 0.

   If a given releasability bit in the Compartment Bitmap field
   is "0", the information may be released to that community.
   If the compartment bit is "1", the information may not be
   released to that community.


2.4.2  Releasability Encoding Example


   Let bits 0-3 of the Compartment Bitmap field be dedicated to
   controlling releasability to communities A, B, C, and D,
   respectively.

   [Editor's Note:
    Text with specific example of how the bits are used is
    needed.  Ideally, two examples would be helpful.  The
    first example should be a document releasable to no
    community.  The second example is releasable to community
    A and community C, but not to community B and not to
    community D.]

   Note that because of this active low encoding of
   releasability, code which make access control decisions
   based on binary labels does not need to know whether or not
   individual bits of the Compartment Bitmap field are



StJohns Et Alia                                                 [Page 9]

Internet-Draft                                               21 MAY 2008


   dedicated to releasabilities versus dedicated to
   compartments.

   Only administrative interfaces used to present or construct
   binary labels in human-readable form need to understand the
   distinction between releasability bits and non-releasability
   bits.  Implementers are encouraged to describe Releasability
   encoding in the documentation supplied to users of systems
   that implement this specification.


2.5.  Sensitivity Label


        A Sensitivity Label is a quadruple consisting of a DOI,
   a Sensitivity Level, a Compartment Set, and a Releasability
   Set.  The Compartment Set may be the empty set if and only
   if no compartments apply.  A Releasability Set may be the
   empty set if and only if no releasabilities apply.  A DOI
   used within a end system may be implicit or explicit
   depending on its use.  CALIPSO Sensitivity Labels always
   have an explicit DOI.  A CALIPSO Sensitivity Label consists
   of a Sensitivity Label in a particular format (defined
   below).  A CALIPSO Sensitivity Label ALWAYS contains an
   explicit DOI value.  In a CALIPSO Sensitivity Label, the
   Compartment Bitmap field is used to encode both the logical
   Compartment Set and also the logical Releasability Set.

        Hosts using operating systems with MLS capabilities
   that also implement IPv6 normally will be able to include
   CALIPSO labels in packets they originate and will be able to
   enforce MAC policy on the CALIPSO labels in any packets they
   receive.

          Hosts using an operating system that lacks
   Multi-Level Secure capabilities operate in "system high"
   mode.  This means that all data on the system is considered
   to have the Sensitivity Label of the most sensitive data on
   the system.  Such a system normally is neither capable of
   including CALIPSO labels in packets that it originates, nor
   of enforcing CALIPSO labels in packets that it receives.

        Note Well: The term "Security Marking" has the same
   meaning as "Sensitivity Label".







StJohns Et Alia                                                [Page 10]

Internet-Draft                                               21 MAY 2008


2.5.1 Sensitivity Label Comparison

        Two Sensitivity Labels (A and B) can be
   compared. Indeed, Sensitivity Labels exist primarily
   so they can be compared as part of a Mandatory Access
   Control decision.  Comparison is critical to determining
   if a subject (a person, network, etc.) operating at one
   Sensitivity Label (A) should be allowed to access an object
   (file, packet,route, etc) classified at another Sensitivity
   Label (B).  The comparison of two labels (A and B) can
   return one (and only one) of the following results:

     1) A can dominate B (e.g. A=SECRET, B=UNCLASSIFIED);
        A can read B,
     2) B can dominate A (e.g. A=UNCLASSIFIED, B=SECRET);
        A cannot access B,
     3) A equals B (e.g. A=SECRET, B=SECRET);
        A can read/write B,
     xor
     4) A is incomparable to B (e.g. A=SECRET R&D, B=SECRET FINANCE);
        A cannot access B.


        By definition, if A and B are members of different
   DOIs, the result of comparison is always incomparable.  It
   is possible to overcome this if and only if A and/or B can
   be promoted such that the labels are interpretable within
   some single DOI.

2.5.2  Range

        A range is a pair of Sensitivity Labels which indicate
   both a minimum and a maximum acceptable Sensitivity Label
   for objects compared against it.  A range is usually
   expressed as "<minimum> : <maximum>" and always has the
   property that the minimum Sensitivity Label is less than or
   equal to the maximum Sensivitity Label.  In turn, this
   requires that the two Sensitivity Labels MUST be comparable.

        A range where <minimum> equals <maximum> may be
   expressed simply as "<minimum>"; in this case, the only
   acceptable Sensitivity Label is <minimum>.

2.6.  Import

        The act of receiving a datagram and translating the
   CALIPSO Sensitivity Label of that packet into the
   appropriate internal (i.e. End System specific) Sensitivity



StJohns Et Alia                                                [Page 11]

Internet-Draft                                               21 MAY 2008


   Label.

2.7.  Export

        The act of selecting an appropriate DOI for an outbound
   datagram, translating the internal (End System specific)
   label into an CALIPSO Sensitivity Label based on that DOI,
   and sending the datagram.  The selection of the appropriate
   DOI may be based on many factors including, but not
   necessarily limited to:

        Source Port
        Destination Port
        Transport Protocol
        Application Protocol
        Application Information
        End System
        Subnetwork
        Network
        Sending Interface
        System Implicit/Default DOI

        Regardless of the DOI selected, the Sensitivity
   Label of the outbound datagram must be consistent with the
   security policy monitor of the originating system and also
   with the DOI definition used by all other devices cognisant
   of that DOI.

2.8.  End System

        An End System (ES) is a host or router from which a
   datagram originates or to which a datagram is ultimately
   delivered.  The IPv6 community often uses the term Node for
   what this document sometimes calls an End System.

2.9.  Intermediate System

        An Intermediate System (IS) is a node that receives
   and transmits a particular datagram without being either the
   source or destination of that datagram.  An IPv6 router is
   an example of an Intermediate System.  A firewall or
   security guard device that applies security policies and
   forwards packets that comply with those security policies is
   another example of an intermediate system.

        An intermediate system may handle ("forward") a
   datagram without necessarily importing or exporting the
   datagram to/from itself.



StJohns Et Alia                                                [Page 12]

Internet-Draft                                               21 MAY 2008


        NOTE WELL: Any given system can be both an end
   system and an intermediate system -- which role the system
   assumes at any given time depends on the address(es) of the
   datagram you are considering and the address(es) associated
   with that system.

2.10 System Security Policy

        A system security policy (SSP) consists of a
   Sensitivity Label and the organizational security policies
   associated with content labeled with a given security
   policy.  The SSP acts as a bridge between how the
   organization's Mandatory Access Control (MAC) policy is
   stated and managed and how the network implements that
   policy.

3.  ARCHITECTURE

        This document describes a convention for labeling an
   IPv6 datagram within a particular system security policy.
   The labels are designed for use within a Mandatory Access
   Control (MAC) system.  A real world example is the security
   classification system in use within the UK Government. Some
   data held by the government is "classified", and is
   therefore restricted by law to those people who have the
   appropriate "clearances".  Commercial examples also
   exist. For example, one global electrical equipment company
   has a formal security policy that defines 6 different
   Sensitivity Levels for its internal data, ranging from
   "Class 1" to "Class 6" information.  Some financial
   institutions use multiple compartments to restrict access to
   certain information (e.g. "mergers & acquisitions",
   "trading") to those working directly on those projects and
   to deny access to other groups within the company
   (e.g. equity trading).  A CALIPSO Sensitivity Label is the
   network instantiation of a particular information security
   policy, and its related labels, classifications,
   compartments, and releasabilities.

         Some years ago, the Mandatory Access Control (MAC)
   policy for US Government classified information was
   specified formally in mathematical notation.[BL73] As it
   happens, many other organisations or governments have the
   same basic Mandatory Access Control (MAC) policy for
   information with differing ("vertical") Sensitivity Levels.
   This document builds upon the formal definitions of
   Bell-LaPadula.[BL73] There are two basic principles "no
   write down" and "no read up".



StJohns Et Alia                                                [Page 13]

Internet-Draft                                               21 MAY 2008


        The first rule means that an entity having minimum
   Sensitivity Level X must not be able to write information
   that is marked with a Sensitivity Level below X.  The second
   rule means that an entity having maximum Sensitivity Level X
   must not be able to read information having a Sensitivity
   Level above X.  In a normal deployment, information
   downgrading ("write down") must not occur automatically, and
   is permitted if and only if a person with appropriate
   "downgrade" privilege manually verifies the information is
   permitted to be downgraded before the s/he manually
   re-labels (i.e. "downgrades") the information.  Subsequent
   to the original work by Bell and LaPadula in this area, this
   formal model was extended to also support ("horizontal")
   Compartments of information.

         This document extends Bell-LaPadula to accommodate
   the notion of separate Domains of Interpretation
   (DOI).[BL73] Each DOI constitutes a single comparable domain
   of Sensitivity Labels as stated by Bell-LaPadula.
   Sensitivity Labels from different domains cannot be directly
   compared using Bell-LaPadula semantics.

        This document is focused on providing standards for
   encoding Sensitivity Labels in packets, as well as certain
   standards for how these labels are to be interpreted and
   enforced at the IP layer.  This document recognizes that
   there are several kinds of application processing that occur
   above the IP layer that significantly impact end-to-end
   system security policy enforcement, but are out of scope for
   this document.  In particular, how the network labeling
   policy is enforced within processing in an end system is
   critical, but is beyond the scope of a network (IP) layer
   Sensitivity Label encoding standard.  Other specifications
   exist which discuss such details.  [TCSEC] [CMW] [ISO-15408]
   [CC] [DoD MLOS PP]

         This standard does not preclude an End System
   capable of providing labeled packets across some range of
   Sensitivity Labels.  A Compartmented Mode Workstation (CMW)
   is an example of such an End System.[CMW] This is useful if
   the End System is capable of, and accredited to, separate
   processing across some range of Sensitivity Labels.  Such an
   node would have a range associated with it within the
   network interface connecting the node to the network.  As an
   example, an End System has the range "SECRET:TOP SECRET"
   associated with it in the Intermediate System to which the
   node is attached.  SECRET processing on the node is allowed
   to traverse the network to other SECRET:SECRET segments of



StJohns Et Alia                                                [Page 14]

Internet-Draft                                               21 MAY 2008


   the network, ultimately to a SECRET:SECRET node.  Likewise,
   TOP SECRET processing on the node is allowed to traverse a
   network through TOP SECRET:TOP SECRET segments, ultimately
   to some TOP SECRET:TOP SECRET node.  The node in this case
   can allow a user on this node to access SECRET and TOP
   SECRET resources, provided the user holds the appropriate
   clearances and has been correctly configured.

        With respect to a given network, each distinct
   Sensitivity Label represents a separate virtual network
   which shares the same physical network.  There are rules for
   moving information between the various virtual networks.
   The model we use within this document is based on the
   Bell-LaPadula model, but is extended to cover the concept of
   differing Domains of Interpretation.  Nodes that implement
   this protocol MUST enforce this mandatory separation of
   data.

        CALIPSO provides for both horizontal ("Compartment")
   and vertical ("Sensitivity Level") separation of
   information, as well as separation based on DOI.  The basic
   rule is that data MUST NOT be delivered to a user or system
   that is not approved to receive it.

   NOTE WELL: wherever we say "not approved", we also mean "not
   cleared", "not certified", and/or "not accredited" as
   applicable in one's operational community.

        This specification does not enable AUTOMATIC relabeling
   of information, within a DOI or to a different DOI.  That
   is, neither automatic "upgrading" nor automatic
   "downgrading" of information are enabled by this
   specification.  Local security policies might allow some
   limited downgrading, but this normally requires the
   intervention of some human entity and is usually done within
   an End System with respect to the internal Sensitivity
   Label, rather than on a network or in a intermediate-system
   (e.g. router, guard).  Automatic downgrading is not
   suggested operational practice; further discussion of
   downgrading is outside the scope of this protocol
   specification.

        Implementers of this specification MUST NOT permit
   automatic upgrading or downgrading of information in the
   default configuration of their implementation.  Implementers
   MAY add a configuration knob that would permit a System
   Security Officer holding appropriate privilege to enable
   automatic upgrading or downgrading of information.  If an



StJohns Et Alia                                                [Page 15]

Internet-Draft                                               21 MAY 2008


   implementation supports such a knob, the existence of the
   configuration knob must be clearly documented and the
   default knob setting MUST be that automatic upgrading or
   downgrading is DISABLED.  Automatic information upgrading
   and downgrading is not recommended operational practice.

        Many existing MLS deployments already use (and
   operationally need to use) more than one DOI concurrently.
   User feedback from early drafts this specification indicates
   that it is common at present for a single of network link
   (i.e. IP subnetwork) to carry traffic for both a particular
   "coalition" (or joint-venture) activity and also for the
   government (or other organisation) that owns and operates
   that particular network link.  On such a link, one CALIPSO
   DOI would typically be used for the "coalition" traffic and
   some different CALIPSO DOI would typically be used for
   non-coalition traffic (i.e. traffic that is specific to the
   government that owns and operates that particular network
   link).  For example, a UK military network that is part of a
   NATO deployment might have and use a UK MoD DOI for
   information originating/terminating on another UK system,
   while concurrently using a different NATO DOI for
   information originating/terminating on a non-UK NATO system.

        Additionally, operational experience with existing MLS
   systems has shown that if a system only supports a single DOI
   at a given time, then it is impossible for a deployment to migrate
   from using one DOI value to a different DOI value in a smooth,
   lossless, zero downtime, manner.

        Therefore, a node that implements this specification
   MUST be able to support at least 2 CALIPSO DOIs concurrently.
   Support for more than 2 concurrent CALIPSO DOIs is encouraged.
   This requirement to support at least 2 CALIPSO DOIs concurrently
   is not necessarily an implementation constraint upon MLS
   operating system internals that are unrelated to the network.

        Indeed, use of multiple DOIs is also operationally
   useful in deployments having a single administration that
   also have very large numbers of compartments.  For example,
   such a deployment might have one set of related compartments
   in one CALIPSO DOI and a different set of compartments in a
   different CALIPSO DOI.  Some compartments might be present
   in both DOIs, possibly at different bit positions of the
   compartment bitmap in different DOIs.  While this might make
   some implementations more complex, it might also be used to
   reduce the typical size of the IPv6 CALIPSO option in data
   packets.



StJohns Et Alia                                                [Page 16]

Internet-Draft                                               21 MAY 2008


        Moving information between any two DOIs is permitted
   if and only if the owners of the DOIs:

        1) Agree to the exchange,

   AND

        2) Publish a table of equivalencies which maps the
           CALIPSO values of one DOI into the other and
           make that table available within the deployment
           scope of those two DOIs.

        The owners of two DOIs may choose to permit the
   exchange on or between any of their systems, or may restrict
   exchange to a small subset of the systems they own/accredit.
   One way agreements are permissible, as are agreements which
   are a subset of the full table of equivalences.  Actual
   administration of inter-DOI agreements is outside the scope
   of this document.

        When data leaves an end system it is "exported" to the
   network, and marked with a particular DOI, Sensitivity
   Level, and Compartment Set. (This triple is collectively
   termed a Sensitivity Label).  This Sensitivity Label is
   derived from the internal Sensitivity Label (the End System
   specific implementation of a given Sensitivity Label), and
   the export DOI.  The export DOI is selected based on a range
   of parameters described in detail later in this document.

         When data arrives at an end system, it is "imported"
   from the network to the End System.  The data from the
   datagram takes on an internal Sensitivity Label based on the
   Sensitivity Label contained in the datagram.  This assumes
   the datagram is marked with a recognizable DOI, there is a
   corresponding internal Sensitivity Label equivalent to the
   CALIPSO Sensitivity Label, and the datagram is "within
   range" for the receiving logical interface.

        An host or router has one or more physical
   interfaces.  Each physical interface is associated with a
   physical network segment used to connect the node, router,
   LAN, or WAN.  Each physical interface has one or more
   Sensitivity Label ranges associated with it.  Sensitivity
   Label ranges from multiple DOIs must be enumerated
   separately.  Multiple ranges from the same DOI are
   permissible.

        Each host or router also might have one or more



StJohns Et Alia                                                [Page 17]

Internet-Draft                                               21 MAY 2008


   logical network interfaces. A given logical interface is
   associated with one and only one physical interface.  A
   given physical interface might have more than one associated
   logical interface.  For example, a single Ethernet port
   might have multiple Virtual LANs (VLANs) [IEEE 802.1Q]
   associated with it, where each VLAN could be a separate
   logical interface.  Each logical interface has one or more
   Sensitivity Label ranges associated with it.  Sensitivity
   Label ranges from multiple DOIs must be enumerated
   separately.  Multiple ranges from the same DOI are
   permissible.  Each range associated with a logical interface
   must fall within a range separately defined for the
   corresponding physical interface.

        There is specific user interest in having IPv6
   routers that can apply per-logical-interface mandatory
   access controls based on the contents of the CALIPSO
   Sensitivity Labels in IPv6 packets.  The authors note that
   since the early 1990s, and continuing through today, some
   commercial IPv4 router products provide MAC enforcement for
   the RFC-1108 IP Security Option.

        In transit, a datagram is handled based on its
   CALIPSO Sensitivity Label, and is usually neither imported
   to or exported from the various intermediate systems it
   transits.  There also is the concept of "CALIPSO Gateways"
   which import data from one DOI and export it to another DOI
   such that the effective Sensitivity Label is NOT changed,
   but is merely represented using a different DOI.  In other
   words, such devices would be trustworthy, trusted, and
   authorised to provide on-the-fly re-labeling of packets at
   the boundaries between complete systems of hosts within a
   single DOI.  Typically, such systems require specific
   certification(s) and accreditation(s) before deployment or
   use.

4. DEFAULTS

        This Section describes the default behaviour of
   CALIPSO-compliant end nodes and intermediate systems.
   Implementers MAY implement configuration knobs to vary from
   this behaviour, provided that the default behaviour (i.e. if
   the system administrator does not explicitly change the
   configured behaviour of the device) is as described below.
   If implementers choose to implement such configuration
   knobs, the configuration parameters and the behaviours that
   they enable and disable SHOULD be documented for the benefit
   of system administrators of those devices.



StJohns Et Alia                                                [Page 18]

Internet-Draft                                               21 MAY 2008


        Each Intermediate System or End System is
   responsible for properly interpreting and enforcing the MLS
   Mandatory Access Control policy.  Practically, this means
   that each node must evaluate the label on the inbound
   packet, ensure that this Sensitivity Label is valid (i.e.
   within range) for the receiving interface, and at a minimum
   only forward the packet to an interface and node where the
   Sensitivity Label of the packet falls within the assigned
   range of that node's receiving interface.

        Packets with an invalid (e.g. out of range)
   Sensitivity Label for the receiving interface MUST be
   dropped upon receipt.  A Sensitivity Label is valid if and
   only if the Sensitivity Label falls within the range
   assigned to the transmitting interface on the sending system
   and within the range assigned to the receiving interface on
   the receiving system.  These rules also need to be applied
   by intermediate systems on each hop that a CALIPSO-labelled
   packet traverses, not merely at the end points of a labelled
   IP session.  As an example, it is a violation of the default
   MLS MAC policy for a packet with a higher sensitivity level
   (e.g. "MOST SECRET") to transit a link whose maximum
   sensitivity level is less than that first sensitivity level
   (e.g. "SECRET").

        If an unlabelled packet is received from an node
   which is not aware of CALIPSO Sensitivity Labels
   (i.e. unaware to assign Sensitivity Labels itself) and the
   packet is destined for an node which is sensitivity label
   aware, the receiving intermediate system needs to insert a
   Sensitivity Label.  This Sensitivity Label will be equal to
   the maximum Sensitivity Label assigned to the originating
   node if and only if that is known to the receiving node.  If
   the receiving node does not know which Sensitivity Label is
   assigned to the originating node, the maximum Sensitivity
   Label of the interface the packet was received upon will be
   inserted.

   [NOTE WELL: The procedure in the preceding paragraph is NOT
   a label upgrade -- because it is not changing an existing
   label; instead, it is simply inserting a Sensivity Label
   that has the only "safe" value, given that no other
   information is known to the receiving node.  In large-scale
   deployments, it is very unlikely that a given node will have
   any authoritative a priori information about the security
   configuration of any node that is NOT on a directly attached
   link.]




StJohns Et Alia                                                [Page 19]

Internet-Draft                                               21 MAY 2008


        If a packet is to be sent to an node which is
   defined to not be Sensitivity Label aware, from an node
   which is label aware, then the Sensitivity Label MAY be
   removed upon transmission if and only if local security
   policy explicitly permits this.  The originating node is
   still responsible for ensuring that the Sensitivity Label on
   the packet falls within the Sensitivity Label range
   associated with the receiving node.  If the packet will
   traverse more than one subnetwork between origin and
   destination, and those subnetworks are labelled, then the
   packet SHOULD normally contain a Sensitivity Label so that
   the packet will be able to reach the destination and the
   intermediate systems will be able to apply the requisite MAC
   policy to the packet.

   [NOTE WELL that in some IPv4 labelled network deployments
   that exist as of this writing, the first hop router will
   insert a Sensitivity Label into a received unlabelled packet
   upon the receipt of that unlabelled packet, in the manner
   described above.  So sending a packet without a label across
   a multiple subnetwork path to a destination does not
   guarantee that the packet will arrive containing no
   Sensitivity Label.]

5.  FORMAT

        This section describes the format of the CALIPSO option
   for use with IPv6 datagrams.  CALIPSO is an IPv6 hop-by-hop
   option to ensure that a security gateway or router could
   apply access controls to IPv6 packets based on the CALIPSO
   label carried by the packet.

        An IPv6 datagram normally contains at most one
   CALIPSO label.  In the special case where (1) a labelled
   IPv6 datagram is tunnelled inside another labelled IPv6
   datagram AND (2) IP Security is NOT providing
   confidentiality protection for the inner packet, the outer
   CALIPSO Sensivity Label must have the same meaning as the
   inner CALIPSO Sensitivity Label.  For example, it would be
   invalid to encapsulate an unencrypted IPv6 packet with a
   Sensitivity Label of (SECRET, no compartments) inside a
   packet with an outer Sensitivity Label of (TOP SECRET, A B).
   If the inner packet is tunnelled inside the Encapsulating
   Security Payload (ESP) and confidentiality is being provided
   to that inner packet, then the outer packet MAY have a
   different CALIPSO Sensitivity Label -- subject to local
   security policy.




StJohns Et Alia                                                [Page 20]

Internet-Draft                                               21 MAY 2008


        This option format is designed with intermediate
   systems in mind.  It is now common for a MLS network
   deployment to contain an intermediate systems acting as a
   guard (sometimes several acting as guards).  Such a guard
   device needs to be able to very rapidly parse the
   sensitivity label in each packet, apply ingress interface
   MAC policy, forward the packet while aware of the packet's
   Sensitivity Label, and then apply egress interface MAC
   policy.  At least one prior IP Sensitivity Label option used
   a syntax that was unduly complex to implement in IP routers.
   So there is a deliberate effort to choose a streamlined
   packet syntax that is easy to parse, to encode, and to
   implement generally.


5.1.  Option Format

        The CALIPSO option is an IPv6 Hop-by-Hop Option and
   is designed to comply with IPv6 optional header rules.
   Following the nomenclature of RFC-2460, Section 4.2, the
   Option Data field of this option must have 4n+2
   alignment.[RFC-2460]

        The CALIPSO Option Data MUST not change en-route,
   except when (1) "DOI translation" is performed by a trusted
   intermediate system, (2) a CALIPSO Option is inserted by a
   trusted intermediate system upon receipt of an unlabelled
   IPv6 packet, or (3) a CALIPSO Option is removed by a
   last-hop trusted intermediate system immediately prior to
   forwarding the packet to a destination node that does not
   implement support for CALIPSO labels.  The details of these
   3 exceptions are described elsewhere in this document.

        If the option type is not recognised by a node
   examining the packet, the option is ignored.  However, all
   implementations of this specification MUST be able to
   recognise this option and therefore MUST NOT ignore this
   option if it is present in an IPv6 packet.

        This option is designed to comply with the IPv6
   optional header rules. [RFC-2460] The CALIPSO option is
   always carried in a Hop-By-Hop Option Header, never in any
   other part of an IPv6 packet.  This rule exists because IPv6
   routers need to be able to see the CALIPSO label so that
   those routers are able to apply MLS Mandatory Access
   Controls to those packets.

        The diagram below shows the CALIPSO option along



StJohns Et Alia                                                [Page 21]

Internet-Draft                                               21 MAY 2008


   with the required (first) 2 fields of the Hop-By-Hop Option
   Header that envelopes the CALIPSO option.  The design of the
   CALIPSO option is arranged to avoid the need for 16 bits of
   padding between the HDR EXT LEN field and the start of the
   CALIPSO option.  Also, the CALIPSO Domain of Interpretation
   field is laid out so that it normally will be 32-bit
   aligned.

   ------------------------------------------------------------
   | Next Header | Hdr Ext Len   | Option Type | Option Length|
   +-------------+---------------+-------------+--------------+
   |             CALIPSO Domain of Interpretation             |
   +-------------+---------------+-------------+--------------+
   | Cmpt Length |  Sens Level   |     Checksum (CRC-16)      |
   +-------------+---------------+-------------+--------------+
   |      Compartment Bitmap (Optional; variable length)      |
   +-------------+---------------+-------------+--------------+



5.1.1.  OPTION TYPE field

      This field contains an unsigned 8-bit value.  Its value
   is (TO BE ASSIGNED BY IANA; high order bits of this option
   need to be 000, meaning that nodes that do not recognise
   this option should ignore it).  In the event the IPv6 packet
   is fragmented, this option MUST be copied on fragmentation.

5.1.2.  OPTION LENGTH field

        This field contains an unsigned integer 1 octet in
   size.  It has minimum value is 8 (e.g. when the Compartment
   Bitmap field is absent).  This field specifies the Length of
   the option data field of this option in octets.  The Option
   Type and Option Length fields are not included in the length
   calculation.

5.1.3   COMPARTMENT LENGTH field

        This field contains an unsigned 8-bit integer.  The
   field specifies the size of the COMPARTMENT BITMAP field in
   64-bit words.  The minimum value is zero, which is used only
   when the information in this packet is not in any
   compartment.  (In that situation, the CALIPSO Sensitivity
   Label has no need for the compartment bitmap).

        Because this specification represents
   Releasabilities on the wire as inverted Compartments, the



StJohns Et Alia                                                [Page 22]

Internet-Draft                                               21 MAY 2008


   size of the COMPARTMENT BITMAP field needs to be large
   enough to hold not only the set of logical Compartments, but
   instead to hold the sum of the set of logical Compartments
   and the set of logical Releasabilities.

        Recall that the overall length of this option MUST
   follow IPv6 optional header rules, including the word
   alignment rules.  This has implications for the valid values
   for this field.  In some cases the length of the Compartment
   Bitmap field might need to exceed the number of bits
   required to hold the sum of the logical Compartments and the
   logical Releasabilities, in order to comply with IPv6
   alignment rules.

5.1.5 DOMAIN OF INTERPRETATION field

        This field contains an unsigned 32-bit integer.
   IANA maintains a registry with assignments of the DOI values
   used in this field.  The DOI identifies the rules under
   which this datagram must be handled and protected.  The NULL
   DOI, in which this field is all zeros, MUST NOT appear in
   any IPv6 packet on any network.

   [NOTE WELL: The DOMAIN OF INTERPRETATION where all 4 octets
   contain zero is defined to be the NULL DOI. The NULL DOI has
   no compartments and has a single level whose value and
   CALIPSO representation are each zero.  The NULL DOI MUST NOT
   ever appear on the wire.  If a packet is received containing
   the NULL DOI, that packet MUST be dropped and the event
   SHOULD be logged as a security fault.  Also note that the
   CALIPSO DOI is unrelated to the IP Security DOI.]

5.1.6.  SENSITIVITY LEVEL field

        This contains an unsigned 8-bit value.  This field
   contains an opaque octet whose value indicates the relative
   sensitivity of the data contained in this datagram in the
   context of the indicated DOI.  The values of this field MUST
   be ordered, with 00000000 being the lowest sensitivity level
   and 11111111 being the highest sensitivity level.

        However, in a typical deployment, not all 256
   sensitivity levels will be in use.  So the set of valid
   Sensitivity Level values depends upon the CALIPSO DOI in
   use. This sensitivity ordering rule is necessary so that
   intermediate systems (e.g. routers or MLS guards) will be
   able to apply MAC policy with minimal per-packet computation
   and minimal configuration.



StJohns Et Alia                                                [Page 23]

Internet-Draft                                               21 MAY 2008


5.1.7.  16-bit Checksum Field

        This field contains an unsigned 16-bit integer
   containing the 16-bit checksum calculated over the entire
   CALIPSO option in this packet.  The checksum algorithm
   is the 16-bit checksum defined in Appendix C of RFC-1662.
   [RFC-1662] For processing simplicity, this 16-bit
   checksum is always present, even when AH is used.

5.1.8.  Compartment Bitmap

        This contains a variable number of 64-bit words.  Each
   bit represents one compartment within the DOI.  Each "1" bit
   within an octet in the "Compartment Bitmap" field represents
   a separate compartment under whose rules the data in this
   packet must be protected.  Hence, each "0" bit indicates
   that the compartment corresponding with that bit is not
   applicable to the data in this packet.  The assignment of
   identity to individual bits within a Compartment Bitmap for
   a given DOI is left to the owner of that DOI.

        This specification represents a Releasability on the
   wire as if it were an inverted Compartment.  So the
   Compartment Bitmap holds the sum of both logical
   Releasabilities and also logical Compartments for a given
   DOI value.  The encoding of Releasabilities in this field is
   described elsewhere in this document.  The Releasability
   encoding is designed to permit the Compartment Bitmap
   evaluation to occur without the evaluator necessarily
   knowing the human semantic associated with each bit in the
   Compartment Bitmap.  In turn, this facilitates
   implementation and configuration of Mandatory Access
   Controls based on the Compartment Bitmap within IPv6 routers
   or guard devices.

5.2.  Packet Word Alignment considerations

       The basic option is variable length, due to the
   variable length Compartment Bitmap field.

        Intermediate Systems that lack custom silicon
   processing capabilities and most End Systems perform best
   when processing fixed length, fixed location items.  So the
   IPv6 base specification levies certain requirements on all
   IPv6 optional headers.  So the Compartment Bitmap field must
   have length in quanta of 64-bit words (e.g. 0 bits, 64 bits,
   128 bits)




StJohns Et Alia                                                [Page 24]

Internet-Draft                                               21 MAY 2008


6.  USAGE

        This section describes specific protocol processing
   steps required for systems that claim to implement or
   conform with this specification.

6.1.  Sensitivity Label Comparisons

        This section describes how comparisons are made
   between two Sensitivity Labels.  Implementing this
   comparison correctly is critical to the MLS system providing
   the intended Mandatory Access Controls (MAC) to network
   traffic entering or leaving the system.

        A Sensitivity Label consists of a DOI, a Sensitivity
   Level, and zero or more Compartments.  The following
   notation will be used:

     A.DOI  = the DOI portion of Sensitivity Label A
     A.LEV  = the Sensitivity Level portion of Sensitivity Label A
     A.COMP = the Compartments portion of Sensitivity Label A

6.1.1.  "Within Range"

        A Sensitivity Label, "M", is "within range" for a
   particular range "LO:HI" if and only if:

        1.  M, LO, and HI are members of the same DOI.

            (M.DOI == LO.DOI == HI.DOI)

        2.  The range is a valid range.  A given range LO:HI is
              valid if and only if HI is greater than LO.

            ((LO.LEV  <= HI.LEV)  &&  (LO.COMP <= HI.COMP))

        3.  The Sensitivity Label M has a Sensitivity Level
            which is greater than or equal to the Sensitivity
            Level contained in the low-end Sensitivity Label
            (LO) from the range and which is less than equal
            to the Sensitivity Level contained in the high-end
            Sensitivity Label (HI) from the range.

            (LO.LEV <= M.LEV <= HI.LEV)

   AND

        4.  The Sensitivity Label M has a Compartment set



StJohns Et Alia                                                [Page 25]

Internet-Draft                                               21 MAY 2008


            which is a superset (proper or otherwise) of the
            compartment set contained in the Sensitivity Label
            from the low-end range (LO) and which is a subset
            (proper or otherwise) of the compartment set
            contained in the high end Sensitivity Label (HI)
            from the range.

            (LO.COMP <= M.COMP <= HI.COMP)


6.1.2.  "Less Than" or "Below Range"

        A Sensitivity Label "M" is "less than" some other
   Sensitivity Label "LO" if and only if:

        1.   The DOI for the Sensitivity Label M is identical
             to the DOI for both the low-end and high-end of
             the range.

             (M.DOI == LO.DOI == HI.DOI)

        2.   The sensitivity level of M is less than the
             sensitivity level of A.

             (M.LEV < LO.LEV)

        3.   M.COMP is a subset (proper or otherwise) of A.COMP.

             (M.COMP <= LO.COMP)

   A Sensitivity Label "M" is "below range" for a
   Sensitivity Label "LO:HI", if M is less than LO.

6.1.3.  "Greater Than" or "Above Range"

        A Sensitivity Label, "M" is "greater than" some
   Sensitivity Label "HI" if and only if:

        1.   Their DOI's are identical.

             (M.DOI == HI.DOI)

        2A.  The Sensitivity Label M's sensitivity level is
             greater than B's level while M's compartment set
             is a superset (proper or otherwise) of B's
             compartment set

             ((M.LEV > HI.LEV) &&  (M.COMP  >= HI.COMP))



StJohns Et Alia                                                [Page 26]

Internet-Draft                                               21 MAY 2008


   XOR

        2B.  M's level is greater than or equal to A's level,
             while M's compartment set is a proper superset
             of A's compartment set.

             ((M.LEV >= HI.LEV) && (M.COMP >= HI.COMP))

   A Sensitivity Label, "M", is "above range" for a
   Sensitivity Label, "LO:HI", if M is greater than B.

6.1.4.  "Equal To"

        A Sensitivity Label "A" is "equal to" another
   Sensitivity Label "B" if and only if:

        1.  They have the exact same DOI.

            (A.DOI == B.DOI)

        2.  They have identical sensitivity levels.

            (A.LEV == B.LEV)

        3.  Their compartment sets are identical.

            (A.COMP == B.COMP)


6.1.5.  "Disjoint" or "Incomparable"

        A Sensitivity Label "A" is disjoint from another
   Sensitivity Label "B" if any of these conditions are true:

        1.   Their DOI's differ.

             (A.DOI <> B.DOI)

        2.   They are neither less than, nor greater than,
             nor equal to each other.

             (^((A < B) | (A > B) | (A == B)))

        3.   Their compartment sets are disjoint from each
             other

             (^( (A.COMP  <= B.COMP) | (A.COMP => B.COMP) ))




StJohns Et Alia                                                [Page 27]

Internet-Draft                                               21 MAY 2008


6.2.  End System Processing

        This section describes CALIPSO-related processing for
   IPv6 packets imported or exported from an End System
   claiming to implement or conform with this specification.
   This document places no additional requirements on IPv6
   nodes that do not claim to implement or conform with this
   document.

6.2.1  Export

        An end system which sends data to the network is said
   to "export" it to the network.  Before a datagram can leave
   an end system and be transmitted over a network the
   following ordered steps must occur:

        1. Selection of the export DOI:

        a) If the upper level protocol selects a DOI,
               then that DOI is the one used.

        b) elseIf there are tables defining a specific default
               DOI for the specific destination End System address
               or for the network address, then that DOI is
               selected.
        c) elseIf there is a specific DOI associated with the
           sending logical interface (i.e. IP address),
               then that DOI is selected.
        d)     Else the default DOI for the system is selected.

     NOTE WELL:

        A connection-oriented transport-layer protocol
     session (e.g. TCP session, SCTP session) MUST have the
     same DOI and same Sensitivity Label for the life of the
     connection. The DOI is selected at connection initiation
     and MUST NOT change during the session.

        A trusted multi-level application that possesses
     appropriate privilege MAY use multiple connection-oriented
     transport-layer protocol sessions with differing Sensitivity
     Labels concurrently.

        Some trusted UDP-based applications (e.g. remote
     procedure call service) multiplex different transactions
     having different sensitivity levels in different packets
     for the same IP session (e.g. IP addresses and UDP ports
     are constant for a given UDP session).  In such cases,



StJohns Et Alia                                                [Page 28]

Internet-Draft                                               21 MAY 2008


     the Trusted Computing Base MUST ensure that each packet
     is labelled with the correct Sensitivity Label for the
     information carried in that particular packet.

        In the event the End System selects and uses a
     specific DOI and that DOI is not recognised by the
     originating Node's first-hop router, the packet MUST be
     dropped by the first-hop router.  In such a case, the
     networking API should indicate the connection failure
     (e.g. with some appropriate error, such as ENOTREACH).
     This represents either incorrect configuration of either
     the Intermediate System or of the End System -- xor
     correct operation for a node that is not permitted to send
     IPv6 packets with that DOI through that Intermediate System.
     When an MLS End ystem is connected to an MLS LAN, it is
     possible that there would be more than one first-hop
     Intermediate System concurrently, with different
     Intermediate Systems having different valid Sensitivity
     Label ranges.  Thoughtful use of the IEEE 802 Virtual
     LAN (VLAN) standard (e.g. with different VLAN IDs
     corresponding to different sensitivity ranges) might
     ease proper system configuration in such deployments.


        2.  Export Labeling:

             Once the DOI is selected, the CALIPSO Sensitivity
        Label and values are determined based on the internal
        sensitivity label and the DOI.  In the event the internal
        sensitivity level does not map to a valid CALIPSO
        Sensitivity Label, then an error SHOULD be returned
        to the upper level protocol and that error MAY be
        logged. No further attempt to send this datagram
        should be made.


        3.  Access Control:

             Once the datagram is marked and the sending logical
        interface is selected (by the routing code), the
        datagram's Sensitivity Label is compared against the
        Sensitivity Label range(s) associated with that logical
        interface.  For the datagram to be sent, the interface
        MUST list the DOI of the datagram Sensitivity Label as
        one of the  permissible DOI's and the datagram Sensitivity
        Label must be within range for the range associated with
        that DOI.   If the datagram fails this access test an
        error SHOULD be returned to the upper level protocol



StJohns Et Alia                                                [Page 29]

Internet-Draft                                               21 MAY 2008


        and MAY be logged.  No further attempt to send this
        datagram should be made.

6.2.2.  Import

        When a datagram arrives at an interface on an end
   system, the end system MUST:

        1.   Verify the CALIPSO checksum.  Datagrams with
             invalid checksums MUST be silently dropped.
             Such a drop event SHOULD be logged as a security
             fault with an indication of what happened.

        2.   Verify the CALIPSO has a known and valid DOI.
             Datagrams with unrecognized or illegal DOIs MUST
             be silently dropped.  Such an event SHOULD be
             logged as a security fault with an indication
             of what happened.

        3.   Verify the DOI is a permitted one for the receiving
             interface.  Datagrams with prohibited DOI values
             MUST be silently dropped.  Such an event SHOULD
             be logged as a security fault with an indication
             of what happened.

        4.   Verify the CALIPSO Sensitivity Label is within
             the permitted range for the receiving interface:

             NOTE WELL:
                 EACH permitted DOI on an interface has a
             separate table describing the permitted range
             for that DOI.

             A datagram which has a Sensitivity Label within
             the permitted range is accepted for further
             processing.

             A datagram which has a Sensitivity Label disjoint
             with the permitted range MUST be silently dropped.
             Such an event SHOULD be logged as a security fault,
             with an indication that the packet was dropped
             because of a disjoint Sensitivity Label.  An ICMP
             error message MUST NOT be sent in this case.

             A datagram which has a Sensitivity Label below
             the permitted range MUST be dropped.  This event
             SHOULD be logged as a security fault with an
             indication of what happened.  An ICMP error



StJohns Et Alia                                                [Page 30]

Internet-Draft                                               21 MAY 2008


             message MUST NOT be sent in this case.

             A datagram with a Sensitivity Label above the
             permitted range MUST be dropped.  This event
             SHOULD be logged with an indication of what
             happened.  An ICMP error message MUST NOT
             be sent in this case.

        5.   Once the datagram has been accepted, the import
             Sensitivity Label and DOI are used to associate
             the appropriate internal Sensitivity Label with
             the data contained in the datagram.  This
             information MUST be carried as part of the
             information returned to the upper-layer protocol.

6.3.  Intermediate System Rules

        This section describes CALIPSO-related processing for
   IPv6 packets transiting an IPv6 Intermediate System that
   claims to implement and comply with this specification.
   This document places no additional requirements on IPv6
   Intermediate Systems that do not claim to comply or conform
   with this document.

        The CALIPSO packet format has been designed so that one
   can configure an intermediate system with the minimum
   sensitivity level, maximum sensitivity level, minimum
   compartment bitmap, and maximum compartment bitmap -- and
   then deploy that system without forcing the system to know
   the detailed human meaning of each sensitivity level or
   compartment bit value.  Instead, once the minimum and
   maximum labels have been configured, the intermediate system
   can apply a simple algorithm to determine whether or not a
   packet is within range for a given interface.  This design
   should be straight-forward to implement in ASIC or FPGA
   hardware because the option format is simple and easy to
   parse, and because only a single comparison algorithm
   (defined in this RFC, hence known in advance) is needed.

6.3.1.  Input

        Intermediate Systems have slightly different rules for
   processing marked datagrams than do end systems.  Primarily,
   Intermediate Systems do not IMPORT or EXPORT transit
   datagrams, they just forward them.  Also, in most
   deployments intermediate systems are used to provide
   Mandatory Access Controls to packets traversing more than
   one subnetwork.



StJohns Et Alia                                                [Page 31]

Internet-Draft                                               21 MAY 2008


        The following checks MUST occur before any other
   processing.  Upon receiving a CALIPSO-labeled packet, an
   intermediate system must:


        1.  Determine whether or not this datagram is destined
            for (addressed to) this Intermediate System.  If
            so, then the Intermediate System becomes an End
            System for the purposes of receiving this
            particular datagram and the rules for IMPORTing
            described above are followed.

        2.  Verify the CALIPSO checksum.  Datagrams with
            invalid checksums MUST be silently dropped.  The
            drop event SHOULD be logged as a security fault
            with an indication of what happened and MAY
            additionally be logged as a network fault.

            NOTE WELL:
            A checksum failure could indicate a general network
            problem (e.g. noise on a radio link) that is
            unrelated to the presence of a CALIPSO option, but
            it also could indicate an attempt by an adversary
            to tamper with the value of a CALIPSO label.

        3.  Verify the CALIPSO has a known and valid DOI.
            Datagrams with unrecognized or illegal DOIs MUST
            be silently dropped.  Such an event SHOULD be
            logged as a security fault with an indication of
            what happened.

        4.  Verify the DOI is a permitted one for the receiving
            interface.  Datagrams with prohibited DOIs MUST be
            silently dropped.  Such a drop SHOULD be logged as
            a security fault with an indication of what
            happened.

        5.  Verify the Sensitivity Label within the CALIPSO
            is within the permitted range for the receiving
            interface:

            NOTE WELL:
                 Each permitted DOI on an interface has a
            separate table describing the permitted range
            for that DOI.

            A rejected datagram which has a Sensitivity Label
            below or disjoint with the permitted range MUST be



StJohns Et Alia                                                [Page 32]

Internet-Draft                                               21 MAY 2008


            silently dropped.  Such an event SHOULD be logged
            as a security fault with an indication of what
            happened.  An ICMP error message MUST NOT be sent
            in this case.

             A rejected datagram with a Sensitivity Label above
             the permitted range MUST be dropped.  The drop
             event SHOULD be logged as a security fault with an
             indication of what happened.  An ICMP error
             message MUST NOT be sent in this case.


        If and only if all the above conditions are met is the
   datagram accepted by the IPv6 Intermediate System for
   further processing and forwarding.

        At this point, the datagram is within the permitted
   range for the Intermediate System, so appropriate ICMP error
   messages MAY be created by the IP module back to the
   originating End System regarding the forwarding of the
   datagram.  These ICMP messages MUST be created with the
   exact same Sensitivity Label as the datagram causing the
   error.  Standard rules about generating ICMP error messages
   (e.g. never generate an ICMP error message in response to a
   received ICMP error message) continue to apply.  Note that
   these locally-generated ICMP messages must go through the
   same outbound checks (including MAC checks) as any other
   forwarded datagram as described in the following paragraphs.

6.3.2.  Translation

        It is at this point that TRANSLATION of the CALIPSO
   takes place if at all.  Please see Section 6.4 for a
   discussion of the appropriate processing for Translation.

6.3.3.  Output

        Once the forwarding code has selected the interface
   through which the datagram will be transmitted the following
   takes place:


        1.  Verify the DOI is a permitted one for the sending
            interface and that the datagram is within the
            permitted range for the DOI and for the interface.

        2.  Datagrams with prohibited DOIs or with out of range
            Sensitivity Labels MUST be dropped.  Any drop event



StJohns Et Alia                                                [Page 33]

Internet-Draft                                               21 MAY 2008


            SHOULD be logged as a security fault, including
            appropriate details about which datagram was
            dropped and why.

        3.  Datagrams with prohibited DOIs or out of range
            Sensitivity Labels MAY result in an appropriate
            ICMP error message, depending upon the security
            configuration of the system.  If an ICMP Error
            Message is sent, it MUST be sent with the same
            Sensitivity Label as the rejected datagram.

            The choice of whether or not to send an ICMP
            message, if sending an ICMP message for this case
            is implemented, MUST be configurable, and SHOULD
            default to OFF.  Standard conditions about
            generating ICMP error messages (e.g. never send an
            ICMP error message about a received ICMP error
            message) apply.

6.4.  Translation

        A system which provides on-the-fly re-labeling is said
   to "translate" from one DOI to another.  There are basically
   two ways a datagram can be relabeled:

        EITHER the Sensitivity Label can be converted from a
   CALIPSO Sensitivity Label, to an internal Sensitivity Label,
   and then back to a new CALIPSO Sensitivity Label, XOR a
   CALIPSO Sensitivity Label can be directly remapped into a
   new CALIPSO Sensitivity Label.

        The first of these methods is the functional
   equivalent of "importing" the datagram then "exporting" it
   and is covered in detail in the "Import" and "Export"
   sections above.  This section describes direct relabeling.
   The choice of which method to use for relabeling is an
   implementation decision outside the scope of this document.

        A system which provides on-the-fly relabeling
   without importing or exporting is basically a special case
   of the Intermediate System rules listed above.  Translation
   or relabeling takes place AFTER all input checks take place,
   but before any output checks are done.

        Once a datagram has been accepted (passing all the
   appropriate checks described in section 5.3), it may be
   relabeled.  To determine the new Sensitivity Label, first
   determine the new DOI.  The selection of the new DOI may be



StJohns Et Alia                                                [Page 34]

Internet-Draft                                               21 MAY 2008


   based on any of DESTINATION END SYSTEM, DESTINATION NETWORK,
   DESTINATION SUBNET, SENDING INTERFACE, or RECEIVING
   INTERFACE, or combinations thereof.  Exact details on how
   the output DOI is selected are implementation dependent,
   with the caveat that it should be consistent and reversible.
   If a datagram from End System A to End System B with DOI X
   maps into DOI Y, then a datagram from B to A with DOI Y
   should map into DOI X.

        Once the output DOI is selected, the output
   Sensitivity Label is determined based on (1) the input DOI
   and input Sensitivity Label and (2) the output DOI.  In the
   event the input Sensitivity Label does not map to a valid
   output Sensitivity Label for the output DOI, then the
   datagram MUST be silently dropped and the drop event SHOULD
   be logged as a security fault.

        Once the datagram is re-labeled, the output
   procedures under Section 5.3 "Intermediate Systems" are
   followed, with the exception that any error that would cause
   a ICMP error message to be generated back to the originating
   End System instead MUST drop the datagram.  Such a drop
   SHOULD be logged as a security fault.

7.  IMPLEMENTATION ISSUES AND HINTS

        This section contains "implementation hints" and are
   NOT "requirements".  Implementation experience could
   eventually turn some of them into implementation
   requirements in some future version of this specification.

7.1.  Intermediate Systems

        Performance is optimised if there is hardware
   support for applying the mandatory access controls based on
   this label option.  The label option syntax has been
   designed so that it should be straight-forward to implement
   support for this option and the associated Mandatory Access
   Controls in custom logic (e.g. in Verilog or VHDL).

7.2.  End Systems

        It is possible to create two DOIs with different
   overlapping compartment ranges.  This can be used to reduce
   the size of the IPv6 Sensitivity Label option in some
   deployments.





StJohns Et Alia                                                [Page 35]

Internet-Draft                                               21 MAY 2008


7.3.  Upper-Level Protocols

        As CALIPSO is an IP option, this document focuses
   upon the network-layer handling of packets containing
   CALIPSO options.  This section provides some discussion of
   upper-layer protocol issues.

        This section is not a complete specification for how
   an MLS host handles information internally after the
   decision has been made to accept a received IPv6 packet
   containing a CALIPSO option.  Implementers of MLS systems
   might wish also to consult [TCSEC], [CMW], [CC],
   [ISO-15408], and [DoD MLOS PP].

        In a typical MLS host, the information received from
   the network (i.e. information not dropped by the
   network-layer as a result of the CALIPSO processing
   described in this document) is assigned an internal
   Sensitivity Label while inside the host operating system.
   The MLS host uses the Bell-LaPadula Mandatory Access Control
   policy [BL73] to determine how that information is
   processed, including to which transport-layer sessions or to
   which applications the information is delivered.

        Within this section, we use one additional notation,
   in an attempt to be both clear and concise.  Here, the
   string "W:XY" defines a Sensitivity Label where the
   sensitivity level is W and where X and Y are the only
   compartments enabled, while the string "W::" defines a
   Sensitivity Label where the Sensitivity Level is W and there
   are no compartments enabled.

7.3.1.  TCP-related issues

        With respect to a network, each distinct Sensitivity
   Label represents a separate virtual network which shares the
   same physical network.

        The above statement taken from section 3 has a
   non-obvious, but critical, corollary.  If there are separate
   virtual networks then it is possible for a system which
   exists in multiple virtual networks to have identical TCP
   connections, each one existing in a different virtual
   network.

        TCP connections are normally identified by source
   and destination port, and source and destination address.
   If a system labels datagrams with the CALIPSO option (which



StJohns Et Alia                                                [Page 36]

Internet-Draft                                               21 MAY 2008


   it must do if it exists in multiple virtual networks -
   e.g. a "multi-level secure" system), then TCP connections
   are identified by source and destination port, source and
   destination address, and an internal Sensitivity Label
   (optionally, a Sensitivity Label range).

7.3.2.  UDP-related Issues

        Unlike TCP or SCTP, UDP is a stateless protocol, at
   least conceptually.  However, many implementations of UDP
   have some session state (e.g. Protocol Control Blocks in 4.4
   BSD), although the UDP protocol specifications do not
   require any state.

        One consequence of this is that in widely used host
   implementations of UDP and IPv6, a UDP listener might be
   bound only to a particular UDP port on its host -- without
   binding to a particular remote IP address or local IP
   address.

        Note that UDP can be used with unicast or with
   multicast.  Some existing UDP host implementations permit a
   single UDP packet to be delivered to more than one listener
   at the same time.  Except for the application of Mandatory
   Access Controls, the behaviour of a given system should
   remain the same (so that application behaviour does not
   change in some unexpected way) with respect to delivery of
   UDP datagrams to listeners.

        For example, if a listener on UDP port X has a
   Sensitivity Label range with a minimum of "S:AB" and a
   maximum of "S:AB", then only datagrams with a destination of
   UDP port X and a Sensitivity Label of "S:AB" will be
   delivered to that listener.

        For example, if a listener on UDP port Y has a
   Sensitivity Label range with a minimum of "W::" and a
   maximum of "X:ABC" (where X dominates W), then a datagram
   addressed to UDP port Y with a Sensitivity Label of "W:A"
   normally would be delivered to that listener.

7.3.3.  SCTP-related Issues

        With respect to a network, each distinct Sensitivity
   Label represents a separate virtual network which shares the
   same physical network.

        The above statement taken from section 3 has a



StJohns Et Alia                                                [Page 37]

Internet-Draft                                               21 MAY 2008


   non-obvious, but critical, corollary.  If there are separate
   virtual networks then it is possible for a system which
   exists in multiple virtual networks to have identical SCTP
   connections, each one existing in a different virtual
   network.

        As with TCP, SCTP is a connection-oriented transport
   protocol and has substantial session state.  In single-level
   hosts, this state includes the set of remote IP addresses,
   the set of local IP addresses, the remote SCTP port number,
   and the local SCTP port number.  In MLS hosts, the SCTP
   session state also includes the Sensitivity Label (or,
   optionally, the Sensitivity Label range) for each SCTP
   session.  Unlike TCP, SCTP has the ability to shift an
   existing SCTP session from one endpoint IP address to a
   different IP address that belongs to the same endpoint.

        CALIPSO-labelled SCTP data that is received should
   be sent to all SCTP listeners for that particular SCTP
   connection where the Sensitivity Label of the received SCTP
   data is within range for that listener's Sensitivity Label
   range.

        Further, although a node might be multi-homed, it is
   entirely possible that only one of those interfaces is
   reachable for a given Sensitivity Label value.  For example,
   one network interface on a node might have a Sensitivity
   Label range from "A::" to "B:XY" (where B dominates A),
   while a different network interface on the same node might
   have a Sensitivity Label range from "U::" "U::" (where A
   dominates U).  In that example, if a packet has a CALIPSO
   label of "A:X", then that packet will not be able to use the
   "U"-only network interface.  This might lead to novel
   operational issues with SCTP sessions.  Implementers ought
   to give special attention to this SCTP-specific issue.

7.3.4.  Security Logging

        This option is recommended for deployment only in
   well-protected private networks that are NOT connected to
   the global Internet.  By definition, such private networks
   are also composed only of trusted systems that are believed
   to be trustworthy.  So the risk of a denial of service
   attack upon the logging implementation is much lower in the
   intended deployment environment than it would have been for
   general Internet deployments.





StJohns Et Alia                                                [Page 38]

Internet-Draft                                               21 MAY 2008


SECURITY CONSIDERATIONS

        This document describes a mechanism for adding
   explicit Sensitivity Labels to IPv6 datagrams.  The primary
   purpose of these labels is to facilitate application of
   Mandatory Access Controls (MAC) in End Systems or
   Intermediate Systems that implement this specification.
   As such, correct implementation of this mechanism is very
   critical to the overall security of the systems and networks
   where this mechanisms is deployed.  Use of high-assurance
   development techniques is encouraged.  End users carefully
   should consider the assurance requirements of their
   particular deployment, in the context of that deployment's
   prospective threats.

        A concern is that since this label is used for
   mandatory access controls, some method of binding the
   Sensitivity Label option to the rest of the packet is
   needed.  Without such binding, malicious modification
   of the Sensitivity Label in a packet would go undetected.
   So, implementations of this Sensitivity Label option MUST
   also implement support for the IP Authentication Header.
   Implementations MUST permit the system administrator to
   configure whether AH is used or not.

        Because the IP Authentication Header will include
   the CALIPSO option among the protected IPv6 header fields,
   modification of a CALIPSO-labelled packet that also contains
   an IP Authentication Header will cause the resulting packet
   to fail authentication at the destination node for the AH
   security session.  Therefore, CALIPSO labels cannot be
   inserted, deleted, or translated for IPv6 packets that
   contain an IP Authentication Header.  In situations where
   such a modification by an intermediate system is required
   but is not possible due to AH, then the packet MUST be
   dropped instead.  If the packet can be forwarded properly
   without violating the MLS MAC policy of the intermediate
   system, then (by definition) such a packet modification is
   not required.

        This mechanism is only intended for deployment in
   very limited circumstances where a set of systems and
   networks are in a well-protected operating environment and
   the threat of external or internal attack on this mechanism
   is considered acceptable to the accreditor of those systems
   and networks.  Accreditors of a given deployment should
   consider not only personnel clearances and physical security
   issues, but also electronic security (e.g. TEMPEST), network



StJohns Et Alia                                                [Page 39]

Internet-Draft                                               21 MAY 2008


   security (NETSEC), communications security (COMSEC), and
   other issues.

IANA CONSIDERATIONS

        IANA is requested to assign an IPv6 Hop-by-Hop
   option number to the CALIPSO option described in this
   specification.  This option is immutable during transit.

   (NOTE TO IANA: high-order bits of this option should be 000,
   indicating that nodes should ignore this option if it is not
   recognised by the node.)

        Also, IANA is requested to create a registry for
   CALIPSO DOI values.  The initial values for this registry,
   shown in dotted-quad format, are as follows:

      DOI Value                   Organisation or Use
      =======================     ============================
      0:0:0:0                     Null DOI; MUST NOT be used
                                  on any network at any time.
      0:0:0:1 to 0:255:255:255    For private use among
                                  consenting parties within
                                  private networks; for reasons
                                  of interoperability, these
                                  DOI values MUST NOT ever
                                  appear on the global public
                                  Internet.
      1:0:0:0 to 254:255:255:255  For assignment by IANA to
                                  organisations following the
                                  guidelines in the paragraph
                                  below.
      255:0:0:0 to 255:0:0:0      Reserved for future protocol
                                  use.


        For the CALIPSO DOI values registry, IANA is requested
   to issue a new DOI value to any organisation that requests
   it.  Assignment information normally should be made
   available on the IANA website.  A commercial organisation
   will normally only be assigned at most two DOI values.  A
   national government or multi-national treaty organisation
   may be assigned a small range of values, if that is
   requested.  Different departments within a given national
   government each may independently request a range of values.






StJohns Et Alia                                                [Page 40]

Internet-Draft                                               21 MAY 2008


ACKNOWLEDGEMENTS

        This document is directly derived from an
   Internet-Draft titled "Son of IPSO (SIPSO)" written by
   Mike StJohns circa 1992.  Packet format changes have been
   made since that draft, primarily to comply with IPv6
   syntax rules.

        Steve Brenneman, L.C. Bruzenak, Jarrett Lu, Paul
   Moore, Dave Parker, and Bill Sommerfeld (in alphabetical
   order) provided feedback on earlier versions of this
   document.  We also would like to thank the several anonymous
   reviewers, particularly for sharing their insights into
   operational considerations with MLS networking.

INFORMATIVE REFERENCES

  [BL73]         Bell, D.E. & LaPadula, L.J., "Secure Computer
                 Systems: Mathematical Foundations and
                 Model", Technical Report M74-244, The MITRE
                 Corporation, Bedford, MA, May 1973.

  [CMW]          US Defense Intelligence Agency,
                 "Compartmented Mode Workstation Evaluation
                 Criteria", Technical Report
                 DDS-2600-6243-91, Washington, DC.

  [DOD 5200.1]   US Department of Defense,
                 "DoD Information Security Program",
                 Directive 5200.1, 13 December 1996.

  [DOD 5200.1-R] US Department of Defense,
                 "Information Security Program Regulation",
                 DoD 5200.1-R, 17 January 1997.

  [DoD 5200.28]  US Department of Defense,
                 "Security Requirements for Automated
                 Information Systems," Directive 5200.28,
                 21 March 1988.

  [DoD MLOS PP]  US Department of Defense,
                 "Protection Profile for Multi-level
                 Operating Systems in Environments requiring
                 Medium Robustness, Version 1.22,
                 23 May 2001.

   [ISO-15408]    International Stanards Organisation,
                  "Evaluation Criteria for IT Security",



StJohns Et Alia                                                [Page 41]

Internet-Draft                                               21 MAY 2008


                  ISO/IEC 15408, 2005.

   [CC]          "Common Criteria for Information Technology
                 Security Evaluation", Version 3.1, Revision
                 1, CCMB-2006-09-001, September 2006.

   [TCSEC]        US Department of Defense,
                  "Trusted Computer System Evaluation
                  Criteria", DoD 5200.28-STD,
                  26 December 1985.

   [DoD 8500.1]   US Department of Defense,
                  "Information Assurance",
                  Directive 8500.1, 24 October 2002.

   [FIPS-188]     US National Institute of Standards &
                  Technology, "Standard Security Labels for
                  Information Transfer", Federal Information
                  Processing Standard (FIPS) 188, September
                  1994.

   [RFC-791]      J. Postel, Internet Protocol, RFC-791,
                  September 1981.

   [RFC-1038]     M. StJohns, Draft Revised IP Security
                  Option, RFC-1038, January 1988.

   [RFC-1108]     S. Kent, US DoD Security Options
                  for the Internet Protocol, RFC-1108,
                  November 1991.

   [RFC-1825]     R. Atkinson, Security Architecture
                  for the Internet Protocol, RFC-1825,
                  August 1995.

   [RFC-2119]    S. Bradner, "Key words for use in RFCs
                 to Indicate Requirement Levels", RFC-2119,
                 March 1997.

   [IPSEC]       S. Kent, "Security Architecture for the
                 Internet Protocol", RFC-4301, December 2005.

   [AH]          S. Kent, "IP Authentication Header",
                 RFC-4302, December 2005.

   [ESP]         S. Kent, "IP Encapsulating Security Payload",
                 RFC-4303, December 2005.




StJohns Et Alia                                                [Page 42]

Internet-Draft                                               21 MAY 2008


NORMATIVE REFERENCES

      [RFC-2460]     S. Deering & R. Hinden, "Internet Protocol
                     Version 6 Specification", RFC-2460,
                     December 1998.

      [RFC-1662]     W. Simpson, "PPP in HDLC-like Framing",
                     Appendix C, RFC-1662, July 1992.


AUTHORS:

   M. StJohns
   Germantown, MD

   R. Atkinson
   Extreme Networks
   3585 Monroe Street
   Santa Clara, CA
   USA 95051

   rja@extremenetworks.com
   +1 (408)579-2800

   G. Thomas
   US Department of Defense
   Washington, DC
   USA

IETF IPR Clause

  The IETF takes no position regarding the validity or scope
  of any Intellectual Property Rights or other rights that
  might be claimed to pertain to the implementation or use
  of the technology described in this document or the extent
  to which any license under such rights might or might not
  be available; nor does it represent that it has made any
  independent effort to identify any such rights.
  Information on the procedures with respect to rights in
  RFC documents can be found in BCP 78 and BCP 79.

  Copies of IPR disclosures made to the IETF Secretariat and
  any assurances of licenses to be made available, or the
  result of an attempt made to obtain a general license or
  permission for the use of such proprietary rights by
  implementers or users of this specification can be
  obtained from the IETF on-line IPR repository at
  http://www.ietf.org/ipr.



StJohns Et Alia                                                [Page 43]

Internet-Draft                                               21 MAY 2008


  The IETF invites any interested party to bring to its
  attention any copyrights, patents or patent applications,
  or other proprietary rights that may cover technology
  that may be required to implement this standard.  Please
  address the information to the IETF at ietf-ipr@ietf.org.

COPYRIGHT

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and
   restrictions contained in BCP 78, and except as set forth
   therein, the authors retain all their rights.

   This document and the information contained herein are
   provided on an "AS IS" basis and THE CONTRIBUTOR, THE
   ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY),
   THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE
   USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS
   OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
   A PARTICULAR PURPOSE.

   Draft Expires: 21 NOV 2008


























StJohns Et Alia                                                [Page 44]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/