[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 01

                                     Expiration Date:  January 1993



        Request for Comments On A Specification of
          Trusted NFS (TNFS) Protocol Extensions



1.  Status Of This Memo

This document is an Internet Draft.  Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.

Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted
by other documents at any time.  It is not appropriate to use
Internet Drafts as reference material or to cite them other than
as a "working draft" or "work in progress."

Please check the I-D abstract listing contained in each Internet
Draft directory to learn the current status of this or any
other Internet Draft.

This draft document specifies extensions  to  RFC  1094  [1]
which  support  network  file  access in a multilevel secure
(MLS) network environment[1].  This draft  was  approved  by
the  Trusted  Systems  Interoperability  Group (TSIG), whose
charter is to promote multi-vendor trusted system interoper-
ability.

2.  Abstract

Additional functionality has been developed for  UNIXr  sys-
tems  to address the TCSEC [2] requirements for trusted sys-
tems.  New  requirements  are  driving  efforts  to  develop
interoperable, networked solutions for trusted UNIX environ-
ments.   A  specific  approach  for  addressing  TCSEC   MLS
requirements  is identified in the CMW requirements document
[3].  Developing support for network interoperability  among
MLS classified systems is a primary goal of the trusted UNIX
community.

Sun Microsystem's Network File System (NFS- ) V2 protocol is
an  industry (de facto) standard network file access mechan-
ism, and represents one of  the  key  components  of  system
interoperability in the current UNIX networking market. This
draft document describes extensions to the NFS  V2  protocol
which  support network file access in a MLS network environ-
ment.  It will be submitted to the RFC editor as a  protocol
specification. Distribution of this draft document is unlim-
ited.  Please send comments to the  author  at  the  address
identified in section 6 below.

3.  MLS Extensions for NFS

MLS  functionality  includes  discretionary  access  control
(DAC),  subject  and  object  security  labeling,  mandatory
access control (MAC), authentication, auditing, and documen-
tation.  Exchanging information between MLS systems requires
communicating additional security information along with the
actual data.
_________________________

  [1] Multilevel Secure systems include,  for  example,
support for B1 and CMW security policies.
  r UNIX is a registered trademark of UNIX Systems  La-
boratories (U.S.L.)

  - NFS is a trademark of Sun Microsystems, Incorporat-
ed



TNFS-001.2.03                                       [Page 1]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


The primary goal of this specification is to describe exten-
sions  to  the  NFS  V2  protocol which support network file
access between MLS systems with  a  minimal  impact  on  the
existing NFS V2 environment[2].  It is  also  intended  that
this  MLS environment will permit unmodified NFS clients and
servers to continue to be fully supported.

The general approach used in extending the NFS  V2  protocol
is  to  transport  additional user context in the form of an
extended NFS UNIX style credential  between  a  Trusted  NFS
(TNFS)  client  and server, and to map that context into the
appropriate server  security  policies  which  address  file
access.   In addition, security file attributes are returned
with each NFS (TNFS) procedure call.  Otherwise, the NFS  V2
protocol remains essentially unchanged.

Two companion documents [4][5] complete the set of  documen-
tation describing the TNFS environment.

3.1.  The Extended User Context

The Sun RPC  protocol  [6][7]  includes  two  authentication
parameters in a request message:

     an authentication credential  -  used  to  identify  or
     present  a  client  subject's  credentials  to a server
     along with a given request for access  or  information,
     and

     an authentication  verifier  -  used  to  validate  the
     subject's credentials,

and an authentication verifier in the RPC response message.

An NFS server uses the client subject's credentials to  per-
form  appropriate  access  checks  prior  to  servicing  the
request.  The verifier parameter in the RPC request  message
is used to authenticate the client subject's credentials[3].

Several styles of authentication are currently  defined  for
NFS[4], and an NFS server  may  elect  to  support  multiple
authentication  styles  concurrently.  A new RPC authentica-
tion style,  AUTH_MLS,  is  defined  for  use  in  the  TNFS
_________________________

  [2] Revisions to the NFS V2 protocol have been speci-
fied  and  presented  for comment to the NFS community;
this document addresses extensions to the  V2  protocol
only.
  [3] Authentication  of  client  and server identities
will not be addressed in this specification.

  [4] Styles    currently    defined   are   AUTH_NONE,
AUTH_UNIX, AUTH_SHORT, and AUTH_DES.



TNFS-001.2.03                                       [Page 2]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


environment. The definition of the AUTH_MLS credential  com-
bines  the  information  in  the  AUTH_UNIX  credential with
extensions for the additional security attributes:

     o    audit id - immutable  subject  (user)  identifier,
          not  affected  by modifications to either the real
          or effective user or group identifiers,

     o    sensitivity label - used with a MAC policy; a sub-
          ject  generally has a static, top-level clearance,
          but is permitted to execute processes at a  sensi-
          tivity  level  different  from  (i.e.  lower than)
          his/her actual clearance,

     o    information label - also used with a  MAC  policy;
          dynamically  adjusted  based  upon the information
          content associated with the subject (or object),

     o    integrity label -  used  with  commercial,  multi-
          party  security policy (eg. Clark-Wilson [8], Biba
          [9]),

     o    privilege mask - used to identify privileges  (eg.
          chown,  chmod) or "rights" granted to a given sub-
          ject, generally to override an  existing  security
          policy, and

     o    vendor label -  used  to  accommodate  additional,
          vendor specific policies

The  additional  security  attributes   will   actually   be
represented  within  the  AUTH_MLS  credential by fixed size
tokens,  which  can  support  multiple  translation  schemes
through the use of an appropriate translation mechanism [5].
For instance, mechanisms such  as  M.I.T.  Project  Athena's
Hesiod/BIND or Sun Microsystem's NIS[5] lookup service could
be  used  to  support the translation of tokens and security
attribute information.

There are several advantages to the use of a token  transla-
tion model.  One major advantage is that the actual security
attribute information may be defined within the  translation
service,  while  the attribute representation may be defined
by a small, fixed sized token within  the  relatively  small
amount  of unallocated space in the credential structure.  A
second advantage of a  translation  model  is  that  it  may
accommodate  multiple  security  policies  and translations.
Finally, a token translation model permits security policies
to  be  developed independently from the translation mechan-
ism. Tokens are transferred within the  AUTH_MLS  credential
_________________________

  [5] Network Information Service, known previously  as
the Yellow Pages Service



TNFS-001.2.03                                       [Page 3]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


as opaque objects which are given context  by  the  security
policy  mechanisms  implemented  by  the  TNFS  clients  and
servers.

Note that although tokens are  defined  as  opaque  objects,
tokens which represent the same security attribute and which
reside within the same translation scheme  may  be  compared
for equality.  This characteristic permits tokens represent-
ing a specific security attribute to be referenced  in  com-
parisons without requiring the tokens to be translated.

3.2.  Discretionary Access Control

A Discretionary Access Control (DAC) policy provides for the
restriction  of subject access to objects based on the iden-
tity of subjects  and/or  the  groups  for  which  they  are
members.   Most  secure  systems  address  DAC  requirements
through the use of access control  lists.   Associated  with
each  file  is  a  list which identifies the set of user and
group combinations authorized to access the file, along with
the access privileges associated with each combination.

The information contained in the AUTH_MLS  credential  of  a
TNFS  client  request includes user and group identification
sufficient to permit the server  to  apply  appropriate  DAC
policies  in  controlling  access  to its shared, local file
objects.  For example, the subject represented by  the  user
and/or group identifiers contained in the client request may
be checked against the access control list information asso-
ciated  with  the referenced file on the server. Access con-
trol list information is not required to be transmitted from
the client to the server in support of a server based access
control policy.  Client based support for access control  of
server  based file objects is discussed below in the section
which describes the extended attribute cache.

3.3.  Mandatory Access Control

A Mandatory Access Control (MAC)  policy  provides  for  the
restriction of subject access to objects based on the sensi-
tivity of the information contained  in  the  objects.   MAC
policies thus include assigning levels of trust or clearance
to system users (subjects), and  levels  of  sensitivity  to
system  objects, and then ensuring that only users with suf-
ficient clearance can access the classified information.

3.3.1.  Sensitivity Labels

When MAC policies  are  enabled,  each  system  subject  and
object  is  created with a sensitivity label, and the system
MAC policies compare the labels when determining access.

The  AUTH_MLS  credential  contains  the  sensitivity  label
information   associated   with   the  TNFS  client  subject



TNFS-001.2.03                                       [Page 4]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


(application) making the access request.   This  information
is sufficient to permit the MAC policy checking mechanism on
the server to determine whether  to  permit  access  to  the
requested object or information.

3.3.2.  Information Labels

Information labels represent the  actual  sensitivity  of  a
given subject or object, and permit the additional identifi-
cation of control markings for a given piece of information.
The  information  label is dynamically adjusted on both sub-
jects and objects to the highest sensitivity level reflected
by  a  subject/object  pair:  if  a  subject  issues a write
request to an object, the information label  of  the  object
will  be adjusted (if necessary) to the level defined by the
information label of the subject;  if  a  subject  issues  a
read request to an object, the information label of the sub-
ject will be adjusted to the level defined by  the  informa-
tion  label of the object.  Note that information labels are
adjusted upwards as a result of these  actions;  information
labels are never automatically adjusted to a lower level.

The AUTH_MLS credential in the RPC request message  contains
the  current information label associated with a TNFS client
application (subject), and permits a  remote  file's  object
information  label to be adjusted (if necessary) as a result
of a client generated write operation.  The TNFS reply  mes-
sage  includes  a field for the information label associated
with an  accessed  file  object,  permitting  the  subject's
information  label to be adjusted (if necessary) as a result
of a client generated read operation.

These extensions are sufficient to support the MAC  informa-
tion label policies with respect to network file access.

3.3.3.  Privilege

The TCSEC/CMW concept of least privilege is an integral part
of  the MLS environment. Fine grained privileges are granted
to  subjects  (and  associated  processes),  and  executable
objects (files) according to a strict set of rules. All sub-
jects are limited with respect to the  system  actions  they
may  perform.  An  executable  object  is  also limited to a
specific set of actions, regardless  of  the  subject  which
executes  the  object. Privilege sets associated with a file
object are used to adjust a process's privileges during  the
execution  of  that object.  Thus, at any given time, a sub-
ject will possess only those privileges necessary to support
the completion of its current task.

Note, however, that the privileges associated with a subject
on  a client system might not be extended to that subject on
a given remote server system.  Although most  subjects  will
likely  retain  their  privileges  on  the  server, a client



TNFS-001.2.03                                       [Page 5]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


administrator, for example, might not be granted administra-
tive privileges on the server.

For TNFS, subject privileges are defined within the AUTH_MLS
credential, and file privileges are defined within the secu-
rity file attributes.

3.3.4.  File Name Attributes

UNIX file names may vary in length from 1 to 255 characters,
and  represent  an  additional  data storage mechanism which
must be protected by appropriate  MLS  policies.  Generally,
the  contents  of  a file may be classified, but the name of
the file or knowledge of its  existence  is  not.   In  some
cases, however, the name of the file as well as its contents
may require classification  and  protection.   For  example,
consider the following file name:

          codeword.SAND_AIRDEF.is.the.TOP-
          SECRET.DESERT_STORM.air.defense.project

The association of sensitivity and information  labels  with
directory  file  name entries provides the support necessary
to protect the use of classified file names.

3.4.  Additional MLS Extensions for NFS

In an MLS environment, both DAC and MAC access control poli-
cies  are  applied  in determining access to a given object.
In a network environment of  MLS  systems  participating  in
TNFS  file  access,  the  AUTH_MLS credential permits a TNFS
server to apply both DAC and MAC policies  in  consideration
of  a  request  from a remote NFS client subject.  Thus, MLS
based network file access using the NFS V2 protocol  can  be
supported  through  the  use  of  the AUTH_MLS credential as
described.

Listing or modifying the DAC and MAC security attributes  of
a  server's  file  or  file  name  from  a  client, however,
requires additional protocol extensions.  Identifying  addi-
tional  security  access restrictions when a request is made
to open a remote file is also considered to  be  a  require-
ment.  Extensions designed to satisfy these requirements are
addressed by TNFS, and are described  in  the  next  subsec-
tions.

3.4.1.  Remote Access to Extended File Attributes


The DAC and MAC security attribute information includes  MAC
and  information labels, and access control list information
(ACLs).  Supporting remote access  to  this  information  is
more difficult to address in the network environment, since:




TNFS-001.2.03                                       [Page 6]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     o    it requires transmitting additional file  security
          attribute   information  (or  its  representation)
          "over the wire", and

     o    additional file attribute  information  cannot  be
          accommodated  in the existing NFS V2 protocol file
          attribute data structures; additional support  for
          setting  and  getting the extended security attri-
          butes is required

Thus, extensions to the NFS V2 protocol procedures have been
defined  to  support  access  to  the extended attributes of
served files and file names. The complete set of NFS  proto-
col  procedures  and  security extensions are referred to in
this document as the TNFS protocol.

3.4.2.  File Open Enhancement

Using the NFS V2 protocol, a client request to  open  (2)  a
remote  file  on  the server may be translated by the client
into a GETATTR procedure call for the current  directory[6],
followed  by  a  LOOKUP  procedure  call  for the file to be
opened. If valid responses from these  procedure  calls  are
returned,  the client's NFS file attribute cache is updated,
and an open file descriptor may be returned to the  request-
ing application.

Since the NFS V2 protocol does not transmit an  actual  open
request  to  the  server, however, an MLS server will not be
able to apply the appropriate DAC and MAC policy at the time
of  the  open  request, and the application may find that it
has successfully opened the file, but that it cannot  access
the  file  due  to  stronger  access  control policies being
applied by the server in response to specific client  access
requests.

An access protocol procedure  would  permit  the  client  to
determine  whether  access to the file would be supported by
the server, based on the application's open request type and
the  associated extended security attribute information.  An
ACCESS TNFS protocol procedure has been defined  to  address
this  issue.   Thus,  if file attributes are being cached on
the client, and the security attributes of a client  process
issuing  a  request to open a remote file have been modified
since the last time it issued an open request for that file,
then an ACCESS procedure call shall be made to the server to
revalidate the access rights of that client process.



_________________________
  [6] Depends on the presence of  valid  attributes  in
the lookup cache (DNLC).




TNFS-001.2.03                                       [Page 7]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


3.4.3.  File Name Enhancement

Supporting the retrieval of the security attributes  associ-
ated with each file name requires an extension to the direc-
tory result structure returned by  the  NFS  directory  pro-
cedures:  LOOKUP,  CREATE,  and  MKDIR.  This data structure
extension is defined in section 3.4.5.1.

The ability to modify file name security attributes indepen-
dently  from file data security attributes is also required.
A new TNFS procedure, SETLABEL, has been defined to  support
this capability.

3.4.4.  MultiLevel Directory Enhancement

Directories are files which contain file names and  pointers
to  the data associated with the file names.  The files con-
tained in a directory include both regular files as well  as
other  subdirectory  files.  Directories  are  used to group
files, and to support the file system hierarchy.

In an MLS environment, files  and  directories  are  labeled
with  specific  classifications; security policies limit the
access of a given file to a user with a classification which
dominates  the  file's  classification.  MLS implementations
must continue to maintain the basic  file  system  directory
hierarchy,  and  also support the MLS access policies.  They
must support the creation, storage, and access of files  and
data of different security classifications, and also provide
some accommodation for the use  of  commonly  shared  direc-
tories, such as /tmp and /usr/tmp.

One implementation approach is to  use  file  name  security
attributes,  as  described  previously.   The TNFS file name
attributes and SETLABEL procedure support this approach.  An
alternative  is  to  create  a  set of diversion directories
below  the  actual  MultiLevel  Directory.   Each  diversion
directory  is  associated  with  a  specific  classification
level, and user access  is  directed  into  the  appropriate
diversion  directory  in a transparent, pass-through manner.
The TNFS MLD procedure supports diversion  directory  imple-
mentations.  Additional information is provided in [4].

3.4.5.  TNFS Protocol Extensions

Extensions to the NFS V2 protocol are defined in  this  sec-
tion of the specification.  These extensions are designed to
support remote access to the security file attribute  exten-
sions,  and  to  support  the file open, file name, and Mul-
tiLevel Directory enhancements.

3.4.5.1.  Data Structure Definitions

The  definitions  which  support  the  MLS  extensions   are



TNFS-001.2.03                                       [Page 8]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


described  in  this  section.  Since the definitions for the
TNFS protocol are an extension of the original NFS V2 proto-
col,  this  specification  will  include all of the extended
data structure definitions, and a few of the original defin-
itions  for clarity. Note that the arguments and results are
defined using the RPC language.

The following RPC constants are used to  identify  the  TNFS
extensions  which  support  MLS security policies.  The TNFS
program will be registered as a separate  service  with  the
RPC port mapping service.[7]  Registration  as  a  different
service distinguishes the TNFS service from the original NFS
V2 service.  The use of a different version  number  distin-
guishes each request/response message.


     PROGRAM 390086  /* TNFS Program Number */
     VERSION      1  /* TNFS Version 1 */


The stat type is returned  from  every  procedure  call.   A
value  of  NFS_OK indicates the call completed successfully.
Other values indicate that an error occurred during the ser-
vicing  of  the  request.  Note: this structure is unchanged
from the NFS V2 Protocol Specification.  It  is  (partially)
reproduced here for clarity.


     stat

     enum stat {
          NFS_OK = 0,
          NFSERR_PERM = 1,
             NFSERR_NOENT = 2,
             . . .
             [other NFS errors as defined in the V2 protocol
     specification]
     };


The credential parameter is included  in  each  RPC  request
message,  and is used to supply the client subject's creden-
tials to the server.  The AUTH_MLS credential will  be  used
with the TNFS procedure calls and is defined as follows:


     #define AUTH_MLS 200000     /* decimal */


_________________________
  [7] TNFS server implementations may elect to share  a
common  UDP  [13]  port number with the original NFS V2
service, or to make use of a different port number.




TNFS-001.2.03                                       [Page 9]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     #define MLS_TOKEN_SIZE 4    /* 4 octets or 32 bits */

     typedef opaque t_token[MLS_TOKEN_SIZE]; /*  tokens  are
     opaque */

     struct authmls_cred {
             u_long  auc_stamp;         /* arbitrary ID */
             char    auc_machname<255>; /* machine name */
             u_long  auc_uid;           /* effective uid */
             u_long  auc_gid;           /* effective gid */
             u_long  auc_len;           /* len of groups list */
             u_long  auc_gids<24>;      /* groups */
             u_long  auc_aid;           /* audit id */
             t_token auc_privs;         /* subject privileges token */
             t_token auc_sens;          /* sensitivity token */
             t_token auc_info;          /* information token */
             t_token auc_integ;         /* integrity token */
             t_token auc_vend;          /* vendor specific policy token */
     };


     Note that if a given security attribute  is  not  being
     exchanged,  then  the  corresponding  credential  token
     value shall be set to "all bits on".  A given  security
     policy  may  require that only a subset of the security
     attributes  provided  for  in  this  specification   be
     exchanged.   For  example, a C2 network security policy
     requires the support  of  privileges,  and  might  also
     require  support  for  Access Control Lists (ACLs).  In
     that case, the sensitivity, information, integrity, and
     vendor  specific token values shall be set to "all bits
     on" in the exchange messages.


The fattr structure defines the complete set of file  attri-
butes  of  a file. The extended fattr structure combines the
NFS V2 fattr structure with additional fields for  a  file's
security    attributes.    The   security   attributes   are
represented by tokens.


     struct fattr {
             ftype   type;      /* file type */
             u_long  mode;      /* encoded access mode */
             u_long  nlink;     /* number of hard links */
             u_long  uid;       /* file's owner id */
             u_long  gid;       /* file's group id */
             u_long  size;      /* file size in bytes */
             u_long  blocksize; /* number bytes/block */
             u_long  rdev;      /* device number of the file */
             u_long  blocks;    /* current number of blocks */
             u_long  fsid;      /* file system id */
             u_long  fileid;    /* unique file identifier */
             timeval atime;     /* time of file's last access */



TNFS-001.2.03                                      [Page 10]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


             timeval mtime;     /* time last modified (written) */
             timeval ctime;     /* time of last attribute change */
             t_token privs;     /* file privileges token */
             t_token sens;      /* sensitivity token */
             t_token info;      /* information token */
             t_token integ;     /* integrity token */
             t_token acl;       /* access control list token */
             t_token vend;      /* vendor specific policy token */
     };


     Note that if a given security attribute  is  not  being
     exchanged,  then the corresponding file attribute token
     value shall be set to "all bits on".

The sattr structure defines the file attributes which can be
set  from  the client. The extended sattr structure combines
the NFS V2 sattr structure with additional  fields  for  the
security  attributes,  which  are  represented by tokens.  A
token value of "all bits on" indicates that the token  field
is to be ignored.


     struct sattr {
             u_long  mode;    /* encoded access mode */
             u_long  uid;     /* file's owner id */
             u_long  gid;     /* file's group id */
             u_long  size;    /* file size in bytes */
             timeval atime;   /* last access time */
             timeval mtime;   /* last data modify time */
             t_token privs;   /* file privileges token */
             t_token sens;    /* sensitivity token */
             t_token info;    /* information token */
             t_token integ;   /* integrity token */
             t_token acl;     /* access control list token */
             t_token vend;    /* vendor specific policy token */
     };


The sattrargs structure is used by  the  SETATTR  procedure.
It contains the extended sattr structure definition.


     struct sattrargs {
         fhandle file;
         sattr attributes;
     };


The attrstat structure defines  a  common  procedure  result
containing the status of the procedure call.  It is returned
with the results of GETATTR, SETATTR,  and  WRITE  procedure
calls.   If  the  call was successful, attrstat contains the
results for the specific procedure called, and the  complete



TNFS-001.2.03                                      [Page 11]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


set  of  file attributes for the file on which the procedure
was executed.


     union attrstat switch (stat status) {
             case NFS_OK:
                 fattr attributes;
             default:
                 void;
     };


The diropargs structure is used in directory operations. The
fhandle dir is the directory containing file name name.


     struct diropargs {
          fhandle dir;
          filename name;
     };


The diropres structure defines the results  of  a  directory
procedure  call.   If the call was successful, diropres con-
tains a new file handle file, the complete set of associated
file  attributes,  and the file name attributes: sens, info,
and vend.


     union diropres switch (stat status) {
             case NFS_OK:
                 struct {
                     fhandle file;
                     fattr attributes;
                     t_token sens;
                     t_token info;
                     t_token vend;
                 } diropok;
             default:
                 void;
     };


The readlinkres structure defines the results of a  READLINK
procedure  call.   If  the  call was successful, readlinkres
contains the data in the symbolic link of the  file  identi-
fied  by  the  file handle argument, and the complete set of
associated file attributes.  File  attributes  are  returned
with  the READLINK procedure call to support the information
label adjustment policy.


     union readlinkres switch (stat status) {
             case NFS_OK:



TNFS-001.2.03                                      [Page 12]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


                 struct {
                     path data;
                     fattr attributes;
                 } readlinkok;
             default:
                 void;
     };


The readdirres structure defines the results  of  a  READDIR
procedure  call.   If  the  call  was successful, readdirres
returns a variable number of directory entries, with a total
size  of up to the amount specified in the argument count of
the readdirargs structure. Each entry contains a unique file
identifier, the name of the file, and an opaque "pointer" to
the "next" entry in the directory, which is used in a subse-
quent  READDIR  procedure  call to obtain additional entries
starting at that "point" in the directory.  The eof flag has
a value of TRUE if there are no more directory entries.  For
TNFS, file attributes are returned  with  the  READDIR  pro-
cedure call to support the information label adjustment pol-
icy.

Note that in responding to a  READDIR  procedure  call,  the
server  shall  return only those directory entries which the
requesting client process dominates. Thus,  security  attri-
bute tokens are not required to be returned with each entry,
and the directory  information  which  is  returned  may  be
passed to the requesting process without additional process-
ing by the client TCB.


     union readdirres switch (stat status) {
             case NFS_OK:
                 struct {
                     entry *entries;
                     bool eof;
                     fattr attributes;
                 } readdirok;
             default:
                 void;
     };

3.4.5.2.  TNFS Protocol Procedure Definitions

The TNFS Protocol Definition integrates the use of:

     o    the extended fattr and sattr structures,

     o    an AUTH_MLS authentication style RPC credential,

     o    a new TNFS protocol version  number  to  differen-
          tiate  between  NFS  V2  and the security extended
          TNFS protocol,



TNFS-001.2.03                                      [Page 13]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     o    a new protocol procedure, ACCESS, to  support  the
          file open enhancement,

     o    a new protocol procedure, SETLABEL, to support the
          modification of the file name security attributes,
          and

     o    a new protocol procedure, MLD, to  support  diver-
          sion directories

Other than these changes, however, the syntax and  semantics
of TNFS remain the same as in the original NFS V2 specifica-
tion.

3.4.5.2.1.  Access Procedure

The following descriptions are used to define the new ACCESS
procedure.


Definitions used to identify the access request type:

     #define READ    0x001
     #define WRITE   0x002
     #define EXEC    0x004
     #define SEARCH  0x008
     #define APPEND  0x010


Arguments for the remote access procedure:

     accessargs

     struct accessargs {
             fhandle  file;
             u_long   flag;
      };


Response from the remote access procedure:

     accessres

     union accessres switch ( stat status ) {
         case NFS_OK:
             struct {
                 bool_t status;   /* access status: TRUE  or
     FALSE  */
                 fattr  attributes;  /* standard file attri-
     butes */
             }  accessok;

         default:
          void;



TNFS-001.2.03                                      [Page 14]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     };


Procedure definition for checking remote access permission:

     accessres
     NFSPROC_ACCESS(accessargs) = 18

     Description:

     Determine if access as described by flag will  be  per-
     mitted  on the remote served object file by the reques-
     ter.  Flag values are bit  encoded  as  defined  previ-
     ously.  READ  access means that the data in file can be
     read, WRITE access means that the data in file  can  be
     modified  (written), EXEC access means that file can be
     accessed and executed  (local  execution  of  a  remote
     file),  SEARCH access means that the directory file can
     be used as the argument  to  a  LOOKUP  operation,  and
     APPEND  means  that  the file size can be extended.  If
     status is NFS_OK:

          accessok.status will be set to TRUE if the  access
          request  would be allowed, and set to FALSE other-
          wise, and

          attributes will contain the complete set  of  file
          attributes

     Otherwise:

          the NFSERR error number  returned  identifies  the
          error condition

     Implementation:

     The ACCESS procedure provides a means for checking file
     access  permission prior to issuing a subsequent set of
     file operations. For example, a TNFS client  may  issue
     an  access  procedure  as  a result of an application's
     file open (2) request to determine if  subsequent  file
     reads  and/or writes by the application would be denied
     by the server as a result of the server's extended file
     access  security policies.  Note that the processing of
     an open (2) request for a remote file shall include  an
     ACCESS procedure call if the security attributes of the
     issuing client process have  been  modified  since  the
     last  time that process issued an open request for that
     file.  Note also that the information returned  by  the
     server  in  response to an ACCESS procedure call is not
     static; subsequent file administrative  procedures  may
     result  in  the  modification  of  the  file's security
     attributes.




TNFS-001.2.03                                      [Page 15]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


3.4.5.2.2.  Set Label Procedure

The following descriptions are used to define the new SETLA-
BEL procedure.


Arguments for the set label procedure:

     setlabargs

     struct setlabargs {
             struct diropargs dirargs;
             t_token  sens;
             t_token  info;
             t_token  vend;
      };


Response from the set label procedure:

     diropres

     union diropres switch ( stat status ) {
         case NFS_OK:
             struct {
                fhandle file;
                fattr attributes;
                t_token sens;
                t_token info;
                t_token vend;
         } diropok;

         default:
          void;

     };


Procedure definition for setting file name  security  attri-
butes:

     diropres
     NFSPROC_SETLABEL(setlabargs) = 19

     Description:

     Set the file name security attributes: the  sensitivity
     label  sens, the information label info, and the vendor
     specific policy label vend on the file name name in the
     parent directory dir.  If status is NFS_OK:

          then the reply file and reply attributes  are  the
          file  handle  and  attributes for the file name in
          the directory given by dir in  the  argument,  and



TNFS-001.2.03                                      [Page 16]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


          the reply sens, reply info, and reply vend are the
          sensitivity, information, and vendor specific pol-
          icy labels for the file name name.

     Otherwise:

          the NFSERR error number  returned  identifies  the
          error condition

     Implementation:

     The SETLABEL procedure provides a means  for  modifying
     the  file  name  security  attributes: the sensitivity,
     information, and vendor specific policy labels  associ-
     ated  with  the  file  name  object.   When  a  file is
     created, the file name sensitivity label  will  be  set
     equal  to  the  sensitivity  value  identified  in  the
     credential structure, and  the  file  name  information
     label  will  be set to the information value identified
     in the credential structure.  Once the file is created,
     however,  the sensitivity and information labels of the
     file name and the file  data  are  maintained  indepen-
     dently.   The  file data security attribute information
     is maintained by SETATTR, and the  file  name  security
     attribute information is maintained by SETLABEL.

3.4.5.2.3.  MultiLevel Diversion Directory Procedure

The following descriptions are used to define the  new  pro-
cedure to support diversion directories.


Definitions used to identify the MLD request operations:

     #define CREATE    1
     #define REMOVE    2
     #define ISMLD     3


Arguments for the MLD procedure:

     mldargs

     struct mldargs {
             fhandle  file;
             u_long   op;
      };


Response from the remote access procedure:

     mldres

     union mldres switch ( stat status ) {



TNFS-001.2.03                                      [Page 17]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


         case NFS_OK:
             struct {
                 bool_t status;   /* ISMLD status:  TRUE  or
     FALSE  */
                 fattr  attributes;  /* standard file attri-
     butes */
             }  mldok;

         default:
          void;

     };


Procedure definition for maintaining diversion directories:

     mldres
     NFSPROC_MLD(mldargs) = 20

     Description:

     Support the creation and removal  of  diversion  direc-
     tories,  and the ability to determine if a given direc-
     tory is a diversion directory.   The  CREATE  operation
     requests  that  a  diversion  directory be created, the
     REMOVE operation requests that a diversion directory be
     destroyed,  and  the  ISMLD operation requests that the
     diversion status of the file be returned.  If status is
     NFS_OK:

          if the mldargs.op  was  ISMLD,  then  mldok.status
          will  be  set  to  TRUE if the file is a diversion
          directory, and set to FALSE otherwise

          if the mldargs.op was not ISMLD, then mldok.status
          has no meaning

          attributes will contain the complete set  of  file
          attributes

     Otherwise:

          the NFSERR error number  returned  identifies  the
          error condition

     Implementation:

     The MLD procedure  provides  the  means  for  creating,
     removing, and checking for the existence of a diversion
     directory.

     MultiLevel Directory implementations which make use  of
     file  name  attributes shall return status of NFS_OK in
     response to CREATE, REMOVE, and ISMLD  requests,  since



TNFS-001.2.03                                      [Page 18]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     all  directories  are MultiLevel Directories in such an
     environment and thus no explicit action is required.

3.4.5.2.4.  TNFS Service Routines

The TNFS protocol definition is defined below as  a  set  of
procedures,  arguments,  and  results.   All  modified  data
structure definitions are included  in  this  specification.
Most  NFS V2 protocol data definitions remain unchanged, and
are documented in the NFS V2  protocol  specification.   The
complete  set of TNFS protocol procedures are defined below.
The ACCESS, SETLABEL, and MLD procedures are  new,  but  the
other procedures are the same as those defined in the NFS V2
specification.   The  GETATTR,  SETATTR,  LOOKUP,  READLINK,
READ,  WRITE,  CREATE, MKDIR, READDIR, ACCESS, SETLABEL, and
MLD procedures for the TNFS protocol, however,  include  the
extended file attribute structure fattr in the response mes-
sage.

     program TNFS_PROGRAM {
         version TNFS_VERSION {
             void        NFSPROC_NULL (void) = 0;
             attrstat    NFSPROC_GETATTR (fhandle) = 1;
             attrstat    NFSPROC_SETATTR (sattrargs) = 2;
             diropres    NFSPROC_LOOKUP (diropargs) = 4;
             readlinkres NFSPROC_READLINK (fhandle) = 5;
             readres     NFSPROC_READ (readargs) = 6;
             attrstat    NFSPROC_WRITE (writeargs) = 8;
             diropres    NFSPROC_CREATE (createargs) = 9;
             stat        NFSPROC_REMOVE (diropargs) = 10;
             stat        NFSPROC_RENAME (renameargs) = 11;
             stat        NFSPROC_LINK (linkargs) = 12;
             stat        NFSPROC_SYMLINK (symlinkargs) = 13;
             diropres    NFSPROC_MKDIR (createargs) = 14;
             stat        NFSPROC_RMDIR (diropargs) = 15;
             readdirres  NFSPROC_READDIR (readdirargs) = 16;
             statfsres   NFSPROC_STATFS (fhandle) = 17;
             accessres   NFSPROC_ACCESS (accessargs) = 18;
             diropres    NFSPROC_SETLABEL (setlabargs) = 19;
             mldres      NFSPROC_MLD (mldargs) = 20;
         } = 1;     /* Trusted NFS Version 1  */
     } = 390086;    /* Trusted NFS Program Number */

3.4.6.  Using TNFS

With the TNFS protocol procedures described  above,  listing
and  modifying  remote  extended file attributes is now sup-
ported. The definition  of  a  new  application  programming
interface  (API) to support the display of a file's security
attributes will permit either a new file list command  (e.g.
lsacl,  lsmac) or a modification to the existing ls (2) com-
mand to display the security attribute  information  associ-
ated  with a remote file.  Likewise, the definition of a new
API for setting a file's security attributes will permit new



TNFS-001.2.03                                      [Page 19]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


change  security  attribute  commands  to be developed (e.g.
chacl, chmac).

The file open enhancement discussed previously  may  now  be
supported.   The  open API will be translated into a GETATTR
operation for the current directory, a LOOKUP operation  for
the file to be opened, and an ACCESS operation which returns
a boolean value  indicating  whether  the  access  requested
would  be  permitted,  along  with  the  complete set of the
file's attributes.  Thus,  the  TNFS  client  can  determine
whether  the  application requesting to open the remote file
will be able to access it based on the open request type and
the  application's  security credentials.  As described ear-
lier, a server may choose to associate a set  of  privileges
with  the  remote  subject  which  are  different  from  the
privilege set associated with the subject on the client sys-
tem.  The ACCESS procedure call returns the server's assess-
ment of the subject's access capabilities.

The information label adjustment policy is supported,  since
the  AUTH_MLS  credential contains the subject's information
label, and the TNFS reply message contains an extended  file
attribute  structure which includes the file object's infor-
mation label.  Note that the subject's information label may
require  adjustment  as  a  result  of reading a remote file
(READ), reading a remote directory (READDIR), or  reading  a
remote  symbolic  link (READLINK).  A remote file's (object)
information label may be adjusted as a  result  of  SETATTR,
WRITE,  CREATE,  RENAME,  LINK, SYMLINK, and MKDIR TNFS pro-
cedure calls.

File names may now be  protected  by  MLS  policy  with  the
introduction  of file name security attributes, and the SET-
LABEL procedure.

Finally, MultiLevel Directories are accommodated.

3.4.7.  TNFS Access Control Policy

The access control policy recommended by this  proposal  may
be stated as follows:

     o    a client system shall always apply the access con-
          trol  policy  to  a  local request for access to a
          local resource,

     o    a server system shall always apply the access con-
          trol  policy  to  a  local request for access to a
          local resource,

     o    a server system shall always apply the access con-
          trol policy to a remote access request for a local
          resource, and




TNFS-001.2.03                                      [Page 20]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     o    a client system may (temporarily) apply the access
          control   policy   to   a  locally  cached  remote
          resource, iff:

          *    client security attribute caching support  is
               included in the implementation, and

          *    a client security attribute caching policy is
               enabled by the host security officer

This TNFS access control policy ensures that no access  will
be  made  without the application of appropriate access con-
trol.

3.4.8.  TNFS Auditing Policy

The auditing policy recommended by this proposal  is  stated
as follows. When the security auditing function is enabled:

     o    an implementation shall:

          (1)  audit  all  local  requests  for  local  file
               access:

               >    a client system  shall  always  audit  a
                    local  request  for  access  to  a local
                    resource,

               >    a server system  shall  always  audit  a
                    local  request  for  access  to  a local
                    resource

          (2)  provide the capability to  audit  all  remote
               file access requests:

               >    the client shall support the  capability
                    to  audit  local  requests for access to
                    remote resources on a server, and

               >    the server shall support the  capability
                    to  audit  remote requests for access to
                    local resources on the server[8]

          (3)  enable  client  system  auditing   of   local
               requests   for  access  to  remote  files  by
               default


_________________________
  [8] This option  may  require  the  auditing  of  the
specific  TNFS protocol procedure calls, since the pro-
tocol procedures are not translated into actual "system
calls" in many server implementations.




TNFS-001.2.03                                      [Page 21]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


Thus, when the security auditing function is enabled:

     o    all local requests for access to local  files  are
          audited,

     o    client system requests for access to remote  files
          are audited[9]

     o    the capability to audit remote file access by both
          client and server is provided:

          *    client system  auditing  may  be  enabled  to
               audit  local  requests  for  access to remote
               resources; client system auditing is  enabled
               by default,

          *    server system  auditing  may  be  enabled  to
               audit  remote  requests  for  access to local
               resources

     o    enabling of the remote file access auditing  capa-
          bility  shall  be supported by a system management
          operation

This TNFS policy ensures that each  TNFS  host  shall  audit
local  requests for local file access, each TNFS client sys-
tem  shall  audit  requests  for  remote  file  access   (by
default),  and  both TNFS clients and servers shall have the
cability to enable auditing of remote file access  activity.
In  a  given  network  environment,  it  may be desirable to
optionally disable auditing of remote access on  either  the
client or the server to avoid duplication.

3.4.9.  The Extended Attribute Cache

NFS caching strategies are implementation specific, and  are
not  part  of  the NFS protocol.  Caching is not required to
support  TNFS  interoperability.   This  specification  will
therefore  not  include  specific  details  on  the issue of
attribute caching.  However, since  the  caching  mechanisms
are  included in the NFS reference source code releases, and
since attribute caching is critical for achieving  NFS  per-
formance  goals,  several  suggestions  are included in this
section.

In most NFS client implementations, remote  file  attributes
are cached on the client, improving performance and reducing
network traffic.  The attribute cache is updated frequently,
as  most  NFS  procedures  return file attributes along with
_________________________

  [9] This is the default policy; site specific  audit-
ing  policies are established by the site security off-
icer.



TNFS-001.2.03                                      [Page 22]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


other requested information.

A client side cache for the extended  security  file  attri-
butes  should also be considered for similar reasons.  Since
all of the file's security attributes are returned with each
TNFS  file  access  request,  an extended security attribute
cache can now be maintained on the client.

Extending the  attribute  validation  procedure  to  include
validating the security file attributes permits the complete
set of file attributes to be checked and refreshed  if  they
are  no  longer  valid.  If the file's cached attributes are
not valid, a GETATTR procedure call can be made.   The  TNFS
reply  to  this  procedure  now includes the complete set of
file attribute information, permitting  all  of  the  file's
cached attributes to be refreshed.  Cached attribute entries
shall be aged and eventually flushed  unless  refreshed.  If
client caching is enabled, then per process cached attribute
entries shall be maintained.

Note again that an attribute caching policy is not  part  of
the  protocol,  and  is  an implementation technique used to
improve performance.  During the window  of  time  that  the
cache  entry  is  valid,  the  client system applies the MLS
access control policies on  behalf  of  the  server.  It  is
recommended  that  if  an implementation supports the use of
client side attribute  caching,  it  shall  also  support  a
mechanism for disabling the attribute cache. Specific imple-
mentation details are provided in [4].

4.  Related Requirements and Expectations

This specification addresses extensions the NFS V2  protocol
which accommodate network file access in a trusted, MLS net-
work environment.   Expectations  for  the  environment  for
which this specification is applicable include:

     o    the TNFS network environment is a trusted environ-
          ment:

          >    TNFS  authentication  and  message  integrity
               support shall not be required

          >    use of TNFS in an untrusted environment (i.e.
               commercial   network   environment)   is  not
               addressed by this specification

     o    other, related RPC services are required  to  sup-
          port  the  execution  of NFS; these services shall
          support the AUTH_MLS credential  flavor,  but  may
          also  support  alternative policies which make use
          of other authentication flavors:

          >    the token management service is  required  to



TNFS-001.2.03                                      [Page 23]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


               translate    security    attributes   between
               expanded and tokenized formats [5],

          >    the mount service is required to support  NFS
               mount requests,

          >    the lock manager and status monitor  services
               are  required  to  support  NFS file and file
               region locking

     o    client side mounts  shall  be  restricted  to  the
          server's exported mount points:

          >    client requests to mount a subdirectory which
               resides   below   the  export  point  in  the
               server's exported directory shall be denied,

          >    without this restriction,  client  access  to
               server   files  mounted  below  the  server's
               export point bypass the authorization  checks
               which  would  otherwise  have been made using
               the  access  modes  of  the  file  components
               located   higher  in  the  server's  exported
               tree[10]

     o    most file access will take place between MLS modi-
          fied  clients  and  servers, but some TNFS systems
          will continue to interoperate with NFS V2  systems
          through  the  use  of  an  appropriate policy; for
          example, a  filter  or  gateway  could  be  placed
          between  a  MLS system and an unmodified system to
          insert or delete  appropriate  security  attribute
          information on behalf of the unmodified system

          note that client system auditing information  will
          not  be  supplied for remote file access initiated
          from an unmodified  NFS  client;  enabling  server
          system  auditing should be considered by the secu-
          rity officer to support these configurations

     o    a  TNFS  client  should  not  send  any   security
          extended  NFS  procedure  calls  to a server which
          does not  support  this  service;  a  TNFS  client
          should  also refrain from sending extraneous secu-
          rity attribute information to a TNFS  server  that
          does not support those attributes


_________________________
  [10] Note that appropriate use of symbolic  links  on
the  client  will  result  in  a client file name space
similar to one previously constructed by mounting  sub-
directories of exported server file trees.




TNFS-001.2.03                                      [Page 24]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


     o    additional TCB information[11]  is  maintained  by
          each  MLS system to support trusted interoperabil-
          ity [10]; for example, each MLS host may:

          >    maintain a list of the hosts  which  it  will
               communicate with,

          >    maintain the set of security attributes which
               it  expects  to  use  in the exchange of data
               with a given host, and

          >    maintain the specific translation  scheme  or
               schemes  which  will  be  used in translating
               tokens with a given host [5]

     o    the  security  information  defined   within   the
          AUTH_MLS  credential and file attribute structures
          provides for the transfer of  security  attributes
          required  to  support  MLS access policies without
          requiring the underlying network layer to  provide
          security attribute information:

          >    if security attributes are provided  by  both
               the  RPC  layer  and  the  underlying network
               layer, then the security  attribute  informa-
               tion  provided  by  the  RPC  layer  shall be
               applied to the file data  transferred  within
               the RPC message

          >    transferring security attributes  within  the
               RPC  layer provides for the support of a pol-
               icy where data  may  be  transferred  with  a
               security  classification  which  is different
               from the security classification of the  net-
               work  layer;  for  instance, file data with a
               given security classification might first  be
               encrypted and then transferred through a net-
               work with a lower security classification.

          >    support for the transfer of  MAC  sensitivity
               labels  for  the  Internet Protocol Suite has
               been addressed by the CIPSO  [11],  and  IPSO
               [12] documents

5.  Conclusion

This document describes the set of extensions which  support
network  file  access in a network environment consisting of
MLS systems using the  proposed  TNFS  protocol  extensions.
_________________________

  [11] Note that this  information  is  needed  by  all
trusted network applications, and is not limited to NFS
file access.



TNFS-001.2.03                                      [Page 25]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


Unmodified NFS clients and servers are supported  using  the
de facto NFS V2 protocol.

With the previously defined extensions, the MLS network file
access requirements are met.  The extended structure defini-
tions support the DAC and MAC attributes required for  modi-
fying  or displaying the security attribute information. The
enhanced file  open  operation  and  the  information  label
adjustment policies are also supported.

Thus, a small set of extensions to the  NFS  V2  environment
permits MLS access control policies to be supported.  Agree-
ment on these changes will permit the current  base  of  NFS
clients  and  servers  to  be  accommodated  in  the  secure
environment with no changes, and for TNFS  modified  systems
to interoperate using MLS policies.

6.  Acknowledgements

I would like to acknowledge the members of the ITEF/TSIG NFS
Subcommittee,  who  were  instrumental  in  evolving the MLS
extended NFS Protocol Specification from the original propo-
sal.  Many  comments were also made during the review of the
later drafts which greatly improved the specification's rea-
dability.   Contributing  IETF  TNFS  working  group members
include Jeff Edelheit, Fran  Fadden,  Jonathon  Fraser,  Ali
Gohshan,  Carl  Smith, Mark Saake, Dave Summers, and Charlie
Watt.  I'd also like to acknowledge the contributions of the
original  members  of the TSIG Trusted NFS working group: in
addition to the above, these members included Morgan  Clark,
Tricia Jordan, Will Lees, Scott Norton, and Mike Shipley.

The specification was also reviewed by numerous persons out-
side  of the subcommittee. I would like to acknowledge these
persons as well, as a number  of  their  comments  are  also
reflected in the final version.

7.  Author's Address

Fred Glover
Digital Equipment Corporation
110 Spit Brook Road ZK03-3/U14
Nashua, New Hampshire 03062-2698

Phone: 603-881-0388

EMail: fglover@zk3.dec.com

8.  References

[1] Sun Microsystems, Inc., "Network  Filesystem  Specifica-
     tion",  RFC-1094,  DDN  Network Information Center, SRI
     International, Menlo Park, CA.




TNFS-001.2.03                                      [Page 26]


INTERNET-DRAFT  TNFS Protocol Specification    July 06, 1992


[2] National Computer Security Center, United States Depart-
     ment  of  Defense, "Trusted Computer Systems Evaluation
     Criteria" National Computer Security Center, Ft. George
     G. Meade, MD., 1985, DoD 5200.28-STD

[3] Defense Intelligence Agency, United States Department of
     Defense,  "Compartmented  Mode  Workstation  Evaluation
     Criteria",  Defense  Intelligence  Agency,  Washington,
     D.C., DIA document number DDS-2600-6243-91

[4] Trusted Systems Interoperability  Group,  "The  MLS  NFS
     Implementor's Guide", TSIG Document

[5] Trusted Systems Interoperability Group, "The  MLS  Token
     Translation Specification", TSIG Document

[6] Sun Microsystems, Inc., "Remote Procedure Call  Specifi-
     cation",  RFC-1057, DDN Network Information Center, SRI
     International, Menlo Park, CA.

[7] Sun Microsystems, Inc.,  "External  Data  Representation
     Specification",   RFC-1014,   DDN  Network  Information
     Center, SRI International, Menlo Park, CA.

[8] Clark, D. D. and David R. Wilson, "A Comparison of  Com-
     mercial   and  Military  Computer  Security  Policies",
     Proceedings of the 1987 IEEE Symposium on Security  and
     Privacy, IEEE Computer Society Press, Washington, DC.

[9] Biba, K. J., "Integrity Considerations for  Secure  Com-
     puter Systems", TR-76-372, Electronic Systems Division,
     Air Force Systems Command, U.S. Department of  the  Air
     Force, Hanscomb AFB, MA., April 1977

[10]  Trusted  Systems  Interoperability   Group,   "Trusted
     Administration Specification", TSIG Document

[11] Trusted Systems Interoperability Group, "Commercial  IP
     Security Option", TSIG Document

[12] "The IP Security Option", RFC-1108, DDN Network  Infor-
     mation Center, SRI International, Menlo Park, CA.

[13] Postel, J.,  "User  Datagram  Protocol",  RFC-768,  DDN
     Network  Information  Center,  SRI International, Menlo
     Park, CA.











TNFS-001.2.03                                      [Page 27]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/