Proposed MLS section - "5.4 bis"

[Dan McDonald <danmcd@Eng.Sun.Com>]

Hello!

The following proposed text consolidates and clarifies Multi-Level
Secure (MLS)-specific text for the IP Security Architecture document.
It is the output of a small team which met here at Sun on 10/16/97.

Contrary to popular belief, MLS systems have significant deployment in
the commercial sector (including Banking and Health Care).  Members of
this team include IPsec and MLS OS implementors from various commercial
firms and the US DoD.  The members of the team reached smooth consensus
on the following text, which is designed to be a standalone section in
the IP Security Architecture document.  The text is based on section 5.4
of RFC 1825, hence the name "5.4 bis".  It is intended to show IPsec's
extensibility into MLS domains, without constraining the work that will
be needed to fully integrate IPsec into an MLS environment.  None of the
following text applies to non-MLS systems, so anyone who is NOT doing an
MLS implementation does not have to concern {him,her}self with the points
raised below.

Thanks!  (NOTE:  All names are in first-name alphabetical order.)

THE TEAM (* == co-authors at the 10/16 meeting)
===============================================
C. S. Lin (csl@cup.hp.com)
* Dan McDonald (danmcd@eng.sun.com)
* David Kemp (dpkemp@missi.ncsc.mil)
Doug Hosking (???@cup.hp.com)
* Gary Winiger (gww@ebay.sun.com)
Gary Lowell (glowell@engr.sgi.com)
* Mohan Parthasarathy (mohanp@eng.sun.com)
* Matt Thomas (matt.thomas@altavista-software.com)
* Ran Atkinson (rja@inet.org)

p.s. Please send replies to the list and/or to all of the authors.  I ask
     this because I will be virtually incommunicado for the next week.

===================== (Cut up to and including here.) =====================


5.4 Use in Compartmented or Multi-Level Networks

   A multi-level secure (MLS) network is one where a single network is
   used to communicate data with different sensitivity information
   (e.g., Unclassified, Company Proprietary, Secret) [DoD85] [DoD87].
   The IP security mechanisms can easily support MLS networking.  MLS
   networking requires the use of strong Mandatory Access Controls
   (MAC), which ordinary users are incapable of controlling or violating
   [BL73].  This section pertains only to the use of these IP security
   mechanisms in MLS environments.  Nothing in this section applies to
   systems not claiming to provide MLS.

   As used in this section, "sensitivity information" might include
   implementation-defined sensitivity levels, categories, and/or
   releasability information.

   The Authentication Header can be used to provide strong authentication
   among hosts in a single-level network.  The Authentication Header can also
   be used to provide strong assurance for both mandatory access control
   decisions in multi-level networks and discretionary access control
   decisions in all kinds of networks.  If explicit IP sensitivity
   information (e.g., IPSO [Ken91]) is used and confidentiality is not
   considered necessary within the particular operational environment, the
   Authentication Header is used to provide authentication for the entire
   packet, including cryptographic binding of the sensitivity information to
   the IP header and user data.  This is a significant improvement over
   labeled IPv4 networks where the sensitivity information is trusted even
   though it is not trustworthy because there is no authentication or
   cryptographic binding of the information to the IP header and user data.
   IPv4 networks might or might not use explicit labelling.  IPv6 will
   normally use implicit sensitivity information that is part of the IPsec
   Security Association but not transmitted with each packet instead of using
   explicit sensitivity information.  All explicit IP sensitivity information
   MUST be authenticated using either ESP, AH, or both.

   Encryption is very useful and desirable even when all of the hosts
   are within a protected environment.  The Internet-standard encryption
   algorithm could be used, in conjunction with appropriate key
   management, to provide strong Discretionary Access Controls (DAC) in
   conjunction with either implicit or explicit sensitivity information
   (such as IPSO provides for IPv4 [Ken91]). Some environments might
   consider the Internet-standard encryption algorithm sufficiently
   strong to provide Mandatory Access Controls (MAC).  Full encryption
   SHOULD be used for all communications between multi-level computers
   or compartmented mode workstations even when the computing
   environment is considered to be protected.

5.4.1 Relationship Between Security Associations and Data Sensitivity

   Both the Encapsulating Security Payload and the Authentication Header
   can be combined with appropriate Security Association policies to
   provide full multi-level secure networking.  In this case each SA (or
   SA bundle) MUST be used for only a single instance of sensitivity
   information.  For example, "PROPRIETARY - Internet Engineering" must
   be associated with a different SA (or SA bundle) from "PROPRIETARY -
   Finance".

5.4.2 Sensitivity Consistency Checking

   An MLS implementation MAY associate sensitivity information, or a
   range of sensitivity information with an interface, or a configured
   IP address with its associated prefix (the latter is sometimes
   referred to as a logical interface, or an interface alias).  If such
   properties exist, an implementation SHOULD compare the sensitivity
   information associated with the packet against the sensitivity
   information associated with the interface or address/prefix from
   which the packet will arrive, or to which the packet will depart.
   This check will either verify that the sensitivities match, or that
   the packet's sensitivity falls within the range of the interface or
   address/prefix.

   The checking SHOULD be done on both inbound and outbound processing.

5.4.3 Additional MLS Attributes for Security Association Databases

   Section 4.4 details three Security Association databases.  The first
   two, the Security Policy Database (SPD) and the Security Association
   Map (SAM), are used primarily for outbound traffic, though the SPD is
   also consulted after IPsec inbound processing, but before the IP
   datagram is passed to an application or forwarding engine.  Both the
   SPD and the SAM use common selectors.  MLS networking introduces an
   additional selector:

	- Sensitivity information.

   The Sensitivity information aids in selecting the appropriate
   algorithms and key strength, so that the traffic gets a level of
   protection appropriate to its importance or sensitivity as described
   in section 5.4.1.  The exact syntax of the sensitivity information is
   implementation defined.

   The third database is the Security Association Database (SAD).  One
   additional SAD attribute is:

	- Sensitivity information.

   Sensitivity information is needed in the model shown in [BL73].

5.4.4 Additional Inbound Processing Steps for MLS Networking

   After an inbound packet has passed through IPsec processing, an MLS
   implementation SHOULD first check the packet's sensitivity with the
   interface or address/prefix as described in section 5.4.2 before
   delivering the datagram to an upper-layer protocol.

   The MLS system MUST retain the binding between the data received in
   an IPsec protected packet and the sensitivity information in the SA
   or SAs used for processing, so appropriate policy decisions can be
   made when delivering the datagram to an application or forwarding
   engine.

5.4.5 Additional Outbound Processing Steps for MLS Networking

   An MLS implementation of IPsec MUST perform two additional checks
   besides the normal steps detailed in section X.Y.Z.  When consulting
   the SPD or the SAM to find an outbound security association, the MLS
   implementation MUST use the sensitivity of the data to select an
   appropriate outbound SA or SA bundle.  The second check comes before
   forwarding the packet out to its destination, and is the sensitivity
   consistency checking described in section 5.4.2.

5.4.6 Additional MLS Processing for Security Gateways

   An MLS security gateway MUST follow the previously mentioned
   inbound and outbound processing rules as well as perform some
   additional processing specific to the intermediate protection of
   packets in an MLS environment.

   A security gateway MAY act as an outbound proxy for creating SAs for
   MLS systems that originate packets forwarded by the gateway.  These
   MLS systems may explicitly label the packets to be forwarded, or
   perhaps the whole originating network has sensitivity characteristics
   associated with it.  The security gateway MUST create and use
   appropriate SAs for AH, ESP, or both, to protect such traffic it
   forwards.

   Similarly such a gateway SHOULD accept and process inbound AH and or
   ESP packets and forward appropriately, using explicit packet
   labeling, or relying on the sensitivity characteristics of the
   destination network.

REFERENCES

   [BL73]  Bell, D.E. & LaPadula, L.J., "Secure Computer Systems:
           Mathematical Foundations and Model", Technical Report
           M74-244, The MITRE Corporation, Bedford, MA, May 1973.

   [Ken91] Kent, S., "US DoD Security Options for the Internet Protocol",
           RFC 1108, BBN Communications, November 1991.

---

• Prev by Date: Comments on AH and ESP drafts
• Next by Date: Re: Comments on AH and ESP drafts
• Prev by thread: Re: Comments on AH and ESP drafts
• Next by thread: draft of the ISAKMP/Oakley draft
• Index(es):
  • Main
  • Thread