Original Publication Date: 1991-Nov-01
Included in the Prior Art Database: 2000-Sep-12
Internet Society Requests For Comment (RFCs)
Network Working Group                                            S. Kent
Request for Comments: 1108                            BBN Communications
Obsoletes: RFC 1038                                        November 1991

                       U.S. Department of Defense
                 Security Options for the Internet Protocol
Status of this Memo
This RFC specifies an IAB standards track protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "IAB Official Protocol
Standards" for the standardization state and status of this protocol.
Distribution of this memo is unlimited.
This RFC specifies the U.S. Department of Defense Basic Security
Option and the top-level description of the Extended Security Option
for use with the Internet Protocol. This RFC obsoletes RFC 1038
"Revised IP Security Option", dated January 1988.
1. DoD Security Options Defined
The following two internet protocol options are defined for use on
Department of Defense (DoD) common user data networks:
   CF CLASS  #  TYPE LENGTH  DESCRIPTION
   -- ----- --- ---- ------  ---------------------------------------
   1    0   2   130   var.   DoD Basic Security:  Used to carry the
                             classification level and protection
   1    0   5   133   var.   DoD Extended Security:  Used to carry
                             additional security information as
                             required by registered authorities.

   CF = Copy on Fragmentation
2. DoD Basic Security Option
This option identifies the U.S. classification level at which the
datagram is to be protected and the authorities whose protection
rules apply to each datagram.
This option is used by end systems and intermediate systems of an
a. Transmit from source to destination in a network standard
representation the common security labels required by computer
b. Validate the datagram as appropriate for transmission from
the source and delivery to the destination,
c. Ensure that the route taken by the datagram is protected to
the level required by all protection authorities indicated on
the datagram. In order to provide this facility in a general
Internet environment, interior and exterior gateway protocols
must be augmented to include security label information in
support of routing control.
The DoD Basic Security option must be copied on fragmentation. This
option appears at most once in a datagram. Some security systems
require this to be the first option if more than one option is
carried in the IP header, but this is not a generic requirement
levied by this specification.
The format of the DoD Basic Security option is as follows:
      +------------+------------+------------+-------------//----------+
      |  10000010  |  XXXXXXXX  |  SSSSSSSS  |  AAAAAAA[1]    AAAAAAA0 |
      |            |            |            |         [0]             |
      +------------+------------+------------+-------------//----------+
        TYPE = 130     LENGTH   CLASSIFICATION         PROTECTION
                                     LEVEL              AUTHORITY
                                                          FLAGS
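The two points a parser has to get right here are the TYPE octet layout from the section 1 table (copy bit, 2-bit class, 5-bit number, so 1/0/2 gives 130 and 1/0/5 gives 133) and the variable-length protection authority field, whose low bit in each octet says whether another octet follows. The following is an added example, not code from RFC 1108 or from any DoD implementation. It assumes the classification level and authority flag assignments of RFC 1108 sections 2.1 and 2.2, which the excerpt above does not reproduce, treats the "at most once per datagram" rule as a parse error, and walks the options area using the RFC 791 End-of-Options (0) and No-Operation (1) conventions. The sample option bytes are constructed for the test.

```python
# Added example (not part of RFC 1108): build the IP option TYPE octet and
# parse the DoD Basic Security option (type 130) out of an IPv4 options area.
from dataclasses import dataclass
from typing import List, Optional

BASIC_SECURITY = 130      # from the section 1 table
EXTENDED_SECURITY = 133   # from the section 1 table
END_OF_OPTIONS = 0        # RFC 791
NO_OPERATION = 1          # RFC 791

# Classification level octets, RFC 1108 section 2.1 (not reproduced in the
# excerpt above); anything else is reported as "unknown" rather than guessed.
CLASSIFICATION_LEVELS = {
    0b00111101: "Top Secret",
    0b01011010: "Secret",
    0b10010110: "Confidential",
    0b10101011: "Unclassified",
}

# Protection authority bits of the first authority octet, RFC 1108 section
# 2.2. The RFC numbers bit 0 as the most significant bit; bit 7 (the LSB)
# is the field termination indicator: 1 = another octet follows, 0 = last.
PROTECTION_AUTHORITIES = {0: "GENSER", 1: "SIOP-ESI", 2: "SCI", 3: "NSA", 4: "DOE"}


def option_type(copy_on_fragment: int, opt_class: int, number: int) -> int:
    """TYPE octet = 1 copy bit | 2 class bits | 5 option-number bits."""
    if copy_on_fragment not in (0, 1) or not 0 <= opt_class < 4 or not 0 <= number < 32:
        raise ValueError("field out of range")
    return (copy_on_fragment << 7) | (opt_class << 5) | number


@dataclass
class BasicSecurityOption:
    classification: int
    authority_octets: bytes

    @property
    def classification_name(self) -> str:
        return CLASSIFICATION_LEVELS.get(self.classification, "unknown")

    @property
    def authorities(self) -> List[str]:
        # Only the first octet carries assigned authority bits.
        first = self.authority_octets[0] if self.authority_octets else 0
        return [name for bit, name in PROTECTION_AUTHORITIES.items() if first & (0x80 >> bit)]


def parse_basic_security(option: bytes) -> BasicSecurityOption:
    """Parse one complete option: TYPE, LENGTH, CLASSIFICATION, AUTHORITY..."""
    if len(option) < 3 or option[0] != BASIC_SECURITY:
        raise ValueError("not a DoD Basic Security option")
    length = option[1]
    if length != len(option):
        raise ValueError("LENGTH does not match the bytes supplied")
    auth = option[3:]
    # The termination indicator must agree with LENGTH: a 0 bit only on the
    # final octet, and the final octet must carry a 0 bit.
    for i, octet in enumerate(auth):
        last = (octet & 1) == 0
        if last and i != len(auth) - 1:
            raise ValueError("authority field terminated before LENGTH is exhausted")
        if not last and i == len(auth) - 1:
            raise ValueError("authority field not terminated")
    return BasicSecurityOption(option[2], bytes(auth))


def find_basic_security(options_area: bytes) -> Optional[BasicSecurityOption]:
    """Walk an IPv4 options area; reject a second Basic Security option."""
    found = None
    i = 0
    while i < len(options_area):
        t = options_area[i]
        if t == END_OF_OPTIONS:
            break
        if t == NO_OPERATION:
            i += 1
            continue
        if i + 1 >= len(options_area):
            raise ValueError("truncated option")
        length = options_area[i + 1]
        if length < 2 or i + length > len(options_area):
            raise ValueError("bad option length")
        if t == BASIC_SECURITY:
            if found is not None:
                raise ValueError("Basic Security option appears more than once")
            found = parse_basic_security(options_area[i:i + length])
        i += length
    return found


if __name__ == "__main__":
    # Constructed sample: NOP, then type 130, length 5, Top Secret,
    # authority octets 0xA1 (GENSER + SCI, more follows) and 0x00 (last), EOL.
    sample = bytes([NO_OPERATION, 130, 5, 0x3D, 0xA1, 0x00, END_OF_OPTIONS])
    opt = find_basic_security(sample)
    print(opt.classification_name, opt.authorities)
```

Because the authority field is delimited twice, by LENGTH and by the termination bit, a receiver should insist that the two agree; a label whose termination bit is set on the last octet is a malformed option, not a label with an empty trailing octet, and rejecting it keeps a router from ever routing on a label it could not fully parse.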