Security Label Framework for the Internet
RFC 1457 Security Label Framework for the Internet May 1993
As data moves through the network, the confidence that may be placed
in that data may change as a result of being handled by various
network components. Therefore, the integrity label is a function of
the integrity of the data before being transmitted on the network and
the path that the data takes through the network. The confidence
that may be placed in data does not increase because it was
transferred across a network, but the confidence that may be placed
in data may decrease as a result of being handled by arbitrary
network components. Entities are assigned integrity labels which
indicate how much confidence may be placed in data that is handled by
them. Thus, when data is handled by an entity with an integrity
label lower than the integrity label of the data, the data is
relabeled with the integrity label of the entity. Such relabeling
should be avoided by limiting the possible paths that data may take
through the network to those where the data will be handled only by
entities with the same or a higher integrity label than the data.

When integrity labels are used, each of the systems on a network must
implement the integrity model and the protocol suite must transfer
the integrity label with the data, if the confidence of the data is
to be maintained throughout the network. Each of the systems on a
network may have its own internal representation for an integrity
label, but the protocols must provide common syntax and semantics for
the transfer of the integrity label, as well as the data itself. To
date, no protocols have been standardized which include integrity
labels in the protocol control information.
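
The relabeling rule and the path restriction described above, as an added example that is not part of RFC 1457. The integer labels (higher means more confidence), the entity names and the topology are constructed assumptions.

```python
from collections import deque

# Constructed topology: entity -> (integrity label, next hops).
# Higher integer = more confidence. All names are hypothetical.
ENTITIES = {
    "hostA": (3, ["gw1", "gw2"]),
    "gw1":   (1, ["hostB"]),
    "gw2":   (3, ["gw3"]),
    "gw3":   (2, ["hostB"]),
    "hostB": (3, []),
}

def relabel_along(path, data_label, entities=ENTITIES):
    """Integrity label of the data after each entity on the path.

    Handling by a lower-labelled entity lowers the data's label to that
    entity's label; handling by a higher-labelled entity never raises it.
    """
    labels = []
    for name in path:
        data_label = min(data_label, entities[name][0])
        labels.append(data_label)
    return labels

def preserving_path(src, dst, data_label, entities=ENTITIES):
    """Shortest path on which every entity has a label >= data_label.

    Returns None when no such path exists, i.e. the data cannot cross
    the network without being relabeled.
    """
    if entities[src][0] < data_label:
        return None
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in entities[path[-1]][1]:
            if nxt not in seen and entities[nxt][0] >= data_label:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    print(relabel_along(["hostA", "gw1", "hostB"], 3))  # label drops at gw1
    print(preserving_path("hostA", "hostB", 2))         # avoids gw1
    print(preserving_path("hostA", "hostB", 3))         # no preserving path
```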
2.2 Sensitivity Labels

Sensitivity labels are security labels which support data
confidentiality models, like the Bell and LaPadula model. The
sensitivity label tells the amount of damage that will result from
the disclosure of the data and also indicates which measures the data
requires for protection from disclosure. The amount of damage that
results from unauthorized disclosure depends on who obtains the data;
the sensitivity label should reflect the worst case.

As data moves through the network, it is processed by various network
components and may be mixed with data of differing sensitivity. If
these network components are not trusted to segregate data of
differing sensitivities, then all of the data processed by those
components must be handled as the most sensitive data processed by
those network components. For example, poor buffer management may
append highly sensitive data to the end of a protocol data unit that
was otherwise publicly releasable. Therefore, the sensitivity label
is a function of the sensitivity of the data before being transmitted
on the network and the most sensitive data handled by the network
components, and the trustworthiness of those network components. The
Housley