COPS
...
COPS [RFC2748] was designed to distribute clear-text policy
information from a centralized Policy Decision Point ...
... Policy Enforcement Points (PEP) in the Internet. COPS provides
its own security mechanisms to protect the per-hop integrity of the
deployed policy. However, the use of COPS for sensitive applications
(e.g., some types of security policy distribution) requires
...
... integrity.
This document describes how to use COPS over TLS. "COPS over TLS" is
abbreviated COPS ...
... COPS Over TLS ...
... use COPS over TCP (COPS/TCP). Apart from a specific procedure used
to initialize the connection, there is no difference between COPS/TLS
and COPS ...
... Open or Client-Accept messages. It MUST NOT be included in any other
COPS message.
...
... Client-Type of any message containing this object MUST be 0.
Client-Type 0 is used to negotiate COPS connection level security and
...
... security-related connection closure if it cannot support a TLS
connection for the COPS protocol.
If the PDP ...
... Integrity object C-Type. If the server does not
support any form of COPS-Security, it MUST set the Sub-code (octet 2)
to 16 and (octet 3) to zero instead, signifying that no type of the
...
... Client-Accept message format, which
can continue to be used for non-secure COPS session negotiations.
...
... TCP connection with the PDP on the standard
COPS port and sends a Client-Open message. This Client-Open message ...
... TLS allows implementations to
reuse the session in this case, but COPS/TLS makes no use of this
capability.
...
... indicates that subsequent data might have been truncated. Because
TLS is oblivious to COPS message boundaries, it is necessary to
examine the COPS data itself (specifically the Message header) to
determine whether truncation occurred.
...
... PEP implementations MUST treat premature closes as errors and any
data received as potentially truncated. The COPS protocol allows the
PEP system to find out whether truncation took place. A PEP system ...
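The check the two paragraphs above call for, as an added example (not text or code from RFC 4261 or any COPS implementation): on a premature TLS close the PEP walks the bytes it has received header by header and uses the Message Length field to decide whether the last message was cut. The 8-octet COPS common header layout (version/flags, op code, client-type, message length) and the op-code names are taken from RFC 2748, which this page cites but does not reproduce; the byte strings at the bottom are constructed for the demonstration.

```python
"""Detect COPS message truncation after a premature TLS close.

Added example for this page, not code from RFC 4261 or any COPS
implementation. The common header layout and op codes are RFC 2748's
(assumed here; the page only says the Message header must be examined).
"""
import struct
from dataclasses import dataclass

COPS_HEADER_LEN = 8      # octets; Message Length counts the header too
COPS_VERSION = 1
# RFC 2748 op codes, used only for readable diagnostics (assumed)
OP_NAMES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DRQ", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}


@dataclass(frozen=True)
class CopsHeader:
    version: int
    flags: int
    op_code: int
    client_type: int
    length: int


def parse_header(buf: bytes) -> CopsHeader:
    """Decode the common header at the start of buf; raise on garbage."""
    if len(buf) < COPS_HEADER_LEN:
        raise ValueError("fewer than 8 octets: not even a full header")
    ver_flags, op_code, client_type, length = struct.unpack(
        "!BBHI", buf[:COPS_HEADER_LEN])
    version, flags = ver_flags >> 4, ver_flags & 0x0F
    if version != COPS_VERSION:
        raise ValueError(f"unsupported COPS version {version}")
    if length < COPS_HEADER_LEN or length % 4:
        # A length below the header size or not 4-octet aligned cannot be
        # valid; treating it as data would desynchronise the stream.
        raise ValueError(f"implausible Message Length {length}")
    return CopsHeader(version, flags, op_code, client_type, length)


def split_messages(buf: bytes) -> tuple[list[bytes], bytes]:
    """Walk buf header by header; return complete messages and the tail."""
    messages: list[bytes] = []
    offset = 0
    while len(buf) - offset >= COPS_HEADER_LEN:
        header = parse_header(buf[offset:offset + COPS_HEADER_LEN])
        end = offset + header.length
        if end > len(buf):
            break                       # header promises octets we never got
        messages.append(buf[offset:end])
        offset = end
    return messages, buf[offset:]       # tail is empty only if nothing was cut


def on_premature_close(buf: bytes) -> dict:
    """Classify what the PEP held when TLS closed without close_notify.

    The close is always an error; the report says whether the COPS
    stream itself shows a cut message, which TLS alone cannot tell us.
    """
    messages, tail = split_messages(buf)
    report = {
        "error": True,
        "complete_messages": [OP_NAMES.get(parse_header(m).op_code, "?")
                              for m in messages],
        "truncated": bool(tail),
        "pending_octets": len(tail),
    }
    if len(tail) >= COPS_HEADER_LEN:    # enough of the cut message to name it
        header = parse_header(tail)
        report["missing_octets"] = header.length - len(tail)
        report["cut_message"] = OP_NAMES.get(header.op_code, "?")
    return report


# Constructed sample: a complete Keep-Alive (op 9, length 8) followed by a
# Decision (op 2, client-type 1, length 24) of which only 20 octets arrived.
KEEP_ALIVE = bytes.fromhex("10 09 0000 00000008")
DECISION = bytes.fromhex("10 02 0001 00000018") + bytes(16)
SAMPLE_STREAM = KEEP_ALIVE + DECISION[:20]

if __name__ == "__main__":
    print(on_premature_close(SAMPLE_STREAM))
```

A tail shorter than a header is still reported as truncated, just without the name of the cut message; a header whose Message Length is impossible raises rather than being skipped, because guessing a boundary there would let an attacker-controlled length desynchronise everything after it.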
...
All PEP implementations of COPS/TLS MUST support an access control
mechanism to identify authorized PDPs ...
... PEP deployments SHOULD require the use of this access control
mechanism for operation of COPS over TLS. When access control is
enabled, the PEP implementation MUST NOT initiate COPS/TLS
connections to systems not authorized as PDPs by the access control
mechanism ...
...
Similarly, PDP COPS/TLS implementations MUST support an access
control mechanism permitting them to restrict their services ...
... PEP systems. If access controls are used, however, the PDP
implementation MUST terminate COPS/TLS connections from unauthorized
PEP systems ...
... RFC3280] to identify PDP and PEP systems. COPS/TLS systems MUST
perform certificate verification ...
... certificate extension), a match in any one of the provided identities
is acceptable. Generally, the COPS system uses the first name for
matching, except as noted below in the IP address checking
...
... register with a certificate authority,
and COPS over TLS uses one-way authentication, of the PDP to the PEP ...
... end entity certificates [RFC3280]. In this case, COPS over TLS uses
two-way authentication, and the PDP ...
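The access-control and identity rules in the passages above, as an added example (not RFC text or any COPS implementation's code): the PEP refuses to open a connection to anything not on its list of authorized PDPs, accepts a PDP certificate if any one of its identities matches the PDP it connected to, and the PDP, when two-way authentication is in use, closes connections from PEPs whose certificate matches none of its authorized PEPs. Assumptions not on the page: the certificate dict has the shape Python's ssl.SSLSocket.getpeercert() returns, DNS names are compared case-insensitively without wildcards, and the Subject commonName is used only when no subjectAltName is present. The certificates and access lists are constructed.

```python
"""PEP-side authorization of a PDP and PDP-side authorization of a PEP.

Added example for this page, not code from RFC 4261 or any COPS
implementation. Certificate dicts have the shape returned by Python's
ssl.SSLSocket.getpeercert(); all certificates below are constructed.
Chain validation is assumed to have happened in the TLS handshake; this
code only decides whether the validated peer is one we are allowed to talk to.
"""
import ipaddress
from typing import Iterable, Optional


def certificate_identities(cert: dict) -> list[tuple[str, str]]:
    """All identities a certificate asserts, SAN first.

    Falling back to the Subject commonName when no subjectAltName is
    present is an assumption of this example, not a rule from the page.
    """
    identities = [(kind, value) for kind, value in cert.get("subjectAltName", ())]
    if not identities:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    identities.append(("DNS", value))
    return identities


def _as_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def identity_matches(cert: dict, expected: str) -> bool:
    """True if any identity in cert equals the name or IP we expected.

    An IP literal is compared only against iPAddress entries, so a DNS
    name that merely looks like an address cannot satisfy it.
    """
    expected_ip = _as_ip(expected)
    for kind, value in certificate_identities(cert):
        if expected_ip is not None:
            if kind == "IP Address" and _as_ip(value) == expected_ip:
                return True
        elif kind == "DNS" and value.lower() == expected.lower():
            return True
    return False


def pep_may_connect(target: str, authorized_pdps: Iterable[str]) -> bool:
    """Access control applied before the TCP connection is opened at all."""
    return target in set(authorized_pdps)


def pep_accept_pdp(cert: dict, target: str,
                   authorized_pdps: Iterable[str]) -> tuple[bool, str]:
    """PEP decision once the handshake has chain-validated the PDP cert."""
    if not pep_may_connect(target, authorized_pdps):
        return False, f"{target} is not an authorized PDP; do not connect"
    if not identity_matches(cert, target):
        return False, f"certificate does not identify {target}"
    return True, "PDP authorized"


def pdp_accept_pep(cert: Optional[dict],
                   authorized_peps: Iterable[str]) -> tuple[bool, str]:
    """PDP decision under two-way authentication; False means terminate."""
    if not cert:
        return False, "no client certificate; terminate connection"
    for pep in authorized_peps:
        if identity_matches(cert, pep):
            return True, f"PEP {pep} authorized"
    return False, "certificate matches no authorized PEP; terminate connection"


# Constructed certificates in the form ssl.getpeercert() returns.
PDP_CERT = {
    "subject": ((("commonName", "pdp1.example.net"),),),
    "subjectAltName": (("DNS", "pdp1.example.net"),
                       ("DNS", "policy.example.net"),
                       ("IP Address", "192.0.2.10")),
}
PEP_CERT = {
    "subject": ((("commonName", "edge-router-7.example.net"),),),
}
AUTHORIZED_PDPS = {"pdp1.example.net", "192.0.2.10"}
AUTHORIZED_PEPS = {"edge-router-7.example.net", "edge-router-8.example.net"}

if __name__ == "__main__":
    print(pep_accept_pdp(PDP_CERT, "pdp1.example.net", AUTHORIZED_PDPS))
    print(pep_accept_pdp(PDP_CERT, "policy.example.net", AUTHORIZED_PDPS))
    print(pdp_accept_pep(PEP_CERT, AUTHORIZED_PEPS))
```

Note the second PEP call: "policy.example.net" is one of the PDP certificate's identities, so identity matching alone would pass it, yet the access list has not authorized that name and the connection must not be initiated. The two checks are independent and a deployment needs both. In a real PEP the dict comes from `getpeercert()` after a handshake with `verify_mode=ssl.CERT_REQUIRED`; these functions do not replace chain validation.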
... PEP and PDP SHOULD be backward compatible with peers that have
not been modified to support COPS/TLS. They SHOULD handle errors
generated in response to the Integrity-TLS object ...
... Durham, D., Boyle, J., Cohen, R., Herzog, S., Rajan, R., and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. ...
