K <- 4. Definitions -> M
L
$ L2F
(N) See: Layer 2 Forwarding Protocol.
$ L2TP
(N) See: Layer 2 Tunneling Protocol.
$ label
See: time stamp, security label.
Shirey Informational [Page 179]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ laboratory attack
(O) "Use of sophisticated signal recovery equipment in a
laboratory environment to recover information from data storage
media." [C4009]
$ LAN
(I) Abbreviation for "local area network" [R1983]. (See: [FP191].)
$ land attack
(I) A denial-of-service attack that sends an IP packet that (a)
has the same address in both the Source Address and Destination
Address fields and (b) contains a TCP SYN packet that has the same
port number in both the Source Port and Destination Port fields.
Derivation: This single-packet attack was named for "land", the
program originally published by the cracker who invented this
exploit. Perhaps that name was chosen because the inventor thought
of multi-packet (i.e., flooding) attacks as arriving by sea.
$ Language of Temporal Ordering Specification (LOTOS)
(N) A language (ISO 8807-1990) for formal specification of
computer network protocols; describes the order in which events
occur.
$ lattice
(I) A finite set together with a partial ordering on its elements
such that for every pair of elements there is a least upper bound
and a greatest lower bound.
Example: A lattice is formed by a finite set S of security levels
-- i.e., a set S of all ordered pairs (x,c), where x is one of a
finite set X of hierarchically ordered classification levels X(1),
non-hierarchical categories C(1), ..., C(M) -- together with the
"dominate" relation. Security level (x,c) is said to "dominate"
(x',c') if and only if (a) x is greater (higher) than or equal to
x' and (b) c includes at least all of the elements of c'. (See:
dominate, lattice model.)
Tutorial: Lattices are used in some branches of cryptography, both
as a basis for hard computational problems upon which
cryptographic algorithms can be defined, and also as a basis for
attacks on cryptographic algorithms.
$ lattice model
1. (I) A description of the semantic structure formed by a finite
set of security levels, such as those used in military
organizations. (See: dominate, lattice, security model.)
Shirey Informational [Page 180]
RFC 4949 Internet Security Glossary, Version 2 August 2007
2. (I) /formal model/ A model for flow control in a system, based
on the lattice that is formed by the finite security levels in a
system and their partial ordering. [Denn]
$ Law Enforcement Access Field (LEAF)
(N) A data item that is automatically embedded in data encrypted
by devices (e.g., CLIPPER chip) that implement the Escrowed
Encryption Standard.
$ Layer 1, 2, 3, 4, 5, 6, 7
(N) See: OSIRM.
$ Layer 2 Forwarding Protocol (L2F)
(N) An Internet protocol (originally developed by Cisco
Corporation) that uses tunneling of PPP over IP to create a
virtual extension of a dial-up link across a network, initiated by
the dial-up server and transparent to the dial-up user. (See:
L2TP.)
$ Layer 2 Tunneling Protocol (L2TP)
(N) An Internet client-server protocol that combines aspects of
PPTP and L2F and supports tunneling of PPP over an IP network or
over frame relay or other switched network. (See: VPN.)
Tutorial: PPP can in turn encapsulate any OSIRM Layer 3 protocol.
Thus, L2TP does not specify security services; it depends on
protocols layered above and below it to provide any needed
security.
$ LDAP
(I) See: Lightweight Directory Access Protocol.
$ least common mechanism
(I) The principle that a security architecture should minimize
reliance on mechanisms that are shared by many users.
Tutorial: Shared mechanisms may include cross-talk paths that
permit a breach of data security, and it is difficult to make a
single mechanism operate in a correct and trusted manner to the
satisfaction of a wide range of users.
$ least privilege
(I) The principle that a security architecture should be designed
so that each system entity is granted the minimum system resources
and authorizations that the entity needs to do its work. (Compare:
economy of mechanism, least trust.)
Shirey Informational [Page 181]
RFC 4949 Internet Security Glossary, Version 2 August 2007
Tutorial: This principle tends to limit damage that can be caused
by an accident, error, or unauthorized act. This principle also
tends to reduce complexity and promote modularity, which can make
certification easier and more effective. This principle is similar
to the principle of protocol layering, wherein each layer provides
specific, limited communication services, and the functions in one
layer are independent of those in other layers.
$ least trust
(I) The principle that a security architecture should be designed
in a way that minimizes (a) the number of components that require
trust and (b) the extent to which each component is trusted.
(Compare: least privilege, trust level.)
$ legacy system
(I) A system that is in operation but will not be improved or
expanded while a new system is being developed to supersede it.
$ legal non-repudiation
(I) See: secondary definition under "non-repudiation".
$ leap of faith
1. (I) /general security/ Operating a system as though it began
operation in a secure state, even though it cannot be proven that
such a state was established (i.e., even though a security
compromise might have occurred at or before the time when
operation began).
2. (I) /COMSEC/ The initial part, i.e., the first communication
step, or steps, of a protocol that is vulnerable to attack
(especially a man-in-the-middle attack) during that part but, if
that part is completed without being attacked, is subsequently not
vulnerable in later steps (i.e., results in a secure communication
association for which no man-in-the-middle attack is possible).
Usage: This term is listed in English dictionaries, but their
definitions are broad and can be interpreted in many ways in
Internet contexts. Similarly, the definition stated here can be
interpreted in several ways. Therefore, IDOCs that use this term
(especially IDOCs that are protocol specifications) SHOULD state a
more specific definition for it.
Tutorial: In a protocol, a leap of faith typically consists of
accepting a claim of peer identity, data origin, or data integrity
without authenticating that claim. When a protocol includes such a
step, the protocol might also be designed so that if a man-in-
the-middle attack succeeds during the vulnerable first part, then
the attacker must remain in the middle for all subsequent
Shirey Informational [Page 182]
RFC 4949 Internet Security Glossary, Version 2 August 2007
exchanges or else one of the legitimate parties will be able to
detect the attack.
$ level of concern
(N) /U.S. DoD/ A rating assigned to an information system that
indicates the extent to which protective measures, techniques, and
procedures must be applied. (See: critical, sensitive, level of
robustness.)
$ level of robustness
(N) /U.S. DoD/ A characterization of (a) the strength of a
security function, mechanism, service, or solution and (b) the
assurance (or confidence) that it is implemented and functioning.
[Cons, IATF] (See: level of concern.)
$ Liberty Alliance
(O) An international consortium of more than 150 commercial,
nonprofit, and governmental organizations that was created in 2001
to address technical, business, and policy problems of identity
and identity-based Web services and develop a standard for
federated network identity that supports current and emerging
network devices.
$ Lightweight Directory Access Protocol (LDAP)
(I) An Internet client-server protocol (RFC 3377) that supports
basic use of the X.500 Directory (or other directory servers)
without incurring the resource requirements of the full Directory
Access Protocol (DAP).
Tutorial: Designed for simple management and browser applications
that provide simple read/write interactive directory service.
Supports both simple authentication and strong authentication of
the client to the directory server.
$ link
1a. (I) A communication facility or physical medium that can
sustain data communications between multiple network nodes, in the
protocol layer immediately below IP. (RFC 3753)
1b. (I) /subnetwork/ A communication channel connecting subnetwork
relays (especially one between two packet switches) that is
implemented at OSIRM Layer 2. (See: link encryption.)
Tutorial: The relay computers assume that links are logically
passive. If a computer at one end of a link sends a sequence of
bits, the sequence simply arrives at the other end after a finite
time, although some bits may have been changed either accidentally
(errors) or by active wiretapping.
Shirey Informational [Page 183]
RFC 4949 Internet Security Glossary, Version 2 August 2007
2. (I) /World Wide Web/ See: hyperlink.
$ link encryption
(I) Stepwise (link-by-link) protection of data that flows between
two points in a network, provided by encrypting data separately on
each network link, i.e., by encrypting data when it leaves a host
or subnetwork relay and decrypting when it arrives at the next
host or relay. Each link may use a different key or even a
different algorithm. [R1455] (Compare: end-to-end encryption.)
$ liveness
(I) A property of a communication association or a feature of a
communication protocol that provides assurance to the recipient of
data that the data is being freshly transmitted by its originator,
i.e., that the data is not being replayed, by either the
originator or a third party, from a previous transmission. (See:
fresh, nonce, replay attack.)
$ logic bomb
(I) Malicious logic that activates when specified conditions are
met. Usually intended to cause denial of service or otherwise
damage system resources. (See: Trojan horse, virus, worm.)
$ login
1a. (I) An act by which a system entity establishes a session in
which the entity can use system resources. (See: principal,
session.)
1b. (I) An act by which a system user has its identity
authenticated by the system. (See: principal, session.)
Usage: Usually understood to be accomplished by providing an
identifier and matching authentication information (e.g., a
password) to a security mechanism that authenticates the user's
identity; but sometimes refers to establishing a connection with a
server when no authentication or specific authorization is
involved.
Derivation: Refers to "log" file, a security audit trail that
records (a) security events, such as the beginning of a session,
and (b) the names of the system entities that initiate events.
$ long title
(O) /U.S. Government/ "Descriptive title of [an item of COMSEC
material]." [C4009] (Compare: short title.)
Shirey Informational [Page 184]
RFC 4949 Internet Security Glossary, Version 2 August 2007
$ low probability of detection
(I) Result of TRANSEC measures used to hide or disguise a
communication.
$ low probability of intercept
(I) Result of TRANSEC measures used to prevent interception of a
communication.
$ LOTOS
(N) See: Language of Temporal Ordering Specification.
K <- 4. Definitions -> M