On a Trusted Extensions gateway system, the following accreditation checks are performed for the next-hop gateway:
If the incoming packet is unlabeled, the packet inherits the source host's default label from the tnrhdb entry. Otherwise, the packet receives the indicated CIPSO label.
Checks for forwarding a packet proceed similarly to source accreditation:
For all destinations, the label of the data must be within the label range of the next hop, and the label must be contained in the security attributes of the next-hop host.
For all destinations, the DOI of an outgoing packet must match the DOI of the destination host. The DOI must also match the DOI of the next-hop host.
The label of an unlabeled packet must match the destination host's default label.
The label of a CIPSO packet must be within the destination host's label range.
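The checks above can be modelled in a few lines. The following is an added example, not Trusted Extensions code: `Label`, `HostTemplate`, `incoming_label` and `may_forward` are hypothetical names, labels are simplified to a level plus a compartment set, a host's security attributes are reduced to a label range, a DOI and a default label, and all sample hosts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:  # simplified model (assumption): classification level plus compartments
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        return self.level >= other.level and self.compartments >= other.compartments

@dataclass(frozen=True)
class HostTemplate:  # hypothetical stand-in for a host's security attributes
    host_type: str   # "cipso" or "unlabeled"
    doi: int
    min_label: Label
    max_label: Label
    default_label: Optional[Label] = None

    def in_range(self, label):
        return self.max_label.dominates(label) and label.dominates(self.min_label)

def incoming_label(src, cipso_label=None):
    # An unlabeled packet inherits the source host's default label;
    # otherwise the packet carries the indicated CIPSO label.
    return src.default_label if cipso_label is None else cipso_label

def may_forward(label, doi, next_hop, dest):
    """Apply the forwarding checks in the order listed; return (allowed, reason)."""
    if not next_hop.in_range(label):
        return False, "label outside next-hop range"
    if doi != dest.doi or doi != next_hop.doi:
        return False, "DOI mismatch"
    if dest.host_type == "unlabeled":
        # Assumption: a packet bound for an unlabeled host is sent unlabeled,
        # so its label must equal that host's default label.
        if label != dest.default_label:
            return False, "label differs from destination default label"
    elif not dest.in_range(label):
        return False, "label outside destination range"
    return True, "ok"

# Constructed sample data (not from the page)
PUBLIC, INTERNAL, RESTRICTED = Label(1), Label(3), Label(5, frozenset({"NTK"}))
GATEWAY = HostTemplate("cipso", 1, PUBLIC, RESTRICTED)
LABELED_DEST = HostTemplate("cipso", 1, INTERNAL, RESTRICTED)
UNLABELED_DEST = HostTemplate("unlabeled", 1, PUBLIC, PUBLIC, default_label=PUBLIC)
UNLABELED_SRC = HostTemplate("unlabeled", 1, INTERNAL, INTERNAL, default_label=INTERNAL)
```

A label whose compartments are not covered by the next hop's maximum label fails the range check even when its level is lower, because range membership is decided by dominance rather than by level alone.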