RIPSO Labels in Packets
The RIPSO, Revised IP Security Option, protocol is described in the IETF RFC 1108. The trusted networking software puts a RIPSO label into the IP option for outgoing packets and also looks for a RIPSO label in the IP option of incoming packets from a host, if the trusted network template entry for the host meets one of these criteria:
-
Assigns the host the
ripsohost Type -
Assigns the host the sun_tsol host type, specifying the IP Label Type as RIPSO
-
Assigns the host the
tsixhost Type, specifying the IP Label Type as RIPSO
RIPSO labels on outgoing packets are administratively defined. The Security Administrator role specifies them in the tnrhtp database, putting the classification in the RIPSO Send Class field and the compartment(s), or protection authority flags (PAF) in the RIPSO Send PAF field.
The following RIPSO Send classifications are supported: Top_Secret, Secret, Confidential, and Unclassified.
The RIPSO Send PAF and Return PAF fields refer to Protection Authority Flags, which are shown in the following table. PAFs specified in the Send PAF field are used like compartment names along with the classification within the RIPSO labels (as in Top_Secret SCI). PAFs specified in the Return PAF field are used in labeling ICMP messages that can be generated as errors in response to incoming RIPSO labeled packets. The classification sent back in an ICMP message is the same as the RIPSO classification in the packet.
Table 7-3 Protection Authority Flags| Protection Authority Flags (may be specified along with supported classifications in RIPSO labels or specified as RIPSO errors) |
|---|
| GENSER |
| SIOP-ESI |
| SCI |
| NSA |
| DOE |
- © 2010, Oracle Corporation and/or its affiliates