Trusted Solaris Administrator's Procedures

Choosing Routers

Because routes must be carefully chosen in the Trusted Solaris environment, the Security Administrator role needs to understand the security characteristics of all routers through which sensitive information is passing.

For the highest degree of trust, routes should be set up with Trusted Solaris computers as routers. If other types of routers are used, keep in mind that the Trusted Solaris security features are not always available on those routers and that, without administrative action, packets can be routed through routers without MAC security protection.

CIPSO and RIPSO routers drop packets when they do not find the right type of information in the IP options section of the packet. For example, a CIPSO router drops a packet if it does not find a matching CIPSO label or a matching DOI in the packet's IP options section. Other types of routers not running Trusted Solaris software do not drop packets when they find labels they do not understand in the IP options section; they just pass the packets along. Be aware of these considerations when setting up communications between hosts, and make sure that packets are routed through the appropriate types of routers.

To support trusted routing, the Trusted Solaris routing tables are extended to include security information along with the metric for the number of hops to the destination, as described below.

Specifying the SRI

The set of security attributes necessary for trusted routing is called the SRI (for security routing information). The SRI always includes a minimum and a maximum label to establish the route's accreditation range:

As described on the route(1M) man page, the SRI can also incorporate other security attributes. The SRI is obtained from one of two possible sources:

Emetric

The emetric (Extended Metric) consists of both the standard routing metric and the SRI. The emetric is stored in each route's entry in the routing table. The routing software selects the shortest path that satisfies the security requirements by comparing emetrics. Alternatively, the emetric can be entered manually for static routes using the route(1M) command. (See "Routing Table" for how routes are manually defined.)

If dynamic routing is used, the routing daemon, in.routed, broadcasts a special type of security-enhanced response packet advertising the known routes.

Several routes through multiple gateways may exist between a sending and receiving host, and the emetric for each route may be different.

Routing Table

The routing table in the kernel of each host contains routes. Each entry in the routing table provides a route to a particular destination:

Destination (a specific host or network)

First hop gateway (first gateway in the route)

Interface of gateway

The routing software tries to find a route to the destination host in the route tables. When the host is not explicitly named, the routing software looks for an entry for the (sub)network where the host resides. When neither the host nor the network where the host resides is defined, the host sends the packet to a default gateway, if one has been defined. Multiple default gateways can be defined, and each is treated equally. A pointer keeps track of which default gateway has been used most recently, and the next one in the list is used for the next routing.
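The lookup order above, combined with the emetric comparison described under "Emetric", can be modelled as follows. This is an added illustration, not Trusted Solaris code. Assumptions: labels are a classification level plus a compartment set compared by dominance, an entry whose SRI range does not admit the packet's label is treated as not matching, and the label names, gateway names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}  # constructed

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    def dominates(self, other):  # level at least as high, superset of compartments
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass(frozen=True)
class Route:
    dest: str         # host address, CIDR network, or "default"
    gateway: str
    metric: int       # hop-count part of the emetric
    min_label: Label  # SRI: bottom of the route's accreditation range
    max_label: Label  # SRI: top of the route's accreditation range
    def admits(self, label):
        return self.max_label.dominates(label) and label.dominates(self.min_label)

class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)
        self.next_default = 0  # pointer to the default gateway to try next

    def select(self, dst, label):
        addr = ipaddress.ip_address(dst)
        hosts = [r for r in self.routes if r.dest == dst]
        nets = [r for r in self.routes if "/" in r.dest and addr in ipaddress.ip_network(r.dest)]
        for tier in (hosts, nets):  # host entry first, then the host's network
            ok = [r for r in tier if r.admits(label)]
            if ok:
                return min(ok, key=lambda r: r.metric)  # shortest admissible route
        defaults = [r for r in self.routes if r.dest == "default"]
        for i in range(len(defaults)):  # rotate through the default gateways
            r = defaults[(self.next_default + i) % len(defaults)]
            if r.admits(label):
                self.next_default = (self.next_default + i + 1) % len(defaults)
                return r
        return None  # no route is accredited for this label: do not send

def demo_table():  # constructed sample routes (documentation address ranges)
    U, C, S = Label("UNCLASSIFIED"), Label("CONFIDENTIAL"), Label("SECRET")
    return RoutingTable([
        Route("192.0.2.0/24", "gw-short", 1, U, C), Route("192.0.2.0/24", "gw-trusted", 3, U, S),
        Route("default", "gw-a", 1, U, U), Route("default", "gw-b", 1, U, U)])
```

With the sample table, a CONFIDENTIAL packet to 192.0.2.7 takes the one-hop route, while a SECRET packet to the same host takes the three-hop route, because the shorter route's accreditation range stops at CONFIDENTIAL.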

Routing table entries are created in either of the following two ways:

With a small network, it is feasible to set up routes manually, and to manually make changes to the routing table when conditions change. For example, many sites have a single gateway through which all communications go to the outside world. In these cases, the single gateway can be statically defined as the default on each host on the network. Manually configuring and maintaining static routes is less feasible with large networks.

Extended RIP

Xerox Routing Information Protocol (RIP) version is extended in the Trusted Solaris environment to supply security attributes along with a route's metric when the router advertises the route. The extended RIP is compatible only within an Intranet whose gateways all recognize RIP, because routing in the Internet is done using other protocols.

Determining Dynamic or Static Routing

The following figure shows how the presence or absence of certain files and programs on a Trusted Solaris host that is not a gateway determines whether static or dynamic routing is done.

Figure 7-2 How a Host Determines Which Type of Routing to Do
