Trusted Extensions Configuration and Administration


Updated: July 2014

Network Security Attributes in Trusted Extensions

A Trusted Extensions system is installed with a default set of security templates that are used to define the label properties of remote hosts. In Trusted Extensions, both unlabeled hosts and labeled hosts on the network are assigned security attributes by means of a security template. Hosts that are not assigned a template cannot communicate with hosts that are configured with Trusted Extensions. The templates are stored locally.

Hosts can be added to a security template by IP address or as part of a range of IP addresses. For further explanation, see Trusted Network Fallback Mechanism.

Each host type has its own set of additional required and optional security attributes. The following security attributes are specified in security templates:

  • Host type – Defines whether the packets are labeled with a CALIPSO or CIPSO security label, or not labeled at all.

  • Default label – Defines the level of trust of the unlabeled host. Packets that are sent by an unlabeled host are read at this label by the receiving Trusted Extensions system or gateway.

    The Default label attribute is specific to the host type unlabeled. For details, see Default Label in Security Templates.

  • DOI – A positive, non-zero integer that identifies the domain of interpretation. The DOI is used to indicate which set of label encodings applies to a network communication or network entity. Labels with different DOIs, even if otherwise identical, are disjoint. For unlabeled hosts, the DOI applies to the default label. In Trusted Extensions, the default value is 1.

  • Minimum label – Defines the bottom of the label accreditation range. Hosts and next-hop gateways do not receive packets that are below the minimum label that is specified in their template.

  • Maximum label – Defines the top of the label accreditation range. Hosts and next-hop gateways do not receive packets that are higher than the maximum label that is specified in their template.

  • Auxiliary label set – Optional. Specifies a discrete set of security labels for a security template. In addition to their accreditation range that is determined by the maximum and minimum labels, hosts that are added to a template with an auxiliary label set can send and receive packets that match any one of the labels in the label set. The maximum number of auxiliary labels that can be specified is four.
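As an added illustration, not code from the Trusted Extensions documentation or product, the following Python model applies the template rules described above to an incoming packet: a mismatched DOI is rejected, the accreditation range is checked by label dominance, an auxiliary label admits an exact match outside that range, and packets from unlabeled hosts are read at the default label. The label representation (classification level plus compartment set) and the dominance rule are simplifying assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Constructed toy label: (classification level, compartment set). Real labels
# come from the site's label_encodings file; this is only a model of the rules.
Label = Tuple[int, FrozenSet[str]]


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its classification is at least b's and it holds all of b's compartments."""
    return a[0] >= b[0] and a[1] >= b[1]


@dataclass
class SecurityTemplate:
    host_type: str                                  # "cipso", "calipso" or "unlabeled"
    doi: int = 1                                    # Trusted Extensions default DOI
    min_label: Label = (0, frozenset())             # bottom of the accreditation range
    max_label: Label = (0, frozenset())             # top of the accreditation range
    default_label: Optional[Label] = None           # required for unlabeled hosts only
    aux_labels: FrozenSet[Label] = field(default_factory=frozenset)  # at most four

    def __post_init__(self) -> None:
        if self.doi <= 0:
            raise ValueError("DOI must be a positive, non-zero integer")
        if len(self.aux_labels) > 4:
            raise ValueError("at most four auxiliary labels may be specified")
        if self.host_type == "unlabeled" and self.default_label is None:
            raise ValueError("host type unlabeled requires a default label")

    def accepts(self, packet_doi: Optional[int], packet_label: Optional[Label]) -> bool:
        """Decide whether a packet from a host in this template is received."""
        if self.host_type == "unlabeled":
            # Unlabeled packets carry no label or DOI: the receiver reads them at
            # the default label, to which the template's DOI applies.
            label = self.default_label
        else:
            if packet_label is None or packet_doi != self.doi:
                # Labels with different DOIs are disjoint even if otherwise identical.
                return False
            label = packet_label
        in_range = dominates(label, self.min_label) and dominates(self.max_label, label)
        # Auxiliary labels admit an exact match outside the accreditation range.
        return in_range or label in self.aux_labels
```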