Trusted Extensions Configuration and Administration

Updated: July 2014

About the Trusted Network

Trusted Extensions assigns security attributes to zones, hosts, and networks. These attributes ensure that the following security features are enforced on the network:

  • Data is properly labeled in network communications.

  • Mandatory access control (MAC) rules are enforced when data is sent or received across a local network and when file systems are mounted.

  • MAC rules are enforced when data is routed to distant networks.

  • MAC rules are enforced when data is routed to zones.

In Trusted Extensions, network packets are protected by MAC. Labels are used for MAC decisions. Data is labeled explicitly or implicitly with a sensitivity label. A label has an ID field, a classification or “level” field, and a compartment or “category” field. Data must pass an accreditation check. This check determines if the label is well-formed, and if the label lies within the accreditation range of the receiving host. Well-formed packets that are within the receiving host's accreditation range are granted access.

IP packets that are exchanged between trusted systems can be labeled. A label on a packet serves to classify, segregate, and route IP packets. Routing decisions compare the sensitivity label of the data with the label of the destination.

Trusted Extensions supports labels on IPv4 and IPv6 packets.

  • For IPv4 packets, Trusted Extensions supports Commercial IP Security Option (CIPSO) labels.

  • For IPv6 packets, Trusted Extensions supports Common Architecture Label IPv6 Security Option (CALIPSO) labels.

If you must interoperate with systems on an IPv6 CIPSO network, see How to Configure an IPv6 CIPSO Network in Trusted Extensions.

Typically on a trusted network, the label is generated by a sending host and processed by the receiving host. However, a trusted router can also add or strip labels while forwarding packets in a trusted network. A sensitivity label is mapped to a CALIPSO or CIPSO label before transmission. This label is embedded in the IP packet, which is then a labeled packet. Typically, a packet sender and the packet's receiver operate at the same label.
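The label encoding and the receive-side accreditation check described above, as an added example that is not Trusted Extensions' own code: it parses a constructed CIPSO IPv4 option (option type 134, a DOI, and one tag type 1 category bitmap, following the CIPSO draft layout) into a level and a category set, rejects options that are not well-formed, and admits a packet only when its label lies within the receiving host's accreditation range under label dominance. The Label class, the parse_cipso, dominates and admit_packet functions, and the sample bytes are assumptions made for this example.

```python
from dataclasses import dataclass

CIPSO_OPTION_TYPE = 134  # IP option number 0x86 (CIPSO)

@dataclass(frozen=True)
class Label:
    level: int             # classification, the "level" field
    categories: frozenset  # compartments, the "category" field (bit numbers)

def parse_cipso(option: bytes, expected_doi: int) -> Label:
    """Parse one CIPSO option carrying a single tag type 1 (category bitmap).
    Raises ValueError for any option that is not well-formed."""
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE:
        raise ValueError("not a CIPSO option")
    if option[1] != len(option) or not 6 <= option[1] <= 40:
        raise ValueError("bad option length")
    doi = int.from_bytes(option[2:6], "big")
    if doi == 0 or doi != expected_doi:
        raise ValueError("zero or unexpected DOI")
    tag = option[6:]
    if len(tag) < 4 or tag[0] != 1:          # only tag type 1 handled here
        raise ValueError("unsupported or truncated tag")
    if tag[1] != len(tag) or tag[1] > 34 or tag[2] != 0:
        raise ValueError("bad tag length or non-zero alignment octet")
    bitmap = tag[4:]                         # bit 0 = MSB of first octet
    cats = frozenset(8 * i + b for i, byte in enumerate(bitmap)
                     for b in range(8) if (byte >> (7 - b)) & 1)
    return Label(tag[3], cats)

def dominates(a: Label, b: Label) -> bool:
    """a dominates b: level is higher or equal and categories are a superset."""
    return a.level >= b.level and a.categories >= b.categories

def admit_packet(option: bytes, doi: int, low: Label, high: Label) -> bool:
    """Receive-side check: the label is well-formed and lies within the
    host's accreditation range, i.e. low <= label <= high under dominance."""
    try:
        label = parse_cipso(option, doi)
    except ValueError:
        return False                         # malformed label: drop the packet
    return dominates(label, low) and dominates(high, label)

# Constructed sample option: DOI 1, level 2, categories {0, 9}.
SAMPLE_OPTION = bytes([134, 12, 0, 0, 0, 1, 1, 6, 0, 2, 0x80, 0x40])
```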

Trusted networking software ensures that the Trusted Extensions security policy is enforced even when the subjects (processes) and objects (data) are located on different hosts. Trusted Extensions networking preserves MAC across distributed applications.