The following accreditation checks are performed on the sending process or sending zone:
For all destinations, the label of the data must be within the label range of the next hop in the route, that is, the first hop. And, the label must be contained in the first-hop gateway's security attributes.
For all destinations, the DOI of an outgoing packet must match the DOI of the destination host. The DOI must also match the DOI of all hops along the route, including its first-hop gateway.
When the destination host is an unlabeled host, one of the following conditions must be satisfied:
The sending host's label must match the destination host's default label.
The sending host is privileged to perform cross-label communication, and the sender's label dominates the destination's default label.
The sending host is privileged to perform cross-label communication, and the sender's label is ADMIN_LOW. That is, the sender is sending from the global zone.
A first-hop check occurs when a message is being sent through a gateway from a host on one network to a host on another network.