Destination Accreditation Checks
When a Trusted Solaris machine receives data, the trusted network software checks for the following:
-
The label of the data is within the accreditation range of both the source machine and the network interface receiving the data.
-
If a packet has a CIPSO label, then the DOI in the packet must be the same as the DOI in the remote host template for the destination.
-
If a packet has a RIPSO label (or RIPSO error), then the RIPSO label (or RIPSO error) in the packet must be the same as the RIPSO label (or RIPSO error) in the remote host template for the destination.
After the data has passed the accreditation checks above, the system checks that all necessary security attributes are present. If there are missing attributes, the system looks up the source host (by its IP address or a target expression) in the tnrhdb database to get the name of the network security template assigned to the host. The system then retrieves the template's set of security attributes from the tnrhtp database. If there are still security attributes missing, the software looks up the network interface in the tnidb database and retrieves default security attributes.
- © 2010, Oracle Corporation and/or its affiliates