Accreditation Checks

To determine the suitability of a route regarding security, the Trusted Solaris environment runs a series of tests called accreditation checks on the source host, destination host, and the route's emetrics. If the emetric for a particular route is missing, the security attributes for the first-hop gateway in the route are checked. A host's security attributes are derived from information in the tnrhdb, tnrhtp, and tnidb files. The tests check, for example, that a data packet's label is within the range of each host in the route.

Source Accreditation Checks

The accreditation checks conducted on the source host are:

• The label of the data being sent must be within the destination host's accreditation range.

• The label of the data must be within the accreditation range of the emetric for the route or, if the emetric is not available, the first-hop gateway's security attributes.

• The label of the data must be within the accreditation range of the source host's network interface.

• The DOI of an outgoing packet must match the DOI of the destination and the route's emetric (or first-hop gateway).

• An outgoing packet's RIPSO label must match the RIPSO label of the destination and the route's emetric (or first-hop gateway). Alternatively, the RIPSO error can match the destination's RIPSO error, the route's emetric, or the first-hop gateway's RIPSO error.

Gateway Accreditation Checks

The accreditation checks conducted on a Trusted Solaris gateway host work in the following manner:

If the next hop is an unlabeled host, then the label of the source host must match the label of the destination host.

If the packet has the CIPSO option, the following conditions for forwarding must be true:

• The route's emetric (or next-hop gateway) must be able to accept data in the CIPSO protocol.

• The route's emetric (or next-hop gateway) must be in the data packet's DOI.

• The DOI (from the tnrhtp database) for the outgoing interface must be the same as the data packet's DOI.

If the packet has the RIPSO option, the following conditions for forwarding must be true:

• The route's emetric (or next-hop gateway) must be able to accept data in the RIPSO protocol.

• The route's emetric (or next-hop gateway) must have the same RIPSO label (or RIPSO error) as the data packet's RIPSO label (or RIPSO error).

Destination Accreditation Checks

When a Trusted Solaris machine receives data, the trusted network software checks for the following:

• The label of the data is within the accreditation range of both the source machine and the network interface receiving the data.

• If a packet has a CIPSO label, then the DOI in the packet must be the same as the DOI in the remote host template for the destination.

• If a packet has a RIPSO label (or RIPSO error), then the RIPSO label (or RIPSO error) in the packet must be the same as the RIPSO label (or RIPSO error) in the remote host template for the destination.

After the data has passed the accreditation checks above, the system checks that all necessary security attributes are present. If security attributes are missing, the system looks up the source host (by its IP address or a target expression) in the tnrhdb database to get the name of the network security template assigned to the host. The system then retrieves the template's set of security attributes from the tnrhtp database. If security attributes are still missing, the software looks up the network interface in the tnidb database and retrieves default security attributes.