Accreditation Checks

The trusted networking software performs accreditation checks to compare the security attributes of the source host, the destination host, and of the routes along the way.

Security attributes for the accreditation range check (accreditation range and any CIPSO or RIPSO label information that may be specified) are obtained from a host's templates. The security attributes for a route (its SRI) are obtained from the route's emetric in the routing table. If an emetric for a route has not been specified, the security attributes of the first hop gateway host's entries are checked.

On a router, accreditation checks are performed only if the packet to be forwarded has RIPSO or CIPSO labels and then the labels in the IP options portion of the packet are used. If the packet has a CIPSO label, its label is compared to the label range of the incoming and outgoing interface. Its label is also compared to the label range of the next hop gateway.

MAC Enforcement on Outgoing Messages

The following accreditation checks are performed on the sending host.

• The label of the packet being sent must be:

  • Within the accreditation range of the destination host

  • Within the accreditation range of the network interface of the source host.

• If the packet has a CIPSO label, then its DOI must match the DOI of the destination and of the route's emetric. If no emetric is specified for the route, the DOI must match the DOI of the first hop gateway.

• If the packet has a RIPSO label, then its RIPSO label and PAF flag must match the RIPSO label and PAF flag of the destination and of the route's emetric. If no emetric is specified for the route, the RIPSO label and PAF flag must match the RIPSO label and PAF flag of the first hop gateway.

• If the destination is specified as a MSIX host, then the label of the packet being sent must be within the accreditation range of the destination host and the route's emetric must include the MSIX attribute. If no emetric is specified for the route, the host type of the first hop gateway must be specified as MSIX and the label of the packet must be within the accreditation range specified for the first hop gateway.

A first hop check occurs when a message is being sent from a host on one network to a host on another through a gateway.

MAC Checks on Messages Being Forwarded

On a Trusted Solaris gateway, accreditation checks are performed for the next hop and for the network interfaces.

If the packet has CIPSO label information, the following must be true for a packet to be forwarded:

• The route's emetric must include the CIPSO option. If no emetric is specified for the route, the next hop gateway's entry must be defined as one of the following:

  • CIPSO host type

  • sun_tsol host type with a CIPSO IP label

  • tsix host type with a CIPSO IP label

• The CIPSO label of the packet must be within the accreditation range from the emetric of the route. If no emetric is specified for the route, the packet's CIPSO label must be within the accreditation range specified in next hop gateway's entry.

• The CIPSO DOI specified in the network database entry for the outgoing interface must equal the packet's DOI.

If the packet has RIPSO label information, the following must be true for a packet to be forwarded:

• The route's emetric must include the RIPSO option. If no emetric is specified for the route, the next hop gateway's entry must be defined as either of the following:

  • RIPSO host type

  • tsol host type with a RIPSO IP label

  • tsix host type with a RIPSO IP label

• The RIPSO label of the packet and PAF must be the same as the RIPSO label and RIPSO PAF in the emetric of the route. Or, if no emetric is specified for the route, the packet's RIPSO label and RIPSO PAF must be the same as the RIPSO label and RIPSO PAF specified in next hop gateway's entry.

If the label of a message is not within the minimum and maximum labels specified in the accreditation range for any of the destination host, gateways, or the network interface, the message is dropped.

MAC Enforcement on Incoming Messages

The following checks are performed on a receiving host.

• The label of the packet being received must be:

  • Within the accreditation range specified in the source host's trusted network database entry

  • Within the accreditation range specified in the trusted network database entry for the network interface receiving the data

• If the packet has a CIPSO label, then its DOI must match the DOI specified in the receiving host's trusted network database entry.

• If the packet has a RIPSO label, then its RIPSO label and PAF flag must match the RIPSO label and PAF flag specified in the trusted network database entry for the receiving host.

For incoming communications, the Trusted Solaris networking software obtains labels and other security attributes from the packets themselves whenever possible--which is only completely possible when the messages are sent from systems that support labels and all the other required attributes in a form recognized by the Trusted Solaris software. In many cases, packets arrive from hosts that are not label-cognizant or that do not send recognizable labels, or the packets do not have all of the other required attributes in their packets.

When the needed security attributes are not all available from a packet, those that are lacking are assigned to the message from trusted networking databases. Any attributes not obtainable from the host's entry are supplemented by the attributes specified in the entry in the trusted network interface database entry the interface through which the message arrives.