Background on Routing

For communications sent to destinations on the same subnet, accreditation checks are performed by Trusted Solaris endpoints only since no routers are involved. (Because gateways and routers route packets, the terms gateway and router are used interchangeably in this discussion.) Accreditation range checks are performed at the source. If the receiving host is running Trusted Solaris, accreditation range checks are also performed at the destination.

When the source and destination hosts are on two different sub-networks, the packet is sent from the source host to a gateway. The accreditation range of the destination and of the first hop gateway is checked at the source when selecting a route. The gateway forwards the packet to the network where the destination host is connected. A packet may go through a number of gateways before reaching the destination.

On Trusted Solaris gateways, accreditation range checks are performed in certain cases. A Trusted Solaris computer routing a packet between two unlabeled hosts compares any IP label in the IP options portion of the packet against the accreditation range of the network interface. If no IP option is specified, the default label assigned to the sending host is compared to the accreditation range on the network interface through which the packet is going. Because the "write up read-down" MAC rule is enforced even on communications between unlabeled hosts, the default label of the sending host must be dominated by the default label of the destination host. In practice, two way communications would be impossible unless both unlabeled hosts shared a default label.

Each gateway maintains a list of routes to all destinations. Standard Solaris routing metrics allow routes to be chosen based on the shortest path to the destination. Extensions in Trusted Solaris 2.5.1 and later compatible releases enable trusted routing based on the shortest path to the destination that also satisfies security requirements. IP security options in a packet allow IP labels to be available for accreditation range checks on intermediate routers.

Trusted routing depends on all gateways recognizing extended RIP, the Routing Information Protocol. Therefore, trusted routing is only possible in an Intranet whose gateways are all known to use RIP, because routing in the Internet is done using other protocols.

Some sites using trusted routing need to enable communications with Trusted Solaris hosts that are on the other side of a cloud of unlabeled hosts when communications must go through one or more routers that do not understand labels. At these sites, the Security Administrator role needs to set up tunneling. (The terms cloud and tunneling are defined under "Setting Up Tunneling".)