The following accreditation checks are performed on the sending host.
The label of the packet being sent must be:
Within the accreditation range of the destination host
Within the accreditation range of the network interface of the source host.
If the packet has a CIPSO label, then its DOI must match the DOI of the destination and of the route's emetric. If no emetric is specified for the route, the DOI must match the DOI of the first hop gateway.
If the packet has a RIPSO label, then its RIPSO label and PAF flag must match the RIPSO label and PAF flag of the destination and of the route's emetric. If no emetric is specified for the route, the RIPSO label and PAF flag must match the RIPSO label and PAF flag of the first hop gateway.
If the destination is specified as a MSIX host, then the label of the packet being sent must be within the accreditation range of the destination host and the route's emetric must include the MSIX attribute. If no emetric is specified for the route, the host type of the first hop gateway must be specified as MSIX and the label of the packet must be within the accreditation range specified for the first hop gateway.
A first hop check occurs when a message is being sent from a host on one network to a host on another through a gateway.