Trusted Solaris Administrator's Procedures

CIPSO Labels in Packets

The CIPSO label is derived from the actual label of the data on the sending Trusted Solaris computer.

The trusted networking software puts a CIPSO label and a DOI (domain of interpretation) number into the IP option of outgoing packets, and looks for a CIPSO label and DOI in the IP option of incoming packets, if the trusted network template entry assigned to the remote host meets one of these criteria:

The trusted networking software derives the CIPSO label that it inserts into outgoing packets from the actual label associated with the data. Sometimes a Trusted Solaris label maps directly to a CIPSO label. For example, the label of CONFIDENTIAL matches the CIPSO label of CONFIDENTIAL. However, most Trusted Solaris labels do not map directly to CIPSO labels.
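To show what a CIPSO label and DOI look like inside the IP option, the following added example (not part of the original Trusted Solaris documentation) encodes and decodes a CIPSO option that carries one tag type 1 (bit-mapped categories) tag. The function names are hypothetical, the DOI, level and category numbers are constructed sample values, and rejecting a packet whose DOI differs from the expected one is an assumption of this sketch.

```python
import struct

CIPSO_OPTION = 134      # IPv4 option type carrying the CIPSO label
TAG_BITMAP = 1          # tag type 1: sensitivity level + category bitmap
MAX_OPTION_LEN = 40     # IPv4 leaves at most 40 octets for all options

def build_cipso_option(doi, level, categories):
    """Encode DOI, level and category numbers as one CIPSO option."""
    if not 0 <= level <= 255:
        raise ValueError("level must fit in one octet")
    bitmap = bytearray(max(categories) // 8 + 1 if categories else 0)
    for cat in categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)   # category 0 = MSB of octet 0
    tag = bytes([TAG_BITMAP, 4 + len(bitmap), 0, level]) + bytes(bitmap)
    length = 2 + 4 + len(tag)                   # type + length + DOI + tag
    if length > MAX_OPTION_LEN:
        raise ValueError("label does not fit in the IP option")
    return bytes([CIPSO_OPTION, length]) + struct.pack("!I", doi) + tag

def parse_cipso_option(opt, expected_doi):
    """Decode an option; reject bad lengths and (by assumption) foreign DOIs."""
    if len(opt) < 6 or opt[0] != CIPSO_OPTION or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option")
    (doi,) = struct.unpack("!I", opt[2:6])
    if doi != expected_doi:
        raise ValueError("DOI mismatch: label cannot be interpreted")
    labels, pos = [], 6
    while pos < len(opt):
        if pos + 2 > len(opt):
            raise ValueError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 4 or pos + tag_len > len(opt):
            raise ValueError("tag length out of bounds")
        if tag_type == TAG_BITMAP:
            level, bitmap = opt[pos + 3], opt[pos + 4:pos + tag_len]
            cats = [i * 8 + b for i, octet in enumerate(bitmap)
                    for b in range(8) if octet & (0x80 >> b)]
            labels.append((level, cats))
        pos += tag_len
    return doi, labels

# Constructed sample: DOI 1, level 5, categories 0, 3 and 9.
SAMPLE = build_cipso_option(1, 5, [0, 3, 9])
```

Because the whole option must fit in 40 octets, a tag type 1 label in this encoding can carry a one-octet level and category numbers 0 through 239 only.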


Note - At a site that plans to use CIPSO labels for trusted routing, or that wishes to communicate with a host whose host type is CIPSO, the Security Administrator role should plan ahead to configure the site's labels so that they map well to CIPSO labels.


A DOI (domain of interpretation) must also be specified, and the same DOI must be:

Ensuring Labels Are Mappable to CIPSO Labels

The Security Administrator role needs to plan ahead to ensure that the labels defined in the label_encodings(4) file map well to CIPSO labels. See Trusted Solaris Label Administration.