On a Trusted Solaris gateway, accreditation checks are performed for the next hop and for the network interfaces.
If the packet has CIPSO label information, the following must be true for a packet to be forwarded:
The route's emetric must include the CIPSO option. If no emetric is specified for the route, the next hop gateway's entry must be defined as one of the following:
CIPSO host type
sun_tsol host type with a CIPSO IP label
tsix host type with a CIPSO IP label
The CIPSO label of the packet must be within the accreditation range from the emetric of the route. If no emetric is specified for the route, the packet's CIPSO label must be within the accreditation range specified in the next hop gateway's entry.
The CIPSO DOI specified in the network database entry for the outgoing interface must equal the packet's DOI.
If the packet has RIPSO label information, the following must be true for a packet to be forwarded:
The route's emetric must include the RIPSO option. If no emetric is specified for the route, the next hop gateway's entry must be defined as one of the following:
RIPSO host type
tsol host type with a RIPSO IP label
tsix host type with a RIPSO IP label
The packet's RIPSO label and RIPSO PAF must be the same as the RIPSO label and RIPSO PAF in the emetric of the route. If no emetric is specified for the route, the packet's RIPSO label and RIPSO PAF must be the same as the RIPSO label and RIPSO PAF specified in the next hop gateway's entry.
If the label of a message is not within the minimum and maximum labels specified in the accreditation range for any of the destination host, gateways, or the network interface, the message is dropped.
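The forwarding checks above can be modeled as a single decision function. The following Python sketch is an added example, not Trusted Solaris code: the class and field names are hypothetical, a label is assumed to be a classification level plus a compartment set, and a gateway entry's host type is reduced to the IP label type it carries.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:
    """Assumed label model: classification level plus compartment set."""
    level: int
    cats: frozenset = frozenset()
    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.cats >= other.cats

@dataclass
class Attrs:
    """Security attributes from a route's emetric or a gateway's entry."""
    ip_label: str                      # "CIPSO" or "RIPSO"
    min_sl: Optional[Label] = None     # accreditation range (CIPSO only)
    max_sl: Optional[Label] = None
    ripso: Optional[tuple] = None      # (RIPSO label, RIPSO PAF)

@dataclass
class Packet:
    ip_label: str
    doi: Optional[int] = None
    sl: Optional[Label] = None
    ripso: Optional[tuple] = None

def may_forward(pkt, emetric, gateway, out_if_doi):
    """Return (forward?, reason) for a packet carrying a CIPSO or RIPSO label."""
    # The route's emetric wins; the next hop gateway's entry is the fallback.
    attrs = emetric if emetric is not None else gateway
    if attrs.ip_label != pkt.ip_label:
        return False, f"{pkt.ip_label} option not permitted on this route"
    if pkt.ip_label == "CIPSO":
        in_range = attrs.max_sl.dominates(pkt.sl) and pkt.sl.dominates(attrs.min_sl)
        if not in_range:
            return False, "label outside accreditation range"
        if pkt.doi != out_if_doi:
            return False, "DOI differs from outgoing interface"
        return True, "ok"
    if pkt.ip_label == "RIPSO":
        # RIPSO is an exact match on label and PAF, not a range check.
        if pkt.ripso != attrs.ripso:
            return False, "RIPSO label/PAF mismatch"
        return True, "ok"
    raise ValueError("only CIPSO- and RIPSO-labeled packets are modeled")
```

Passing `None` for the emetric exercises the fallback to the next hop gateway's entry; a non-`None` emetric is used even when the gateway's entry would allow a wider range.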