MAC Enforcement on Incoming Messages
The following checks are performed on a receiving host.
-
The label of the packet being received must be:
-
Within the accreditation range specified in the source host's trusted network database entry
-
Within the accreditation range specified in the trusted network database entry for the network interface receiving the data
-
-
If the packet has a CIPSO label, then its DOI must match the DOI specified in the receiving host's trusted network database entry.
-
If the packet has a RIPSO label, then its RIPSO label and PAF flag must match the RIPSO label and PAF flag specified in the trusted network database entry for the receiving host.
For incoming communications, the Trusted Solaris networking software obtains labels and other security attributes from the packets themselves whenever possible--which is only completely possible when the messages are sent from systems that support labels and all the other required attributes in a form recognized by the Trusted Solaris software. In many cases, packets arrive from hosts that are not label-cognizant or that do not send recognizable labels, or the packets do not have all of the other required attributes in their packets.
When the needed security attributes are not all available from a packet, those that are lacking are assigned to the message from trusted networking databases. Any attributes not obtainable from the host's entry are supplemented by the attributes specified in the entry in the trusted network interface database entry the interface through which the message arrives.
- © 2010, Oracle Corporation and/or its affiliates