Trusted Extensions software determines the suitability of a route for security purposes. The software runs a series of tests called accreditation checks on the source host, the destination host, and the intermediate gateways.
The accreditation check verifies the label range and the CALIPSO or CIPSO label information. The security attributes for a route are obtained from the routing table entry, or from the security template of the gateway if the entry has no security attributes.
For incoming communications, the Trusted Extensions software obtains labels from the packets themselves, whenever possible. Obtaining labels from packets is only possible when the messages are sent from hosts that support labels. When a label is not available from the packet, a default label is assigned to the message from the security template. These labels are then used during accreditation checks. Trusted Extensions enforces several checks on outgoing messages, forwarded messages, and incoming messages.
The following accreditation checks are performed on the sending process or sending zone:
For all destinations, the DOI of an outgoing packet must match the DOI of the destination host. The DOI must also match the DOI of all hops along the route, including its first-hop gateway.
For all destinations, the label of the outgoing packet must be within the label range of the next hop in the route, that is, the first hop. And, the label must be contained in the first-hop gateway's security attributes.
When the destination host is an unlabeled host, one of the following conditions must be satisfied:
The sending host's label must match the destination host's default label.
The sending host is privileged to perform cross-label communication, and the sender's label dominates the destination's default label.
The sending host is privileged to perform cross-label communication, and the sender's label is ADMIN_LOW. That is, the sender is sending from the global zone.
On a Trusted Extensions gateway system, the following accreditation checks are performed for the next-hop gateway:
If the incoming packet is unlabeled, the packet inherits the source host's default label from the security template. Otherwise, the packet receives the label that is indicated in the CALIPSO or CIPSO option.
Checks for forwarding a packet proceed similar to source accreditation, as follows:
For all destinations, the DOI of an outgoing packet must match the DOI of the destination host. The DOI must also match the DOI of the next-hop host.
For all destinations, the label of the outgoing packet must be within the label range of the next hop. And, the label must be contained in the security attributes of the next-hop host.
The label of an unlabeled packet must match the destination host's default label.
The label of a labeled packet must be within the destination host's label range.
A labeled gateway that is expected to forward packets from adaptive hosts must configure its inbound interface with a netif host type template. For definitions of the adaptive and netif host types, see Host Type and Template Name in Security Templates.
When a Trusted Extensions system receives data, the software performs the following checks:
If the incoming packet is unlabeled, the packet inherits the source host's default label from the security template. Otherwise, the packet receives the label that is indicated in the labeled option.
The label and DOI for the packet must be consistent with the destination zone or destination process's label and DOI. The exception is when a process is listening on a multilevel port. The listening process can receive a packet if the process is privileged to perform cross-label communications, and the process is either in the global zone or has a label that dominates the packet's label.