Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: November 2020

Network Security Attributes in Trusted Extensions

A Trusted Extensions system is installed with a default set of security templates that are used to define the label properties of remote hosts. In Trusted Extensions, both unlabeled hosts and labeled hosts on the network are assigned security attributes by means of a security template. Hosts that are not assigned a template cannot communicate with hosts that are configured with Trusted Extensions. The templates are stored locally.

Hosts can be added to a security template by IP address or as part of a range of IP addresses. For further explanation, see Trusted Network Fallback Mechanism.

    Each host type has its own set of additional required and optional security attributes. The following security attributes are specified in security templates:

  • Host type – Defines whether the packets are labeled with a CALIPSO or CIPSO security label, or not labeled at all.

  • Default label – Defines the level of trust of the unlabeled host. Packets that are sent by an unlabeled host are read at this label by the receiving Trusted Extensions system or gateway.

    The Default label attribute is specific to the host type unlabeled. For details, see Default Label in Security Templates.

  • DOI – A positive, non-zero integer that identifies the domain of interpretation. The DOI is used to indicate which set of label encodings applies to a network communication or network entity. Labels with different DOIs, even if otherwise identical, are disjoint. For unlabeled hosts, the DOI applies to the default label. In Trusted Extensions, the default value is 1.

  • Minimum label – Defines the bottom of the label accreditation range. Hosts and next-hop gateways do not receive packets that are below the minimum label that is specified in their template.

  • Maximum label – Defines the top of the label accreditation range. Hosts and next-hop gateways do not receive packets that are higher than the maximum label that is specified in their template.

  • Auxiliary label set – Optional. Specifies a discrete set of security labels for a security template. In addition to their accreditation range that is determined by the maximum and minimum labels, hosts that are added to a template with an auxiliary label set can send and receive packets that match any one of the labels in the label set. The maximum number of auxiliary labels that can be specified is four.

Host Type and Template Name in Security Templates

    Trusted Extensions supports four host types in the trusted network databases and provides four default templates:

  • cipso host type – Intended for hosts that run labeled trusted operating systems. This host type supports CALIPSO and CIPSO labels.

    For IPv6, the CALIPSO protocol is used to specify security labels that are passed in the IP options field. For IPv4, the CIPSO protocol is used. Labels in CALIPSO and CIPSO headers are derived automatically from the data's label. The derived label is then used to make security checks at the IP level and to label the network packets.

  • unlabeled host type – Intended for hosts that use standard networking protocols but do not support labeled options. Trusted Extensions supplies the template named admin_low for this host type.

    This host type is assigned to hosts that run the Oracle Solaris OS or other unlabeled operating systems. This host type provides a default label to apply to communications with the unlabeled host. Also, a label range or a set of discrete labels can be specified to allow the sending of packets to an unlabeled gateway for forwarding.

  • adaptive host type – Intended for subnets of hosts that are not labeled, but that send packets to a specific network interface on a labeled system. The labeled system applies its network interface default label to the incoming packets.

    This host type is assigned to hosts that run the Oracle Solaris OS or other unlabeled operating systems and that are expected to send data to a labeled system. This host type does not provide a default label. The label of communication is derived from the labeled network interface of the receiving system. This host type is assigned to end node systems, not gateways.

    The adaptive host type provides flexibility for planning and scaling a trusted network. Administrators can expand the network with new unlabeled systems without having to know the new systems' default label in advance. When an adaptive host is configured to send packets to a labeled network interface on a netif host, the default label of the interface on that netif host assigns the appropriate label to the incoming packets.

  • netif host type – Intended for the host names of interfaces that receive packets on a specific network interface from adaptive hosts. This host type is assigned to interfaces on Trusted Extensions systems. The default label of the netif interface is applied to the arriving packets.

Caution  - The admin_low template provides an example for constructing unlabeled templates with site-specific labels. While the admin_low template is required for the installation of Trusted Extensions, the security attributes might be too liberal for normal system operations. Retain the provided templates without modification for system maintenance and support reasons.

Default Label in Security Templates

Templates for the unlabeled and netif host types specify a default label. This label is used to control communications with hosts whose operating systems are not aware of labels, such as Oracle Solaris systems. The default label that is assigned reflects the level of trust that is appropriate for the host and its users.

Because communications with unlabeled hosts are essentially limited to the default label, these hosts are also referred to as single-label hosts. A technical reason to call these hosts "single-label" is that these hosts do not have admin_high and admin_low labels.

Domain of Interpretation in Security Templates

Organizations that use the same Domain of Interpretation (DOI) agree among themselves to interpret label information and other security attributes in the same way. When Trusted Extensions performs a label comparison, a check is made as to whether the DOI is equal.

A Trusted Extensions system enforces label policy on one DOI value. All zones on a Trusted Extensions system must operate at the same DOI. A Trusted Extensions system does not provide exception handling on packets that are received from a system that uses a different DOI.

If your site uses a DOI value that is different from the default value, you must use this value in every security template, as described in How to Configure a Different Domain of Interpretation.

Label Range in Security Templates

    The minimum label and maximum label attributes are used to establish the label range for labeled and unlabeled hosts. These attributes are used to do the following:

  • To set the label range that can be used when a host communicates with a remote labeled host

    In order for a packet to be sent to a destination host, the label of the packet must be within the label range assigned in the destination host's security template.

  • To set a label range for packets that are being forwarded through a labeled gateway or an unlabeled gateway

    The label range can be specified in the template for an unlabeled host type. The label range enables the host to forward packets that are not necessarily at the label of the host, but are within a specified label range.

Auxiliary Labels in Security Templates

The auxiliary label set defines at most four discrete labels at which packets can be accepted, forwarded, or sent by the remote host. This attribute is optional. By default, no auxiliary label set is defined.