User's Manual
Configuring GRE, NAT, RIPSO, and BFE Services
308625-14.00 Rev 00
By default, RIPSO is disabled on IP interfaces. You can use Site Manager to
enable RIPSO on an IP interface and specify the following:
• A range of acceptable security levels for IP datagrams that the interface
receives and transmits
• A set of required and allowed authority values for IP datagrams that the
interface receives and transmits
• Whether inbound datagrams received on this interface require security labels
• Whether outbound datagrams transmitted on this interface (either forwarded
or originated by the router) require security labels
• Whether datagrams received or transmitted on this interface should have their
labels stripped
You also specify whether the router creates the following types of labels:
• An implicit label, which the router uses to label unlabeled inbound datagrams,
when required
• A default label, which the router uses to label unlabeled outbound datagrams,
when required
• An error label, which the router uses to label Internet Control Message
Protocol (ICMP) error messages associated with processing security options
Security Label Format
A RIPSO security label is three or more bytes long and specifies the security
classification level and protection authority values for the datagram (Figure 3-1).
Figure 3-1. RIPSO Security Label
[Figure: label fields in order: Type (1 octet), Length (1 octet), Security
classification (1 octet), Protection authority (1 octet or more), followed by
the IP datagram.]
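The label layout and the per-interface level and authority settings described above can be exercised with a small parser. This is an added example, not code from this manual or from the router software. The option type (130), the classification encodings, and the authority bit names are taken from RFC 1108, and the acceptable() check is an assumed model of the interface filtering, not the router's actual logic.

```python
# Added example: parse an RFC 1108 basic security option (RIPSO label).
RIPSO_TYPE = 130  # IP option type of the basic security option (RFC 1108)
LEVELS = {0xAB: "Unclassified", 0x96: "Confidential",
          0x5A: "Secret", 0x3D: "Top Secret"}
RANK = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # low to high
AUTHORITIES = ["GENSER", "SIOP-ESI", "SCI", "NSA", "DOE"]  # bits 0-4, MSB first


def parse_label(opt: bytes):
    """Return (level_name, set_of_authorities) or raise ValueError."""
    if len(opt) < 3 or opt[0] != RIPSO_TYPE:
        raise ValueError("not a RIPSO label")
    length = opt[1]
    if length < 3 or length > len(opt):
        raise ValueError("length octet does not match the option data")
    if opt[2] not in LEVELS:
        raise ValueError("unknown classification encoding")
    flags = opt[3:length]
    # Low-order bit of each authority octet: 1 means another octet follows.
    for i, octet in enumerate(flags):
        if bool(octet & 0x01) != (i < len(flags) - 1):
            raise ValueError("termination bit inconsistent with length")
    # Only the first authority octet has named bits in RFC 1108.
    first = flags[0] if flags else 0
    auths = {n for bit, n in enumerate(AUTHORITIES) if first & (0x80 >> bit)}
    return LEVELS[opt[2]], auths


def acceptable(opt, min_level, max_level, required, allowed):
    """Assumed interface check: level in range, required <= auths <= allowed."""
    try:
        level, auths = parse_label(opt)
    except ValueError:
        return False
    in_range = RANK.index(min_level) <= RANK.index(level) <= RANK.index(max_level)
    return in_range and set(required) <= auths <= set(allowed)


# Constructed sample labels (not captured traffic).
SECRET_GENSER = bytes([130, 4, 0x5A, 0x80])
TOP_SECRET_NSA = bytes([130, 4, 0x3D, 0x10])
TRUNCATED = bytes([130, 6, 0x5A, 0x80])  # length octet exceeds the data

if __name__ == "__main__":
    for label in (SECRET_GENSER, TOP_SECRET_NSA, TRUNCATED):
        ok = acceptable(label, "Confidential", "Secret",
                        {"GENSER"}, {"GENSER", "SCI"})
        print(label.hex(), "accept" if ok else "reject")
```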