User's Manual

Configuring GRE, NAT, RIPSO, and BFE Services
308625-14.00 Rev 00
Inbound IP Datagrams
When the router receives an IP datagram on a RIPSO interface, it compares the
security classification and authority values specified in the security label with
those configured on the inbound interface.
If the interface does not require a security label for inbound IP datagrams, the
router accepts both unlabeled IP datagrams and datagrams that meet the
classification and authority rules described in the next paragraph.
If the interface does require a security label, then for the router to accept the
datagram, the following RIPSO conditions must be met:
- The datagram must be labeled.
- The security classification value in the datagram’s label must be within the
  security-level range configured for the interface.
- The authority flags in the datagram’s label must include all flags required for
  the interface and cannot contain any flags not allowed for the interface.
The router drops any datagrams that do not meet these requirements and generates
an ICMP error message.
On a non-RIPSO interface, the router accepts only unlabeled IP datagrams and IP
datagrams that are labeled as Unclassified with no authority flags set.
Forwarded IP Datagrams
When the router receives an IP datagram that needs forwarding on a RIPSO
interface, the router compares the security classifications and authority values
specified in the security label with those configured on the outbound interface.
Before forwarding the datagram, the router:
- Checks that all RIPSO conditions are met (see the preceding section)
- Applies any outbound-specific configuration parameters
The router drops any datagrams that do not meet these requirements and generates
an ICMP error message.
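
The inbound and forwarding checks described above can be modeled as one decision function. This is an added example, not code from the manual or the router software. The class and field names, the numeric level ranks, and the sample flag names are assumptions made for illustration. Outbound-specific parameters are not modeled, and reusing the same rule for a non-RIPSO outbound interface is also an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    # Ordering ranks for comparison only (assumed), not on-the-wire encodings.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    level: Level
    authorities: frozenset = frozenset()

@dataclass(frozen=True)
class Interface:  # hypothetical model of per-interface settings
    ripso: bool = False
    require_label: bool = False
    min_level: Level = Level.UNCLASSIFIED
    max_level: Level = Level.UNCLASSIFIED
    required: frozenset = frozenset()   # flags every label must carry
    allowed: frozenset = frozenset()    # flags a label may carry

def accepts(iface: Interface, label: Optional[Label]) -> bool:
    """Apply the label conditions of one interface to one datagram."""
    if not iface.ripso:
        # Non-RIPSO: unlabeled, or Unclassified with no authority flags set.
        return label is None or (
            label.level == Level.UNCLASSIFIED and not label.authorities)
    if label is None:
        return not iface.require_label
    in_range = iface.min_level <= label.level <= iface.max_level
    flags_ok = iface.required <= label.authorities <= iface.allowed
    return in_range and flags_ok

def forward(inbound: Interface, outbound: Interface, label: Optional[Label]) -> str:
    """Inbound check first, then the same conditions on the outbound interface."""
    if not accepts(inbound, label):
        return "drop, ICMP error (inbound)"
    if not accepts(outbound, label):
        return "drop, ICMP error (outbound)"
    return "forward"

if __name__ == "__main__":
    # Constructed sample interfaces and label.
    lan = Interface(True, True, Level.CONFIDENTIAL, Level.SECRET,
                    frozenset({"GENSER"}), frozenset({"GENSER", "NSA"}))
    wan = Interface(True, True, Level.UNCLASSIFIED, Level.CONFIDENTIAL,
                    frozenset({"GENSER"}), frozenset({"GENSER"}))
    print(forward(lan, wan, Label(Level.SECRET, frozenset({"GENSER"}))))
```

A Secret datagram accepted on the first sample interface is dropped at the second because its classification is above that interface's configured range.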