Trusted Network Fallback Mechanism

Language:

A host IP address can be added to a security template either directly or indirectly. Direct assignment adds a host's IP address. Indirect assignment adds a range of IP addresses that includes the host. To match a particular host, the trusted network software first looks for the specific IP address. If the search does not find a specific entry for the host, it looks for the "longest prefix of matching bits". You can indirectly assign a host to a security template when the IP address of the host falls within the "longest prefix of matching bits" of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. For examples, see Figure 23, Table 23, Trusted Extensions Host Address and Fallback Mechanism Entries.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 – 32. IPv6 network addresses can have a prefix length between 1 – 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 23 Trusted Extensions Host Address and Fallback Mechanism Entries

IP Version	Host Entry for `host_type=cipso`	IP Addresses Covered
IPv4	192.0.2.57 192.0.2.57/32	Host address `192.0.2.57`. Not a range of addresses. The `/32` sets a prefix length of 32 fixed bits.
	192.0.2.128/26	From `192.0.2.0` through `192.0.2.63`
	192.0.2.0 192.0.2.0/24	All addresses on `192.0.2` subnet.

	192.0.2.0 192.0.2.0/16	All addresses on `192.0.` subnet.
	10.0.0.0 10.0.0.0/8	All addresses on `10.` subnet.
	192.0.2.0/32	Host address `192.0.2.0`. Not a range of addresses.

	192.0.0.0/32	Host address `192.0.0.0`. Not a range of addresses.
	0.0.0.0/32	Host address `0.0.0.0`. Not a range of addresses.
	0.0.0.0	All addresses on all networks.
IPv6	2001\:DB8\:22\:5000\:\:21f7	2001:DB8:22:5000::21f7
	2001\:DB8\:22\:5000\:\:0/52	From `2001:DB8:22:5000::0` through `2001:DB8:22:5fff:ffff:ffff:ffff:ffff`
	0\:\:0/0	All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. By adding the 0.0.0.0/32 entry to a system's unlabeled security template, you enable hosts with the specific address, 0.0.0.0, to contact the system. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.

To create a tnrhdb entry on a Sun Ray server that serves DHCP clients, see Example 46, Configuring a Valid Initial Address for a Labeled Sun Ray Server. To create a tnrhdb entry for an application that serves DHCP clients, see Example 45, Making the Host Address 0.0.0.0/32 a Valid Initial Address. The 0.0.0.0:admin_low network is the default entry in the admin_low unlabeled host template. Review How to Limit the Hosts That Can Be Contacted on the Trusted Network for security issues that would require changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Obtaining IP Addresses for Your Network in Planning for Network Deployment in Oracle Solaris 11.3.