SunScreen SKIP User's Guide, Release 1.5.1

skiphost: Setting Up the ACL

skiphost provides the same functionality as the skiptool GUI, from the command line.

Use skiphost to list, add, and delete host, network, or nomadic (mobile) systems from the ACL, as well as to enable and disable SKIP. Without arguments, it lists the state of the SKIP interface and authorized or unauthorized hosts, networks, and nomadic systems for the default interface.

The ACL allows the user to configure which remote systems can obtain access to the local host and the type of access granted. Access control is usually based on the IP address of the remote host or on the remote system's key ID.

Remote systems can be specified as individual hosts, networks, or nomadic systems.

Hosts are specified by their host name or IP address. Networks or subnetworks are specified by a network address plus a mask, similar to the mask used in subnetting. Nomadic systems can be specified in SKIP and in SKIP Version 1. They are specified by a key identifier (that is, any IP address with the key ID "x").

ACL entries are processed in the following order. First, a search is made for an ACL entry specifying the remote host; if one exists, it is used. If no entry containing the IP address can be found, a search is made for a nomadic ACL entry whose key ID matches the sender's key ID in the SKIP protocol header. If one is found and the packet is correctly authenticated, the sender's IP address is stored for future reference.

If no corresponding ACL entry can be found for a remote system, the default is used. The default may be configured to allow access or to deny access. This method is similar to the one IP uses when deciding how to route a packet to a destination (that is, host routes take precedence over network routes, and, in the absence of anything better, the default route is used).

When applying access control, the system treats the lists of authorized and excluded systems as a global list and always selects the best match.

A default entry can be specified to indicate all other hosts not specifically covered by other access-control entries.
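The lookup order described above (host entry first, then the most specific network entry, then a nomadic entry matched by key ID with the authenticated sender's address remembered afterwards, and finally the default) can be modelled in a few lines. The following is an added example written for this guide, not SunScreen code; the entry fields, the `AclEntry`/`SkipAcl` names, and the choice to fall through to the default when a nomadic entry matches but the packet is not authenticated are assumptions made for the model.

```python
"""Model of the skiphost ACL lookup order (added example, not SunScreen code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclEntry:
    kind: str                         # "host", "network", or "nomadic"
    action: str                       # "allow" (-a) or "exclude" (-x)
    address: Optional[str] = None     # host IP or network address
    mask: Optional[str] = None        # network mask (the -M argument)
    key_id: Optional[str] = None      # nomadic key ID, hex (the -R argument)
    params: dict = field(default_factory=dict)   # e.g. {"k": ..., "t": ..., "m": ...}


class SkipAcl:
    """Global list of authorized and excluded systems; best match always wins."""

    def __init__(self, default_action: str = "deny"):
        self.entries: list[AclEntry] = []
        self.default_action = default_action          # the default entry
        self.learned: dict[str, AclEntry] = {}        # IP -> nomadic entry, after auth

    def add(self, entry: AclEntry) -> None:
        self.entries.append(entry)

    def lookup(self, src_ip: str, key_id: Optional[str] = None,
               authenticated: bool = False):
        """Return (action, matched_entry_or_None, how_matched)."""
        ip = ipaddress.ip_address(src_ip)

        # 1. An entry naming the remote host itself takes precedence.
        for e in self.entries:
            if e.kind == "host" and ipaddress.ip_address(e.address) == ip:
                return e.action, e, "host"
        # 1b. An address remembered from an earlier authenticated nomadic packet
        #     is treated like a host entry (assumption of this model).
        if str(ip) in self.learned:
            return self.learned[str(ip)].action, self.learned[str(ip)], "nomadic-learned"

        # 2. Most specific network entry (longest mask), like network routes.
        best = None
        for e in self.entries:
            if e.kind != "network":
                continue
            net = ipaddress.ip_network(f"{e.address}/{e.mask}", strict=False)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (e, net)
        if best is not None:
            return best[0].action, best[0], "network"

        # 3. Nomadic entry matched on the key ID carried in the SKIP header.
        #    Only an authenticated packet binds the sender's IP to the entry.
        if key_id is not None:
            for e in self.entries:
                if e.kind == "nomadic" and e.key_id.lower() == key_id.lower():
                    if authenticated:
                        self.learned[str(ip)] = e
                        return e.action, e, "nomadic"
                    break   # unauthenticated: fall through to the default (assumption)

        # 4. Nothing better: the default entry decides.
        return self.default_action, None, "default"


def demo() -> list:
    """Constructed sample ACL and lookups; addresses are documentation ranges."""
    acl = SkipAcl(default_action="deny")
    acl.add(AclEntry("host", "allow", address="192.0.2.10", params={"t": "BULK", "m": "MAC"}))
    acl.add(AclEntry("network", "allow", address="192.0.2.0", mask="255.255.255.0"))
    acl.add(AclEntry("network", "exclude", address="192.0.2.128", mask="255.255.255.128"))
    acl.add(AclEntry("nomadic", "allow", key_id="0a1b2c"))
    results = [
        acl.lookup("192.0.2.10"),                                          # host entry
        acl.lookup("192.0.2.77"),                                          # /24 network
        acl.lookup("192.0.2.200"),                                         # more specific /25 wins
        acl.lookup("198.51.100.5", key_id="0A1B2C", authenticated=False),  # not bound yet
        acl.lookup("198.51.100.5", key_id="0A1B2C", authenticated=True),   # binds the IP
        acl.lookup("198.51.100.5"),                                        # remembered IP
        acl.lookup("203.0.113.9"),                                         # default
    ]
    return [(action, how) for action, _, how in results]
```

`demo()` returns the (action, how-matched) pairs, which makes the precedence easy to check: the excluded /25 beats the allowed /24 for 192.0.2.200 even though both entries are on the list, exactly the "global list, best match" behaviour the text describes.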


Note -

Before you enable SKIP, any hosts needed for operation of the local system must be present in the ACL. Verify that any NFS file servers, NIS servers, or any local broadcast addresses for your network are on the ACL.


Syntax


skiphost -[i|h|o|P|V|f|d|x|a][hostname/IP address][option specific arguments...]

Options

-i

The -i option takes the interface name as an argument and is used with the -o option to enable or disable SKIP for a particular interface. If this option is not specified, skiphost operates on the system's primary network interface.

-f

This option removes (flushes) all ACL entries from a given network interface and automatically disables SKIP.

-h

This option displays the SKIP statistics for a given network interface.

-o

This option enables and disables SKIP. To enable SKIP, use -o on; to disable SKIP, use -o off.

-P

Adding this option to skiphost prints the current access control list in a format that is suitable for execution in a shell script.

-V

Adding this option to skiphost prints the current access control list in a name=value verbose format.

hostname/IP address

Takes the -M mask argument. When skiphost is given a hostname or network without any other options, it checks whether that hostname or network exists in the access control list and displays its parameters.

-a

Adds the hostname or network (specified using the hostname/address and -M mask arguments) to the access control list and enables traffic between the hosts in the clear. To add a hostname or network and enable encrypted and/or authenticated traffic to the host, use the -k, -m, and/or -t options. For more arguments, see the description of -a '*'.

-d

Removes a hostname, network, or nomadic system from the access control list. Also takes hostname/IP address/* and -M mask as well as other option-specific arguments. For more arguments, see the description of -a '*'.

-x

Excludes a hostname, network, or nomadic system from the access control list. Also takes hostname/IP address/* and -M mask as well as other option-specific arguments. For more arguments, see the description of -a '*'.

-a '*'

This option specifies a nomadic system. It must be used in conjunction with the authentication and receiver key ID options. To encrypt and/or authenticate communications with a remote system, use the following options:

-k key algorithm

Specifies the key encryption algorithm, that is, the algorithm used to encrypt keys. A list of supported algorithms is available using the skipstat(1M) command.

-t crypt algorithm

Specifies the traffic encryption algorithm for encrypting traffic (bulk data).

-m mac algorithm

Specifies the authentication algorithm.

-c comp algorithm

Specifies the compression algorithm. Not currently implemented.


-r receiver NSID -R Receiver keyID -s sender NSID -S Sender keyID

The Key Name Space Identifier (NSID) options (-r and -s) control how keying information is identified in the SKIP protocol. They take numeric values from 0 to 11. The remote key ID option (-R) and the local key ID option (-S) take a hexadecimal value whose length depends on the name space being used. The default NSID values (0, "Not Present") are normally acceptable for most applications. Currently only name spaces 0 ("Not Present"), 1 ("IPv4 address"), and 8 ("MD5 DH public values") are supported.

-v SKIP version

SKIP can use an older version of the protocol to communicate with SunScreen SPF-100 and SunScreen SPF-100G systems. To use this mode, specify the -v 1 option. If no version is specified, skiphost uses SKIP version 2 by default.


-A tunnel address

This option is used in tunneling mode to replace the destination address in outgoing packets with the supplied value. This permits hiding of network topology. By default, the tunnel address is set to the destination address.

-T

Encrypts or authenticates only the data part of the IP packet. By default, SKIP uses tunneling mode and protects the whole packet.
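Because the options above combine in a fixed set of ways (a host or network with -M, a nomadic '*' entry that must carry the authentication and receiver key ID options, NSIDs limited to 0 through 11 of which only 0, 1 and 8 are supported, and -v restricted to 1 or 2), it is easy to script ACL maintenance in a way that rejects a malformed entry before it ever reaches skiphost. The builder below is an added example for this guide, not part of SunScreen; it only assembles the argv list and never runs the command. The function name `build_skiphost_cmd`, the algorithm names used in `demo_commands()`, the treatment of -A together with -T as a conflict, and the exact argument order are assumptions of this example.

```python
"""Assemble skiphost argument vectors with the constraints from the option
descriptions (added example, not SunScreen code)."""
import re
from typing import Optional

# Name spaces the text lists as supported: 0, 1 and 8; valid range is 0..11.
NSID_RANGE = range(0, 12)
SUPPORTED_NSIDS = {0: "Not Present", 1: "IPv4 address", 8: "MD5 DH public values"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _check_nsid(value: Optional[int], flag: str) -> None:
    if value is None:
        return
    if value not in NSID_RANGE:
        raise ValueError(f"{flag}: NSID must be 0..11, got {value}")
    if value not in SUPPORTED_NSIDS:
        raise ValueError(f"{flag}: NSID {value} is not a supported name space")


def _check_keyid(value: Optional[str], flag: str) -> None:
    if value is not None and not HEX_RE.match(value):
        raise ValueError(f"{flag}: key ID must be hexadecimal, got {value!r}")


def build_skiphost_cmd(action: str, target: str, mask: Optional[str] = None,
                       key_alg: Optional[str] = None, crypt_alg: Optional[str] = None,
                       mac_alg: Optional[str] = None,
                       recv_nsid: Optional[int] = None, recv_keyid: Optional[str] = None,
                       send_nsid: Optional[int] = None, send_keyid: Optional[str] = None,
                       version: Optional[int] = None, tunnel_addr: Optional[str] = None,
                       transport: bool = False, interface: Optional[str] = None) -> list:
    """Return the argv list for one skiphost call.

    action: "a" (add), "d" (delete) or "x" (exclude); target: hostname, IP,
    network address, or "*" for a nomadic system.
    """
    if action not in ("a", "d", "x"):
        raise ValueError("action must be a, d or x")
    if target == "*" and action == "a" and (mac_alg is None or recv_keyid is None):
        # The text: a nomadic entry must be used with the authentication
        # and receiver key ID options.
        raise ValueError("nomadic entry (-a '*') requires -m and -R")
    _check_nsid(recv_nsid, "-r")
    _check_nsid(send_nsid, "-s")
    _check_keyid(recv_keyid, "-R")
    _check_keyid(send_keyid, "-S")
    if version not in (None, 1, 2):
        raise ValueError("-v accepts only 1 (SPF-100 compatibility) or 2")
    if transport and tunnel_addr is not None:
        # -A rewrites the destination in tunneling mode; -T selects transport
        # mode, so the pair is treated as contradictory here (assumption).
        raise ValueError("-A (tunnel address) cannot be combined with -T")

    argv = ["skiphost"]
    if interface:
        argv += ["-i", interface]
    argv += [f"-{action}", target]
    for flag, value in (("-M", mask), ("-k", key_alg), ("-t", crypt_alg),
                        ("-m", mac_alg), ("-r", recv_nsid), ("-R", recv_keyid),
                        ("-s", send_nsid), ("-S", send_keyid), ("-v", version),
                        ("-A", tunnel_addr)):
        if value is not None:
            argv += [flag, str(value)]
    if transport:
        argv.append("-T")
    return argv


def demo_commands() -> list:
    """Constructed examples; algorithm names are placeholders, real names come
    from skipstat(1M) on the system."""
    return [
        # Clear-text access for a whole subnet.
        build_skiphost_cmd("a", "192.0.2.0", mask="255.255.255.0"),
        # Encrypted and authenticated traffic to one file server, transport mode.
        build_skiphost_cmd("a", "192.0.2.10", key_alg="KEYALG", crypt_alg="BULKALG",
                           mac_alg="MACALG", transport=True),
        # Nomadic system identified by an MD5 DH public value (NSID 8).
        build_skiphost_cmd("a", "*", mac_alg="MACALG", recv_nsid=8, recv_keyid="0a1b2c"),
        # Exclude a host on a non-primary interface.
        build_skiphost_cmd("x", "203.0.113.9", interface="hme1"),
    ]
```

A maintenance script would print these argv lists with `shlex.join` for review, or pass them to `subprocess.run` once the ACL already contains every NFS server, NIS server and broadcast address the host depends on, as the note earlier in this section requires before `skiphost -o on`.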


See the man pages for more detail.