Trusted Network Fallback Mechanism

The tnrhdb database can assign a security template to a particular host either directly or indirectly. Direct assignment assigns a template to a host's IP address. Indirect assignment is handled by a fallback mechanism. The trusted network software first looks for an entry that specifically assigns the host's IP address to a template. If the software does not find a specific entry for the host, it looks for the “longest prefix of matching bits”. You can indirectly assign a host to a security template when the IP address of the host falls within the “longest prefix of matching bits” of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. Entries 3 – 6 in Table 18-1 illustrate this fallback mechanism.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 – 32. IPv6 network addresses can have a prefix length between 1 – 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 18-1 tnrhdb Host Address and Fallback Mechanism Entries

IP Version	`tnrhdb` Entry	Addresses Covered
IPv4	192.168.118.57:cipso 192.168.118.57/32:cipso	192.168.118.57 The `/32` sets a prefix length of 32 fixed bits.
	192.168.118.128/26:cipso	From `192.168.118.0` through `192.168.118.63`
	192.168.118.0:cipso 192.168.118.0/24:cipso	All addresses on `192.168.118.` network
	192.168.0.0/24:cipso	All addresses on `192.168.0.` network.
	192.168.0.0:cipso 192.168.0.0/16:cipso	All addresses on `192.168.` network
	192.0.0.0:cipso 192.0.0.0/8:cipso	All addresses on `192.` network
	192.168.0.0/32:cipso	Network address `192.168.0.0`. Not a wildcard address.
	192.168.118.0/32:cipso	Network address `192.168.118.0`. Not a wildcard address.
	192.0.0.0/32:cipso	Network address `192.0.0.0`. Not a wildcard address.
	0.0.0.0/32:cipso	Host address `0.0.0.0`. Not a wildcard address.
	0.0.0.0:cipso	All addresses on all networks
IPv6	2001\:DB8\:22\:5000\:\:21f7:cipso	2001:DB8:22:5000::21f7
	2001\:DB8\:22\:5000\:\:0/52:cipso	From `2001:DB8:22:5000::0` through `2001:DB8:22:5fff:ffff:ffff:ffff:ffff`
	0\:\:0/0:cipso	All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. The tnrhdb entry 0.0.0.0/32:admin_low is useful on a system where the literal address, 0.0.0.0, is used as a source IP address. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.

To create a tnrhdb entry on a Sun Ray server that serves DHCP clients, see Example 19-10. Because 0.0.0.0:admin_low is the default wildcard entry, see How to Limit the Hosts That Can Be Contacted on the Trusted Network for issues to consider before removing or changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Designing Your CIDR IPv4 Addressing Scheme in System Administration Guide: IP Services and IPv6 Addressing Overview in System Administration Guide: IP Services.

Skip Navigation Links
Exit Print View
	Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10