JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Administrator's Procedures     Oracle Solaris 10 8/11 Information Library
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

1.  Trusted Extensions Administration Concepts

2.  Trusted Extensions Administration Tools

3.  Getting Started as a Trusted Extensions Administrator (Tasks)

4.  Security Requirements on a Trusted Extensions System (Overview)

5.  Administering Security Requirements in Trusted Extensions (Tasks)

6.  Users, Rights, and Roles in Trusted Extensions (Overview)

7.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

8.  Remote Administration in Trusted Extensions (Tasks)

9.  Trusted Extensions and LDAP (Overview)

10.  Managing Zones in Trusted Extensions (Tasks)

11.  Managing and Mounting Files in Trusted Extensions (Tasks)

12.  Trusted Networking (Overview)

The Trusted Network

Trusted Extensions Data Packets

Trusted Network Communications

Network Configuration Databases in Trusted Extensions

Network Commands in Trusted Extensions

Trusted Network Security Attributes

Network Security Attributes in Trusted Extensions

Host Type and Template Name in Security Templates

Default Label in Security Templates

Domain of Interpretation in Security Templates

Label Range in Security Templates

Security Label Set in Security Templates

Trusted Network Fallback Mechanism

Overview of Routing in Trusted Extensions

Background on Routing

Routing Table Entries in Trusted Extensions

Trusted Extensions Accreditation Checks

Source Accreditation Checks

Gateway Accreditation Checks

Destination Accreditation Checks

Administration of Routing in Trusted Extensions

Choosing Routers in Trusted Extensions

Gateways in Trusted Extensions

Routing Commands in Trusted Extensions

13.  Managing Networks in Trusted Extensions (Tasks)

14.  Multilevel Mail in Trusted Extensions (Overview)

15.  Managing Labeled Printing (Tasks)

16.  Devices in Trusted Extensions (Overview)

17.  Managing Devices for Trusted Extensions (Tasks)

18.  Trusted Extensions Auditing (Overview)

19.  Software Management in Trusted Extensions (Tasks)

A.  Quick Reference to Trusted Extensions Administration

B.  List of Trusted Extensions Man Pages

Index

Trusted Network Fallback Mechanism

The tnrhdb database can assign a security template to a particular host either directly or indirectly. Direct assignment assigns a template to a host's IP address. Indirect assignment is handled by a fallback mechanism. The trusted network software first looks for an entry that specifically assigns the host's IP address to a template. If the software does not find a specific entry for the host, it looks for the “longest prefix of matching bits”. You can indirectly assign a host to a security template when the IP address of the host falls within the “longest prefix of matching bits” of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. Entries 3 – 6 in Table 12-1 illustrate this fallback mechanism.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 – 32. IPv6 network addresses can have a prefix length between 1 – 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 12-1 tnrhdb Host Address and Fallback Mechanism Entries

IP Version
tnrhdb Entry
Addresses Covered
IPv4
 
192.168.118.57:cipso
192.168.118.57/32:cipso
 
192.168.118.57
The /32 sets a prefix length of 32 fixed bits.
 
192.168.118.128/26:cipso
From 192.168.118.0 through 192.168.118.63
 
192.168.118.0:cipso
192.168.118.0/24:cipso
All addresses on 192.168.118. network
 
192.168.0.0/24:cipso
All addresses on 192.168.0. network.
 
192.168.0.0:cipso
192.168.0.0/16:cipso
All addresses on 192.168. network
 
192.0.0.0:cipso
192.0.0.0/8:cipso
All addresses on 192. network
 
192.168.0.0/32:cipso
Network address 192.168.0.0. Not a wildcard address.
 
192.168.118.0/32:cipso
Network address 192.168.118.0. Not a wildcard address.
 
192.0.0.0/32:cipso
Network address 192.0.0.0. Not a wildcard address.
 
0.0.0.0/32:cipso
Host address 0.0.0.0. Not a wildcard address.
 
0.0.0.0:cipso
All addresses on all networks
IPv6
 
2001\:DB8\:22\:5000\:\:21f7:cipso
 
2001:DB8:22:5000::21f7
 
2001\:DB8\:22\:5000\:\:0/52:cipso
From 2001:DB8:22:5000::0 through 2001:DB8:22:5fff:ffff:ffff:ffff:ffff
 
0\:\:0/0:cipso
All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. The tnrhdb entry 0.0.0.0/32:admin_low is useful on a system where the literal address, 0.0.0.0, is used as a source IP address. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.

To create a tnrhdb entry on a Sun Ray server that serves DHCP clients, see Example 13-13. Because 0.0.0.0:admin_low is the default wildcard entry, see How to Limit the Hosts That Can Be Contacted on the Trusted Network for issues to consider before removing or changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Designing Your CIDR IPv4 Addressing Scheme in System Administration Guide: IP Services and IPv6 Addressing Overview in System Administration Guide: IP Services.

Copyright © 1992, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next