Trusted Network Fallback Mechanism

A host IP address can be added to a security template either directly or indirectly. Direct assignment adds a host's IP address. Indirect assignment adds a range of IP addresses that includes the host. To match a particular host, the trusted network software first looks for the specific IP address. If the search does not find a specific entry for the host, it looks for the “longest prefix of matching bits”. You can indirectly assign a host to a security template when the IP address of the host falls within the “longest prefix of matching bits” of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. For examples, see Table 15-1.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 – 32. IPv6 network addresses can have a prefix length between 1 – 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 15-1 Trusted Extensions Host Address and Fallback Mechanism Entries

IP Version	Host Entry for `host_type=cipso`	IP Addresses Covered
IPv4	192.168.118.57 192.168.118.57/32	192.168.118.57 The `/32` sets a prefix length of 32 fixed bits.
	192.168.118.128/26	From `192.168.118.0` through `192.168.118.63`
	192.168.118.0 192.168.118.0/24	All addresses on `192.168.118.` subnet.
	192.168.0.0/24	All addresses on `192.168.0.` subnet.
	192.168.0.0 192.168.0.0/16	All addresses on `192.168.` subnet.
	192.0.0.0 192.0.0.0/8	All addresses on `192.` subnet.
	192.168.118.0/32	Host address `192.168.118.0`. Not a range of addresses.
	192.168.0.0/32	Host address `192.168.0.0`. Not a range of addresses.
	192.0.0.0/32	Host address `192.0.0.0`. Not a range of addresses.
	0.0.0.0/32	Host address `0.0.0.0`. Not a range of addresses.
	0.0.0.0	All addresses on all networks
IPv6	2001\:DB8\:22\:5000\:\:21f7	2001:DB8:22:5000::21f7
	2001\:DB8\:22\:5000\:\:0/52	From `2001:DB8:22:5000::0` through `2001:DB8:22:5fff:ffff:ffff:ffff:ffff`
	0\:\:0/0	All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. By adding the 0.0.0.0/32 entry to a system's unlabeled security template, you enable hosts with the specific address, 0.0.0.0, to contact the system. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.

To create a tnrhdb entry for an application that serves DHCP clients, see Example 16-16. The 0.0.0.0:admin_low network is the default entry in the admin_low unlabeled host template. Review How to Limit the Hosts That Can Be Contacted on the Trusted Network for security issues that would require changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Deciding on an IP Addressing Format for Your Network in Oracle Solaris Administration: IP Services and IPv6 Addressing Overview in System Administration Guide: IP Services.

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11 Information Library