Trusted Extensions Configuration and Administration

Updated: March 2019

Trusted Network Fallback Mechanism

A host IP address can be added to a security template either directly or indirectly. Direct assignment adds a host's IP address. Indirect assignment adds a range of IP addresses that includes the host. To match a particular host, the trusted network software first looks for the specific IP address. If the search does not find a specific entry for the host, it looks for the "longest prefix of matching bits". You can indirectly assign a host to a security template when the IP address of the host falls within the "longest prefix of matching bits" of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. For examples, see Table 19, Trusted Extensions Host Address and Fallback Mechanism Entries.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 and 32. IPv6 network addresses can have a prefix length between 1 and 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 19  Trusted Extensions Host Address and Fallback Mechanism Entries

IP Version  Host Entry for host_type=cipso   IP Addresses Covered
----------  -------------------------------  -------------------------------------------------------------------
IPv4        192.168.118.57                   192.168.118.57
            192.168.118.57/32                The /32 sets a prefix length of 32 fixed bits.

            192.168.118.128/26               From 192.168.118.0 through 192.168.118.63

            192.168.118.0                    All addresses on 192.168.118. subnet.
            192.168.118.0/24

            192.168.0.0/24                   All addresses on 192.168.0. subnet.

            192.168.0.0                      All addresses on 192.168. subnet.
            192.168.0.0/16

            192.0.0.0                        All addresses on 192. subnet.
            192.0.0.0/8

            192.168.118.0/32                 Host address 192.168.118.0. Not a range of addresses.
            192.168.0.0/32                   Host address 192.168.0.0. Not a range of addresses.
            192.0.0.0/32                     Host address 192.0.0.0. Not a range of addresses.
            0.0.0.0/32                       Host address 0.0.0.0. Not a range of addresses.
            0.0.0.0                          All addresses on all networks

IPv6        2001\:DB8\:22\:5000\:\:21f7      2001:DB8:22:5000::21f7
            2001\:DB8\:22\:5000\:\:0/52      From 2001:DB8:22:5000::0 through 2001:DB8:22:5fff:ffff:ffff:ffff:ffff
            0\:\:0/0                         All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. By adding the 0.0.0.0/32 entry to a system's unlabeled security template, you enable hosts with the specific address, 0.0.0.0, to contact the system. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.
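As an added example that is not Oracle's code, the following Python models the matching rules described above: the prefix length inferred from trailing zero octets, explicit /n prefixes, tnrhdb's backslash-escaped IPv6 colons, and the longest-prefix fallback under which 0.0.0.0/32 governs the single address 0.0.0.0 while 0.0.0.0 alone covers every network. The entry list and the template names are constructed samples.

```python
import ipaddress

# Added example, not Oracle's code: models the page's rule that a host is
# matched by its specific address first, else by the longest matching prefix.

def parse_entry(text):
    """Parse a tnrhdb-style 'address[/prefix]' entry into an ip_network."""
    text = text.replace("\\:", ":")  # tnrhdb escapes colons in IPv6 entries
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)  # fixed prefix length
    addr = ipaddress.ip_address(text)
    if addr.version == 6:
        return ipaddress.ip_network((addr, 128))  # a specific IPv6 host
    # IPv4 without a prefix: 4, 3, 2, 1 or 0 trailing zero octets
    # give a prefix length of 0, 8, 16, 24 or 32 respectively.
    trailing_zeros = 0
    for octet in reversed(text.split(".")):
        if octet != "0":
            break
        trailing_zeros += 1
    return ipaddress.ip_network((addr, 32 - 8 * trailing_zeros), strict=False)


def lookup(host, entries):
    """Return (network, template) of the entry governing host, or None.

    A /32 or /128 entry is the longest possible prefix, so a direct
    assignment always beats any range that also contains the host.
    """
    addr = ipaddress.ip_address(host)
    best = None
    for text, template in entries:
        net = parse_entry(text)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, template)
    return best


# Constructed entries built from the page's addresses; the template names
# are sample values, not a real system's configuration.
SAMPLE_ENTRIES = [
    ("192.168.118.57", "cipso_host"),  # direct assignment, /32
    ("192.168.118.0", "cipso_lan"),    # one zero octet -> /24
    ("192.168.0.0/16", "cipso_site"),  # explicit fixed prefix
    ("0.0.0.0/32", "dhcp_initial"),    # only the address 0.0.0.0
    ("0.0.0.0", "admin_low"),          # four zero octets -> /0
    ("2001\\:DB8\\:22\\:5000\\:\\:0/52", "cipso_v6"),
    ("0\\:\\:0/0", "admin_low"),
]
```

Running `lookup("0.0.0.0", SAMPLE_ENTRIES)` selects the /32 entry rather than the /0 wildcard, which is why a separate 0.0.0.0/32 entry is needed to admit DHCP clients that have not yet received an address.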

To create a tnrhdb entry for an application that serves DHCP clients, see Example 41, Making the Host Address 0.0.0.0/32 a Valid Initial Address. The 0.0.0.0:admin_low network is the default entry in the admin_low unlabeled host template. Review How to Limit the Hosts That Can Be Contacted on the Trusted Network for security issues that would require changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Obtaining IP Addresses for Your Network in Planning for Network Deployment in Oracle Solaris 11.4.