Location-Based Security

When a user makes a connection, his or her location is identified by a Physical Location Identifier (PLId), which is a function of the method of connection used, and the location of the user. The user can read, but not set, the PLId.

This information can be used in Reality to apply different constraints to the user, depending on their location. For more information on PLIds and the use of SSM to set up their network profiles, see Securing the Database Using SSM.

Note

When you use DDA for connection to another host, the current PLId is passed to the called host. If you use a character circuit, however, a new PLId is assigned.

Common PLId Formats

The most common PLId formats are listed below:

NT-SerialNo-Session

This form is used for telnet sessions to a Windows system. SerialNo is the called system's serial number and Session is the session number.

Note that the session number is allocated dynamically at logon and may therefore be different each time a user logs on.

Example: NT-123456-6

INET-HexAddress-Session

This form is used for DDA connections from PCs via TCP. HexAddress is the caller's IP address (in hexadecimal) and Session is the PC session number.

Example: INET-98.72.0C.0C-2

A similar form is used for telnet connections that use location-based security (see below).

INET-DecimalAddress-Port

This form is used for telnet connections that use location-based security. DecimalAddress is the IP address (in decimal) and Port is the port or session number (see Telnet Security for more details).

Example: INET-152.114.132.39-1100
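As an added example (this is not Reality's own code), the following C program parses the three common PLId formats above into prefix, address and trailing number, decoding the hexadecimal INET address into dotted decimal so that both INET forms end up in the same representation. The struct and function names are this example's own, and the rule it uses to tell the hexadecimal form from the decimal one is an assumption stated in the code: an address made of four all-digit two-character groups (for example 12.34.56.78) fits either form, so it is treated as decimal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Parsed view of a common-format PLId such as "INET-98.72.0C.0C-2".
   Field names are this example's own, not Reality identifiers. */
typedef struct {
    char prefix[8];        /* "NT" or "INET" */
    char address[64];      /* serial number, or IP address in dotted decimal */
    int  port;             /* session or port number */
    int  address_is_ip;    /* 1 when address is an IP address */
    int  dynamic_session;  /* 1 when the last field is allocated at logon (NT form) */
} plid_t;

/* Assumed heuristic for the hexadecimal IP form: four 2-character hex groups,
   at least one of which has a hex letter or a leading zero ("0C"). An all-digit
   address such as 12.34.56.78 is ambiguous between the two INET forms and is
   treated as decimal. */
static int is_hex_ip(const char *s) {
    int groups = 0, marker = 0;
    while (*s) {
        const char *g = s;
        int n = 0;
        while (*s && *s != '.') { s++; n++; }
        if (n != 2 || !isxdigit((unsigned char)g[0]) || !isxdigit((unsigned char)g[1]))
            return 0;
        if (isalpha((unsigned char)g[0]) || isalpha((unsigned char)g[1]) || g[0] == '0')
            marker = 1;
        groups++;
        if (*s == '.') s++;
    }
    return groups == 4 && marker;
}

static int all_digits(const char *s) {
    if (!*s) return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Split a PLId into prefix, address and trailing number. Returns 0 on success,
   -1 if the string is not in one of the three common formats. */
int parse_plid(const char *plid, plid_t *out) {
    char buf[128];
    memset(out, 0, sizeof *out);
    out->port = -1;
    if (strlen(plid) >= sizeof buf) return -1;
    strcpy(buf, plid);

    char *rest = strchr(buf, '-');
    if (!rest || (size_t)(rest - buf) >= sizeof out->prefix) return -1;
    *rest++ = '\0';
    strcpy(out->prefix, buf);

    /* The last '-' separates the address from the session/port number. */
    char *last = strrchr(rest, '-');
    if (!last || !all_digits(last + 1)) return -1;
    *last = '\0';
    out->port = atoi(last + 1);

    if (strcmp(out->prefix, "NT") == 0) {
        if (!all_digits(rest)) return -1;
        out->dynamic_session = 1;   /* session number changes at each logon */
        snprintf(out->address, sizeof out->address, "%s", rest);
    } else if (strcmp(out->prefix, "INET") == 0) {
        out->address_is_ip = 1;
        if (is_hex_ip(rest)) {
            unsigned a, b, c, d;
            sscanf(rest, "%2x.%2x.%2x.%2x", &a, &b, &c, &d);
            snprintf(out->address, sizeof out->address, "%u.%u.%u.%u", a, b, c, d);
        } else {
            snprintf(out->address, sizeof out->address, "%s", rest);
        }
    } else {
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed samples taken from the format descriptions above. */
    const char *samples[] = { "NT-123456-6", "INET-98.72.0C.0C-2", "INET-152.114.132.39-1100" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        plid_t p;
        if (parse_plid(samples[i], &p) == 0)
            printf("%-26s prefix=%s address=%s port=%d dynamic=%d\n",
                   samples[i], p.prefix, p.address, p.port, p.dynamic_session);
    }
    return 0;
}
```

The dynamic_session flag is the point a practitioner should carry into any location policy built on these values: for the NT form the last field is assigned at logon, so a constraint keyed on the full PLId string would match a different value each session, whereas the serial number and the INET address fields are stable.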

Other PLId Formats

CHAR-Address-Port

This form is used for character circuit connections. On OSI circuits Address is the calling NSAP and Port is the calling TSAP. On TCP/IP circuits Address is the calling IP address and Port is the calling port identifier.

Example: CHAR-49000100112233445501-0203

CHAR2-Address-Port

This form is used for character mode connections to a type 2 Listening entry - that is, one which uses the called TSAP instead of the calling TSAP. Type 2 Listening entries are used for connection via non-NEC terminal servers that do not associate a TSAP with each physical port.

On OSI circuits Address is the calling NSAP and Port is the called TSAP. On TCP/IP circuits Address is the calling IP address and Port is the called port identifier specified in the ROUTE-FILE Listening entry.

Example: CHAR2-152.114.132.39-1100

MPS-Address-Port

This form is used for connections initiated from a Multi-protocol Server (MPS). Address is the Ethernet address of the server and Port is the port number on that server.

Example: MPS-001122334455-0005

NETX-Address

This form is used for connections through a NetworkX node configured to convert OSI transport class 3 to transport class 4, and to include the X.25 calling address in the call user data of the connect request. Address is the X.25 calling address in SPAG Y / 13 format.

Example: NETX-1442987654

PLAN-SerialNo-Port

This form is used for NEC Software Solutions Series 18 / 19 PLAN connected terminals. SerialNo is the serial number of the Series 18 / 19 system and Port is the PLAN port number.

Example: PLAN-004000-0012

SLAN-Address-Port

This form is used for:

In both cases, Address is the Ethernet (MAC) address of the caller.

TNET-Location

This form is used for connections via the telnet LBS daemon (see Telnet Security).

TSRV-Address-Port

This form is used for connections initiated from a Multi-protocol Terminal Server (MPTS). Address is the Ethernet address of the server and Port is the port number on that server.

Example: TSRV-008023050F27-0008

TYM-Node-Host-Port

This form is used for an incoming call from a TYMNET network. Node is the Tymnet node identifier, Host is the host number and Port is the port number.

Example: TYM-309951-0033-0078

UNET-SerialNo-Name

This form is used for Reality-initiated processes connected to a network terminal (that is, using NET-LOGON). SerialNo is the calling system's UNIX serial number and Name is the name of the ROUTE-FILE entry on that system.

Example: UNET-200433-support.port11

UNIX-SerialNo

This form is used for daemon processes which do not already have a PLId, if the environment variable UC_PROCPLID is not set or has the value 0. SerialNo is the calling system's UNIX serial number.

If a unique PLId is required, the environment variable UC_PROCPLID can be set to 1; a PLId with the form UPROC-SerialNo-Process (see below) will then be generated.

Example: UNIX-123456

UNIX-SerialNo-Port

This form is used for terminals connected directly to a UNIX system and UNIX telnet sessions connected via the standard telnet daemon. SerialNo is the called system's UNIX serial number and Port is the tty port number.

Note that for telnet connections the tty port number is allocated dynamically at logon and may therefore be different each time a user logs on.

Example: UNIX-123456-tty06

UNIX-SerialNo-rtSsPp

This form is used for terminals connected via an annex terminal server using the proprietary call protocol. SerialNo is the calling system's UNIX serial number, Ss denotes the terminal server number and Pp the port on the terminal server.

Example: UNIX-123456-rt0102

UPROC-SerialNo-Process

If the environment variable UC_PROCPLID has the value 1, daemon processes that do not already have a PLId will have PLIds in this format. SerialNo is the calling system's UNIX serial number, and Process is the UNIX process id.

Example: UPROC-123456-3751

X25-Address

This form is used for X.25 PAD connections. Address is the X.121 address of the calling PAD.

Example: X25-03323674900234

User-defined PLId Format

This optional feature (enabled by software key) is intended for use when logging on to Reality via a port specified in the devices file using the OPEN keyword. The format is defined in the host environment variable REALPLIDFORMAT - this can contain literal text and the place-holder %d which, when used, is replaced by the port number. For example, if REALPLIDFORMAT is set to PORT-%d and a user logs onto port 35 (by using the reality command with the -t option), the PLId assigned will be PORT-35.

Note

The %d place-holder is a C language printf format string and can therefore accept flags, width, precision and length parameters. For example, to place the port number in a field five characters wide with leading zeros, use %05d. Refer to the C or C++ language documentation for details of the available options.
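Because REALPLIDFORMAT is read from the host environment and handed to a printf-style formatter, anyone reproducing or wrapping this behaviour should accept only the %d placeholder (with the flags, width and precision described above) before formatting. The following C example, added here and not part of Reality, does exactly that; the function names are this example's own, and two choices are its own rather than the page's: it rejects length modifiers (the substituted value is a plain int) and allows at most one conversion, since only one port number is ever substituted.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Accept a REALPLIDFORMAT value only if every '%' is either "%%" or a single
   "%d" conversion, optionally carrying printf flags, width and precision.
   Length modifiers are deliberately rejected in this example because the
   value passed is a plain int. Returns 1 if the format is acceptable. */
int plid_format_is_safe(const char *fmt) {
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                          /* "%%": literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        while (isdigit((unsigned char)*p)) p++;           /* width */
        if (*p == '.') {                                  /* precision */
            p++;
            while (isdigit((unsigned char)*p)) p++;
        }
        if (*p != 'd') return 0;   /* any other conversion, "%*d", or a trailing '%' */
        conversions++;
    }
    return conversions <= 1;       /* at most one port number is substituted */
}

/* Build the user-defined PLId for a port. Returns 0 on success, -1 if the
   format is rejected or the result does not fit in out. */
int build_user_plid(const char *fmt, int port, char *out, size_t outlen) {
    if (!plid_format_is_safe(fmt)) return -1;
    int n = snprintf(out, outlen, fmt, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    /* Constructed sample formats: two acceptable, two rejected. */
    const char *formats[] = { "PORT-%d", "PORT-%05d", "PORT-%s", "%d-%d" };
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        char plid[32];
        if (build_user_plid(formats[i], 35, plid, sizeof plid) == 0)
            printf("%-10s -> %s\n", formats[i], plid);
        else
            printf("%-10s -> rejected\n", formats[i]);
    }
    return 0;
}
```

With port 35, PORT-%d yields PORT-35 and PORT-%05d yields PORT-00035, matching the two examples in the text; a format containing any other conversion is refused before it reaches snprintf.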

Telnet Security

Telnet location based security (LBS) provides location-based security for telnet-connected users. On Windows, you set the Telnet LBS mode when you add or edit a listening entry using the Network Administration Utility, netadmin. On UNIX, Telnet LBS must be set up in the files /etc/services and /etc/inetd.conf - for details see the section Configuring Telnet LBS in UNIX-Connect System Administration.

Telnet LBS has six modes of operation:

Mode 0

Standard telnet operation - a PLId with the following format is assigned:

NT-SerialNo-Session

SerialNo is the called system's serial number and Session is the session number. Note that the session number is allocated dynamically at logon and may therefore be different each time a user logs on.

Example: NT-123456-6

Mode 1

The daemon requests that the caller (that is, the remote host, PC or terminal server) performs a telnet SEND-LOCATION. If the caller supports this option, the connection is assigned a PLId based on the location string sent by the caller:

  • If the location string consists of an Ethernet address and a port or session number, a PLId is generated with the form:

    TNET-Address-Port

    where Address is the Ethernet address and Port is the port or session number.

  • If the location string consists of a hexadecimal IP address and a port or session number, a PLId is generated with the form:

    INET-Address-Port

    where Address is the IP address (in decimal) and Port is the port or session number.

  • If the caller does not support the SEND-LOCATION option, the connection proceeds, but a Mode 0 PLId is assigned (see above).

Mode 2

The PLId assigned to the connection takes the form:

INET-Address-Port

where Address is the caller's IP address and Port is the number of the TCP port to which the connection was made.

This mode should be used for connections via terminal servers that do not associate a port number with each physical port. One TCP port will be required for each terminal server port. Note, however, that because each terminal server is uniquely identified by its IP address, the actual number of TCP ports required is the number of ports on the largest terminal server. For example, if your largest terminal server has 16 ports, you will need 16 TCP ports, however many terminal servers you have.

Mode 3

The daemon attempts to create a Mode 1 PLId but, if the caller does not support SEND-LOCATION, a Mode 2 PLId is assigned. This is the default value for Reality telnet LBS on Windows.

Mode 10

As for Mode 2, except that the port number field of the PLId is the caller's TCP port number. This mode can be used for connections via terminal servers that generate a calling port id that is consistent and related to the physical port being used. It has the advantage that only one TCP port is needed.

Mode 11

As for Mode 3, except that, if a Mode 2 PLId is assigned, the port number field of the PLId is the caller's TCP port number.

This mode gives the greatest flexibility, in that it can be used for both callers that support SEND-LOCATION, and terminal servers and other callers that do not. Note, however, that, as with Mode 10, a terminal server must generate a calling port id that is consistent and related to the physical port being used.

Mode 18

Windows only. As Mode 2, but suppresses telnet negotiation codes.

Any of the above modes can be modified by adding 4 to the mode number - this has the effect of disabling the normal 60 second login timeout.
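To make the mode descriptions above concrete, the following C example (added here; not Reality's code) assigns the PLId for a constructed telnet connection under each Telnet LBS mode: the Mode 1 fallback to Mode 0, the Mode 3 and Mode 11 fallback to Mode 2, the caller's-port variant for Modes 10 and 11, and the +4 modifier that only disables the login timeout. The connection fields, struct names and function names are this example's assumptions, and Mode 18 is modelled only as Mode 2 plus a suppression flag, since the page says nothing more about it.

```c
#include <stdio.h>
#include <string.h>

/* What the telnet LBS daemon knows about one incoming connection.
   All values are constructed for this example. */
typedef struct {
    const char *serial;        /* called system's serial number */
    int session;               /* session number allocated at logon */
    const char *caller_ip;     /* caller's IP address, dotted decimal */
    int local_port;            /* TCP port the connection was made to */
    int caller_port;           /* caller's own TCP port */
    int sends_location;        /* 1 if the caller honours SEND-LOCATION */
    int location_is_ethernet;  /* 1: location string is Ethernet address + port;
                                  0: hexadecimal IP address + port */
    const char *location_addr; /* address part of the location string */
    int location_port;         /* port/session part of the location string */
} telnet_conn_t;

typedef struct {
    char plid[64];
    int login_timeout_disabled;  /* set when 4 was added to the mode */
    int negotiation_suppressed;  /* Mode 18 */
} lbs_result_t;

static int is_base_mode(int m) {
    return m == 0 || m == 1 || m == 2 || m == 3 || m == 10 || m == 11 || m == 18;
}

static void mode0_plid(const telnet_conn_t *c, char *out, size_t n) {
    snprintf(out, n, "NT-%s-%d", c->serial, c->session);
}

/* Mode 2 uses the port the connection was made to; Mode 10 uses the caller's port. */
static void mode2_plid(const telnet_conn_t *c, int use_caller_port, char *out, size_t n) {
    snprintf(out, n, "INET-%s-%d", c->caller_ip, use_caller_port ? c->caller_port : c->local_port);
}

/* Mode 1: returns 1 if the caller's location string produced a PLId, 0 otherwise. */
static int mode1_plid(const telnet_conn_t *c, char *out, size_t n) {
    if (!c->sends_location) return 0;
    if (c->location_is_ethernet) {
        snprintf(out, n, "TNET-%s-%d", c->location_addr, c->location_port);
        return 1;
    }
    unsigned a, b, cc, d;   /* the string carries the IP in hex; the PLId shows it in decimal */
    if (sscanf(c->location_addr, "%2x.%2x.%2x.%2x", &a, &b, &cc, &d) != 4) return 0;
    snprintf(out, n, "INET-%u.%u.%u.%u-%d", a, b, cc, d, c->location_port);
    return 1;
}

/* Assign the PLId for a connection under the given Telnet LBS mode.
   Returns 0 on success, -1 for a mode the documentation does not define. */
int telnet_lbs_assign(int mode, const telnet_conn_t *c, lbs_result_t *r) {
    memset(r, 0, sizeof *r);
    int base = mode;
    if (!is_base_mode(base) && is_base_mode(base - 4)) {   /* "+4" only disables the login timeout */
        base -= 4;
        r->login_timeout_disabled = 1;
    }
    size_t n = sizeof r->plid;
    switch (base) {
    case 0:  mode0_plid(c, r->plid, n); break;
    case 1:  if (!mode1_plid(c, r->plid, n)) mode0_plid(c, r->plid, n); break;
    case 2:  mode2_plid(c, 0, r->plid, n); break;
    case 3:  if (!mode1_plid(c, r->plid, n)) mode2_plid(c, 0, r->plid, n); break;
    case 10: mode2_plid(c, 1, r->plid, n); break;
    case 11: if (!mode1_plid(c, r->plid, n)) mode2_plid(c, 1, r->plid, n); break;
    case 18: mode2_plid(c, 0, r->plid, n); r->negotiation_suppressed = 1; break;
    default: return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed connection: a caller that supports SEND-LOCATION and sends a hex IP. */
    telnet_conn_t c = { "123456", 6, "152.114.132.39", 1100, 40321, 1, 0, "98.72.0C.0C", 2 };
    int modes[] = { 0, 1, 2, 3, 10, 11, 18, 7 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        lbs_result_t r;
        if (telnet_lbs_assign(modes[i], &c, &r) == 0)
            printf("mode %2d -> %-26s timeout_disabled=%d\n", modes[i], r.plid, r.login_timeout_disabled);
    }
    return 0;
}
```

Running the same connection through each mode shows which field of the PLId an operator can rely on: Modes 2, 3, 10 and 11 always key on the caller's IP address, while the port field is the listening port, the caller's port or the location string's port depending on the mode, which is the difference to keep in mind when deciding how many TCP ports a terminal server deployment needs.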