Location-based Security

The Physical Location Identifier (PLId) determines the restrictions applied according to the location of a user.

Physical Location Identifier (PLId)

The PLId uniquely identifies the physical location from which a user has attempted logon. A port number is not sufficient, firstly because the port may be connected across a network and therefore the port number may not be unique, and secondly because there is no guarantee that a connection to a network host from a given location will always be allocated the same port number, since port numbers are assigned dynamically at connection time.

The information received in a connection request allows the system to determine the physical location of the originator and construct the Physical Location Identifier (PLId).

Network profile

The network profile defines the security and other characteristics always applied for a particular PLId or group of PLIds. This can include:

PLId formats

The format of each PLId is connection-type dependent, but in each case it is designed to reflect the originator's location in a structured way. It consists of a variable number of fields separated by hyphens. The leftmost field specifies the connection type, the next field, a general area, the next field, a more specific area, and so on.

Examples of PLId formats are given in the table below.

Format                   Example
CHAR2-Address-Port       CHAR2-152.114.132.39-1100
CHAR-Address-Port        CHAR-49000100112233445501-0203
INET-Address-Session     INET-98.72.0C.0C-2
MPS-Address-Port         MPS-001122334455-0005
NETX-Address             NETX-1442987654
NT-SerialNo-con          NT-123456-con
NT-SerialNo-SessionNo    NT-123456-0123
PLAN-SerialNo-Port       PLAN-004000-0012
SLAN-Address-Port        SLAN-56A9D3EE6B27-0426
TNET-Location            TNET-008023050F27-0003
TSRV-Address-Port        TSRV-008023050F27-0008
TYM-Node-Host-Port       TYM-309951-0033-0078
UNET-SerialNo-Name       UNET-200433-support.port11
UNIX-SerialNo            UNIX-123456
UNIX-SerialNo-Port       UNIX-123456-tty06
UNIX-SerialNo-rtSsPp     UNIX-123456-rt0102
UPROC-SerialNo-Process   UPROC-123456-3751
X25-Address              X25-03323674900234

Refer to Location-Based Security for descriptions of these PLId formats.

Partial PLId

There are instances where, in addition to specifying a security profile for a particular location, you may wish to specify a profile for a more general class of location. You achieve this by removing the most specific fields from the PLId until you arrive at the desired level of generality. The resultant item-id is called a partial PLId. For example, for the PLId:

TYM-309951-0033-0078

You could define the following partial PLIds with increasing levels of generality:

TYM-309951-0033
TYM-309951
TYM

You could define items in the NETWORK file for the complete PLId or for some or all of the partial PLIds. The security system always searches for the most specific PLId first, then eliminates fields from the right to search for more general PLIds.

Consistent Circuit Identifier (CCI)

Because the PLId is a fairly unwieldy collection of letters and digits, and many existing applications based on port number expect an integer value, each PLId is mapped via the NETWORK file to a Consistent Circuit Identifier (CCI), which is a signed 16-bit integer value (0 - 32767). This means that the CCI can be tailored to user requirements and is flexible enough to provide an easy upgrade for users wishing to migrate their existing applications to a networked environment, by using an identifier with a format consistent with a port number.

The mapping of PLId to CCI can be one to one, or many to one (that is, one or more related PLIds can map to a single CCI), allowing the option of giving physically close locations the same logical identifier.

Allocation of CCI

When an incoming network call is received, it is allocated a PLId. Only one PLId is associated with any location and that same PLId is always allocated to a call from that location, so that the PLId is unique and consistent.

The system uses the entire PLId as a key (item-id) to access the NETWORK file to find the corresponding network profile for this PLId. If a match is found (that is, an item exists with that name), the CCI contained in that profile is allocated to that connection. If no match is found, the least significant (rightmost) field of the PLId is dropped, and what is left (representing a less specific network location) is used for another lookup attempt. This continues until a match is found. If the key becomes exhausted and a match is not found, then a default CCI of -1 (X'FFFF') is allocated to the process.
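The lookup described here and under Partial PLId above, written out as an added example that is not from the original documentation: the NETWORK dictionary is a constructed stand-in for NETWORK file items (item-id to profile), and the CCI values in it are invented.

```python
# Added example, not part of the original documentation.
# Resolves a PLId to a CCI the way the text describes: try the full PLId as
# the item-id, then drop the rightmost hyphen-separated field and retry,
# until a profile matches; if the key is exhausted, allocate -1 (X'FFFF').

DEFAULT_CCI = -1  # X'FFFF' read as a signed 16-bit value

# Constructed stand-in for NETWORK file items: item-id -> network profile.
NETWORK = {
    "TYM-309951-0033-0078": {"CCI": 78},   # one specific location
    "TYM-309951": {"CCI": 100},            # partial PLId: whole node
    "TYM": {"CCI": 200},                   # partial PLId: connection type
    "X25": {"CCI": 300},
}


def partial_plids(plid):
    """Return the PLId followed by its partial PLIds, most specific first."""
    fields = plid.split("-")
    return ["-".join(fields[:n]) for n in range(len(fields), 0, -1)]


def allocate_cci(plid, network=NETWORK):
    """Return (matched item-id, CCI) for the first profile found while
    searching from the full PLId towards the most general partial PLId,
    or (None, DEFAULT_CCI) if no item matches at any level."""
    for key in partial_plids(plid):
        profile = network.get(key)
        if profile is None:
            continue
        cci = profile["CCI"]
        # A CCI is stated to be a signed 16-bit value in the range 0 - 32767;
        # reject a misconfigured profile rather than hand out a bad identifier.
        if not 0 <= cci <= 32767:
            raise ValueError(f"profile {key!r} has out-of-range CCI {cci}")
        return key, cci
    return None, DEFAULT_CCI
```

A call from a new port on an already-profiled node, such as TYM-309951-0033-0099, falls through to the TYM-309951 profile, so physically close locations share a CCI without a per-port item.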