dn6(6M) DG/UX B2 Security R4.12MU02 dn6(6M)
NAME
dn6 - DG Network Security Information eXchange
DESCRIPTION
Dn6, or Trusted IP, is a mechanism which associates security
attributes with network sessions. The exact set of security
attributes depends on the configuration of the system and the
network; attributes such as MAC labels, capabilities, authentication
IDs (AUTHIDs), and user IDs are often transmitted between machines.
When a network session is established, Trusted IP makes the
attributes of the remote peer available to the local peer. Trusted
IP also ensures that mandatory access control is enforced and session
events are audited.
When a user invokes a command to establish a virtual terminal session
or file transfer session, or sends mail, Trusted IP passes the user's
credentials and security attributes to the remote machine. When
Trusted IP receives a new network session request, it ensures the new
session runs with the correct MAC label and other security attributes
as appropriate. The AUTHID and PID (if these are passed) are audited
to provide user identification and ensure accountability.
Parts
Trusted IP is automatically activated if the kernel includes the dn6
device. This device is included in the DG/UX information security
option by default and is required as part of the attribute
translation mechanism.
Configuration
Trusted IP provides considerable administrative control through the
use of the dn6d.config(4M) configuration file.
Common operations on the configuration files are provided through
sysadm(1M) under
Networking->TCP/IP->Trusted IP.
These menus can manipulate multiple configuration files. This lets
you develop a new configuration file while preserving a currently
working configuration file. The initial system comes with a default
configuration file named proto which allows all traffic between
unlabeled systems as well as labeled DG/UX systems. Any changes made
to the current configuration file do not take effect until it is
activated.
Domains
A domain defines how to map attributes from local to network
representation, and vice-versa. When new hosts with different
attribute mappings are added to the network, the administrator will
need to add entries for the new mapping domain to the configuration
file. Administrators may also need to customize the attribute
mapping information. This will be necessary, for example, after a
new MAC category is defined which you want passed across the network
to a machine of a different domain.
Dn6d
Trusted IP requires a server program, dn6d(1M), to perform various
attribute mapping tasks. This server is automatically started
whenever a kernel containing the dn6 device is booted. If for some
reason the server is not running, a kernel with dn6 will not allow
new sessions to be established. Any attempt to create a new session
will fail with an error of "Protocol driver not attached". If the
server is not running, it may be restarted by a user with the
appropriate privilege. Attempts to start a second server will fail
because the system allows only one server to run at a time. See
dn6d(1M) for more information.
After the configuration file has been changed, the Trusted IP daemon,
dn6d, must be told to re-read the new configuration file; this
process is called activation. The current configuration file can be
activated through sysadm or by sending a SIGHUP signal to dn6d.
Programming
The security attributes of network sessions can be obtained by
calling library functions. See the nseclibrary(3) and the
nsecmaplibrary(3) for more information.
FILES
/etc/tcb/dn6/dn6d.config
SEE ALSO
admdn6(1M), dn6d(1M), dn6d.config(4M), nseclibrary(3),
nsecmaplibrary(3).
Licensed material--property of copyright holder(s)