dn6(6M)                  DG/UX B2 Security R4.12MU02                 dn6(6M)


NAME
       dn6 - DG Network Security Information eXchange

DESCRIPTION
       Dn6, or Trusted IP, is a mechanism which associates security
       attributes with network sessions.  The exact set of security
       attributes depends on the configuration of the system and the
       network;  attributes such as MAC labels, capabilities, authentication
       IDs (AUTHIDs), and user IDs are often transmitted between machines.
       When a network session is established, Trusted IP makes the
       attributes of the remote peer available to the local peer.  Trusted
       IP also ensures that mandatory access control is enforced and session
       events are audited.

       When a user invokes a command to establish a virtual terminal session
       or file transfer session, or sends mail, Trusted IP passes the user's
       credentials and security attributes to the remote machine.  When
       Trusted IP receives a new network session request, it ensures the new
       session runs with the correct MAC label and other security attributes
       as appropriate.  The AUTHID and PID (if these are passed) are audited
       to provide user identification and ensure accountability.

   Parts
       Trusted IP is automatically activated if the kernel includes the dn6
       device.  This device is included in the DG/UX information security
       option by default and is required as part of the attribute
       translation mechanism.

   Configuration
       Trusted IP provides considerable administrative control through the
       use of the dn6d.config(4M) configuration file.

       Common operations on the configuration files are provided through
       sysadm(1M) under

            Networking->TCP/IP->Trusted IP.

       These menus can manipulate multiple configuration files.  This lets
       you develop a new configuration file while preserving a currently
       working configuration file.  The initial system comes with a default
       configuration file named proto which allows all traffic between
       unlabeled systems as well as labeled DG/UX systems.  Any changes made
       to the current configuration file do not take effect until it is
       activated.

   Domains
       A domain defines how to map attributes from local to network
       representation, and vice-versa.  When new hosts with different
       attribute mappings are added to the network, the administrator will
       need to add entries for the new mapping domain to the configuration
       file.  Administrators may also need to customize the attribute
       mapping information.  This will be necessary, for example, after a
       new MAC category is defined which you want passed across the network
       to a machine of a different domain.

   Dn6d
       Trusted IP requires a server program, dn6d(1M), to perform various
       attribute mapping tasks.  This server is automatically started
       whenever a kernel containing the dn6 device is booted.  If for some
       reason the server is not running, a kernel with dn6 will not allow
       new sessions to be established.  Any attempt to create a new session
       will fail with an error of "Protocol driver not attached".  If the
       server is not running, it may be restarted by a user with the
       appropriate privilege.  Attempts to start a second server will fail
       because the system allows only one server to run at a time.  See
       dn6d(1M) for more information.

       After the configuration file has been changed, the Trusted IP daemon,
       dn6d, must be told to re-read the new configuration file; this
       process is called activation.  The current configuration file can be
       activated through sysadm or by sending a SIGHUP signal to dn6d.

   Programming
       The security attributes of network sessions can be obtained by
       calling library functions.  See nseclibrary(3) and nsecmaplibrary(3)
       for more information.

FILES
       /etc/tcb/dn6/dn6d.config

SEE ALSO
       admdn6(1M), dn6d(1M), dn6d.config(4M), nseclibrary(3),
       nsecmaplibrary(3).


Licensed material--property of copyright holder(s)
