Access control prevents the forwarding of DNA IV (Long Format) data packets on
the basis of source address, destination address, and interface. Access control
does not affect routing packets, because they use a different packet format. This
makes configuring access control safer, because you cannot break the routing
protocol.
To implement access control, addresses are masked and compared. That is, the
address in question is ANDed with a mask that has 1s in the bit positions to be
tested and 0s in the don't-care positions; the result is then compared with a fixed
value. For example, you could use a mask of 63.1023 (all 1s) and compare it with a
result of 6.23, which would be true only for node 6.23. You could use a mask of
63.0 and a result of 9.0, which would be true for any node in area 9.
These mask and compare values come in pairs for source and destination address.
They are then formed into lists for an interface. Each interface can have one access
control list, which is applied to packets received on that interface. This list may be
inclusive or exclusive. An inclusive list is a set of address pairs that designates a
corridor for traffic flow. An exclusive list is a set of address pairs that does not allow
traffic flow.
In both kinds of list, the source and destination addresses of each packet are
tested against every entry's mask and compare values. In an inclusive list, the
packet is forwarded if any entry's source and destination both match; otherwise it
is dropped. In an exclusive list, the packet is dropped if any entry's source and
destination both match; otherwise it is forwarded. The choice between exclusive and
inclusive should be made on the basis of which list will be shorter. However,
exclusive access control is usually easier to configure.
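The mask-and-compare test and the inclusive/exclusive list evaluation described above, as an added worked example (not code from MRS or from this reference). It assumes DECnet Phase IV address encoding (6-bit area, 10-bit node, written area.node) and uses constructed lists: the Figure 16 case (node 1.13 restricted to 1.2 and 1.4) and an exclusive list that blocks all of area 9.

```python
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[int, int]  # (area, node): 6-bit area, 10-bit node, as in DECnet Phase IV

def parse_addr(text: str) -> Addr:
    """Parse 'area.node' (e.g. '63.1023' as an all-ones mask) and range-check it."""
    area_s, node_s = text.split(".")
    area, node = int(area_s), int(node_s)
    if not (0 <= area <= 63 and 0 <= node <= 1023):
        raise ValueError(f"DECnet address out of range: {text}")
    return area, node

def matches(addr: Addr, mask: Addr, compare: Addr) -> bool:
    """Mask-and-compare: 1 bits in the mask are tested, 0 bits are don't-care."""
    return (addr[0] & mask[0], addr[1] & mask[1]) == compare

@dataclass(frozen=True)
class Entry:
    src_mask: Addr
    src_cmp: Addr
    dst_mask: Addr
    dst_cmp: Addr

    def __post_init__(self) -> None:
        # A compare value with 1 bits outside its mask can never match; reject it
        # when the list is configured instead of silently never matching.
        for mask, cmp in ((self.src_mask, self.src_cmp), (self.dst_mask, self.dst_cmp)):
            if (cmp[0] & ~mask[0]) or (cmp[1] & ~mask[1]):
                raise ValueError(f"compare {cmp} has bits outside mask {mask}")

    def hits(self, src: Addr, dst: Addr) -> bool:
        return matches(src, self.src_mask, self.src_cmp) and matches(dst, self.dst_mask, self.dst_cmp)

def entry(src_mask: str, src_cmp: str, dst_mask: str, dst_cmp: str) -> Entry:
    return Entry(parse_addr(src_mask), parse_addr(src_cmp), parse_addr(dst_mask), parse_addr(dst_cmp))

def forward(acl: List[Entry], inclusive: bool, src: str, dst: str) -> bool:
    """True = forward, False = drop (packet returned with RQR set). Inclusive lists
    forward only on a match; exclusive lists drop on a match."""
    any_hit = any(e.hits(parse_addr(src), parse_addr(dst)) for e in acl)
    return any_hit if inclusive else not any_hit

# Constructed lists: inclusive = node 1.13 may talk only to 1.2 and 1.4 (the Figure 16 case);
# exclusive = drop every packet sourced in area 9, whatever the destination.
INCLUSIVE = [entry("63.1023", "1.13", "63.1023", "1.2"), entry("63.1023", "1.13", "63.1023", "1.4")]
EXCLUSIVE = [entry("63.0", "9.0", "0.0", "0.0")]
```

Remember that a list is applied to packets received on one interface, so the same list must be defined on every interface the access-control line crosses.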
When packets are dropped due to access controls, the Return to Sender Request
(RQR) bit is set in the Long Format Data Packet header and the packet is returned.
Then, the connect request immediately fails, because NSP Connect Initiate packets
are normally sent with the RQR bit set.
Configuring Access Control
Access control limits access to a particular host or group of hosts. You must assign
access control to all routes to that host, not just the preferred route. Otherwise,
access control functions when the primary route is up, but fails when the secondary
route is in use.
On your network map, draw a line to isolate the secure region from the rest of the
network. Ideally the line should cross the minimum possible set of adjacencies so
that the least number of interfaces are running with access control. For broadcast
networks (Ethernet and Token-Ring), draw the line through the drop cable to the
node, to identify the interface to filter. For each interface crossed by the access
control line, use NCP to define the same access control list.
Note: Because all DECnet applications use the NSP protocol, which requires
bidirectional connectivity, you do not need to define access controls in both
directions.
Inclusive Access Control
In Figure 16 on page 255, node 1.13 wants to communicate with nodes 1.2 and 1.4
only. Access control allows you to secure nodes from all nodes connected by
routers. Therefore, in Figure 16 on page 255 you can protect node 1.13 from all
Using DNA IV
254
MRS V3.2 Protocol Config Ref Vol 2