17.10 - Example: Complex Mapping - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

A company must use the IP/mask 141.206.0.0/13 to restrict all employees of certain departments from accessing the database. This mask, with a value not divisible by 8, includes many additional IP addresses beyond the 255 x 255 addresses represented by the zeros in segments three and four, because it also partially masks segment two.

The following masking analysis helps explain the effect of a partial segment mask on the content of the top-level subnet address:
  • AND the binary values of the subnet address with those of the mask:
    10001101.11001110.00000000.00000000 (141.206.0.0)
    11111111.11111000.00000000.00000000 (255.248.0.0 or /13)
    ________________________________
    10001101.11001000.00000000.00000000 (141.200.0.0)
  • The result shows the first 13 digits in bold text to indicate that they must be present in any address allowed by the allow element. Note that the first 13 digits of the result match the first 13 digits of the original range. The remaining 19 digits appear in normal text to indicate that they can be either a zero or a 1 and still be part of the subnet.
  • Expressing all 19 digits as 1, while retaining the first 13 digits as shown in bold, results in the largest possible address in this subnet, or 10001101.11001111.11111111.11111111 (141.207.255.255).
  • The total range of addresses in subnet 141.206.0.0/13 includes all addresses from 141.200.0.0 through 141.207.255.255.
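The same masking analysis can be scripted to check any filter value before it is deployed. The following is an added example, not Teradata code; the function names `analyze_mask` and `covered` are assumptions made for illustration. It generalizes the steps above to any IPv4 address/prefix pair and reports whether the address as written is the real base of the subnet.

```python
import ipaddress

def dotted_binary(value: int) -> str:
    """Render a 32-bit integer as four dot-separated 8-bit segments."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def analyze_mask(spec: str) -> dict:
    """Carry out the AND analysis for an IPv4 'address/prefix' value."""
    addr_text, prefix_text = spec.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = addr & mask                  # fixed bits kept, free bits zeroed
    last = first | (~mask & 0xFFFFFFFF)  # free bits all set to 1
    return {
        "mask": str(ipaddress.IPv4Address(mask)),
        "first": str(ipaddress.IPv4Address(first)),
        "last": str(ipaddress.IPv4Address(last)),
        "count": last - first + 1,
        # True when the mask cuts through the middle of a segment
        "partial_segment": prefix % 8 != 0,
        # False when the written address is not the lowest address covered
        "address_is_subnet_base": addr == first,
        "binary": [dotted_binary(addr), dotted_binary(mask), dotted_binary(first)],
    }

def covered(spec: str, candidate: str) -> bool:
    """Return True if candidate falls inside the range selected by spec."""
    info = analyze_mask(spec)
    value = int(ipaddress.IPv4Address(candidate))
    low = int(ipaddress.IPv4Address(info["first"]))
    high = int(ipaddress.IPv4Address(info["last"]))
    return low <= value <= high

if __name__ == "__main__":
    result = analyze_mask("141.206.0.0/13")
    for line in result["binary"]:
        print(line)
    print(result["first"], "through", result["last"], f"({result['count']} addresses)")
    # Constructed sample addresses just inside and just outside the range
    for sample in ("141.199.255.255", "141.201.5.9", "141.208.0.0"):
        print(sample, "covered" if covered("141.206.0.0/13", sample) else "not covered")
```
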

To apply partial segment masking to IP filters, see Example: Secondary Element Processing—Single Address Exception and Example: Secondary Element Processing—Carve Out Exception.