16.10 - Example: Complex Mapping - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

A company must use the IP/mask 141.206.0.0/13 to restrict all employees of certain departments from accessing the database. This mask, with a value not divisible by 8, includes many additional IP addresses beyond the 255 x 255 addresses represented by the zeros in segments three and four, because it also partially masks segment two.

The following masking analysis helps explain the effect of a partial segment mask on the content of the top level subnet address:

  • AND the binary values of the subnet address with those of the mask:
    10001101.11001110.00000000.00000000 (141.206.0.0)
    11111111.11111000.00000000.00000000 (255.248.0.0 or /13)
    ___________________________________
    10001101.11001000.00000000.00000000 (141.200.0.0)
  • The result shows the first 13 digits in bold text to indicate that they must be present in any address allowed by the allow element. Note that the first 13 digits of the result match the first 13 digits of the original range. The remaining 19 digits appear in normal text to indicate that they can be either a zero or a 1 and still be part of the subnet.
  • Expressing all 19 digits as 1, while retaining the first 13 digits as shown in bold, results in the largest possible address in this subnet, or 10001101.11001111.11111111.11111111 (141.207.255.255).
  • The total range of addresses in subnet 141.206.0.0/13 includes all addresses from 141.200.0.0 through 141.207.255.255.
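The masking analysis above can be reproduced in code. The following Python sketch is an added example, not part of the Teradata documentation; the function names and the client addresses in the final loop are constructed for illustration. It generalizes the analysis to any IPv4 address/prefix pair and cross-checks the result against Python's standard ipaddress module.

```python
import ipaddress

def to_int(dotted):
    """Convert dotted-quad IPv4 text to a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | p
    return value

def to_dotted(value):
    """Render a 32-bit integer as dotted-quad text."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value):
    """Render a 32-bit integer as four dot-separated binary segments."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def subnet_range(cidr):
    """Return (mask, lowest, highest) as integers for 'a.b.c.d/n'."""
    address, _, prefix = cidr.partition("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    lowest = to_int(address) & mask          # AND step: host bits cleared
    highest = lowest | (~mask & 0xFFFFFFFF)  # all host bits set to 1
    return mask, lowest, highest

def in_subnet(client, cidr):
    """True if the client shares the masked prefix bits with the subnet."""
    mask, lowest, _ = subnet_range(cidr)
    return to_int(client) & mask == lowest

if __name__ == "__main__":
    cidr = "141.206.0.0/13"
    mask, lowest, highest = subnet_range(cidr)
    for label, v in (("mask", mask), ("lowest", lowest), ("highest", highest)):
        print(f"{label:8}{to_binary(v)} ({to_dotted(v)})")
    # Cross-check against the standard library (strict=False allows host bits).
    net = ipaddress.ip_network(cidr, strict=False)
    assert (int(net.network_address), int(net.broadcast_address)) == (lowest, highest)
    # Constructed client addresses on either side of the range boundaries.
    for client in ("141.199.255.255", "141.200.0.1", "141.207.255.255", "141.208.0.0"):
        print(f"{client:16} in {cidr}: {in_subnet(client, cidr)}")
```
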

To apply partial segment masking to IP filters, see Example: Secondary Element Processing--Single Address Exception and Example: Secondary Element Processing-Carve Out Exception.