Teradata Database provides the following methods for restricting database access by IP address:
- Create IP restrictions in an XML document or a directory and then transfer them to the IP restriction GDO. See the topics that follow this one.
- Create a security policy that defines IP restrictions. For details about configuration and use of policy IP restrictions, see Network Security Policy.
IP restrictions apply to direct database logons and to logons through Unity. For logons through Unity, in addition to the logon user name and IP address, the Teradata Gateway also receives the Unity user ID and IP address.
IP restrictions are not applicable to users who log on through middle-tier applications because the Teradata Gateway does not see the originating IP address. The exception to this rule is Unity, which passes the client IP address to the Teradata Gateway.
Link-local IP Addresses
IPv6 and IPv4 link-local IP addresses are blocked from connecting to the database. During Teradata Database installation, an ipfilter is added to the ipfilter GDO restricting access to the link-local IP address range (fe80:: for IPv6 and 169.254.0 for IPv4).
The following ipfilter is added to ipfilter.xml to permit all IP addresses to connect to the database, except for blocked addresses in the listed ranges:
<ipfilter name="linklocal" type="permissive">
<appliesto tagref="allusers" />
Once the link-local restrictions are configured, backing down to an earlier release of Teradata Database will not remove the restrictions. If link-local IP addresses are needed, they must be manually allowed.
If the upgrade or installation detects that the customer is currently using ipfilters, the link-local restriction will not be imposed and a warning message will advise the customer to add the link-local restrictions manually.
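Because an upgrade can skip the link-local filter when ipfilters are already in use, it is worth checking an ipfilter.xml for it afterward. The following is an added example, not Teradata code: it looks only for the filter name, type and appliesto reference shown above. The `<ipfilters>` wrapper element, the `site` and `dbadmins` names and the `audit_linklocal` function are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The <ipfilters> wrapper and the "site" / "dbadmins"
# names are assumptions; only the <ipfilter> and <appliesto> lines are from
# the page. Range entries are left out because the page does not show them.
INSTALLED = """<ipfilters>
  <ipfilter name="linklocal" type="permissive">
    <appliesto tagref="allusers" />
  </ipfilter>
</ipfilters>"""

SKIPPED = """<ipfilters>
  <ipfilter name="site" type="permissive">
    <appliesto tagref="allusers" />
  </ipfilter>
</ipfilters>"""

NARROWED = """<ipfilters>
  <ipfilter name="linklocal" type="permissive">
    <appliesto tagref="dbadmins" />
  </ipfilter>
</ipfilters>"""


def audit_linklocal(xml_text):
    """Return findings; an empty list means the filter matches the page."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"document is not well-formed XML: {exc}"]
    # iter() also matches the root, so a bare <ipfilter> document works too.
    found = [f for f in root.iter("ipfilter") if f.get("name") == "linklocal"]
    if not found:
        return ["no ipfilter named 'linklocal' found"]
    findings = []
    for flt in found:
        if flt.get("type") != "permissive":
            findings.append(f"linklocal has type {flt.get('type')!r}")
        tagrefs = {a.get("tagref", "") for a in flt.findall("appliesto")}
        if "allusers" not in tagrefs:
            findings.append(f"linklocal applies to {sorted(tagrefs)}, not allusers")
    return findings


if __name__ == "__main__":
    for label, doc in [("installed", INSTALLED), ("skipped", SKIPPED),
                       ("narrowed", NARROWED)]:
        print(label, audit_linklocal(doc) or "ok")
```

A restriction that was added manually under a different filter name is reported as missing, so treat that finding as a prompt to inspect the file rather than as proof the ranges are open.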
To modify the link-local IP address configuration, see Editing or Disabling IP Restrictions.
For information on how to configure IP restrictions, see Creating XML-Based IP Restrictions.