The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter's point of view), as well as the passwords required to set up the connection (corresponds to a substring).
It is used to specify which connections are allowed and which prohibited by SAProuter. It also specifies whether SNC connections are set up and if so, which ones.
Standard entries in a route permission table have the following syntax:
P/S/D <source-host> <dest-host> <dest-serv> <password>
SNC entries for incoming connections have the following syntax:
KT <SNCname src-host> <src-host> <src-serv>
SNC entries for outgoing connections have the following syntax:
KT <SNCname dest-host> <dest-host> <dest-serv>
KD-, KP and KS entries have the following syntax:
K<D/P/S> <SNCname source-host> <dest-host> <dest-serv> <Kennwort>
The beginning of the line can be as follows:
Entry | Meaning |
---|---|
P (Permit) |
Triggers the SAProuter to open the connection. P(permit) entries can contain a password. SAProuter checks whether this password corresponds to that sent by the client. Directly after the P, you can specify the maximum number of SAProuters permitted before and after this SAProuter on the route for the connection to be allowed: Pv,n. v is the maximum number of preceding SAProuters on this route, and n is the maximum number of following SAProuters. |
S (Secure) |
Only permits connections with the NI protocol. Connections with other protocols, for example TCP, are not permitted. With Sv,n you can determime the number of preceding and succeeding SAProuters on the route, the same as you can with P. |
D (Deny) |
Prevents the connection from being set up. |
KT (Key Target) |
This defines which connections should be SNC connections. This can be defined for both incoming and outgoing connections (from the point of view of this SAProuter). |
K<D/P/S> | The (encrypted) SNC connection is set up if the route string contains the correct <password>. |
# |
With # you can insert comment lines. |
SNC entries always start with the letter K (key).
So that SNC connections are possible, the appropriate SAProuters must have been started with option -K, and the route permission table must contain the appropriate KT entry.
Security Note:
For security reasons SAP recommends that you do not use wildcards ( *) for the target host ( <dest-host>) and the target port ( <dest-serv>) in P and S lines in the route permission table. If the table contains these lines, the SAProuter issues a warning message:
WARNING: wildcard character used in route target
Element | |
---|---|
<source-host> | This element describes the host from where the connection comes (from the view point of the SAProuter). Here you can specify a host name, an IP address, or an IP subnetwork. <source-host> can be a SAProuter. |
<dest-host> | With the <dest-host> element you can specify the host to which the connection is to go (from the view point of the SAProuter). Here you can specify a host name, an IP address, or an IP subnetwork. <dest-host> can be a SAProuter. |
<dest-serv> | With the <dest-serv> element you can specify the port of the target host. Here you can also specify port ranges by separating the two ports that enclose the port range with a point. If <dest-serv> has value 3200.3298, this means connections to the target server on all ports between 3200 and 3298. |
If a <source-host> client wants to set up a connection to <dest-host> <dest-serv> through a SAProuter, SAProuter checks its route permission before the connection is set up. If the password and route that SAProuter has received correspond to the entries in the route permission table, SAProuter sets up the connection. In this is not the case, SAProuter does not set up the connection, and issues the message "route permission denied".
The following rules apply when the SAProuter evaluates the route permission table.
First Match:
The lines in the route permission table are evaluated from top to bottom. The first entry in the route permission table for which the source address, target address, and target port match determines whether a connection is permitted or denied.
If there is no matching entry in the table for a route, the connection is denied. It behaves as though the last line were a
D * * *.