Validation of an incoming IP address

This feature enables you to validate incoming IP addresses against a table in the ECAIPLSx member in IOA.PARM library. This list of IP addresses is a source table that contains IP addresses that are allowed or forbidden to communicate with IOAGATE. All incoming addresses are checked against the table.

Define these IP addresses using one of the following methods:

Note: When IPv6 is enabled on the z/OS system, IOAGATE messages display incoming IPv4 connections in the form of IPv4-mapped IPv6 addresses. However, do not use IPv4-mapped IPv6 addresses in the ECAIPLSx member. Use the IPv4 addresses instead. IPv6 addresses can be specified in full (39 characters) or abbreviated format (for example, 'fd66:bc12:ac12:101::3'.

• Defining specific IP addresses. For IPv4 addresses, these entries define the implicit subnet mask, 255.255.255.255
• For IPv4 addresses, defining the full range of IP addresses for a given IP segment, by placing asterisks in that segment and in all subordinate segments. With this notation, the IP address range a.b.*.* means that the last two segments of the incoming IP address can be anything and you only want to check the first two segments. Such entries define an implicit subnet mask with zeros in the segments where the asterisks appear and 255 in the other segments. For example, the range 165.4.*.* defines the subnet mask 255.255.0.0. This subnet means that only the first two segments are checked.
• For IPv4 addresses, defining a range using a standard subnet mask. You should use this method when you want to define a range of IP address which does not fall in exact segment boundary. For example, 165.4.240.0,MASK=255.255.240.0 means that you want to check the first two segments and also the four leftmost bits of the third segment (240=X'F0').
• For IPv6 addresses, defining a range of addresses by specifying the lowest and highest addresses in the range. For example:

  ALLOW FD66:BC12:AC12:101::1-FD66:BC12:AC12:101::FFFF

  The low and high addresses must be separated by one hyphen, no spaces.

  Note: ALLOW * and FORBID * apply also to IPv6 addresses.

  If the text extends beyond column 70 (for example, if the 2 IP addresses are 39 character long each), use the following 2-line format:

  • Line 1: ALLOWFR or FORBIDFR in column 1, followed by a space and the low IP address.
  • Line 2: ALLOWTO or FORBIDTO in column 1, followed by a space and the high IP address.

  Example:

  ALLOW *

  FORBIDFR 2001:500:100:1191:250:56FF:FEB7:4A30

  FORBIDTO 2001:500:100:1191:250:56FF:FEB7:4A39

  Note: The subnet mask applies both to the incoming address and the specified address in the entry. The mask selects the exact bits in both addresses that are matched. The rest of the bits are ignored.

For details on how to define IP addresses, see Guidelines for defining IP addresses.

For examples on how to code IP addresses, see Examples.