OIT Networking & Monitoring Services

Host Database Field: OIT-NETGROUP, ADD-OIT-NETGROUP

[This document describes a field in the Princeton University Host Database. You may also view descriptions of other fields.]

These fields are used to apply a variety of "tags" to a Host Database entry.

Originally, these fields resulted in the hostname being added to actual NIS (a.k.a. "YP") netgroups maintained by OIT. That's why these fields are still referred to as "netgroups" in the Host Database.

While a few of these fields still influence the contents of real netgroups, in most cases these fields no longer have anything to do with actual NIS netgroups. Instead, these fields have become an extensible mechanism for "tagging" Host Database entries. These tags are used for a variety of purposes, such as indicating the Host Database entry is a member of a group (e.g. IP addresses used for some OIT service), marking the device ineligible for certain services, or locking some or all of the Host Database entry.

You can't specify these fields via the Web forms. Some netgroup values are determined automatically for you based upon the information you enter in the other fields. Others are set (or unset) manually by OIT Networking & Monitoring Services staff as necessary.

Some netgroups that you may see in entries include:

dhcp-and-bootp-ineligible

This netgroup may be added by Networking & Monitoring Services staff to mark all hardware addresses that may appear in the Host Database entry as ineligible for OIT BootP Service and OIT DHCP Service.

This tells the servers which provide those services to not provide BootP assignments or DHCP leases to a client using any of those hardware addresses.

lockedcanonicalname

This netgroup may be added by Networking & Monitoring Services staff to mark the Host Database entry's canonical DNS name as locked. This prevents the ENTRY-NAME and DNS-DOMAIN fields from being changed. It also prevents the Host Database entry as a whole from being deleted (as that would result in the DNS canonical name being deleted from the Host Database).

OIT locks the canonical DNS name in a Host Database entry when there is some special handling in DNS for that name.

It's important to understand that this netgroup represents a lock on the canonical DNS name in the Host Database entry, not a block.

lockeddnsnames

This netgroup may be added by Networking & Monitoring Services staff to mean the same thing as adding all of the following netgroups to the Host Database entry: lockedcanonicalname, lockedhostaliases, and lockedinterfacealiases.

It's important to understand that this netgroup represents a lock on the DNS names in the Host Database entry, not a block.

lockedentrytypes

This netgroup may be added by Networking & Monitoring Services staff to mark the value of the ENTRY-TYPE field in the Host Database entry as locked. This prevents the value of that field from being changed.

It's important to understand that this netgroup represents a lock on the ENTRY-TYPE in the Host Database entry, not a block.

lockedhardwareaddresses

This netgroup may be added manually by Networking & Monitoring Services staff to mark the hardware addresses in the Host Database entry as locked. This prevents any of the hardware addresses in the entry from being changed or deleted. It also prevents additional hardware addresses from being added to this entry. It also prevents the Host Database entry as a whole from being deleted (as that would result in the hardware address(es) being deleted from the Host Database).

OIT locks the hardware addresses in a Host Database entry when there is some special handling in the network infrastructure for one or more of those hardware addresses. Such special handling might include:

It's important to understand that this netgroup represents a lock on the hardware addresses in the Host Database entry, not a block. It just happens that often the hardware address in the Host Database entry is locked because it has been blocked in the network, but not always.

The reason OIT Networking & Monitoring Services locks a hardware address in a Host Database entry becomes clear when we consider what would happen if the hardware address were blocked in the network infrastructure (e.g. because the device is the source of harmful traffic), but the hardware address were not locked in the Host Database entry. If the customer replaced the device with a new one (changing the hardware address in the Host Database entry, or deleting the Host Database entry and adding an entirely new entry), then gave the old device to someone else, the new owner would encounter mysterious difficulties because the old device's traffic is still blocked in the network infrastructure. Another troublesome scenario would be for the owner to replace the device's network interface card with another one (changing the hardware address in the Host Database entry); the device would regain network access despite the fact that the problem causing the harmful traffic has not been fixed.

Locking the hardware addresses in the Host Database entry prevents the scenarios above, and other related scenarios. In those cases, when the owner tries to change hardware addresses in the Host Database entry or delete the entire Host Database entry, s/he will find it is not possible to do so; instead a terse error message will be displayed. When the owner contacts OIT, the terse error message (which is intended to be decipherable to OIT Networking & Monitoring Services staff) will lead us back to the reason the hardware addresses are locked (e.g. they are blocked in the network infrastructure due to the harmful traffic). That will allow OIT to remind the customer that the underlying problem (the harmful traffic) needs to be resolved before we may allow the hardware addresses to be changed or deleted.

lockedhostaliases

This netgroup may be added by Networking & Monitoring Services staff to mark the Host Database entry's host aliases as locked. This prevents any host aliases from being added, changed, or deleted. (If the entry presently has any host aliases, it also prevents the Host Database entry as a whole from being deleted, as that would result in the host alias(es) being deleted from the Host Database.)

OIT locks the host aliases in a Host Database entry when there is some special handling in DNS for one of those host aliases, or special reliance in DNS on the non-existence of host aliases.

It's important to understand that this netgroup represents a lock on the host aliases in the Host Database entry, not a block.

lockedhostdbentries

This netgroup may be added manually by Networking & Monitoring Services staff to mark an entire Host Database entry as locked. This prevents the entry from being changed or deleted.

OIT may use this when there is some special relationship between the Host Database entry and other data hardcoded in the Host Database, and changing or deleting this entry would break that relationship in a particularly harmful way.

As a rule of thumb, when the necessary restriction(s) may be accomplished through the other more granular locks available in the Host Database, we prefer to use one or more of the more granular locks, rather than using the coarse lockedhostdbentries lock. For example, if the need is to prevent the entry's canonical name and IP addresses from being changed, we prefer to apply the lockedcanonicalname and lockedipaddresses locks to the Host Database entry rather than applying the lockedhostdbentries lock to the entry. That's because using the coarser lock would unnecessarily restrict other changes to the entry (for example, updating the Technical Contacts). Using the granular locks also better describes the necessary restriction(s).

lockedinterfacealiases

This netgroup may be added by Networking & Monitoring Services staff to mark the Host Database entry's interface aliases as locked. This prevents any interface aliases from being added, changed, or deleted. (If the entry presently has any interface aliases, it also prevents the Host Database entry as a whole from being deleted, as that would result in the interface alias(es) being deleted from the Host Database.)

OIT locks the interface aliases in a Host Database entry when there is some special handling in DNS for one of those interface aliases, or special reliance in DNS on the non-existence of interface aliases.

It's important to understand that this netgroup represents a lock on the interface aliases in the Host Database entry, not a block.

lockedipaddresses

This netgroup may be added manually by Networking & Monitoring Services staff to mark the IP addresses in the Host Database entry as locked. This prevents any of the IP addresses from being changed or deleted. It also prevents additional IP addresses from being added to this entry. It also prevents the Host Database entry as a whole from being deleted (as that would result in the IP address(es) being deleted from the Host Database).

OIT locks the IP addresses in a Host Database entry when there is some special handling in the network infrastructure for one or more of those IP addresses. Such special handling might include:

It's important to understand that this netgroup represents a lock on the IP addresses in the Host Database entry, not a block. It just happens that sometimes the IP addresses in the Host Database entry are locked because they have been blocked in the network, but not always.

The reason OIT Networking & Monitoring Services locks an IP address in a Host Database entry becomes clear when we consider what would happen if traffic to that IP address were blocked in the network infrastructure (e.g. because the device is the source of harmful traffic), but the IP address were not locked in the Host Database entry. If the customer replaced the device with a new one by deleting the Host Database entry and adding an entirely new entry, that would put the IP address back into the pool of available IP addresses. Eventually that IP address would be re-assigned to another Host Database entry, probably belonging to another customer. Another troublesome scenario would be for the owner to change the Host Database entry to cause a different IP address to be assigned; the device would regain network access despite the fact that the problem causing the harmful traffic has not been fixed.

Locking the IP addresses in the Host Database entry prevents the scenarios above, and other related scenarios. In those cases, when the owner tries to change IP addresses in the Host Database entry or delete the entire Host Database entry, s/he will find it is not possible to do so; instead a terse error message will be displayed. When the owner contacts OIT, the terse error message (which is intended to be decipherable to OIT Networking & Monitoring Services staff) will lead us back to the reason the IP addresses are locked (e.g. they are blocked in the network infrastructure due to the harmful traffic). That will allow OIT to remind the customer that the underlying problem (the harmful traffic) needs to be resolved before we may allow the IP addresses to be changed or deleted.
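
The lock semantics described in the sections above (lockedcanonicalname through lockedipaddresses), sketched as an added example that is not OIT's code or part of the Host Database. The entry keys, the change labels and the sample entries are assumptions constructed for the illustration.

```python
# Added illustration of the lock netgroups described above. The entry keys
# and change labels are assumptions; they are not Host Database identifiers.

# lockeddnsnames stands for these three granular locks.
EXPANSIONS = {"lockeddnsnames": {"lockedcanonicalname", "lockedhostaliases",
                                 "lockedinterfacealiases"}}

# Granular lock guarding each kind of field change.
FIELD_LOCKS = {
    "canonical_name": "lockedcanonicalname",      # ENTRY-NAME, DNS-DOMAIN
    "entry_type": "lockedentrytypes",             # ENTRY-TYPE
    "hardware_addresses": "lockedhardwareaddresses",
    "host_aliases": "lockedhostaliases",
    "interface_aliases": "lockedinterfacealiases",
    "ip_addresses": "lockedipaddresses",
}

# Locks that also forbid deleting the whole entry. The alias locks do so
# only while the entry actually has aliases of that kind.
DELETE_ALWAYS = {"lockedcanonicalname", "lockedhardwareaddresses",
                 "lockedipaddresses"}
DELETE_IF_PRESENT = {"lockedhostaliases": "host_aliases",
                     "lockedinterfacealiases": "interface_aliases"}

def effective_locks(netgroups):
    """Expand shorthand netgroups into the granular locks they imply."""
    locks = set(netgroups)
    for ng in netgroups:
        locks |= EXPANSIONS.get(ng, set())
    return locks

def blocking_locks(entry, change):
    """Sorted locks forbidding `change` ("delete_entry" or a field name)."""
    locks = effective_locks(entry["netgroups"])
    hits = locks & {"lockedhostdbentries"}  # coarse lock blocks everything
    if change == "delete_entry":
        hits |= locks & DELETE_ALWAYS
        hits |= {lock for lock, field in DELETE_IF_PRESENT.items()
                 if lock in locks and entry.get(field)}
    elif FIELD_LOCKS.get(change) in locks:
        hits.add(FIELD_LOCKS[change])
    return sorted(hits)

# Constructed sample entries (not real Host Database records).
BLOCKED_DEVICE = {"netgroups": ["princetonhosts", "lockedhardwareaddresses"]}
DNS_SPECIAL = {"netgroups": ["princetonhosts", "lockeddnsnames"],
               "host_aliases": [], "interface_aliases": []}

if __name__ == "__main__":
    for change in ("hardware_addresses", "technical_contacts", "delete_entry"):
        print("BLOCKED_DEVICE", change, blocking_locks(BLOCKED_DEVICE, change))
    for change in ("host_aliases", "delete_entry"):
        print("DNS_SPECIAL", change, blocking_locks(DNS_SPECIAL, change))
```

An empty result means no lock forbids the change; a non-empty result names the lock or locks that do, which is the information the terse error message is meant to lead staff back to.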

mobileipineligible

This netgroup may be manually added by Networking & Monitoring Services staff to mark the Host Database entry ineligible for OIT Mobile IP Service. It applies to all hardware addresses that appear in the Host Database entry.

There are a variety of reasons OIT may mark a Host Database entry ineligible for OIT Mobile IP Service. Common reasons include the device being compromised, or the device's DHCP client software being misconfigured or broken. When OIT staff mark a Host Database entry ineligible for OIT Mobile IP Service, some notification is normally sent to the person responsible for the device; that notification would contain the reason for the device being made ineligible for OIT Mobile IP Service.

It is also possible for a hardware address to be marked ineligible for OIT Mobile IP Service independent of any Host Database entry. As a result, the absence of the mobileipineligible netgroup from a Host Database entry does not mean that all the entry's hardware addresses are eligible for OIT Mobile IP Service. A list of all hardware addresses marked ineligible for OIT Mobile IP Service appears in Devices Blocked from Mobile IP Service. Also keep in mind that there are other characteristics of a Host Database entry (e.g., ENTRY-TYPE) that may make some or all of the entry's hardware addresses ineligible for OIT Mobile IP Service; see OIT Mobile IP Services for a complete list of the eligibility requirements for OIT Mobile IP Service.

oit

This netgroup is sometimes added to an entry when the entry's DEPARTMENT-NAME contains "Office of Information Technology".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

oitwirelessineligible

This netgroup may be manually added by Networking & Monitoring Services staff to mark the Host Database entry partially or completely ineligible for OIT Wireless Service. It applies to all hardware addresses that appear in the Host Database entry.

princetonbridges

This netgroup is added to an entry if the ENTRY-TYPE contains "BRIDGE".

Once added to an entry, nothing automatically removes this netgroup from an entry.

princetondynamics

This netgroup appears in entries for IP addresses that belong to OIT Mobile IP Address Service. These IP addresses are leased to OIT Mobile IP clients.

princetonhosts

This netgroup is added to all entries.

princetonhubs

This netgroup is added to an entry if the ENTRY-TYPE contains "HUB".

Once added to an entry, nothing automatically removes this netgroup from an entry.

princetonmipsdec

This netgroup is added to an entry when the entry's SYSTEM-TYPE starts with "DECS".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

princetonnexts

This netgroup is added to an entry when the entry's SYSTEM-TYPE starts with "NEXT".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

princetonrouters

This netgroup is added to an entry if the ENTRY-TYPE contains "ROUTER".

Once added to an entry, nothing automatically removes this netgroup from an entry.

princetonsgis

This netgroup is added to an entry when the entry's SYSTEM-TYPE starts with "SGI".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

princetonsuns

This netgroup is added to an entry when the entry's SYSTEM-TYPE starts with "SUN".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

princetonunixhosts

This netgroup is added to an entry if the OPERATING-SYSTEM contains "AUSPEX", "IX", "FREEBSD", "NETBSD", "MACH", "MAC-OS-X", "NEXT", "OSF", "SUNOS", "SOLARIS", "LINUX", or "UX".

Once added to an entry, nothing automatically removes this netgroup from an entry. There is no negative impact to having this netgroup appear in a Host Database entry, even if the device no longer (or never) runs a UNIX-ish operating system.

It is possible that nothing uses this netgroup any more.

princetonvaxen

This netgroup is added to an entry when the entry's SYSTEM-TYPE starts with "VAX".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

princetonvips

This netgroup appears in entries for IP addresses that belong to Visitor IP (VIP) Service. These IP addresses are leased to VIP clients.

princetonvmshosts

This netgroup is added to an entry if the OPERATING-SYSTEM contains "VMS".

Once added to an entry, nothing automatically removes this netgroup from an entry.

This netgroup is historical, and should no longer be relied upon.

sirfexempt

This netgroup may be added manually by Networking & Monitoring Services staff to mark all the OIT Static IP Addresses in the entry exempt from being recycled by the OIT Static IP Recycling Facility (SIRF).

suppressforwarddns

This netgroup may be added manually by Networking & Monitoring Services staff. It's used to specify that any DNS resource records based on this entry that would normally be added to the DNS "forward" zone file should instead be suppressed.

tvwnaips

This netgroup appears in entries for IP addresses that belong to Temporary Visitor Wireless Network Access (TVWNA). These IP addresses are leased to TVWNA clients.

wirelessineligible

This netgroup may be manually added by Networking & Monitoring Services staff to mark the Host Database entry completely ineligible for all wireless services provided by OIT. That presently includes OIT Wireless Service and Temporary Visitor Wireless Network Access (TVWNA). (As TVWNA is not provided to hardware addresses registered in active Host Database entries, this marking is superfluous for TVWNA.)

This is intended to apply also to Eduroam Wireless Service, but Eduroam wireless service ignores this block.

servicenet wireless service ignores this block.

OIT operates other undocumented wireless services; they also ignore this block.

This marking applies to all hardware addresses that appear in the Host Database entry.

There are a variety of reasons OIT may mark a Host Database entry completely ineligible for all wireless services provided by OIT. Common reasons include a defective wireless interface, the device being compromised, or the device's DHCP client software being misconfigured or broken. When OIT staff mark a Host Database entry completely ineligible for all wireless services, some notification is normally sent to the person responsible for the device; that notification would contain the reason for the device being made ineligible for all wireless services provided by OIT.


A service of OIT Networking & Monitoring Services
The Office of Information Technology,
Princeton University