TCP/IP for z/VM Update
Tracy Adams, z/VM Connectivity Development
CAVMEN, April 17, 2008

Agenda
• General IPv6 Support
• Level 520 Enhancements
• Level 530 Enhancements
• Service Strategy
IPv6 support currently in z/VM
• CP support for IPv6
  • QDIO and HIPERSOCKETS Guest LANs support IPv6
  • Layer 2 VSWITCH supports IPv6
• TCP/IP support for IPv6
  • HiperSockets (QDIOIP) and OSA-Express (QDIOETHERNET) devices
  • Dynamic routing with MPROUTE
  • Static routing and IPv6 Router Advertisements
  • IFCONFIG, IPWIZARD, NETSTAT, PING and TRACERTE
  • Failover and Virtual IP address (VIPA) support
Function: IPv6
• Steps toward support for IPv6 networks
  • Address constraint relief
  • Auto-configuration
  • Other improvements
• Support for IPv6 networks connected through OSA Express (QDIO) adapter
• Static routing
• Router Advertisements
• TRACERTE, PING, and IFCONFIG support
• IPv6 sockets through Language Environment and OpenExtensions Callable Services
Function: IPv6 …
• v4 and v6 networks treated separately
  • Separate HOME lists, filters (BLOCK statement), address translation tables, static routing tables (GATEWAY statement), PORT lists
  • No routing between networks
• New DEVICE OSD statement options
  • IPv6PriRouter
  • IPv6SecRouter
  • IPv6NonRouter
• New LINK QDIOEthernet statement options
  • EnableIPv6
  • DupAddrXmits
Function: IPv6 …
• New RouterAdv statement
  • Defines characteristics of router advertisements for a link
• New RouterAdvPrefix statement
  • Defines the address prefix to be used for link router advertisements and its associated on-link determination, autonomous, and lifetime characteristics
• New AssortedParms statement options
  • IgnoreIPv6Redirect
  • EqualCostIPv6MultiPath
Function: IPv6 …
• New NCBPoolSize statement
  • Defines size of IPv6 Neighbor Control Block pool
• New ICMPErrorLimit statement
  • Defines maximum rate per second of IPv6 ICMP error packets transmitted on a link
• New Neighbor and DelNeighbor functions of NETSTAT
  • Display/delete neighbor cache entries
• NETSTAT DEVLINKS reports
  • Maximum frame size (HiperSockets links)
  • MTU size
  • IPv6 status
  • Multicast addresses
TCP/IP Level 520 New Function
• New MPROUTE
• Standard GATEWAY Statement Syntax
• Sniffer data formatting tool
• Enhanced IPMailerAddress statement
• Improved SSL support
• IPv6 HiperSockets (Post GA)
• GVRP Support (Post GA)
Function: New MPROUTE
• Initial MPROUTE implementation ported z/OS Communications Server OMPROUTE to CMS
  • Recompile with CMS C compiler
  • Fix code incompatibilities
  • Add VM-specific interfaces (e.g., SMSG)
  • Renumber all messages
• Problems
  • Service and enhancements require refit
  • Divergent code bases
  • No IPv6 support
  • No simultaneous use of RIPv1 and RIPv2
  • Limited documentation
Function: New MPROUTE …
• New MPROUTE implementation uses z/OS Communications Server V1.7 OMPROUTE as-is
  • Use z/OS binary in CMS unchanged
  • Enhance CMS cradling environment to provide equivalents of z/OS functions used by OMPROUTE
  • Use z/OS messages
• Benefits
  • Current routing technology
  • Common code base
  • Functional equivalence
  • OMPROUTE service handled by z/OS service team
  • Upgrade requires minimal effort
  • Less VM-specific documentation
Function: Standard GATEWAY Statement Syntax

           .-----------------------------.
           v                             |
>>-GATEWAY-+-----------------------------+-><
           |-| IPv4 GATEWAY list entry |-|
           '-| IPv6 GATEWAY list entry |-'

IPv4 GATEWAY list entry:
|-+-ipv4_dest/maskLength--+-first_hop-link-+-max_packet_size-+-|
  |-ipv4_dest-subnet_mask-+                |-DEFAULTSIZE-----|
  '-DEFAULTNET------------'                '-0---------------'

IPv6 GATEWAY list entry:
|-+-ipv6_dest/prefixLength-+-first_hop-link-+-max_packet_size-+-|
  '-DEFAULTNET6------------'                |-DEFAULTSIZE-----|
                                            '-0---------------'
Function: Standard Gateway Statement Syntax

HOME
  9.130.48.78/24               ETH0
  9.130.15.128 255.255.255.0   ETH1
*           Subnet Mask        Next hop     Intfc  MTU
GATEWAY
  9.150.20.0/24                9.130.48.5   ETH0   0
  9.150.30.0  255.255.255.0    9.130.15.16  ETH1   0
  defaultnet                   9.130.48.1   ETH0   0
Function: Sniffer Data Formatting Tool
• New CP facility to record Guest LAN traffic
• IPFORMAT command provided to format and display data
• Configuration file defines
  • RPC program names
  • NFS procedure types
  • Telnet option names
  • ASCII-EBCDIC translation
  • Colors
Function: Sniffer Data Formatting Tool …

               .-TRCDATA *----.
>>-IPFORMAT-fn-+--------------+-+---------------+-><
               |       .-*--.  | '-(-| Options |-'
               '-ft----+----+-'
                       '-fm-'

Options:
   .-OUTFile--fn--IPFDATA--rwm---------.   .-VIew---.
|--+----------------------------------+-+--------+-|
   |               .--IPFDATA---rwm-. | '-NOView-'
   '-OUTFile--ofn--+----------------+-'
                   |        .-rwm-. |
                   '--oft---+-----+-'
                            '-ofm-'
Function: Sniffer Data Formatting Tool …
• Subcommands
  • FILTER packets by source and destination IP address or range, source and destination port number or range, time, protocol, and application
  • SAVE data
  • APPEND data to existing file
  • VIEW detailed packet information
  • HEADER display control
Function: Enhanced IPMailerAddress (PTF)
• Host names and IP addresses allowed
• ALL redirects all non-local mail

>>-IPMAILERADDRESS-+-----+-+-+-ip_address-+-----+-><
                   '-ALL-' | '-hostname---'     |
                           '-Destination List---'

Destination List:
        .----------------.
        v                |
|--LIST-+-+-ip_address-+-+-ENDIPMAILERADDRESS--|
          '-hostname---'
SSL – Secure Sockets Layer
• Provides security functions for any server
• SSL for VM TCP/IP clients
• Negotiated security
• Client authentication
• Certificate database and management
Function: Improved SSL Support
• Additional distribution support
  • SUSE SLES8 Service Pack 3 (31-bit)
  • SUSE SLES9 Service Pack 2 (31-bit)
  • SUSE SLES9 Service Pack 2 (64-bit)
  • Red Hat Enterprise Linux AS V3 (31-bit)
  • Red Hat Enterprise Linux AS V3 (64-bit)
• Industry-standard encryption algorithms
  • Includes DES, triple-DES, RC2, and RC4
  • Keys up to 128 bits
  • Hashes provided by SHA-1 and MD5
• Certificate activation and removal without server restart
• Federal Information Processing Standard (FIPS 140-2) operational mode support
Function: IPv6 HiperSockets
• IPv6-related parameters accepted
  • HIPERS devices
  • QDIOIP links
• Corresponding NETSTAT response changes for IPv6-enabled devices and links
Function: GVRP Support
• GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol
• Provides more of the standard switch semantics by automatically registering VLAN identifiers with GVRP-aware network switches
• Eliminates manual configuration of individual physical switch port VLAN assignments for VSWITCH and QDIO links

                                  |-GVRP---|
>>-LINK-QDIOETHernet-...-VLAN-nnn-+--------+-...-><
                                  |-NOGVRP-|
TCP/IP Level 520 Serviceability Improvements
• Report PROFILE file attributes
• Log access violations on console
• NETSTAT CONFIG
• Load address in NETSTAT LEVEL
Serviceability: Report PROFILE File Attributes
• Display PROFILE file characteristics during stack initialization
• Identify source of configuration data
• Help identify cause of configuration problems

DTCIPI006I Using profile file name type mode dated date time
Serviceability: Log Access Violations on Console
• Access violation detected when a user in the RESTRICT list attempts to use TCP/IP services
• Now recorded in the console log as well as in a separate file

DTCUTI044I Unauthorized TCP/IP access attempt by user
Serviceability: NETSTAT CONFIG
• New NETSTAT command options to display current stack configuration

                  '-PARMS-TRACE-----'
>>-NETSTAT-CONFIG-+-----------------+-><
                  | .-------------. |
                  | v             | |
                  '-+-|ACCESS---|-+-'
                      |ALL------|
                      |HELP-----|
                      |OBEY-----|
                      |PARMS----|
                      |PORT-----|
                      |TRANSLATE|
                      'TRACE----'
Serviceability: Load Address in NETSTAT LEVEL
• NETSTAT LEVEL displays stack module load address
• Useful for computing trace trap addresses

IBM 2094; z/VM Version 5 Release 2.0, service level 0000 (64-bit),
VM TCP/IP Level 520; RSU 0000 running TCPIP MODULE E2 dated 10/17/05 at 16:53
TCP/IP Module Load Address: 00BAC000
TCP/IP Level 520 Performance Improvements
• 64-bit Diagnose X'98'

Performance: 64-bit Diagnose X'98'
• TCP/IP stack uses Diagnose X'98' to lock real memory for QDIO, ATM, HyperChannel, CLAW, CTCA, and LCS devices
• Diagnose X'98' extended in z/VM 5.2.0 to allow pages to be locked above 2G in real memory
• TCP/IP stack attempts to use pages above 2G to reduce system-wide pressure on memory below 2G
TCP/IP Level 520 Infrastructure Improvements
• NETSTAT CP output limit increased
  • Up to 32767 bytes

TCP/IP Level 520 Packaging Enhancements
• Preconfigured VSWITCH controllers
• Migration support
Packaging: Preconfigured VSWITCH Controllers
• Two new virtual machines defined as VSWITCH controllers
  • DTCVSW1 and DTCVSW2
  • Started by AUTOLOG1
• No configuration required
  • Define VSWITCHes with CONTROLLER * (default)
• Designed to simplify VSWITCH implementation
• Demonstrates best practices
Packaging: Migration Support
• TCP/IP migration exit
  • Examines existing configuration files
  • Controls copying actions to new system
  • Recommends areas requiring customer attention
    • E.g., reports session connection exit interface changes
TCP/IP Level 530 New Function
• LDAP Server and Client
• IP Takeover (IPv4 and IPv6)
• Delete Device and Link
• SSL upgrade
• TLS support
• SNMP for Virtual Switches
• MPROUTE V1R8
• RouteD and BootP discontinued
LDAP
• Solves a problem: the ability to have RACF be a central repository for your z/VM and Linux passwords
• Lightweight Directory Access Protocol (RFC 2251)
• Standard way for a client to retrieve data stored in a Directory Information Tree (DIT)
• z/OS 1.8 IBM Tivoli Directory Server (ITDS)
Function: LDAP Server and Client
• LDAP Server provides:
  • Multiple concurrent database instances (referred to as backends)
  • Interoperability with LDAP V2 or V3 protocol-capable clients
  • LDAP Version 2 and Version 3 protocol support
  • Native authentication using Challenge-Response Authentication Method (CRAM-MD5), DIGEST-MD5 authentication, and Simple (unencrypted) authentication
  • Root DSE information
  • Master/slave and peer-to-peer replication
Function: LDAP Server and Client
• LDAP Server provides:
  • The ability to refer clients to additional directory servers
  • The capability to create an alias entry in the directory to point to another entry in the directory
  • Access controls on directory information
  • Change logging
  • Schema publication and update
  • SSL communication (SSL V3 and TLS V1)
  • Client and server authentication using SSL/TLS
Function: LDAP Server and Client
• LDAP client utilities provide a way to add, modify, search, and delete entries in any server that accepts LDAP protocol requests.
Interface High Availability – IP Takeover
• IP takeover is supported to minimize the impact of a hardware interface failure
  • QDIO Ethernet and LCS Ethernet devices only
• No special parameters or options necessary
  • If the TCP/IP stack determines two interfaces are on the same network, IP takeover will be enabled for those interfaces
  • For IPv4, determination is based on the IP addresses and subnet masks of the interfaces
  • Subnet masks may be defined on the HOME statement, the GATEWAY statement, or in the MPROUTE CONFIG file
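The same-network determination described above, as an added example in Python (not code from the presentation or from z/VM TCP/IP): it parses a constructed HOME statement written in the Level 520 standard syntax (both the /maskLength and the dotted subnet mask forms shown on the GATEWAY syntax slide) and groups the links that would become IP takeover partners. The HOME entries and link names are made up for this example.

```python
import ipaddress

# Constructed HOME statement in the Level 520 standard syntax; an entry gives
# its mask either as /maskLength or as a dotted subnet mask (sample values).
HOME_STATEMENT = """\
HOME
  10.1.1.1/24                 OSA1
  10.1.1.2     255.255.255.0  OSA2
  9.130.15.128 255.255.255.0  ETH1
"""


def parse_home(text):
    """Return {link: IPv4Interface} for every HOME entry, accepting both mask forms."""
    links = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() == "HOME":
            continue
        if len(parts) == 2:                   # ipv4_addr/maskLength link
            addr, link = parts
        elif len(parts) == 3:                 # ipv4_addr subnet_mask link
            addr, link = f"{parts[0]}/{parts[1]}", parts[2]
        else:
            raise ValueError(f"unrecognised HOME entry: {line!r}")
        links[link] = ipaddress.ip_interface(addr)  # accepts dotted masks too
    return links


def takeover_groups(links):
    """Group links whose address and mask place them in the same IPv4 network.

    This is the rule on the slide: takeover is enabled only between interfaces
    the stack decides share a network, judged by address and subnet mask.
    """
    by_network = {}
    for link, iface in links.items():
        by_network.setdefault(iface.network, []).append(link)
    return {net: sorted(names) for net, names in by_network.items() if len(names) > 1}


def takeover_partner(links, failed):
    """Name a link that would take over `failed`'s address, or None if it has no peer."""
    for names in takeover_groups(links).values():
        if failed in names:
            return next(name for name in names if name != failed)
    return None


if __name__ == "__main__":
    links = parse_home(HOME_STATEMENT)
    for net, names in takeover_groups(links).items():
        print(f"{net}: takeover enabled between {', '.join(names)}")
    print("partner for OSA1:", takeover_partner(links, "OSA1"))
```

ETH1 has no partner in the sample because no other link shares its 9.130.15.0/24 network, which is exactly the case in which the stack leaves takeover disabled.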
IP Takeover Details
(Figure: z/VM TCP/IP with two adapters on network 10.1.1.0/24, OSA1 at 10.1.1.1 and OSA2 at 10.1.1.2; host 10.1.1.3 is on the same network.)
• Host 10.1.1.3 forms a connection with 10.1.1.1 (OSA1)

IP Takeover Details (cont.)
(Figure: OSA1 fails; OSA2 now carries both 10.1.1.2 and 10.1.1.1.)
• OSA2 informs the host that traffic for 10.1.1.1 should be sent through this interface

IP Takeover Details (cont.)
• 10.1.1.3 starts sending packets to OSA2
Function: Delete Device and Link
• Device and Link statements can now be dynamically removed from the z/VM TCP/IP stack.
• New -REMOVE option for IFCONFIG: IFCONFIG -REMOVE
• New SIOCDINTERFACE subcommand for REXX and C
Function: SSL upgrade
• Support for
  • Novell(R) SUSE(R) Linux Enterprise Server (SLES) 9 Service Pack 3 (64-bit)
  • Novell SUSE Linux Enterprise Server (SLES) 9 Service Pack 3 (31-bit)
  • Red Hat Enterprise Linux(R) (RHEL) AS 4 Update 4 (64-bit)
  • Red Hat Enterprise Linux (RHEL) AS 4 Update 4 (31-bit)
Function: TLS Support
• Secure Sockets Layer/Transport Layer Security (SSL/TLS)
  • FTP
  • Telnet
  • SMTP
• Data transmission can start in clear text and be converted to secure text at a later time.
Function: SNMP for Virtual Switches
• Management IP address for Virtual Switch
  • New HOME statement
• Generic SNMP Subagent
• Bridge MIBs for Virtual Switch reporting

Function: MPROUTE
• MPROUTE support upgraded to V1R8
RouteD and BootP support discontinued
• MPROUTE and DHCP are available and recommended to provide the services formerly performed by RouteD and BootP.