1 / 54

TCP/IP for z/VM Update Tracy Adams, z/VM Connectivity Development

TCP/IP for z/VM Update Tracy Adams, z/VM Connectivity Development. CAVMEN April 17, 2008. Agenda. General IPv6 Support Level 520 Enhancements Level 530 Enhancements Service Strategy. IPv6 support currently in z/VM. CP support for IPv6 QDIO and HIPERSOCKETS Guest LANs support IPv6

maleah
Download Presentation

TCP/IP for z/VM Update Tracy Adams, z/VM Connectivity Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TCP/IP for z/VM UpdateTracy Adams, z/VM Connectivity Development CAVMEN April 17, 2008

  2. Agenda • General IPv6 Support • Level 520 Enhancements • Level 530 Enhancements • Service Strategy

  3. IPv6 support currently in z/VM • CP support for IPv6 • QDIO and HIPERSOCKETS Guest LANs support IPv6 • Layer 2 VSWITCH supports IPv6 • TCP/IP support for IPv6 • HiperSockets (QDIOIP) and OSA-Express (QDIOETHERNET) devices • Dynamic routing with MPROUTE • Static routing and IPv6 Router Advertisements • IFCONFIG, IPWIZARD, NETSTAT, PING and TRACERTE • Failover and Virtual IP address (VIPA) support

  4. Function: IPv6 • Steps toward support for IPv6 networks • Address constraint relief • Auto-configuration • Other improvements • Support for IPv6 networks connected through OSA Express (QDIO) adapter • Static routing • Router Advertisements • TRACERTE, PING, and IFCONFIG support • IPv6 sockets through Language Environment and OpenExtensions Callable Services

  5. Function: IPv6 … • v4 and v6 networks treated separately • Separate HOME lists, filters (BLOCK statement) address translation tables, static routing tables (GATEWAY statement), PORT lists • No routing between networks • New DEVICE OSD statement options • IPv6PriRouter • IPv6SecRouter • IPv6NonRouter • New LINK QDIOEthernet statement options • EnableIPv6 • DupAddrXmits

  6. Function: IPv6 … • New RouterAdv statement • Defines characteristics of router advertisements for a link • New RouterAdvPrefix statement • Defines address prefix to be used for link router advertisements and associated on-link determination, autonomous, and lifetime characteristics • New AssortedParms statement options • IgnoreIPv6Redirect • EqualCostIPv6MultiPath

  7. Function: IPv6 … • New NCBPoolSize statement • Defines size of IPv6 Neighbor Control Block pool • New ICMPErrorLimit statement • Define maximum rate per second of IPv6 ICMP error packets transmitted on a link • New Neighbor and DelNeighbor functions of NETSTAT • Display/delete neighbor cache entries • NETSTAT DEVLINKS reports • Maximum frame size (Hipersockets links) • MTU size • IPv6 status • Multicast addresses

  8. TCP/IP Level 520 New Function • New MPROUTE • Standard GATEWAY Statement Syntax • Sniffer data formatting tool • Enhanced IPMailerAddress statement • Improved SSL support • IPv6 Hipersockets (Post GA) • GVRP Support (Post GA)

  9. Function: New MPROUTE • Initial MPROUTE implementation ported z/OS Communications Server OMPROUTE to CMS • Recompile with CMS C compiler • Fix code incompatibilities • Add VM-specific interfaces (e.g., SMSG) • Renumber all messages • Problems • Service and enhancements require refit • Divergent code bases • No IPv6 support • No simultaneous use of RIPv1 and RIPv2 • Limited documentation

  10. Function: New MPROUTE … • New MPROUTE implementation uses z/OS Communications Server V1.7 OMPROUTE as-is • Use z/OS binary in CMS unchanged • Enhance CMS cradling environment to provide equivalents of z/OS functions used by OMPROUTE • Use z/OS messages • Benefits • Current routing technology • Common code base • Functional equivalence • OMPROUTE service handled by z/OS service team • Upgrade requires minimal effort • Less VM-specific documentation

  11. Function: Standard GATEWAY Statement Syntax .-----------------------------. v | >>-GATEWAY-+-----------------------------+---------------------->< |-| IPv4 GATEWAY list entry |-| '-| IPv6 GATEWAY list entry |-' IPv4 GATEWAY list entry: |-+-ipv4_dest/maskLength--+-first_hop-link-+-max_packet_size-+---| |-ipv4_dest-subnet_mask-+ |-DEFAULTSIZE-----| '-DEFAULTNET------------' '-0---------------' IPv6 GATEWAY list entry: |-+-ipv6_dest/prefixLength-+-first_hop-link-+-max_packet_size-+--| '-DEFAULTNET6------------' |-DEFAULTSIZE-----| '-0---------------'

  12. Function: Standard Gateway Statement Syntax HOME 9.130.48.78/24 ETH0 9.130.15.128 255.255.255.0 ETH1 * Subnet Mask Next hop Intfc MTU GATEWAY 9.150.20.0/24 9.130.48.5 ETH0 0 9.150.30.0 255.255.255.0 9.130.15.16 ETH1 0defaultnet 9.130.48.1 ETH0 0

  13. Function: Sniffer Data Formatting Tool • New CP facility to record Guest LAN traffic • IPFORMAT command provided to format and display data • Configuration file defines • RPC program names • NFS procedure types • Telnet Option Names • ASCII-EBCDIC translation • Colors

  14. Function: Sniffer Data Formatting Tool …

  15. Function: Sniffer Data Formatting Tool …

  16. Function: Sniffer Data Formatting Tool …

  17. Function: Sniffer Data Formatting Tool …

  18. Function: Sniffer Data Formatting Tool … .-TRCDATA *----. >>-IPFORMAT-fn-+--------------+-+---------------+->< | .-*--. | '-(-| Options |-' '-ft----+----+-' '-fm-' Options: .-OUTFile--fn--IPFDATA--rwm--------. .-VIew---. |--+----------------------------------+-+--------+-| | .--IPFDATA---rwm-. | '-NOView-' '-OUTFile--ofn--+----------------+-' | .-rwm-. | '--oft---+-----+-' '-ofm-'

  19. Function: Sniffer Data Formatting Tool … • Subcommands • FILTER packets by source and destination IP address or range, source and destination port number or range, time, protocol, and application • SAVE data • APPEND data to existing file • VIEW detailed packet information • HEADER display control

  20. Function: Enhanced IPMailerAddress (PTF) • Host names and IP addresses allowed • ALL redirects all non-local mail >>-IPMAILERADDRESS-+-----+-+-+-ip_address-+-----+->< | | | | '-ALL-' +- hostname ---------+ | | '- Destination List –' Destination List: .----------------. v | |--LIST-+-+-ip_address-+-+-ENDIPMAILERADDRESS--| | | '-hostname---'

  21. SSL – Secure Sockets Layer • Provides security functions for any server • SSL for VM TCP/IP clients • Negotiated security • Client authentication • Certificate database and management

  22. Function: Improved SSL Support • Additional distribution support • SUSE SLES8 Service Pack 3 (31-bit) • SUSE SLES9 Service Pack 2 (31-bit) • SUSE SLES9 Service Pack 2 (64-bit) • Red Hat Enterprise Linux AS V3 (31-bit) • Red Hat Enterprise Linux AS V3 (64-bit) • Industry-standard encryption algorithms • Includes DES, triple-DES, RC2, and RC4 • Keys up to 128 bits • Hashes provided by SHA-1 and MD5 • Certificate activation and removal without server restart • Federal Information Processing Standard (FIPS 140-2) operational mode support

  23. Function: IPv6 Hipersockets • IPv6-related parameters accepted • HIPERS devices • QDIOIP links • Corresponding NETSTAT response changes for IPv6-enabled devices and links

  24. Function: GVRP Support • GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol • Provides more of standard switch semantics by automatically registering VLAN identifiers with GVRP-aware network switches • Eliminates manual configuration of individual physical switch port VLAN assignments for VSWITCH and QDIO links |-GVRP---| >>-LINK-QDIOETHernet-...-VLAN-nnn-+--------+-...->< |-NOGVRP-|

  25. TCP/IP Level 520 Serviceability Improvements • Report PROFILE file attributes • Log access violations on console • NETSTAT CONFIG • Load address in NETSTAT LEVEL

  26. Serviceability: Report PROFILE File Attributes • Display PROFILE file characteristics during stack initialization • Identify source of configuration data • Help identify cause of configuration problems DTCIPI006IUsing profile file name type mode dated date time

  27. Serviceability: Log Access Violations on Console • Access violation detected when user in RESTRICT list attempts to use TCP/IP services • Now recorded in console log as well as in separate file DTCUTI044I Unauthorized TCP/IP access attempt byuser

  28. Serviceability: NETSTAT CONFIG • New NETSTAT command options to display current stack configuration '-PARMS-TRACE-----' >>-NETSTAT-CONFIG-+-----------------+----->< | .-------------. | | v | | '-+-|ACCESS---|-+-' |ALL------| |HELP-----| |OBEY-----| |PARMS----| |PORT-----| |TRANSLATE| 'TRACE----'

  29. Serviceability: Load Address in NETSTAT LEVEL • NETSTAT LEVEL displays stack module load address • Useful for computing trace trap addresses IBM 2094; z/VM Version 5 Release 2.0, service level 0000 (64-bit), VM TCP/IP Level 520; RSU 0000 running TCPIP MODULE E2 dated 10/17/05 at 16:53 TCP/IP Module Load Address: 00BAC000

  30. TCP/IP Level 520 Performance Improvements • 64-bit Diagnose X’98’

  31. Performance: 64-bit Diagnose X’98’ • TCP/IP stack uses Diagnose X’98’ to lock real memory for QDIO, ATM, HyperChannel, CLAW, CTCA, and LCS devices • Diagnose X’98’ extended in z/VM 5.2.0 to allow pages to be locked above 2G in real memory • TCP/IP stack attempts to use pages above 2G to reduce system-wide pressure on memory below 2G

  32. TCP/IP Level 520 Infrastructure Improvements • NETSTAT CP output limit increased • Up to 32767 bytes

  33. TCP/IP Level 520 Packaging Enhancements • Preconfigured VSWITCH controllers • Migration support

  34. Packaging: Preconfigured VSWITCH Controllers • Two new virtual machines defined as VSWITCH controllers • DTCVSW1 and DTCVSW2 • Started by AUTOLOG1 • No configuration required • Define VSWITCHes withCONTROLLER *(default) • Designed to simplify VSWITCH implementation • Demonstrates best practices

  35. Packaging: Migration Support • TCP/IP migration exit • Examines existing configuration files • Controls copying actions to new system • Recommends areas requiring customer attention • E.g., Reports session connection exit interface changes

  36. TCP/IP Level 530 New Function • LDAP Server and Client • IP Takeover (IPv4 and IPv6) • Delete Device and Link • SSL upgrade • TLS support • SNMP for Virtual Switches • MPROUTE V1R8 • RouteD and BootP discontinued

  37. LDAP • Solves a problem: the ability to have RACF be a central repository for your z/VM and Linux passwords • Lightweight Directory Access Protocol (RFC 2251) • Standard way for a client to retrieve data stored in a Directory Information Tree (DIT) • z/OS 1.8 IBM Tivoli Directory Server (ITDS)

  38. Function: LDAP Server and Client • LDAP Server provides: • Multiple concurrent database instances (referred to as backends) • Interoperability with LDAP V2 or V3 protocol-capable clients • LDAP Version 2 and Version 3 protocol support • Native authentication using Challenge-Response Authentication Method (CRAM-MD5), DIGEST-MD5 • Authentication, and Simple (unencrypted) authentication • Root DSE information master/slave and peer-to-peer replication

  39. Function: LDAP Server and Client • LDAP Server provides: • The ability to refer clients to additional directory servers • The capability to create an alias entry in the directory to point to another entry in the directory • Access controls on directory information • Change logging • Schema publication and update • SSL communication (SSL V3 and TLS V1) • Client and server authentication using SSL/TLS

  40. Function: LDAP Server and Client • LDAP client utilities provides a way to add, modify, search, and delete entries in any server that accepts LDAP protocol requests.

  41. Interface High Availability – IP Takeover • IP takeover is supported to minimize the impact of an hardware interface failure • QDIO ethernet and LCS ethernet devices only • No special parameters or options necessary • If the TCP/IP stack determines two interfaces are on the same network, IP takeover will be enabled for those interfaces • For IPv4, determination is based on the IP addresses and subnet masks of the interfaces • Subnet masks may be defined on the HOME statement, the GATEWAY statement, or in the MPROUTE CONFIG file

  42. IP Takeover Details z/VM TCP/IP OSA1 10.1.1.1 OSA2 10.1.1.2 10.1.1.0/24 Host 10.1.1.3 forms a connection with 10.1.1.1 (OSA1)‏ 10.1.1.3

  43. IP Takeover Details (cont.)‏ z/VM TCP/IP OSA2 10.1.1.2 10.1.1.1 OSA1 10.1.1.1 10.1.1.0/24 OSA1 Fails 10.1.1.3 OSA2 informs host that traffic for 10.1.1.1 should be sent through this interface

  44. IP Takeover Details (cont.)‏ z/VM TCP/IP OSA2 10.1.1.2 10.1.1.1 OSA1 10.1.1.1 10.1.1.0/24 10.1.1.3 starts sending packets to OSA2 10.1.1.3

  45. Function: Delete Device and Link • Device and Link statements can now be dynamically removed from the z/VM TCP/IP stack. • New -Remove option for IFCONFIG IFCONFIG –REMOVE • New SIOCDINTERFACE subcommand for REXX and C

  46. Function: SSL upgrade • Support for • Novell(R) SUSE(R) Linux Enterprise Server (SLES) 9 Service Pack 3 (64-bit) • Novell SUSE Linux Enterprise Server (SLES) 9 Service Pack 3 (31-bit) • Red Hat Enterprise Linux(R) (RHEL) AS 4 Update 4 (64-bit) • Red Hat Enterprise Linux (RHEL) AS 4 Update 4 (31-bit)

  47. Function: TLS Support • Secure Sockets Layer/Transport Layer Security (SSL/TLS) • FTP • Telnet • SMTP • Data Transmission can start in clear text and be converted to secure text at a later time.

  48. Function: SNMP for Virtual Switches • Management IP address for Virtual Switch • New HOME statement • Generic SNMP Subagent • Bridge MIBS for Virtual Switch reporting

  49. Function: MPROUTE • MPROUTE support upgraded to V1R8

  50. RouteD and BootP support discontinued • MPROUTE and DHCP are available and recommended to provide the services formally performed by RouteD and BootP.

More Related