© 2007 IBM Corporation
IBM ^ ™
TCP/IP for z/VM Update
Tracy Adams, z/VM Connectivity Development
CAVMEN, April 17, 2008
Agenda
General IPv6 Support
Level 520 Enhancements
Level 530 Enhancements
Service Strategy
IPv6 support currently in z/VM
CP support for IPv6
– QDIO and HIPERSOCKETS Guest LANs support IPv6
– Layer 2 VSWITCH supports IPv6
TCP/IP support for IPv6
– HiperSockets (QDIOIP) and OSA-Express (QDIOETHERNET) devices
– Dynamic routing with MPROUTE
– Static routing and IPv6 Router Advertisements
– IFCONFIG, IPWIZARD, NETSTAT, PING and TRACERTE
– Failover and Virtual IP address (VIPA) support
Function: IPv6
Steps toward support for IPv6 networks
– Address constraint relief
– Auto-configuration
– Other improvements
Support for IPv6 networks connected through OSA Express (QDIO) adapter
– Static routing
– Router Advertisements
– TRACERTE, PING, and IFCONFIG support
IPv6 sockets through Language Environment and OpenExtensions Callable Services
Function: IPv6 …
v4 and v6 networks treated separately
– Separate HOME lists, filters (BLOCK statement), address translation tables, static routing tables (GATEWAY statement), PORT lists
– No routing between networks
New DEVICE OSD statement options
– IPv6PriRouter
– IPv6SecRouter
– IPv6NonRouter
New LINK QDIOEthernet statement options
– EnableIPv6
– DupAddrXmits
Function: IPv6 …
New RouterAdv statement
– Defines characteristics of router advertisements for a link
New RouterAdvPrefix statement
– Defines address prefix to be used for link router advertisements and associated on-link determination, autonomous, and lifetime characteristics
New AssortedParms statement options
– IgnoreIPv6Redirect
– EqualCostIPv6MultiPath
Function: IPv6 …
New NCBPoolSize statement
– Defines size of IPv6 Neighbor Control Block pool
New ICMPErrorLimit statement
– Defines maximum rate per second of IPv6 ICMP error packets transmitted on a link
New Neighbor and DelNeighbor functions of NETSTAT
– Display/delete neighbor cache entries
NETSTAT DEVLINKS reports
– Maximum frame size (Hipersockets links)
– MTU size
– IPv6 status
– Multicast addresses
TCP/IP Level 520 New Function
New MPROUTE
Standard GATEWAY Statement Syntax
Sniffer data formatting tool
Enhanced IPMailerAddress statement
Improved SSL support
IPv6 Hipersockets (Post GA)
GVRP Support (Post GA)
Function: New MPROUTE
Initial MPROUTE implementation ported z/OS Communications Server OMPROUTE to CMS
– Recompile with CMS C compiler
– Fix code incompatibilities
– Add VM-specific interfaces (e.g., SMSG)
– Renumber all messages
Problems
– Service and enhancements require refit
– Divergent code bases
   – No IPv6 support
   – No simultaneous use of RIPv1 and RIPv2
– Limited documentation
Function: New MPROUTE …
New MPROUTE implementation uses z/OS Communications Server V1.7 OMPROUTE as-is
– Use z/OS binary in CMS unchanged
– Enhance CMS cradling environment to provide equivalents of z/OS functions used by OMPROUTE
– Use z/OS messages
Benefits
– Current routing technology
– Common code base
   – Functional equivalence
   – OMPROUTE service handled by z/OS service team
   – Upgrade requires minimal effort
– Less VM-specific documentation
Function: Standard GATEWAY Statement Syntax
GATEWAY [ IPv4 GATEWAY list entry | IPv6 GATEWAY list entry ]...

IPv4 GATEWAY list entry:
  { ipv4_dest/maskLength | ipv4_dest subnet_mask | DEFAULTNET }  first_hop  link  { max_packet_size | DEFAULTSIZE | 0 }

IPv6 GATEWAY list entry:
  { ipv6_dest/prefixLength | DEFAULTNET6 }  first_hop  link  { max_packet_size | DEFAULTSIZE | 0 }

(DEFAULTSIZE is the default for the packet size field)
Function: Standard Gateway Statement Syntax
HOME
  9.130.48.78/24               ETH0
  9.130.15.128  255.255.255.0  ETH1
* Subnet      Mask             Next hop     Intfc  MTU
GATEWAY
  9.150.20.0/24                9.130.48.5   ETH0   0
  9.150.30.0    255.255.255.0  9.130.15.16  ETH1   0
  defaultnet                   9.130.48.1   ETH0   0
Function: Sniffer Data Formatting Tool
New CP facility to record Guest LAN traffic
IPFORMAT command provided to format and display data
Configuration file defines
– RPC program names
– NFS procedure types
– Telnet Option Names
– ASCII-EBCDIC translation
– Colors
Function: Sniffer Data Formatting Tool …
IPFORMAT fn [ft [fm]] [( options]
  defaults: ft = TRCDATA, fm = *

Options:
  OUTFile ofn [oft [ofm]]   (default: OUTFile fn IPFDATA rwm; oft defaults to IPFDATA, ofm to rwm)
  VIew | NOView             (default: VIew)
Function: Sniffer Data Formatting Tool …
Subcommands
– FILTER packets by source and destination IP address or range, source and destination port number or range, time, protocol, and application
– SAVE data
– APPEND data to existing file
– VIEW detailed packet information
– HEADER display control
Function: Enhanced IPMailerAddress (PTF)
Host names and IP addresses allowed
ALL redirects all non-local mail

IPMAILERADDRESS { ip_address | hostname | Destination List } [ ALL ]

Destination List:
  LIST { ip_address | hostname }... ENDIPMAILERADDRESS
SSL – Secure Sockets Layer
Provides security functions for any server
SSL for VM TCP/IP clients
Negotiated security
Client authentication
Certificate database and management
Function: Improved SSL Support
Additional distribution support
– SUSE SLES8 Service Pack 3 (31-bit)
– SUSE SLES9 Service Pack 2 (31-bit)
– SUSE SLES9 Service Pack 2 (64-bit)
– Red Hat Enterprise Linux AS V3 (31-bit)
– Red Hat Enterprise Linux AS V3 (64-bit)
Industry-standard encryption algorithms
– Includes DES, triple-DES, RC2, and RC4
– Keys up to 128 bits
– Hashes provided by SHA-1 and MD5
Certificate activation and removal without server restart
Federal Information Processing Standard (FIPS 140-2) operational mode support
Function: IPv6 Hipersockets
IPv6-related parameters accepted
– HIPERS devices
– QDIOIP links
Corresponding NETSTAT response changes for IPv6-enabled devices and links
Function: GVRP Support
GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol
Provides more of standard switch semantics by automatically registering VLAN identifiers with GVRP-aware network switches
Eliminates manual configuration of individual physical switch port VLAN assignments for VSWITCH and QDIO links
LINK QDIOETHernet ... VLAN nnn [ GVRP | NOGVRP ] ...   (default: GVRP)
TCP/IP Level 520 Serviceability Improvements
Report PROFILE file attributes
Log access violations on console
NETSTAT CONFIG
Load address in NETSTAT LEVEL
Serviceability: Report PROFILE File Attributes
Display PROFILE file characteristics during stack initialization
Identify source of configuration data
Help identify cause of configuration problems
DTCIPI006I Using profile file name type mode dated date time
Serviceability: Log Access Violations on Console
Access violation detected when user in RESTRICT list attempts to use TCP/IP services
Now recorded in console log as well as in separate file
DTCUTI044I Unauthorized TCP/IP access attempt by user
Serviceability: NETSTAT CONFIG
New NETSTAT command options to display current stack configuration
NETSTAT CONFIG [ ACCESS | ALL | HELP | OBEY | PARMS | PORT | TRANSLATE | TRACE ]...   (default: PARMS TRACE)
Serviceability: Load Address in NETSTAT LEVEL
NETSTAT LEVEL displays stack module load address
Useful for computing trace trap addresses
IBM 2094; z/VM Version 5 Release 2.0, service level 0000 (64-bit), VM TCP/IP Level 520; RSU 0000 running TCPIP MODULE E2 dated 10/17/05 at 16:53
TCP/IP Module Load Address: 00BAC000
TCP/IP Level 520 Performance Improvements
64-bit Diagnose X’98’
Performance: 64-bit Diagnose X’98’
TCP/IP stack uses Diagnose X’98’ to lock real memory for QDIO, ATM, HyperChannel, CLAW, CTCA, and LCS devices
Diagnose X’98’ extended in z/VM 5.2.0 to allow pages to be locked above 2G in real memory
TCP/IP stack attempts to use pages above 2G to reduce system-wide pressure on memory below 2G
TCP/IP Level 520 Infrastructure Improvements
NETSTAT CP output limit increased
– Up to 32767 bytes
TCP/IP Level 520 Packaging Enhancements
Preconfigured VSWITCH controllers
Migration support
Packaging: Preconfigured VSWITCH Controllers
Two new virtual machines defined as VSWITCH controllers
– DTCVSW1 and DTCVSW2
Started by AUTOLOG1
No configuration required
– Define VSWITCHes with CONTROLLER * (default)
Designed to simplify VSWITCH implementation
Demonstrates best practices
Packaging: Migration Support
TCP/IP migration exit
– Examines existing configuration files
Controls copying actions to new system
Recommends areas requiring customer attention
– E.g., Reports session connection exit interface changes
TCP/IP Level 530 New Function
LDAP Server and Client
IP Takeover (IPv4 and IPv6)
Delete Device and Link
SSL upgrade
TLS support
SNMP for Virtual Switches
MPROUTE V1R8
RouteD and BootP discontinued
LDAP
Solves a problem: the ability to have RACF be a central repository for your z/VM and Linux passwords
Lightweight Directory Access Protocol (RFC 2251)
Standard way for a client to retrieve data stored in a Directory Information Tree (DIT)
z/OS 1.8 IBM Tivoli Directory Server (ITDS)
Function: LDAP Server and Client
LDAP Server provides:
– Multiple concurrent database instances (referred to as backends)
– Interoperability with LDAP V2 or V3 protocol-capable clients
– LDAP Version 2 and Version 3 protocol support
– Native authentication using Challenge-Response Authentication Method (CRAM-MD5), DIGEST-MD5 Authentication, and Simple (unencrypted) authentication
– Root DSE information
– Master/slave and peer-to-peer replication
Function: LDAP Server and Client
LDAP Server provides:
– The ability to refer clients to additional directory servers
– The capability to create an alias entry in the directory to point to another entry in the directory
– Access controls on directory information
– Change logging
– Schema publication and update
– SSL communication (SSL V3 and TLS V1)
– Client and server authentication using SSL/TLS
Function: LDAP Server and Client
LDAP client utilities provide a way to add, modify, search, and delete entries in any server that accepts LDAP protocol requests.
Interface High Availability – IP Takeover
IP takeover is supported to minimize the impact of a hardware interface failure
– QDIO ethernet and LCS ethernet devices only
No special parameters or options necessary
– If the TCP/IP stack determines two interfaces are on the same network, IP takeover will be enabled for those interfaces
– For IPv4, determination is based on the IP addresses and subnet masks of the interfaces
– Subnet masks may be defined on the HOME statement, the GATEWAY statement, or in the MPROUTE CONFIG file
IP Takeover Details
[Diagram: z/VM TCP/IP with OSA1 (10.1.1.1) and OSA2 (10.1.1.2) on network 10.1.1.0/24; host 10.1.1.3 forms a connection with 10.1.1.1 (OSA1)]
IP Takeover Details (cont.)
[Diagram: OSA1 fails; OSA2 (10.1.1.2) now also answers for 10.1.1.1 and informs the host that traffic for 10.1.1.1 should be sent through this interface]
IP Takeover Details (cont.)
[Diagram: host 10.1.1.3 starts sending packets for 10.1.1.1 to OSA2]
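A small parser for the standard HOME/GATEWAY syntax shown earlier, plus the same-network test the IP takeover slides describe, as an added Python example (not IBM's code, and not how the z/VM stack itself reads PROFILE TCPIP). The sample profile is constructed, the "first hop must be on the link's own subnet" lint is an added sanity check rather than a documented stack behaviour, and the takeover grouping applies only the IPv4 address-and-mask rule stated in the deck.

```python
import ipaddress

# Constructed sample in the deck's standard HOME/GATEWAY syntax (not a real profile).
# The last GATEWAY entry is deliberately misconfigured so the check below fires.
PROFILE = """\
HOME
  9.130.48.78/24                ETH0
  9.130.15.128  255.255.255.0   ETH1
  10.1.1.1/24                   OSA1
  10.1.1.2/24                   OSA2
GATEWAY
  9.150.20.0/24   9.130.48.5    ETH0  0
  9.150.30.0  255.255.255.0  9.130.15.16  ETH1  0
  defaultnet      9.130.48.1    ETH0  0
  192.168.7.0/24  172.16.0.1    ETH1  0
"""

DEFAULTS = {"defaultnet": "0.0.0.0/0", "defaultnet6": "::/0"}

def _prefix(tokens):
    """Consume 'addr/len', 'addr mask' or DEFAULTNET[6]; return (interface, rest)."""
    head = tokens[0].lower()
    if head in DEFAULTS:
        return ipaddress.ip_interface(DEFAULTS[head]), tokens[1:]
    if "/" in head:
        return ipaddress.ip_interface(head), tokens[1:]
    return ipaddress.ip_interface(f"{head}/{tokens[1]}"), tokens[2:]

def parse_profile(text):
    """Return ({link: home interface}, [(dest network, first hop, link, mtu)])."""
    section, homes, routes = None, {}, []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0].upper() in ("HOME", "GATEWAY"):
            section = tok[0].upper()
        elif section == "HOME":
            iface, rest = _prefix(tok)
            homes[rest[0]] = iface
        else:  # GATEWAY entry: dest, first hop, link, max packet size
            dest, rest = _prefix(tok)
            routes.append((dest.network, ipaddress.ip_address(rest[0]),
                           rest[1], int(rest[2])))
    return homes, routes

def bad_first_hops(homes, routes):
    """Added lint: routes whose first hop is not on the named link's own subnet."""
    return [r for r in routes
            if r[2] not in homes or r[1] not in homes[r[2]].network]

def takeover_groups(homes):
    """Links on the same network, the IPv4 condition the deck gives for IP takeover."""
    groups = {}
    for link, iface in homes.items():
        groups.setdefault(iface.network, []).append(link)
    return [sorted(links) for links in groups.values() if len(links) > 1]
```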
Function: Delete Device and Link
Device and Link statements can now be dynamically removed from the z/VM TCP/IP stack.
New -Remove option for IFCONFIG
IFCONFIG -REMOVE
New SIOCDINTERFACE subcommand for REXX and C
Function: SSL upgrade
Support for
– Novell(R) SUSE(R) Linux Enterprise Server (SLES) 9 Service Pack 3 (64-bit)
– Novell SUSE Linux Enterprise Server (SLES) 9 Service Pack 3 (31-bit)
– Red Hat Enterprise Linux(R) (RHEL) AS 4 Update 4 (64-bit)
– Red Hat Enterprise Linux (RHEL) AS 4 Update 4 (31-bit)
Function: TLS Support
Secure Sockets Layer/Transport Layer Security (SSL/TLS) for
– FTP
– Telnet
– SMTP
Data transmission can start in clear text and be switched to a secure (encrypted) connection at a later time.
Function: SNMP for Virtual Switches
Management IP address for Virtual Switch
– New HOME statement
Generic SNMP Subagent
Bridge MIBS for Virtual Switch reporting
Function: MPROUTE
MPROUTE support upgraded to V1R8
RouteD and BootP support discontinued
MPROUTE and DHCP are available and recommended to provide the services formerly performed by RouteD and BootP.
Statement of Direction
Support for the following will be withdrawn in a future release:
Network Database (NDB) system
Trivial File Transfer Protocol (TFTP)
X25 (including X25IBI server) interface
SNALINK server
Recommended Service Strategy
Apply the latest RSU
Visit the TCP/IP for z/VM Feature home page for late-breaking service news
Summary
TCP/IP for VM is alive and well
Level 520 delivered major advances
Level 530 continued the trend
We still have more to do
– Anticipate where most z/VM TCP/IP customers are going next
Your requirements are important to us
References
In person: [email protected]
On the Web:
– http://www.vm.ibm.com/networking/ipv6/ (IPv6 support in z/VM)
– http://www.ibm.com/vm/related/tcpip/ (TCP/IP for z/VM Feature Page)
– http://www.rfc-editor.org/rfc.html
– http://www.redbooks.ibm.com/
Via mailing lists: [email protected]