IBM z/OS Communications Server IPv6 Support
Linda Harrison
lharriso@us.ibm.com
04/13/14 www.ibm.com/support/techdocs Document © 2014 IBM Corporation

Agenda
● IPv6 History, Address, Protocol
● IPv6 Support in z/OS and Dual-Mode Stack (BPXPRMxx)
● PROFILE.TCPIP
● Routing
● Resolver
● FTP
● Enterprise Extender
● inetd
● SMF
● More Information

IPv6 History, Address, and Protocol

Total IP Addresses
● IPv4 Address example 100.114.165.211
  • Started to be used in 1970s and 80s
    ➔ United States has the bulk of the IPv4 Addresses
  • 32-bit address means around 4,200,000,000 nodes
  • Network Address Translation (NAT) increases total nodes
  • Huge routing tables on Internet Routers (backbone)
● IPv6 Address example 2001:0DB8:0000:000:0206:2AFF:FE71:4400
  • Started to be used in 1990s
  • 128-bit address means around 340 (billion)^4 addresses
  • Routing Tables Manageable through CIDR
    ➔ Classless InterDomain Routing (CIDR) manages the routing, reducing the size of the routing tables on the backbone. CIDR aggregates sets of routes into a single route by using the common, highest-level denominator for the sets of routes. CIDR is also referred to as "supernetting."

IPv4 vs. IPv6

Function | IPv4 | IPv6
Addressing | 32 bits (4 bytes), 4,200,000,000 addresses | 128 bits (16 bytes), 340 (billion)^4 addresses
Communicating to all on subnet | Broadcast Addresses | Scoped Multicast Addresses
Fragmentation | Supported at originating and intermediate nodes | Supported only at originating nodes
Checksum | Included in IP Header | Not included in IP Header
IPSec | Optional | Included as part of IPV6
Discovery of best default gateway | Optional (with ICMP Route Discovery) | Included – ICMPv6 Router Solicitation and Router Advertisement
Resolving IP layer address to link layer address | ARP (Address Resolution Protocol) | Multicast Neighbor Solicitation Messages
Local Subnet Group Membership | Internet Group Management Protocol (IGMP) | Multicast Listener Discovery (MLD)
Address Configuration | Manually or through DHCP | Automatically assigned via stateless address configuration or DHCPv6 or manually
DNS Configuration | “A” records for host name/address mapping, “PTR” records in INADDR.ARPA domain address/name mapping | “AAAA” or “A6” records for name/address mapping, “PTR” records in IP6.ARPA or IP6.INT domain for address/name mapping
QoS Support | Differentiated and Integrated Services | Differentiated and Integrated Services, also Flow Label for more granularity
Payload Identification for QoS | Not included in IP Header | Included in Flow Label

This chart represents a summary of the information present in Table 1 of the IPv6 Network and Application Design Guide (SC27-3663). DHCP and DHCPv6 are not supported on z/OS.

Additional differences...
IP Header Format
  IPv4 -- Variable: Min of 20 Bytes + Options
  IPv6 -- 40 Bytes
IP Options
  IPv4 -- Part of IP Header
  IPv6 -- Inserted as Extensions between IP Header and Payload
QoS, DHCPv6, and Mobility are not part of the Implementation of IPv6.
The Internet Assigned Numbers Authority (IANA) website includes the pointers to the most up-to-date information on IPv6: www.iana.org

Some IPv6 RFCs from the IANA website:
RFC 3330 - Special-Use IPv4 Addresses
RFC 3177 - IAB/IESG Recommendations on IPv6 Address Allocations to Sites
RFC 2928 - Initial IPv6 Sub-TLA ID Assignments
RFC 2450 - Proposed TLA and NLA Assignment Rules
RFC 2373 - IP Version 6 Addressing Architecture
RFC 2050 - Internet Registry IP Allocation Guidelines
RFC 1918 - Address Allocation for Private Internets
RFC 1518 - An Architecture for IP Address Allocation with CIDR

IPv6 provides for both stateless and stateful autoconfiguration. Stateless autoconfiguration allows a node to be configured in the absence of any configuration server. Stateless autoconfiguration further makes it possible for a node to configure its own globally routable addresses in cooperation with a local IPv6 router by combining the 64-bit Interface ID (48-bit MAC address plus random number) of the adapter with network prefixes that are learned from the neighboring router.

IPv6 allows the use of DHCPv6 for stateful autoconfiguration. DHCPv6 relies on a configuration server that maintains static tables to determine the addresses that are assigned to newly connected nodes. z/OS CS does not support DHCPv6.

Manual configuration of addresses may be used in environments where complete local control is required (i.e., VIPA or LOOPBACK).

IP Address Structure
● IPv4 Dotted Decimal
  • Documented in RFC 1166
  • IPv4 Address: 9.67.122.66
  • IPv4 Address/Subnet Mask: 9.67.122.66/8
● IPv6 Colon-Hexadecimal
  • Documented in RFC 3513
    ➔ Supersedes RFC 2373
  • IPv6 Address: 2001:0DB8:0000:0000:0206:2AFF:FE71:4400
  • Can eliminate leading zeroes:
    ➔ 2001:0DB8:0000:000:0206:2AFF:FE71:4400=2001:DB8::206:2AFF:FE71:4400
  • Can skip one sequence of zero words leaving two colons:
    ➔ 0000:0000:0000:0000:0000:0000:0000:0001=::1
● Can specify a prefix by "/length"
  • 2001:0DB8::/64
  • IPv6 Address/Prefix-Length: 2001:0DB8:0000:0000:0206:2AFF:FE71:4400/64

IPv4 addresses are represented in dotted-decimal format. The 32-bit address is divided along 8-bit boundaries. Each set of 8 bits is converted to its decimal equivalent and separated by periods. Each IP address consists of an IP network id and an IP host id on that IP network.

In contrast, IPv6 addresses are 128 bits divided along 16-bit boundaries. Therefore, IPv6 notation is eight 16-bit integers separated by colons. Each 16-bit block is converted to a 4-digit hexadecimal number -- still separated by colons. One group of multiple zeroes can be represented with a double colon. Leading zeroes within each individual field can be omitted. The resulting representation is called colon-hexadecimal.

Types of IPv6 Addresses
● FF00::/8: Multicast addresses all begin with "FF" (example: FF02::1)
● FE80::/16: Link-Local Scope unicast addresses all begin with "FE80" (example: FE80::99:1AC6:77:9/16)
  • Will not be passed by any router (local to the LAN that it is attached to)
● Anything else: Global Scope unicast addresses are everything else (example: 2001:0DB8::0206:2AFF:FE71:4400/64)
  • Will be passed by any router; can be routed anywhere
● Unspecified address (similar to IPv4 inaddr_any) (example: ::)
  • Represented by :: (0000:0000:0000:0000:0000:0000:0000:0000)
  • Cannot be used as destination address
  • Must never be assigned to any node
● Loopback address (example: ::1)
  • Represented by ::1 (0000:0000:0000:0000:0000:0000:0000:0001)
  • Used by a node to send an IPv6 packet to itself
  • Must never be assigned to any physical interface
● IPv4-mapped IPv6 address (examples: ::FFFF:9.67.115.69, ::FFFF:0943:7345):
  • Represented by ::FFFF:a.b.c.d (9.67.115.69 = ::FFFF:9.67.115.69) or ::FFFF:<hex>:<hex> (9.67.115.69 = ::FFFF:0943:7345)
  • IPv6 address with IPv4 address embedded
  • Not sent onto the network by z/OS
● IPv4-compatible IPv6 address: represented by ::a.b.c.d (example: ::9.67.115.69)
  • Not supported in z/OS
  • Such addresses typically used for tunneling IPv4 across IPv6 network

IPv4 addresses are represented in dotted-decimal format. The 32-bit address is divided along 8-bit boundaries. Each set of 8 bits is converted to its decimal equivalent and separated by periods. Each IP address consists of an IP network id and an IP host id.

In contrast, IPv6 addresses are 128 bits divided along 16-bit boundaries. Therefore, IPv6 notation is eight 16-bit integers separated by colons. Each 16-bit block is converted to a 4-digit hexadecimal number. One group of multiple zeroes can be represented with a double colon. Leading zeroes within each individual field can be omitted. The resulting representation is called colon-hexadecimal.

Unicast addresses identify a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. This is the same concept with which you are already familiar in IPv4.

Anycast addresses identify a set of interfaces (typically different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one). Concept not used in IPv4. Not part of z/OS IPv6 support either.

Multicast addresses identify a set of interfaces (typically different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address. This is the same concept as in IPv4. Routing protocols like RIP and OSPF use multicast addresses, but so can other applications. All Multicast control information flows using ICMPv6 instead of IPv4 Internet Group Management Protocol (IGMP).

There are no broadcast addresses in IPv6; their function is replaced by multicast addresses.

CS allows the customer to assign other LOOPBACK addresses for IPv6. For IPv6, one interface can have multiple IP addresses. For IPv4 this is only supported for Loopback.

IPv4-mapped IPv6 addresses
- Only implementations that support Stateless IP/ICMP Translation Algorithm (SIIT), RFC 2765, should send outbound packets with IPv4-mapped IPv6 addresses in the IP header. z/OS Communications Server does not support SIIT.
- That is, z/OS does not support sending IPv4-Mapped IPv6 addresses out onto an attached network.
- This address type is used to represent the addresses of IPv4 nodes as IPv6 addresses.
- It is used when an IPv6 application needs to communicate with an IPv4 peer.
- Resolver can return IPv4-mapped IPv6 addresses.

IPv4-mapped addresses can be written in two ways.
IPv4 address 9.67.115.69 can be written as an IPv4-mapped IPv6 address:
  ::FFFF:0943:7345 (this is the hexadecimal notation)
  ::FFFF:9.67.115.69 (this is the dotted-decimal notation)

IPv4-compatible IPv6 address (::<IPv4_address>)
- Used when IPv6 traffic is tunneled across existing IPv4 networks.
- Formed by placing 96 bits of zero in front of a valid 32-bit IPv4 address, such that address 1.2.3.4 becomes ::1.2.3.4
- IPv4-compatible IPv6 addresses are not included in the z/OS implementation.

Link-local address:
- Only used on the physical network that a host's interface is attached to. In IPv6 an interface can have multiple addresses.

Aggregatable Global Unicast Address
- Assigned to ISPs by International "Internet Registry Services" (IRS)
  ARIN Registry Services (American Registry for Internet Numbers) www.arin.net/library/guidelines/ipv6_initial.html (North America and Sub-Sahara Africa)
  RIPE-NCC Network Coordination Center in Europe (Reseau IP Europeans) www.ripe.net/ripencc/mem-services/reistration/ipv6.html (Europe, Middle East, Central Asia, and Africa north of the equator)
  APNIC Asia Pacific Network Information Center www.apnic.nbet/faq/IPv6-FAQ.html (LACNIC Regional Latin-American and Caribbean Address Registry)

How to request Internet addresses in general? www.iana.org/ipaddress/ip-addresses.htm
How to discover what has already been allocated? www.iana.org/ipaddress/ip-addresses.htm
How does a company or an end-user obtain an address? Consult with your ISP: AT&T, Verizon, etc.

Required Addresses for a Host
● Addresses identifying an IPv6 host:
  • Its Link-Local Address for each interface (FE80::99:1AC6:77:9/16)
    ➔ z/OS CS only allows a single link-local address per interface.
  • Assigned Unicast Addresses (autoconfigured OR manually defined) (2001:0DB8::99:1AC6:77:9/64)
  • Loopback Address (::1)
  • The All-Nodes Multicast Address (FF02::1) (Routers FF02::2)
  • Solicited Node Multicast Addresses for each of its assigned unicast and anycast addresses (FF02::1:FF00:0 - FF02::1:FFFF:FFFF)
  • Multicast Addresses of all other groups to which the host belongs.
● Addresses identifying an IPv4 host:
  • Assigned Unicast Addresses (9.67.122.66)
  • Loopback Address (127.0.0.1)
  • Broadcast Address for each of its assigned unicast addresses (255.255.255.255)
  • The All hosts Multicast Address
  • Multicast Addresses of all other groups to which the host belongs

An IPv6 host is required to recognize a certain set of addresses as identifying itself. An IPv4 host is required to recognize a different list of addresses as identifying itself. There is no broadcast support in IPv6. It has been replaced with multicast for specific scopes.

The Global Unicast Address must be requested from the ISP that services your company or your site; the ISP itself must request IPv6 addresses from an Internet Registry Services.

Solicited Node Multicast Address
- This address is formed by taking the low-order 24 bits of the address (unicast or anycast) and appending those bits to the prefix FF02:0:0:0:0:1:FF00::/104.
- Range of addresses is FF02:0:0:0:0:1:FF00:0000 to FF02:0:0:0:0:1:FFFF:FFFF
- A node is required to compute and join the associated Solicited Node multicast address for every unicast and anycast address it is assigned. The solicited-node multicast address facilitates the efficient querying of network nodes during address resolution.

The following well-known multicast addresses are pre-defined. Use of these group IDs for any other scope values, with the T flag equal to 0, is not allowed: FF01::, FF02::, FF03::, FF04::, FF05::, FF06::, FF07::, FF08::, FF09::, FF0A::, FF0B::, FF0C::, FF0D::, FF0E::, and FF0F::.
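
The solicited-node rule and the "Required Addresses for a Host" list above, worked through in Python as an added example (it is not part of the original presentation). The helper names solicited_node, required_addresses and identifies_host are hypothetical; the sample addresses are the ones used on the slides.

```python
import ipaddress

# Prefix and well-known addresses as given on the slide and in its notes.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # /104 prefix
ALL_NODES = ipaddress.IPv6Address("ff02::1")
LOOPBACK = ipaddress.IPv6Address("::1")


def solicited_node(addr):
    """Solicited-node multicast group for one unicast or anycast address.

    The low-order 24 bits of the address are appended to
    FF02:0:0:0:0:1:FF00::/104.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"{ip} is not a unicast or anycast address")
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(ip) & 0xFFFFFF))


def required_addresses(assigned, groups=()):
    """Every address an IPv6 host must recognize as identifying itself.

    assigned: link-local and other unicast addresses of its interfaces.
    groups:   multicast groups joined beyond the mandatory ones.
    """
    unicast = {ipaddress.IPv6Address(a) for a in assigned}
    required = set(unicast)
    required.add(LOOPBACK)
    required.add(ALL_NODES)
    required.update(solicited_node(a) for a in unicast)
    required.update(ipaddress.IPv6Address(g) for g in groups)
    return required


def identifies_host(dst, assigned, groups=()):
    """True if a packet sent to dst is addressed to this host."""
    return ipaddress.IPv6Address(dst) in required_addresses(assigned, groups)


# Constructed sample: one host holding the example addresses from the slides.
HOST = [
    "FE80::99:1AC6:77:9",
    "2001:0DB8::99:1AC6:77:9",
    "2001:0DB8:0000:0000:0206:2AFF:FE71:4400",
]

if __name__ == "__main__":
    for a in HOST:
        print(f"{a:42} -> {solicited_node(a)}")
    # The first two addresses share their low-order 24 bits, so the host
    # joins a single solicited-node group for both of them.
    for dst in ("FF02::1", "FF02::2", "FF02::1:FF77:9", "FF02::1:FF00:1"):
        print(f"{dst:16} identifies host: {identifies_host(dst, HOST)}")
```

Because only 24 bits are carried into the group address, unrelated hosts can share a solicited-node group; membership in the group narrows the set of receivers but does not identify the target by itself.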

Unicast:
- Assigned to one interface. Packets destined for a unicast address are sent to only one node.
- Can be link-local scope, or global scope
Multicast:
- Provides a means for a source to communicate with a group
Anycast - Special Type of Unicast - not used in CS for z/OS:
- Allows the source to communicate with the closest member of a group

Every IPv6 interface except VIPA and LOOPBACK will have an automatically generated link-local address. A packet with a link-local source or destination address will not leave a LAN. A router receiving the packet will not forward it. Link-local addresses are used for any kind of temporary network: Autoconfiguration, Neighbor discovery, Networks without routers.

VIPAs and LOOPBACKs use global addresses. Global addresses can either be manually configured or autoconfigured dynamically. If a packet cannot be forwarded due to reaching a scope boundary, an ICMPv6 BEYOND SCOPE is returned.

ICMPv6 Neighbor Discovery (NeD)
● Router Discovery
● Prefix Discovery
● Parameter Discovery
● Address Autoconfiguration
● Address Resolution
● Next-Hop Determination
● Neighbor Reachability / Unreachability Detection
● Duplicate Address Detection (DAD)
● Redirect
[Figure: two IPv6 Hosts. Router Advertisement: Link-Local address, Link-Layer (MAC) address, Default Router Yes/No, MTU Size, Hop Limit, Prefix Information for Routing and Autoconfiguration. Neighbor Advertisement: Link-Local address, Link-Layer (MAC) address.]

Neighbor Discovery replaces several IPv4 protocols: ARP, ICMP Router Discovery and ICMP Redirect. Neighbor Discovery uses ICMPv6 rather than ARP. It enables a node to identify other hosts and routers on its links. It maintains routes, MTU, retransmit times, reachability time, and prefix information based on information received from the routers. NeD uses Duplicate Address Detection (DAD) to verify the host's home addresses are unique on the LAN.
NeD uses Address Resolution to determine the link-layer addresses for neighbors on the LAN and Reachability Detection to determine neighbor reachability. It maintains information about neighbors in a local 'Neighbor Cache'.

Router Discovery defines how hosts can automatically locate routers that reside on an attached link. ICMPv6 Router Solicitations / Advertisements are used to determine the best default gateway. Router Advertisements are sent by routers to announce their availability. z/OS receives Router Advertisements but does not originate them. Router Advertisements are the mechanism for plug and play.

Prefix Discovery specifies how hosts discover the set of prefixes that are defined as being on-link (IPv6 address prefixes that reside on the shared link, i.e., Ethernet), as well as those which are to be used when implementing Stateless Address Autoconfiguration.

Parameter Discovery allows a host to learn link parameters, such as the link MTU, and IP parameters, such as the hop limit to place in outgoing packets.

IPv6 provides for both stateless and stateful autoconfiguration. Stateless autoconfiguration allows a node to be configured in the absence of any configuration server. Stateless autoconfiguration further makes it possible for a node to configure its own globally routable addresses in cooperation with a local IPv6 router, by combining the 48- or 64-bit MAC address of the adapter with network prefixes that are learned from the neighboring router. IPv6 allows the use of DHCPv6 for stateful autoconfiguration. DHCPv6 relies on a configuration server that maintains static tables to determine the addresses that are assigned to newly connected nodes. z/OS does not support DHCPv6.

Address resolution in IPv6 is similar to ARP processing in IPv4, except ICMP neighbor solicitations, neighbor advertisements, router redirects, and router advertisements are used to obtain the link-layer (MAC) address.
Next-hop determination specifies the algorithm for mapping the IP destination address into the IP address of the neighbor to which traffic should be sent. Architected neighbor reachability/unreachability replaces old dead gateway logic. Neighbor unreachability detection is used to verify that two-way communication with a neighbor node exists. The host sends a neighbor solicitation to a node and waits for a solicited neighbor advertisement. Duplicate Address Detection (DAD) is used to verify that an IPv6 home address is unique on the LAN before assigning the address to a physical interface. z/OS responds to other nodes doing DAD for IP addresses assigned to the interface. DAD is not done for VIPAs or loopback addresses. A node may receive a Redirect message from an on-link router if the router determines that the destination is on-link or if there is a better first-hop router for the given destination. z/OS can be configured to ignore the IPv6 Redirects sent by routers by defining the IGNOREREDIRECT keyword on the IPCONFIG6 statement. If processing of Redirect messages is enabled, z/OS will begin using the new destination which is identified in the Redirect message. 

IPv6 Support in z/OS and Dual-Mode Stack (BPXPRMxx)

z/OS IPv6 Enablement
[Slide: IPv6 function by release. The grouping of items under each release is not recoverable from the text.]
Releases: OS/390 V2R10, z/OS V1R4, z/OS V1R5, z/OS V1R6, z/OS V1R7, z/OS V1R8, z/OS V1R9, z/OS V1R10, z/OS V1R11, z/OS V1R12, z/OS V1R13, z/OS V2R1
Functions:
● IP Stack is IPv6-enabled
● Resolver
● DLC – QDIO
● Static Routing
● Static VIPA Support
● New IPv6 Socket APIs
● TCP/IP Utility Applications
  ➔ FTP (ftpd), inetd, ftp, telnetd, USS rshd, USS rexec, USS rexecd, ping, tracert, netstat
● Service Tools
  ➔ Netstat long format, Packet Trace, Dump Formatters, CTRACE, Data Trace
● Configurable default address selection algorithm
  ➔ Prefer a temporary or public source addr
● Router advertisement enhancements
● IPv6 address support for DNS address
● Stateless Addr auto-configuration enhancements
● FRCA Resolver Enhancements
● Scoped Address support
● Network Management
● CICS Sockets
● Enterprise Extender (hostname)
● DLC - XCF, Samehost, Ficon (MPCPTP)
● OMPRoute RIPng
● Applications
  ➔ TN3270, syslogd, sntp, tftpd, rexecd/rshd, sendmail
● Policy Agent
  ➔ QoS (Differentiated Services)
● NetAccess
● SNMP MIBs
● SMF records
● Integrated filtering and IPSec
● RPCBIND server
● SNMP UDP MIBs
● Advanced Socket APIs (RFC3542)
● IPv6 Two Default Routers support
● DLC – HiperSockets
● Dynamic VIPA including Sysplex Distributor
● OMPROUTE OSPFv3
● SNMP MIB enhancements
● BPXPRMxx Network AF_INET6 Socket calls support IPv4-mapped addrs
● Intrusion Detection Services (IDS) IPV6 Attacks support
● z/OS V2R1: Enterprise Extender (IPv6 address)

With z/OS the only configuration statement required to enable IPv6 is the AF_INET6 NETWORK statement in BPXPRMxx. IPv6 applications communicating with IPv4 partners is functionally equivalent to IPv4 applications communicating with IPv4 partners.

z/OS IPv6 Enablement
[Figure: dual-mode stack. Applications; AF_INET6 PFS and AF_INET PFS; IPv6 Raw Transport, Common TCP and UDP Transport, IPv4 Raw Transport; IPv6 (NeD, MLD, Stateless autoconfig, ICMPv6) and IPv4 (ARP, IGMP, ICMP); QoS, TRM, IDS; Firewall Functions; Common DLC Functions; IPv6 DLCs (QDIO) and IPv4 DLCs; OSA QDIO; IPv6 and IPv4 packets on the same LAN.]
● IP Address translation IPv6 to IPv4 and vice versa occurs at the Transport Layer
● AF_INET6 Applications
  • Common TCP or UDP Transport Layer selects IPv6 or IPv4 Layer 3 (Network Layer) to match partner.
● Raw Applications
  • Application itself selects Layer 3
● Both IPv6 and IPv4 remote partners may connect to z/OS IPv6 application.
● Only IPv4 remote partner may connect to z/OS IPv4 only application.

z/OS Comm Server can be an IPv4-only stack or a dual-mode stack. There is no support for an IPv6 only stack.

The dual-mode stack is also called the "dual stack." However, to avoid any ambiguity, it is probably best to call it a "dual-mode" stack, since, in the past we have often talked about "dual stacks" when discussing the coexistence of multiple stacks in a single MVS image.

Physical File System (PFS) "AF_INET6." It can coexist with the AF_INET PFS that is available for IPv4. Both file systems are defined in BPXPRMxx.

A dual-mode (or dual-stack) TCP/IP implementation supports both IPv4 and IPv6 interfaces; both old AF_INET and new AF_INET6 applications.

If address translation is necessary because the network is IPv6 when the connection partners are IPv4, or because the network is IPv4 when the connection partners are IPv6, the transport layer provides the mapping services.

For AF_INET6 applications, the common TCP or UDP transport layer determines per communication partner if the partner is an IPv4 or an IPv6 partner - and chooses IPv4 or IPv6 networking layer component based on that.
Raw applications make the determination themselves when they choose IPv4 or IPv6 raw transport.

IPv4 and IPv6 applications can coexist on a single dual stack. Unmodified applications continue to send data over the IPv4 network. A single application can communicate using IPv4 and IPv6; this requires application modification.

By default, IPv6 applications can communicate with both IPv4 and IPv6 peers. The socket option IPV6_V6ONLY makes an IPv6 application require all peers to be IPv6.

z/OS IPv6 Enablement
[Figure: dual-mode stack. IPv6 Enabled Applications on the AF_INET6 PFS and IPv4 Only Applications on the AF_INET PFS; Transport Layer; IPv4 and IPv6; Common DLC Functions; IPv6 DLCs (QDIO) and IPv4 DLCs; OSA QDIO. Addresses shown: 9.67.115.5, 2001:0DB8::9:67:115:5, 2001:0DB8::9:67:115:17, 9.67.115.69.]

Layer | IPv6 | IPv4
Application, Source Address | 2001:0DB8::9:67:115:17 | ::FFFF:9.67.115.69
Application, Dest Address | 2001:0DB8::9:67:115:5 | ::FFFF:9.67.115.5
Transport, Source Address | 2001:0DB8::9:67:115:17 | 9.67.115.69 --- ::FFFF:9.67.115.69
Transport, Dest Address | 2001:0DB8::9:67:115:5 | 9.67.115.5 --- ::FFFF:9.67.115.5
Packet, Source Address | 2001:0DB8::9:67:115:17 | 9.67.115.69
Packet, Dest Address | 2001:0DB8::9:67:115:5 | 9.67.115.5

An application that has bound to an IPv6 native address has to use some transition mechanism to be able to communicate with an IPv4 partner. IPv4-mapping is defined as the function of mapping an IPv4 address into the IPv6 address field of an AF_INET6 addressing structure. It is done at the transport protocol layer when the remote partner is an IPv4 partner.

An IPv6 application on a dual-mode stack can communicate with IPv4 and IPv6 partners as long as it doesn't bind to a native IPv6 address. If it bound to a native IPv6 address, then it cannot communicate with an IPv4 partner, since the native IPv6 address cannot be converted to an IPv4 address.
A 32-bit AF_INET address can always fit into an AF_INET6 address field. An IPV6 address cannot fit into an AF_INET address field.

If the partner is IPv6, all communication will use IPv6 packets. If partner is IPv4 then both source/destination will be IPv4-mapped IPv6 addresses. On inbound the transport protocol layer will map the IPv4 address to its corresponding IPv4-mapped IPv6 address before returning to the application with AF_INET6 addresses. On outbound the transport protocol layer will convert the IPv4-mapped addresses to native IPv4 addresses and send IPv4 packets.

Application / Transport Layer Mapping
[Figure: socket type and bound address (AF_INET6 Socket bound to an IPv6 Specific Address, to in6addr_any, or to an IPv4 Mapped Address; AF_INET Socket bound to an IPv4 Specific Address or inaddr_any) against the partner (IPv6 partner, IPv4 Mapped partner, IPv4 partner), with the resulting IPv6 Packet / IPv6 Routing or IPv4 Packet / IPv4 Routing. The AF_INET Socket with an IPv6 partner is marked "??????".]
An AF_INET (IPv4) Server program on a Dual-Mode stack cannot communicate with an IPv6-only partner because AF_INET cannot fit an IPv6 address into 32 bits.

AF_INET Sockets
- Only send using IPv4 packets
AF_INET6 Sockets
- Bound to IPv4 mapped address
  Send IPv4 packets only
  Partner specified using an IPv4 mapped address
- Bound to IPv6 native address
  Send IPv6 packets only
  Partner specified using IPv6 address
- Bound to in6addr_any - (UDP - implicit Bind is done at send/connect time)
  Send IPv4 or IPv6 packet depending on how partner address is specified (IPv4 mapped or IPv6 native)
  Can receive IPv4 or IPv6 packets

A listening TCP socket can receive both IPv4 and IPv6 SYNs.

Note that when sending/receiving IPv4 packets, all existing V4 functions are supported - firewall, policy, sysplex etc.
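
Because the transport layer hands an AF_INET6 application its IPv4 partners as IPv4-mapped addresses, any address-based check in that application has to undo the mapping before comparing against IPv4 rules. The following Python sketch is an added example, not code from the presentation or from z/OS; the function names and the allow-list are hypothetical, and wire_family models only the three AF_INET6 binding cases listed in the notes above.

```python
import ipaddress

IN6ADDR_ANY = ipaddress.IPv6Address("::")

# Constructed allow-list: one IPv4 rule and one IPv6 rule.
ACL = ["9.67.0.0/16", "2001:db8::/32"]


def unmap(addr):
    """Native form of an address as an AF_INET6 socket reports it.

    IPv4-mapped addresses (::FFFF:a.b.c.d or ::FFFF:<hex>:<hex>) become
    IPv4Address objects. Anything else, including the IPv4-compatible
    form ::a.b.c.d, stays an IPv6Address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _in_any(ip, allowed):
    nets = [ipaddress.ip_network(n) for n in allowed]
    return any(ip.version == n.version and ip in n for n in nets)


def naive_allowed(peer, allowed):
    """Compare the reported address as-is: mapped peers miss IPv4 rules."""
    return _in_any(ipaddress.ip_address(peer), allowed)


def peer_allowed(peer, allowed):
    """Unmap first, so one IPv4 rule covers AF_INET and AF_INET6 sockets."""
    return _in_any(unmap(peer), allowed)


def wire_family(bound, partner):
    """IP version an AF_INET6 socket sends, given its bound address.

    in6addr_any        -> follows how the partner address is specified
    IPv4-mapped bind   -> IPv4 packets only
    native IPv6 bind   -> IPv6 packets only
    """
    b, p = unmap(bound), unmap(partner)
    if b == IN6ADDR_ANY:
        return f"IPv{p.version}"
    if b.version != p.version:
        raise ValueError(f"socket bound to {b} cannot reach partner {p}")
    return f"IPv{b.version}"


if __name__ == "__main__":
    for peer in ("::FFFF:9.67.115.69", "::FFFF:0943:7345",
                 "::9.67.115.69", "2001:0DB8::9:67:115:17"):
        print(f"{peer:24} native={unmap(peer)!s:24} "
              f"naive={naive_allowed(peer, ACL)} unmapped={peer_allowed(peer, ACL)}")
    print(wire_family("::", "::FFFF:9.67.115.5"))       # IPv4
    print(wire_family("::", "2001:0DB8::9:67:115:5"))   # IPv6
```

Log the unmapped form as well, so that the same IPv4 partner does not appear under two different spellings depending on which socket family accepted the connection.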

BIND-Specific and PORT

PROFILE.TCPIP PORT Statement
  PORT
    2001 TCP MYSERVER                  ; (1)
    20   TCP * NOAUTOLOG
    21   TCP NM1AFTP1 BIND 12AB::2     ; (2)
    21   TCP FTPD3 BIND 9.67.2.1
    2020 TCP CICS1 SHAREPORT           ; (3)
    2020 TCP CICS2
    3001 TCP MYIP6AP1 SHAREPORT        ; (4)
    3001 TCP MYIP6AP2
    3001 TCP MYIP4AP1
    3001 TCP MYIP4AP2

1. Port reserved without regard to IPv4 and IPv6.
2. BIND forces server to listen only on a particular IPv4 or IPv6 address.
   ● One job for IPv4 clients
   ● One job for IPv6 clients
3. Shareport provides load balancing by the stack.
4. IPv4 clients are load-balanced to all IPv4 and IPv6 servers.

NETSTAT PORTLIST
  MVS TCP/IP NETSTAT CS...
  Port# Prot User     Flags    Range
  ----- ---- -------  -----    -----
  00020 TCP  NM1AFTP1 D
  00021 TCP  NM1AFTP1 DAB
    BindSpecific: 12AB::2
  00021 TCP  FTPD3    DAB
    BindSpecific: 9.67.2.1
  02001 TCP  MYSERVER DA
  02020 TCP  CICS1    DAU
  02020 TCP  CICS2    DAU
  03001 TCP  MYIP6AP1 DAU
  03001 TCP  MYIP6AP2 DAU
  03001 TCP  MYIP4AP1 DAU
  03001 TCP  MYIP4AP2 DAU

[Figure: IPv4 Clients (port 21 at 9.67.2.1, port 2020, port 3001) and IPv6 Clients (port 21 at 12AB::2, port 3001) connecting to the servers FTPD3, CICS1, CICS2, MYIP4AP1, MYIP4AP2, NM1AFTP1, MYIP6AP1, MYIP6AP2.]

The PORT statement reserves a port for the use of a particular server. It normally does not distinguish between IPv4 and IPv6; the port is reserved regardless of which flavor of address the application uses.

The BIND keyword on the port statement allows you to force an INADDR_ANY listener to listen on a particular IP address. You may now specify an IPv6 address on this keyword. INADDR_ANY listeners will be converted to an IPv4 address, but will ignore an IPv6 address on the BIND keyword. IN6ADDR_ANY listeners will be converted to either an IPv4 address (the v4-mapped form of that address) or an IPv6 address, depending on what is specified with the BIND keyword. By using the BIND keyword, a server listens on a particular IP address; i.e., it will be either IPv4 or IPv6.
To have the same service serve both IPv4 and IPv6 clients, you may need to start up two instances of it, one bound to an IPv4 address and one to an IPv6 address. The example here illustrates two different FTP servers: one for IPv4 and one for IPv6. FTP always opens AF_INET6 (if you are on a dual-mode stack).

SHAREPORT allows multiple listeners to bind to the same port. It causes incoming connections to be load-balanced between the listeners. All IPv4 connection requests will be load-balanced between the set of IPv4 listeners (including AF_INET6 IN6ADDR_ANY listeners), while all IPv6 connection requests will be load-balanced between the set of IPv6 listeners.

INET BPXPRMxx Definitions

● IPv4-only BPXPRMxx Example for INET
  FILESYSTYPE TYPE(INET) ENTRYPOINT(EZBPFINI)
  NETWORK DOMAINNAME(AF_INET)
          DOMAINNUMBER(2)
          MAXSOCKETS(2000)
          TYPE(INET)
[Figure: IPv4-only stack. Socket Applications; LFS; AF_INET PFS; TCP and UDP Transport and IPv4 Raw Transport; QoS, TRM, IDS; ARP, IGMP, ICMP; IPv4 DLCs.]

● IPv4/IPv6 BPXPRMxx Example for INET (Dual-Mode)
  FILESYSTYPE TYPE(INET) ENTRYPOINT(EZBPFINI)
  NETWORK DOMAINNAME(AF_INET)
          DOMAINNUMBER(2)
          MAXSOCKETS(2000)
          TYPE(INET)
  NETWORK DOMAINNAME(AF_INET6)
          DOMAINNUMBER(19)
          MAXSOCKETS(3000)
          TYPE(INET)
[Figure: dual-mode stack. Socket Applications; LFS; AF_INET PFS and AF_INET6 PFS; IPv6 Raw Transport, TCP and UDP Transport, IPv4 Raw Transport; NeD, MLD, Stateless autoconfig, ICMPv6; QoS, TRM, IDS; ARP, IGMP, ICMP; IPv6 DLCs (QDIO) and IPv4 DLCs.]

Dual stack (IPv4/IPv6) is defined by using two NETWORK statements (AF_INET & AF_INET6) in BPXPRMxx. When the INET is defined, only a single TCP/IP stack can be started. The single stack is IPv4/IPv6 capable. With dual-mode stack IPv6 functions and protocols ICMPv6, NeD, MLD, and Autoconfig are automatically enabled.

ICMPv6 - The IP protocol concerns itself with moving data from one node to another.
However, in order for IP to perform this task successfully, there are many other functions that need to be carried out: error reporting, route discovery, and diagnostics, among others. In IPv6, all these tasks are carried out by the Internet Control Message Protocol (ICMPv6). In addition, ICMPv6 provides a framework for Multicast Listener Discovery (MLD) and Neighbor Discovery (NeD), which carry out the tasks of conveying multicast group membership information (the equivalent of the IGMP protocol in IPv4) and address resolution (performed by ARP in IPv4).

Neighbor discovery is an ICMPv6 function that enables a node to identify other hosts and routers on its links. It corresponds to a combination of IPv4 protocols (ARP, ICMP Router Discovery, and ICMP Redirect). It maintains routes, MTU, retransmit times, reachability time, and prefix information based on information received from the routers. NeD uses Duplicate Address Detection (DAD) to verify the host's home addresses are unique on the LAN. NeD uses Address Resolution to determine the link-layer addresses for neighbors on the LAN and Reachability Detection to determine neighbor reachability.

Multicast Listener Discovery (MLD) is the protocol used by an IPv6 router to discover the presence of multicast listeners (that is, nodes wishing to receive multicast packets) on its directly attached links, and to discover specifically which multicast addresses are of interest to those listeners. This information is then provided to whichever multicast routing protocol is being used by the router, in order to ensure that multicast packets are delivered to all links where there are interested receivers. MLD is derived from IGMPv2. One important difference to note is that MLD uses ICMPv6 message types, rather than IGMP message types.

IPv6 provides for both stateless and stateful autoconfiguration. Stateless autoconfiguration allows a node to be configured in the absence of any configuration server.
Stateless autoconfiguration makes it possible for a node to configure its own globally routable addresses in cooperation with a local IPv6 router, by combining the 48- or 64-bit MAC address of the adapter with network prefixes that are learned from the neighboring router. IPv6 allows the use of DHCPv6 for stateful autoconfiguration. DHCPv6 relies on a configuration server that maintains static tables to determine the addresses that are assigned to newly connected nodes. z/OS CS does not support DHCPv6.

    D OMVS,PFS
    OMVS     000E ACTIVE          OMVS=(N3)
    PFS CONFIGURATION INFORMATION
    PFS TYPE  DESCRIPTION        ENTRY     MAXSOCK  OPNSOCK  HIGHUSED
    UDS       SOCKETS AF_UNIX    BPXTUINT       64        2         2
    INET      SOCKETS AF_INET6   EZBPFINI     3000        1         1
              SOCKETS AF_INET                 2000        7         7

Multiple Stacks IPv4 CINET

  [Diagram: Socket Applications over one AF_INET PFS and three IPv4 stacks, NM1ATCP, NM1BTCP and NM1CTCP, each with TCP and UDP Transport, IPv4 Raw Transport, QoS, TRM, IDS, ARP, IGMP, ICMP and IPv4 DLCs]

● IPv4-only BPXPRMxx Example for CINET

    FILESYSTYPE TYPE(CINET) ENTRYPOINT(BPXTCINT)
    NETWORK DOMAINNAME(AF_INET)
            DOMAINNUMBER(2)
            MAXSOCKETS(2000)
            TYPE(CINET)
            INADDRANYPORT(20000)
            INADDRANYCOUNT(100)
    SUBFILESYSTYPE NAME(NM1ATCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)
    SUBFILESYSTYPE NAME(NM1BTCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)
    SUBFILESYSTYPE NAME(NM1CTCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)

A single MVS image can contain up to 8 TCP/IP stacks. Depicted here are three stacks running in MVS. This type of configuration is called Common INET and is defined in the BPXPRMxx member of hlq.PARMLIB. Multi-stack support is not new, but CINET support for IPv6 is. Up to 8 CS TCP/IP stacks can be active at one time whether they are running single-mode or dual-mode. Three IPv4 AF_INET stacks are depicted. These definitions are identical to what was used prior to IPv6 support.
Multiple TCP/IP stacks in one MVS image or LPAR are only supported by using Common INET (CINET). Each TCP/IP stack is defined in the BPXPRMxx parmlib member using a SUBFILESYSTYPE statement.

    D OMVS,PFS
    BPXO046I 16.18.01 DISPLAY OMVS 023
    OMVS     000D ACTIVE          OMVS=(Z4)
    PFS CONFIGURATION INFORMATION
    PFS TYPE  DESCRIPTION         ENTRY     MAXSOCK  OPNSOCK  HIGHUSED
    AUTOMNT   LOCAL FILE SYSTEM   BPXTAMD
    TFS       LOCAL FILE SYSTEM   BPXTFS
    CINET     SOCKETS AF_INET     BPXTCINT    10000       34        38
    UDS       SOCKETS AF_UNIX     BPXTUINT       64        5         6
    HFS       LOCAL FILE SYSTEM   GFUAINIT
    BPXFTCLN  CLEANUP DAEMON      BPXFTCLN
    BPXFTSYN  SYNC DAEMON         BPXFTSYN
    BPXFPINT  PIPES               BPXFPINT
    BPXFCSIN  CHARACTER SPECIAL   BPXFCSIN
    PFS NAME  DESCRIPTION         ENTRY     STATUS   FLAGS
    NM1ATCP   SOCKETS             EZBPFINI  ACT      SC
    NM1BTCP   SOCKETS             EZBPFINI  ACT
    NM1CTCP   SOCKETS             EZBPFINI  ACT
    PFS TYPE  PARAMETER INFORMATION
    HFS       CURRENT VALUES: FIXED(0) VIRTUAL(249)

This command displays the Physical File Systems available to UNIX System Services. This is a CINET (multi-stack) configuration for IPv4 only (Sockets AF_INET) with Entry type of BPXTCINT. Each individual stack has an entrypoint of EZBPFINI.

Multiple Stacks IPv4/IPv6 CINET

  [Diagram: Socket Applications over three dual-mode stacks, each with an AF_INET6 PFS (IPv6 Raw Transport, NeD, MLD, Stateless autoconfig, ICMPv6, IPv6 DLCs) and an AF_INET PFS (IPv4 Raw Transport, ARP, IGMP, ICMP, IPv4 DLCs) sharing TCP and UDP Transport, QoS, TRM and IDS]

● IPv4/IPv6 BPXPRMxx Example for CINET (Dual-Mode)

    FILESYSTYPE TYPE(CINET) ENTRYPOINT(BPXTCINT)
    NETWORK DOMAINNAME(AF_INET)
            DOMAINNUMBER(2)
            MAXSOCKETS(2000)
            TYPE(CINET)
            INADDRANYPORT(20000)
            INADDRANYCOUNT(100)
    NETWORK DOMAINNAME(AF_INET6)
            DOMAINNUMBER(19)
            MAXSOCKETS(3000)
            TYPE(CINET)
    SUBFILESYSTYPE NAME(NM1ATCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)
    SUBFILESYSTYPE NAME(NM1BTCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)
    SUBFILESYSTYPE NAME(NM1CTCP) TYPE(CINET) ENTRYPOINT(EZBPFINI)

  • MAXSOCKETS is enforced independently for AF_INET and AF_INET6 sockets.
  • INADDRANYPORT and INADDRANYCOUNT values for NETWORK AF_INET6 are taken from the values specified on NETWORK AF_INET.
  • INADDRANYPORT and INADDRANYCOUNT values are ignored if specified on the NETWORK statement for AF_INET6.

Dual stack (IPv4/IPv6) is defined by using two NETWORK statements in BPXPRMxx: one for IPv4 and one for IPv6. Each TCP/IP stack is defined in the BPXPRMxx parmlib member with SUBFILESYSTYPE. All CS TCP/IP stacks defined under the two NETWORK statements will be IPv4/IPv6 stacks. Stacks that are not IPv6-aware (like AnyNet Sockets over SNA) will continue to operate as IPv4-only stacks. If MAXSOCKETS on the AF_INET6 NETWORK statement is specified as 0, any TCP/IP stacks started will be IPv4-only stacks.

MAXSOCKETS is enforced independently for AF_INET and AF_INET6 sockets. For TCP/IP Socket APIs (Macro, CALL, REXX, C and CICS) the maximum number of sockets allowed is 2000 regardless of socket type and subject to the MAXSOCKETS limit. See z/OS Communication Server: IP Application Programming Interface Guide, SC31-8788, for details on how to set the maximum socket limit for the TCP/IP Socket APIs. For UNIX sockets applications, MAXSOCKETS determines the number of each type of socket that may be open at one time.

    D OMVS,PFS
    OMVS     000E ACTIVE          OMVS=(N3)
    PFS CONFIGURATION INFORMATION
    PFS TYPE  DESCRIPTION        ENTRY     MAXSOCK  OPNSOCK  HIGHUSED
    UDS       SOCKETS AF_UNIX    BPXTUINT       64        2         2
    INET      SOCKETS AF_INET6   EZBPFINI     3000        1         1
              SOCKETS AF_INET                 2000        7         7

The information about whether the stack is IPv6 enabled or not is added to the Netstat UP/-u report.
Example from an IPv4 only stack

    MVS TCP/IP NETSTAT CS V1R4       TCPIP Name: NM1ATCP       14:34:37
    Tcpip started at 14:27:29 on 05/21/2003 with IPv6 disabled

Example from an IPv6 enabled stack

    MVS TCP/IP NETSTAT CS V1R4       TCPIP Name: NM1ATCP       23:01:27
    Tcpip started at 22:40:32 on 05/21/2003 with IPv6 enabled

Netstat HOME in an IPv6-enabled stack displays the LOOPBACK6 Interface -- whether or not you have made any changes whatsoever to the current TCP/IP Profile.

    INTFNAME: LOOPBACK6
      ADDRESS: ::1
        TYPE: LOOPBACK
        FLAGS:

The LOOPBACK6 interface appears at the bottom of the HOMELIST, beneath the IPv4 LOOPBACK device.

PROFILE.TCPIP

Format Long

● IPCONFIG FORMAT SHORT and NETSTAT FORMAT SHORT
  • IPCONFIG default when stack not in Dual-Mode (not IPv6 enabled)
  • IPv4 only output
● IPCONFIG FORMAT LONG and NETSTAT FORMAT LONG
  • Only option when stack in Dual-Mode (IPv6 enabled)
  • IPv6 and IPv4 output

NETSTAT HOME (FORMAT SHORT)

    MVS TCP/IP NETSTAT CS V1R4 TCPIP Name:...
    Home address list:
    Address          Link           Flg
    -----------
    9.82.5.120       VLINK1
    9.82.5.121       VLINK2
    10.1.1.1         LOOPBACK
    9.82.4.168       OSATRB10       P
    172.18.2.168     CTCC128
    192.168.11.168   TRLSM92A
    192.168.31.168   TRLSM93A
    192.168.51.168   TRLSM94A
    192.168.5.168    EZASAMEMVS
    192.168.5.168    EZAXCFM2
    9.82.5.122       VIPL0952057A
    127.0.0.1        LOOPBACK

NETSTAT HOME FORMAT LONG

    MVS TCP/IP NETSTAT CS V1R4...
    Home address list:
    LinkName: VLINK1
      Address: 9.82.5.120
        Flags:
    ...
    LinkName: LOOPBACK
      Address: 10.1.1.1
        Flags:
    LinkName: OSATRB10
      Address: 9.82.4.168
        Flags: Primary
    ...

FORMAT - The FORMAT keyword is optional. The FORMAT keyword is only meaningful for stacks that are not enabled for IPv6. It controls the format of the command output. If FORMAT SHORT is specified and the stack is enabled for IPv6, then an error message will be displayed.
If the stack is not enabled for IPv6 and the user specified LONG format, the command output is displayed as if it could contain IPv6 addresses. If the stack is not enabled for IPv6 and the user specified SHORT format or did not specify the FORMAT keyword, then the command output is displayed as if it could contain only IPv4 addresses and not the longer IPv6 addresses. If the stack is enabled for IPv6, then specifying the FORMAT keyword does not make any difference to the command output format. The FORMAT LONG display above is done on a stack that does not have IPv6 enabled.

Netstat output format:
  • Most Netstat output supports the FORMAT keyword, LONG or SHORT
  • FORMAT LONG to support longer IPv6 addresses
  • LONG FORMAT always used when IPv6 is enabled
  • No message identifiers in FORMAT LONG output
  • FORMAT SHORT same as pre-V1R4
  • FORMAT defaults to SHORT when IPv6 is not enabled
  • FORMAT SHORT is not supported when IPv6 is enabled
  • FORMAT can be defined in IPCONFIG

There are no message identifiers in the output when FORMAT LONG is used. If you have developed REXX programs that issue Netstat commands under TSO and parse the output lines based on message identifiers, you may need to change those REXX programs to use some other token in the output lines to decide the format of the line you are trying to parse.

Implement IPCONFIG FORMAT LONG now to prepare for an eventual IPv6 implementation. Since messages routinely change when the z/OS release changes, it is recommended to implement IPCONFIG FORMAT LONG when z/OS is upgraded. Automation that relies on the message output will be checked after the upgrade anyway, so a separate check for FORMAT LONG will be avoided.
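Automation that used to key on message identifiers can key on the field labels of the FORMAT LONG records instead. The following is an added example, not part of the original presentation, shown in Python rather than REXX: it detects which layout a NETSTAT HOME report uses and parses both into the same records. The sample reports are constructed from the displays above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the NETSTAT HOME displays shown above.
SAMPLE_LONG = """\
MVS TCP/IP NETSTAT CS V1R4       TCPIP Name: NM1ATCP
Home address list:
LinkName:   VLINK1
  Address:  9.82.5.120
    Flags:
LinkName:   OSATRB10
  Address:  9.82.4.168
    Flags:  Primary
IntfName:   LOOPBACK6
  Address:  ::1
    Type:   Loopback
    Flags:
"""

SAMPLE_SHORT = """\
MVS TCP/IP NETSTAT CS V1R4       TCPIP Name: NM1ATCP
Home address list:
Address          Link             Flg
-------          ----             ---
9.82.5.120       VLINK1
9.82.4.168       OSATRB10         P
127.0.0.1        LOOPBACK
"""

# A FORMAT LONG line is "<label>: <value>"; labels are matched case-insensitively.
LABEL = re.compile(r"^\s*(LinkName|IntfName|Address|Type|Flags):\s*(.*?)\s*$", re.I)
SHORT_HEADER = ["Address", "Link", "Flg"]


def detect_format(text):
    """Return 'LONG', 'SHORT' or 'UNKNOWN' from the shape of the report."""
    for line in text.splitlines():
        if LABEL.match(line):
            return "LONG"
        if line.split()[:3] == SHORT_HEADER:
            return "SHORT"
    return "UNKNOWN"


def _record(name, address, flags):
    # The address family is derived from the address itself, not from the layout.
    family = ipaddress.ip_address(address).version if address else None
    return {"name": name, "address": address, "family": family, "flags": flags}


def parse_long(text):
    """Parse label/value records; a LinkName or IntfName line starts a new record."""
    raw, current = [], None
    for line in text.splitlines():
        m = LABEL.match(line)
        if not m:
            continue
        label, value = m.group(1).lower(), m.group(2)
        if label in ("linkname", "intfname"):
            current = {"name": value, "address": None, "flags": []}
            raw.append(current)
        elif current is None:
            continue  # field seen before any record header
        elif label == "address":
            current["address"] = value
        elif label == "flags":
            current["flags"] = value.split()
    return [_record(r["name"], r["address"], r["flags"]) for r in raw]


def parse_short(text):
    """Parse the column layout: address, link name, optional P (primary) flag."""
    records, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == SHORT_HEADER:
            in_table = True
        elif in_table and len(parts) >= 2 and not set(parts[0]) <= {"-"}:
            flags = ["Primary"] if "P" in parts[2:] else []
            records.append(_record(parts[1], parts[0], flags))
    return records


def parse_home(text):
    """Parse a NETSTAT HOME report in either layout into a list of records."""
    fmt = detect_format(text)
    if fmt == "LONG":
        return parse_long(text)
    if fmt == "SHORT":
        return parse_short(text)
    raise ValueError("unrecognised NETSTAT HOME layout")


if __name__ == "__main__":
    for rec in parse_home(SAMPLE_LONG):
        print(rec)
```
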
IPv6 Interface Statement

● Combines the definitions of DEVICE, LINK and HOME
  • LOOPBACK6 defines loopback addresses
  • IPAQENET6 configures OSA-Express adapter (Ethernet QDIO)
  • MPCPTP6 defines IUTSAMEH, XCF, or ESCON/FICON link
  • VIRTUAL6 defines IPv6 VIPA
  • IPAQIDIO6 defines HiperSockets LAN
● Some of the Keywords
  • DEFINE/DELETE (not for LOOPBACK6)
    ➔ defines or deletes the IPv6 device
  • ADDADDR/DEPRADDR/DELADDR
    ➔ adds, deletes, or deprecates IPv6 home address(es)
  • PORTNAME (IPAQENET6)/TRLENAME (MPCPTP6)
    ➔ equals TRLE portname or cpname (XCF) or IUTSAMEH
    ➔ equals device name for physical device to support both IPv4 and IPv6
  • INTFID (IPAQENET6 and MPCPTP6)
    ➔ optionally statically defines 64-bit interface ID (predictable link-local address)
  • IPADDR (not for LOOPBACK6)
    ➔ statically defines IPv6 address
    ➔ without IPADDR indicates autoconfiguration
  • SOURCEVIPAINTERFACE (IPAQENET6 and MPCPTP6)
    ➔ indicates the static VIPA to be used
  • DUPADDRDET (IPAQENET6)
    ➔ indicates number of times to attempt duplicate address detection

INTERFACE and IPCONFIG6 are statements in z/OS CS to support IPv6. The stack must be enabled for IPv6 to use these statements. Multiple IPv6 addresses may be configured on an INTERFACE statement.

Start or stop an interface via:
  • START or STOP statement in profile
  • VARY TCPIP,,START or VARY TCPIP,,STOP command

The INTERFACE statement allows the definition or deletion of IPv6 interfaces as well as the addition, deletion or deprecation of IPv6 addresses for these interfaces.

IPv6 provides the capability of autoconfiguring addresses for an interface by using information provided by IPv6 routers. Descriptions of this function can be found in RFC 2461 and RFC 2462. The term autoconfigured IP address is used to mean an IP address that is created as a result of information received from a router advertisement.
z/OS TCP/IP allows autoconfiguration if no IP addresses are defined on the profile INTERFACE statement using the IPADDR keyword. If the INTERFACE statement contains IPADDR definitions, this indicates that the installation is defining its own IP addresses and autoconfiguration is not desired. The term manually configured addresses describes the addresses that are defined using the IPADDR keyword.

TCP/IP creates an autoconfigured IP address for an interface if all three of the following conditions are met:
  • The interface is active.
  • A valid router advertisement containing prefix information with the autonomous flag on is received over the interface.
  • No manually configured home addresses are defined for the interface at the time the router advertisement is received.

The IP address that is created by autoconfiguration is formed by appending the interface ID to the prefix supplied by the router advertisement. Autoconfigured addresses can be identified in the netstat home report by the 'Autoconfigured' flag.

The PRI/SEC/NONROUTER function works the same way for IPv6 as for IPv4. There are separate primary router attributes for IPv4 and IPv6 packets, so one stack sharing the OSA may be primary router for IPv4 while a different stack may be primary router for IPv6.
  • Configure the IPv4 PRIROUTER/SECROUTER attribute on the DEVICE statement
  • Configure the IPv6 PRIROUTER/SECROUTER attribute on the INTERFACE statement
  • NETSTAT DEVLINKS/-d displays the PRI/SEC/NONROUTER attributes.
  • Virtual MAC is preferred over the PRIROUTER parameter.

Each stack registers each non-loopback IP address in its home list to OSA. To add or delete an IPv4 home address you need to use an obeyfile with a new HOME statement, which replaces the IPv4 home list. For IPv6 you can use ADDADDR and DELADDR on the INTERFACE statement to add or delete individual IP addresses. To delete the last or only IPv6 address for a VIRTUAL6, use INTERFACE DELETE, similar to IPv4 DELETE LINK and DELETE DEVICE.
Loopback Interface Statement

● INTERFACE LOOPBACK6 Statement for IPv6:

    INTERFACE LOOPBACK6
      ADDADDR 2001:0DB8::14:0

  • There is only one LOOPBACK6 interface generated automatically.
    ➔ Default address ::1
    ➔ Cannot be deleted
  • Additional IP addresses may be defined/deleted/deprecated.

There is only one LOOPBACK6 interface. The default LOOPBACK6 address ::1 is generated automatically and cannot be deleted. Therefore, you cannot DEFINE or DELETE the LOOPBACK6 interface. You can add additional IP addresses for LOOPBACK6 in the initial profile or in an obeyfile. Additionally, you can delete and deprecate one or more of these additional IP addresses in a vary obeyfile.

OSA QDIO Interface Statement

● Single OSA adapter can support both IPv4 and IPv6 concurrently.
● TRLE Required:

    OSAQDIO  TRLE  LNCTL=MPC,READ=(0E28),WRITE=(0E29),
                   DATAPATH=(0E2A,0E2B),MPCLEVEL=QDIO,
                   PORTNAME=(OSAQDIO2,0)

● INTERFACE IPAQENET6 Statement for IPv6:

    INTERFACE OSAQDIO26 DEFINE IPAQENET6 PORTNAME OSAQDIO2
      IPADDR 2001:0DB8:1:0:50C9:C2D4:0:1

● INTERFACE IPAQENET Statement for IPv4:

    INTERFACE OSAD2INT DEFINE IPAQENET PORTNAME OSAQDIO2
      IPADDR 10.15.43.38/24

● DEVICE MPCIPA and LINK IPAQENET Statement for IPv4:

    DEVICE OSAQDIO2 MPCIPA
    LINK LINK2 IPAQENET OSAQDIO2

TCP/IP can be configured to use the OSA for IPv4-only, for IPv6-only, or both. To use an OSA for both, specify the same PORTNAME on both the IPv6 and IPv4 INTERFACE statements, or specify the PORTNAME on the IPv6 INTERFACE and the device name on the IPv4 DEVICE.

IPv6 OSA QDIO - Configured using INTERFACE IPAQENET6. Requires TRLE definition, same as IPv4. Optional IPADDR to manually configure IP address(es) - Full IPv6 address or 64 bit prefix (TCP/IP appends interface ID). Separate start and stop statements and separate Netstat Devlinks interface counters for IPv4 and IPv6.
For IPv4, ARP is offloaded to and performed by OSA. For IPv6, TCP/IP Neighbor Discovery performs address resolution for OSA.

Two device addresses are defined in DATAPATH in the example on this page:
  • Required for two stacks in the same LPAR sharing an OSA.
  • Optional backup - If two device addresses are defined for only one stack and the first path fails, the second is used.

Interface ID and MTU from OSA

● OSA returns MAC address and unique instance value during START interface.

    INTERFACE ID (64 BITS)
      | 24 bits              | 16 bits        | 24 bits              |
      | MAC ADDR (BYTES 1-3) | INSTANCE VALUE | MAC ADDR (BYTES 4-6) |

    LINK_LOCAL ADDRESS (128 BITS)
      | 64 bits           | 64 bits      |
      | LINK_LOCAL PREFIX | INTERFACE ID |

● TCP/IP uses the lower of the configured MTU and the MTU value returned by the OSA
  • 8992 for Gigabit Ethernet
  • 1492 for Fast Ethernet

    INTERFACE OSAQDIO26 DEFINE IPAQENET6 PORTNAME OSAQDIO2
      PRIROUTER MTU 4000

Interface ID:
  • Multiple stacks which share an OSA get unique interface IDs
  • TCP/IP constructs the interface ID and link-local address
  • Interface ID remains the same across restart of the interface (with rare exceptions)
  • Interface ID will change after recycle of TCP/IP

RFC2373 describes an algorithm to build an EUI-64 interface ID from a MAC address by inserting xFFFE into the middle of the MAC address. However, this algorithm does not consider the case where an adapter is shared by multiple stacks, as each would derive the same interface ID and therefore get the same link-local address. To allow an OSA to be shared by multiple stacks, OSA returns a unique instance value during activation. TCP/IP ensures that the universal/local bit is off in the interface ID (seventh bit of interface ID). To help provide fault tolerance, TCP/IP requests that OSA return the same interface ID when an interface is restarted. One reason the interface ID could change on a restart of the interface is if the customer changes the MAC address of the OSA.
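The collision described above can be made concrete. This added example (not from the original presentation, and not IBM code) builds the RFC 2373 style interface ID and the MAC-plus-instance-value layout shown on the slide, then forms the link-local address and an autoconfigured address by appending the interface ID to a 64-bit prefix. The MAC address, the instance values 1 and 2, the router-advertised prefix and the function names are all constructed for illustration.

```python
import ipaddress

LINK_LOCAL_PREFIX = "fe80::/64"  # IPv6 link-local prefix
UL_BIT = 0x02                    # universal/local bit: seventh bit of the interface ID


def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' (or dashes) into six bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected six octets: %r" % text)
    return bytes(int(p, 16) for p in parts)


def eui64_interface_id(mac):
    """RFC 2373 style: insert FFFE in the middle of the MAC and invert the u/l bit."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def osa_style_interface_id(mac, instance):
    """Slide layout: MAC bytes 1-3, 16-bit instance value, MAC bytes 4-6, u/l bit off."""
    if not 0 <= instance <= 0xFFFF:
        raise ValueError("instance value must fit in 16 bits")
    iid = bytearray(mac[:3] + instance.to_bytes(2, "big") + mac[3:])
    iid[0] &= 0xFF ^ UL_BIT
    return bytes(iid)


def address_from_prefix(prefix, iid):
    """Append a 64-bit interface ID to a 64-bit prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def shared_adapter_demo(mac_text, instances, ra_prefix):
    """For each stack sharing one adapter, show the addresses each scheme would yield."""
    mac = parse_mac(mac_text)
    eui64 = eui64_interface_id(mac)
    rows = {}
    for stack, instance in instances.items():
        iid = osa_style_interface_id(mac, instance)
        rows[stack] = {
            # Same for every stack: derived from the MAC alone.
            "eui64_link_local": str(address_from_prefix(LINK_LOCAL_PREFIX, eui64)),
            # Differs per stack because the instance value differs.
            "osa_link_local": str(address_from_prefix(LINK_LOCAL_PREFIX, iid)),
            # Autoconfigured address: router-advertised prefix plus interface ID.
            "autoconfigured": str(address_from_prefix(ra_prefix, iid)),
        }
    return rows


if __name__ == "__main__":
    # Constructed inputs: two stacks sharing one adapter.
    demo = shared_adapter_demo("00:06:2A:71:44:00",
                               {"NM1ATCP": 1, "NM1BTCP": 2},
                               "2001:db8:1::/64")
    for stack, row in demo.items():
        print(stack, row)
```
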
MTU:
  • Configure MTU on the INTERFACE statement (<= size supported by router)
  • The minimum MTU for IPv6 is 1280.
  • The stack sends certain IPv6 packets to the link-local address of a router using the interface MTU. For OSA Gigabit Ethernet, where jumbo frames are supported, this MTU is 8992.
  • NETSTAT DEV/-d displays both the configured MTU (if configured) and the actual MTU (if the interface is active).

MPC Interface Statement

● Single MPC adapter can support both IPv4 and IPv6 concurrently.
● TRLE Required:

    OSAQDIO  TRLE  LNCTL=MPC,READ=(0C28),WRITE=(0C29),
                   DATAPATH=(0C2A,0C2B),MPCLEVEL=HPDT,
                   PORTNAME=(ESCONP1,0)

● INTERFACE MPCPTP6 Statement for IPv6:

    INTERFACE ESCONI1 DEFINE MPCPTP6 PORTNAME ESCONP1
      IPADDR 2001:44:5:4:1000:C200:0:1

● DEVICE MPCPTP and LINK MPCPTP Statement for IPv4:

    DEVICE ESCONP1 MPCPTP
    LINK ESCONL1 MPCPTP ESCONP1

● Static XCF
  • TRLENAME is VTAM CPname
● Same Host
  • TRLENAME is reserved name IUTSAMEH

TCP/IP can be configured to use the OSA for IPv4-only, for IPv6-only, or both. To use an OSA for both, specify the same PORTNAME on the INTERFACE and the device name on the DEVICE.

IPv6 OSA QDIO - Configured using INTERFACE IPAQENET6. Requires TRLE definition, same as IPv4. Optional IPADDR to manually configure IP address(es) - Full IPv6 address or 64 bit prefix (TCP/IP appends interface ID). Separate start and stop statements and separate Netstat Devlinks interface counters for IPv4 and IPv6.

For IPv4, ARP is offloaded to and performed by OSA. For IPv6, TCP/IP Neighbor Discovery performs address resolution for OSA.

Two device addresses are defined in DATAPATH in the example on this page:
  • Required for two stacks in the same LPAR sharing an OSA.
  • Optional backup - If two device addresses are defined for only one stack and the first path fails, the second is used.
VIPA Interface Statement

● IPv6 VIPA and SourceVIPA
  • IPv6 Source VIPA is enabled in IPCONFIG6 Statement:

    IPCONFIG6 SOURCEVIPA

  • INTERFACE VIRTUAL6 Statement for IPv6:

    INTERFACE VIPAV61 DEFINE VIRTUAL6
      IPADDR 2001:0DB8:0:A:9:67:115:5
    INTERFACE VIPAV62 DEFINE VIRTUAL6
      IPADDR 2001:0DB8:0:A:9:67:115:6

  • IPv6 Source VIPA is specified on OSA interface Statement:

    INTERFACE OSAQDIO16 DEFINE IPAQENET6 PORTNAME OSAQDIO1
      SOURCEVIPAINTerface VIPAV61
    INTERFACE OSAQDIO26 DEFINE IPAQENET6 PORTNAME OSAQDIO2
      SOURCEVIPAINTerface VIPAV62

All static VIPAs must be manually configured. IPv6 static VIPAs are configured using INTERFACE VIRTUAL6. Link-local VIPAs are disallowed since link-local addresses are for use only on the associated LAN and there is no VIPA LAN.

SourceVIPA for IPv6 is controlled via IPCONFIG6 SOURCEVIPA and INTERFACE SOURCEVIPAINTERFACE. When multiple addresses are configured for a SOURCEVIPA interface, the default source address selection algorithm will select the correct source address for each outbound packet based upon its destination address.

Use different prefixes for IPv6 static VIPAs and for the IPv6 addresses assigned to real interfaces. To allow other hosts that share a LAN with the z/OS TCP/IP stack to access the IPv6 VIPAs without the need for manual route configuration, a router on each LAN should include the VIPA prefix in its router advertisements. The router advertisements should define the prefix as being on-link and should indicate that the prefix not be used for autoconfiguration.

No duplicate address check is done for VIPA addresses.
When the application or upper-layer protocol has not selected a source address for an outbound IPv6 packet (using bind or ipv6_pktinfo), the default source address selection algorithm will select one:
  • The goal of default source address selection is to select the address that is most likely to allow the packet to reach its destination and to support site renumbering.
  • The group of candidate addresses consists of the addresses assigned to the outbound interface (both configured and/or dynamically generated) or the addresses configured for the outbound interface's SOURCEVIPA interface.
  • The default source address selection algorithm is explained in detail in the IPv6 Network and Application Design Guide, SC31-8885.

Transparent fault tolerance - redundant IPv6 connectivity onto a LAN:
  • Define and start multiple IPAQENET6 interfaces onto the same LAN
  • If one interface becomes inactive for any reason then another interface performs Interface Takeover
  • Gratuitous Neighbor Advertisements with the new MAC address are sent
  • IPv6 traffic targeting the original IP address(es) will continue to flow over another interface
  • Similar to the existing IPv4 ARP takeover function for LCS and MPCIPA QDIO, except that IPv6 support only sends gratuitous advertisements for VIPAs the stack previously received a Neighbor Solicitation for on that LAN.
Dynamic VIPA (DVIPA)

● IPv6 Dynamic VIPA Support (VIPADYNAMIC)

    VIPADYNAMIC
      VIPADEFINE dvipav61 2001:0DB8:0:A:9:67:115:7
    ENDVIPADYNAMIC

    VIPADYNAMIC
      VIPABACKUP dvipav62 2001:0DB8:0:A:9:67:115:8
    ENDVIPADYNAMIC

    VIPADYNAMIC
      VIPADELETE dvipav63
    ENDVIPADYNAMIC

    VIPADYNAMIC
      VIPARANGE dvipav64 2001:0DB8:0:A/64
    ENDVIPADYNAMIC

    VIPADYNAMIC
      VIPADISTRIBUTE DEFINE dvipav61 PORT 23 DESTIP ALL
    ENDVIPADYNAMIC

See the detailed VIPA presentation on the Techdocs web site: http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS789

IPCONFIG6 Statement

● IPCONFIG6 options similar to IPCONFIG
  • DATAGRAMFWD/NODATAGRAMFWD enables/disables the transfer of data between network interfaces.
  • FWDMULTIPATH PERPACKET/NOFWDMULTIPATH enables/disables interface to interface packet routing on an approximate round-robin basis.
  • IGNOREREDIRECT causes TCP/IP to ignore ICMP Redirect packets.
  • SOURCEVIPA/NOSOURCEVIPA enables/disables use of a VIPA assigned to the SOURCEVIPAINT interface as the source address for outbound datagrams that do not have an explicit source address.
  • MULTIPATH/NOMULTIPATH enables/disables multipath routing.
  • DYNAMICXCF configures IPv6 Dynamic XCF (and IUTSAMEH).
    ➔ INTFID optionally statically defines 64-bit interface ID
    ➔ XCF interface name is EZ6XCFnn where nn is the sysclone value
    ➔ IUTSAMEH interface name is EZ6SAMEMVS
● IPCONFIG6 options with no IPCONFIG equivalent
  • HOPLIMIT limits the number of hops a packet can travel en route.
  • IGNOREROUTERHOPLIMIT/NOIGNOREROUTERHOPLIMIT enables/disables the configured global hop limit value being overridden by a router advertisement value.
  • ICMPERRORLIMIT controls the rate at which ICMP error messages can be sent to a particular IPv6 destination address.
If the stack is not configured for IPv6 and IPCONFIG6 is specified, TCP/IP starts up with EZZ0695I IPCONFIG6 NOT VALID -IPv6 SUPPORT IS NOT ENABLED.

NODATAGRAMFWD - Stops transfer of data between networks by disabling IP routing between different network interfaces.

DATAGRAMFWD - Enables the routing of data between interfaces.

NOFWDMULTIPATH - If there are multiple equal-cost paths to a destination, the first active route is used. The default.

FWDMULTIPATH PERPACKET - A route on a round-robin basis is selected.

IGNOREREDIRECT - Causes TCP/IP to ignore ICMP Redirect packets.

NOSOURCEVIPA - Specifies that TCP/IP does not request to use a VIPA address as the source IP address for outbound datagrams. The default.

SOURCEVIPA - TCP/IP uses the VIPA assigned to the SOURCEVIPAINT interface as the source address for outbound datagrams that do not have an explicit source address. If multiple addresses are assigned to the SOURCEVIPAINT interface, the source address will be selected from those addresses according to the default source address selection algorithm.

NOMULTIPATH - Disables the multipath routing selection algorithm for outbound traffic. If there are multiple equal-cost routes to a destination and NOMULTIPATH is specified, TCP/IP uses the first active route. The default.

MULTIPATH - Enables the multipath routing selection algorithm for outbound IP traffic. If MULTIPATH is specified without any subparameters, the default is PERCONNECTION.
  • PERCONNECTION - A route on a round-robin basis is selected for each destination. Connection or connectionless oriented IP packets using the same association always use the same route.
  • PERPACKET - A route on an approximate round-robin basis is selected for each packet. All IP packets for a given association with a destination host are spread across the multiple equal-cost routes.

HOPLIMIT - Number of hops a packet can travel en route to the destination.
If the destination is more hops away, the packet will never reach the destination. The valid range is between 1 and 255. The default is 255.

IGNOREROUTERHOPLIMIT - Your configured HOPLIMIT value is always used. Any router advertisement from a router with a different hop limit value is ignored.

NOIGNOREROUTERHOPLIMIT - Causes TCP/IP not to ignore a router advertisement from a router with a different hop limit value. This results in the configured global hop limit value being overridden by the router advertisement value for all routes using the interface the router advertisement was received on. This is the default.

ICMPERRORLIMIT - This parameter controls the rate at which ICMP error messages can be sent to an IPv6 destination address. The number specified is messages per second. The default is 3 messages per second, and the valid range is 1-20 messages per second.

DYNAMICXCF - Creates XCF and IUTSAMEH links. XCF must be either static or dynamic for both protocols: either static IPv4 XCF and static IPv6 XCF, or dynamic IPv4 XCF and dynamic IPv6 XCF. Once the IPv6 dynamic XCF address has been established/enabled, it cannot be changed without recycling the TCP/IP stack.
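When reviewing a profile it helps to see the settings that result once the defaults above are applied, since options that are not coded still decide whether redirects and router-advertised hop limits are honored. This added example (not from the original presentation, and not IBM code) resolves an IPCONFIG6 statement to its effective values using only the defaults and ranges stated in these notes. It assumes full keyword spellings, reports anything it does not model (such as DYNAMICXCF and its parameters) as unparsed, and its function names and sample statement are constructed.

```python
# Defaults as stated in the notes above; None means the default is not stated there.
DEFAULTS = {
    "DATAGRAMFWD": None,
    "FWDMULTIPATH": "NOFWDMULTIPATH",
    "IGNOREREDIRECT": False,        # assumption: redirects are honored unless coded
    "SOURCEVIPA": False,
    "MULTIPATH": "NOMULTIPATH",
    "HOPLIMIT": 255,
    "IGNOREROUTERHOPLIMIT": False,
    "ICMPERRORLIMIT": 3,
}
RANGES = {"HOPLIMIT": (1, 255), "ICMPERRORLIMIT": (1, 20)}
ON_OFF = {
    "DATAGRAMFWD": ("DATAGRAMFWD", True), "NODATAGRAMFWD": ("DATAGRAMFWD", False),
    "SOURCEVIPA": ("SOURCEVIPA", True), "NOSOURCEVIPA": ("SOURCEVIPA", False),
    "IGNOREREDIRECT": ("IGNOREREDIRECT", True),
    "IGNOREROUTERHOPLIMIT": ("IGNOREROUTERHOPLIMIT", True),
    "NOIGNOREROUTERHOPLIMIT": ("IGNOREROUTERHOPLIMIT", False),
}

# Constructed sample, not taken from a real profile.
SAMPLE = """\
IPCONFIG6 NODATAGRAMFWD SOURCEVIPA   ; comment text is ignored
          MULTIPATH HOPLIMIT 64
          ICMPERRORLIMIT 25
"""


def effective_ipconfig6(statement):
    """Return (settings, errors, unparsed) for one IPCONFIG6 statement."""
    tokens = []
    for line in statement.splitlines():
        tokens += line.split(";", 1)[0].upper().split()
    if tokens[:1] == ["IPCONFIG6"]:
        tokens = tokens[1:]
    cfg, errors, unparsed = dict(DEFAULTS), [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ON_OFF:
            key, value = ON_OFF[tok]
            cfg[key] = value
        elif tok == "NOFWDMULTIPATH" or tok == "NOMULTIPATH":
            cfg[tok[2:]] = tok
        elif tok == "FWDMULTIPATH" and nxt == "PERPACKET":
            cfg["FWDMULTIPATH"] = "PERPACKET"
            i += 1
        elif tok == "MULTIPATH":
            # Without a subparameter the notes give PERCONNECTION as the default.
            if nxt in ("PERCONNECTION", "PERPACKET"):
                cfg["MULTIPATH"] = nxt
                i += 1
            else:
                cfg["MULTIPATH"] = "PERCONNECTION"
        elif tok in RANGES:
            lo, hi = RANGES[tok]
            if nxt is not None and nxt.isdigit():
                i += 1
                if lo <= int(nxt) <= hi:
                    cfg[tok] = int(nxt)
                else:
                    errors.append(f"{tok} {nxt} is outside {lo}-{hi}")
            else:
                errors.append(f"{tok} needs a numeric value")
        else:
            unparsed.append(tok)
        i += 1
    return cfg, errors, unparsed


def review(cfg):
    """List the effective behaviours a reviewer would want confirmed."""
    notes = []
    if not cfg["IGNOREREDIRECT"]:
        notes.append("ICMP Redirect packets are not ignored (IGNOREREDIRECT not coded)")
    if not cfg["IGNOREROUTERHOPLIMIT"]:
        notes.append("router advertisements can override HOPLIMIT %d" % cfg["HOPLIMIT"])
    if cfg["DATAGRAMFWD"] is None:
        notes.append("DATAGRAMFWD/NODATAGRAMFWD not coded; forwarding follows the stack default")
    elif cfg["DATAGRAMFWD"]:
        notes.append("datagrams are routed between interfaces (DATAGRAMFWD)")
    return notes


if __name__ == "__main__":
    settings, errs, rest = effective_ipconfig6(SAMPLE)
    print(settings, errs, rest, review(settings), sep="\n")
```
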
IPv6 Source IP Address

● IPCONFIG and IPCONFIG6 SOURCEVIPA
  • Allows outbound connections and datagrams to use a static VIPA as source IP address
  • Independence from physical adapter failure
  • SOURCEVIPA is different for each stack
● IPCONFIG and IPCONFIG6 TCPSTACKSOURCEVIPA
  • Provides Sysplex source VIPA when used with Sysplex Distributor
  • Supports DVIPAs
  • Ephemeral Port assignment coordinated among stacks when SYSPLEXPORTS is specified
● SRCIP/ENDSRCIP
  • TCPSTACKSOURCEVIPA applies to all outbound TCP connections
  • SRCIP allows each job to have its own IP address
  • TCPSTACKSOURCEVIPA only works if no bind() is issued before connect()
  • SRCIP works for applications that issue an explicit bind() to inaddr_any (unspecified address)
  • SRCIP is the preferred method for Source IP Address Specification.

  Example:

    SRCIP
      JOBNAME USER15  9.43.242.5
      JOBNAME USER*   9.43.242.4
      JOBNAME USER15  2EC0::092B:F203
      JOBNAME JOB*    ETHER1
      JOBNAME *       9.43.242.3
    ENDSRCIP

Problem Statement: Sysplex as a Single System
  1) TCPSTACKSOURCEVIPA applies to all outbound TCP connections
     • Same address for all connections if enabled
  2) TCPSTACKSOURCEVIPA only works if no bind() is issued before the connect()
     • Even if the bind() is to inaddr_any
  3) SHARE Requirement
     • Single Sysplex IP address, inbound and outbound: TCPSTACKSOURCEVIPA
     • Single IP address for an application: Job-Specific Source IP Address

Routing

Static Routing

● IPv6 BEGINROUTES

    ; BEGINRoutes Defines static routes to the IP route table
    BEGINRoutes
    ; Direct Routes
    ;     Destination      Subnet Mask    First Hop          Link/Int   Packet Size
    ROUTE 130.50.75.0      255.255.255.0  =                  TR1        MTU 2000
    ROUTE 193.5.2.0/24                    =                  ETH1       MTU 1500
    ROUTE 9.67.43.0        255.255.255.0  =                  FDDI1      MTU 4000
    ROUTE 193.7.2.2        HOST           =                  SNA1       MTU 2000
    ROUTE 2001:0CD8:1/128                 =                  OSAQDIO26  MTU 2000
    ROUTE 2001:0CD8:1/128                 =                  OSAQDIO28  MTU 2000
    ; Indirect Routes
    ;     Destination      Subnet Mask    First Hop          Link/Int   Packet Size
    ROUTE 193.12.2.0       255.255.255.0  130.50.75.10       TR1        MTU 2000
    ROUTE 10.5.6.4         HOST           193.5.2.10         ETH1       MTU 1500
    ; Default Route
    ;     Destination                     First Hop          Link/Int   Packet Size
    ROUTE DEFAULT                         9.67.43.99         FDDI1      MTU DEFAULTSIZE
    ROUTE DEFAULT6                        2001:0CD8:1::5160  OSAQDIO26  MTU DEFAULTSIZE
    ROUTE DEFAULT6                        2001:0CD8:1::5180  OSAQDIO28  MTU DEFAULTSIZE
    ENDRoutes

Use the BEGINROUTES statement to add static routes to the IP route table. The GATEWAY statement is not enhanced to support IPv6 routes. The IP address can be an IPv4 or IPv6 address and does not need to be a fully qualified address. The first hop gateway IP address can also support either IPv4 or IPv6 addresses, but must be a fully qualified address.
  • dest_ipaddr/dest_ipv6addr - The destination IPv4 or IPv6 address. An IPv4 address must be fully qualified.
  • prefixLength - Valid range 1-128.
  • First hop - The first hop portion of the ROUTE statement may contain either an IPv4 or an IPv6 first hop address. It must be either a fully qualified address or an equal sign (=).
  • link_name or interface name - The link or interface through which packets are sent to the specified destination.
  • MTU mtu_size - The maximum transmission unit (MTU) in bytes for the destination. This value can be up to 65535. The keyword DEFAULTSIZE in this field requests that TCP/IP supply a default value of 576 for IPv4 routes and 1280 for IPv6 routes. You cannot specify an MTU smaller than the default MTU size. For IPv4 the default MTU is 576 and for IPv6 it is 1280.
  • Opts - Options are unchanged: NOREPLaceable | REPLaceable, MAXImumretransmittime 120.00 | MAXImumretransmittime seconds, MINImumretransmittime 0.50 | MINImumretransmittime seconds, ROUNDTRIPGain 0.125 | ROUNDTRIPGain value, VARIANCEGain 0.25 | VARIANCEGain value, VARIANCEMultiplier 2.00 | VARIANCEMultiplier value, DELAYAcks | NODELAYAcks

IPv6 Standards require a minimum of 2 default routers so when the last default route is deleted a default route is added back into the routing table.

Dynamic Routing

● IPv6 Learns some Routing
  • Some routes can be dynamically learned without OMPROUTE
    ➔ Default routes
    ➔ Direct prefix routes
    ➔ ICMP redirects
● OMPROUTE
  • IPv6 RIPng (RIP next generation)
    ➔ Like IPv4 RIP
    ➔ Based upon the Distance Vector Algorithm
    ➔ Max metric is 15
    ➔ Advertise full routing table every 30 seconds
    ➔ Routes time out if not refreshed in 3 minutes
    ➔ Extensive filters
    ➔ Changes primarily to accommodate IPv6 addressing - bigger addresses, address prefixes, and link local addresses.
  • IPv6 OSPF (OSPFv3)
    ➔ Like IPv4 OSPF (OSPFv2)
    ➔ Default hello interval is 10, dead router is 40, database exchange is 40
    ➔ Default interface cost is 1, designated router priority is 1
    ➔ etc.
    ➔ Router ID defaults to IPv4 OSPF Router ID if running or it must be specified

Unlike IPv4, IPv6 dynamically learns some routing information without dynamic routing protocols OSPF or RIP.
Resolver

Resolver Setup

  [Diagram labels: VTAM, OMVS, BPXPRMxx, TCP/IP, z/OS, Resolver, PROCLIB, Resolver Setup File (COMMONSEARCH), Global TCPIPDATA, Default TCPIPDATA, Global IPNODES, Default IPNODES]

● HOSTS.SITEINFO, HOSTS.ADDRINFO files and /etc/hosts file
  • IPv4 only
● ETC.IPNODES is a local host file with IPv4 and/or IPv6 addresses
● COMMONSEARCH/NOCOMMONSEARCH
  • Whether the common local host file search order is to be used for:
    ➔ MVS and UNIX environments
    ➔ IPv4 and IPv6 queries
  • COMMONSEARCH is the recommended setting
● Setup statements to identify the first and final search location for the ETC.IPNODES local host file.
  • GLOBALIPNODES
  • DEFAULTIPNODES
● Resolver retrieves IPv4 and/or IPv6 addresses from DNS
  • Resolver communication with DNS supports IPv6 DNS address starting z/OS V2R1

HOSTS.SITEINFO and .ADDRINFO files continue to be generated from the HOSTS.LOCAL file via the MAKESITE utility. ETC.IPNODES may contain both IPv4 and IPv6 addresses. IPv6 addresses can only be defined in ETC.IPNODES.

For GLOBALIPNODES and DEFAULTIPNODES, the syntax and format of the specified file names is the following:
  • Fully qualified MVS dataset name. The beginning and end quotes are required. The dataset name is not case sensitive. The dataset characteristics must be Fixed (F) or Fixed Block (FB), with LRECL between 56 and 256, inclusive. Sequential file or PDS member are both allowed.
  • HFS file absolute pathname. Beginning slash is required. The HFS pathname is case sensitive. The maximum line length is 256 characters.
IPv6 ETC.IPNODES search order:
  • GLOBALIPNODES
  • RESOLVER_IPNODES environment variable (Unix only)
  • userid/jobname.ETC.IPNODES
  • hlq.ETC.IPNODES
  • DEFAULTIPNODES
  • /etc/ipnodes

IPv4 HOSTS.LOCAL search order:
  • MVS Environment
    ➔ userid/jobname.HOSTS.xxxxINFO
    ➔ hlq.HOSTS.xxxxINFO
  • Unix Environment
    ➔ X_SITE and X_ADDR environment variables
    ➔ /etc/hosts
    ➔ userid.HOSTS.xxxxINFO
    ➔ hlq.HOSTS.xxxxINFO

Specifying the new Resolver COMMONSEARCH setup statement is recommended as the way to simplify the search order choices:
  • IPv6 search order will be used for IPv4 searches as well
  • MVS and UNIX environments would utilize the same search order for IPv4 searches as well as IPv6 searches
  • All local resources can be defined in a single local host file (ETC.IPNODES) rather than spread across multiple files (ETC.IPNODES and HOSTS.LOCAL)
  • Applicable to both new and old Resolver APIs

FTP

IPv4 FTP

● IPv4 FTP Client Active Mode
  • FTP.DATA FWFRIENDLY FALSE (default)
  • ftp ipv4_addr1
  • put file_name
  Endpoints: z/OS FTP Client (ipv4_addr2, port_num2); z/OS FTP Server (ipv4_addr1, Control port_num1, Data port used to send connect)
  Control Connection: connect ipv4_addr1 port_num1
  Data Connection: PORT ipv4_addr2 at port_num2; 200 Port Request OK; connect ipv4_addr2 at port_num2; STOR file_name
● IPv4 FTP Client Passive Mode
  • FTP.DATA FWFRIENDLY TRUE
  • ftp ipv4_addr1
  • put file_name
  Endpoints: z/OS FTP Client; z/OS FTP Server (ipv4_addr1, Control port_num1, Data port_num2)
  Control Connection: connect ipv4_addr1 port_num1
  Data Connection: PASV; 227 Entering Passive Mode ipv4_addr1 port_num2; connect ipv4_addr1 port_num2; STOR file_name
● IPv4 FTP Client Proxy Mode
  • FTP.DATA FWFRIENDLY TRUE
  • ftp ipv4_addr1
  • proxy open ipv4_addr2
  • proxy put file_name
  Endpoints: z/OS FTP Client; z/OS FTP Server (ipv4_addr1, Control port_num1, Data port_num3); z/OS FTP Server (ipv4_addr2, Control port_num2)
  Control Connections: connect ipv4_addr1 port_num1; connect ipv4_addr2 port_num2
  Data Connection: PASV; 227 Entering Passive Mode ipv4_addr1 port_num3; PORT ipv4_addr1 port_num3; 200 PORT request OK; connect ipv4_addr1 port_num3; STOR file_name
  These packets do not actually pass through the left FTP Server.

For the client you may specify an IPv4 address, a hostname, an IPv4-mapped IPv6 address, or an IPv6 address.

userid.NETRC support: The NETRC data set provides you with an alternative to specifying the user_id and password as REXEC values or FTP batch client values. An IPv6 address may be specified in the NETRC data set. DNS names that resolve to IPv6 addresses can be specified.

FTP.DATA statements supported for IPv4 Addresses / Connections Only:
  • SECURE_MECHANISM GSSAPI (KERBEROS)
  • SOCKSCONFIGFILE
    ➔ For IPv4 SOCKS Servers only. If SOCKS server defined as a DNS name, the FTP client resolves name to IPv4 addresses only.
  • FWFRIENDLY
    ➔ Irrelevant / Ignored with IPv6 partner

RFC 2428 specification:
  • EPSV is used for data transfer to/from IPv6 FTP partner
  • EPRT reserved for proxy transfer.

There are no FTP.DATA statements for IPv6 enablement.

GSSAPI authentication (KERBEROS) is supported only for IPv4 connections. The client will fail the negotiation when the connection is IPv6. Kerberos channel-bindings have not yet been defined for IPv6 connections. SSL/TLS security is fully supported for IPv6 connections.

The SOCKSCONFIGFILE is referenced only for IPv4 connections. In the SOCKSCONFIGFILE itself, only IPv4 addresses are supported. If you define a SOCKS server as a DNS name, the FTP client will resolve that name to IPv4 addresses only.

The FWFRIENDLY FTP.DATA statement applies to IPv4 connections only. As specified by RFC 2428, when connected to an IPv6 FTP server, EPSV is used to start a data transfer. EPRT is reserved for proxy transfer.
IPv6 FTP

● IPv6 FTP Server enabled automatically when stack is Dual-Mode
● All IPv6 FTP Client connections are in Passive Mode (no Active Mode Support)
● IPv6 FTP Client
  • FWFRIENDLY Ignored
  • ftp ipv6_addr1
  • put file_name
  Endpoints: z/OS FTP Client; z/OS FTP Server (ipv6_addr1, Control port_num1, Data port_num2)
  Control Connection: connect ipv6_addr1 port_num1
  Data Connection: EPSV; 229 Entering Extended Passive Mode port_num2; connect ipv6_addr1 port_num2; STOR file_name
● IPv6 FTP Client Proxy Mode
  • ftp ipv6_address1
  • proxy open ipv6_address2
  • proxy put file_name
  Endpoints: z/OS FTP Client; z/OS FTP Server (ipv6_addr1, Control port_num1, Data port_num3); z/OS FTP Server (ipv6_addr2, Control port_num2)
  Control Connections: connect ipv6_addr1 port_num1; connect ipv6_addr2 port_num2
  Data Connection: EPSV; 229 Entering Passive Mode port_num3; EPRT ipv6_addr1 port_num3; 200 EPRT request OK; connect ipv6_addr1 port_num3; STOR file_name
  These packets do not actually pass through the left FTP Server.

The FTP client and daemon test the LPAR as soon as they are started to determine whether it is IPv4 only or dual-mode. They do this by opening an AF_INET6 socket. If the socket() call fails with errno EINVAL and errnoJr = EAFNOTSUPPORTED, FTP knows it must be executing on an IPv4-only LPAR (one or more IPv4-only stacks). FTP records the result to avoid issuing extended socket API calls (IPv6 socket calls) on the IPv4-only LPAR.

A sockaddr is an API programming structure that includes port number and IP address of the endpoint.

FTP daemon (server): On the IPv4 only stack, the sockaddrs are always AF_INET. On the dual stack, the sockaddrs are always AF_INET6.

FTP client: On the IPv4 only stack, the sockaddrs are always AF_INET.
On the dual-mode LPAR, the FTP Client opens an AF_INET socket to connect to servers with IPv4 addresses; it opens an AF_INET6 socket to connect to servers with IPv6 addresses.

The server needs to know whether its session is IPv4 or IPv6 when it is establishing a data connection. The z/OS server has always used the same local interface (IP address) for the data connection that is used for the control connection. It ensures the stack will use the same interface by binding the data socket to the server's control connection local IP address. If the client logs in with an IPv4 address, that server local control connection IP address will be IPv4. On the dual stack, the control connection local sockaddr will be AF_INET6, but the IP address may be in the mapped format (::ffff:a.b.c.d). If the client logs in with an IPv6 address, the server's local control connection IP address will be IPv6.

Once a socket is bound to an IP address, it can only be connected to IP addresses of the same protocol. The z/OS FTP server forces the data connection to be the same protocol as the control connection. This is more restrictive than the RFCs 959 and 2428 state. In theory, an OEM server could have one protocol for the control connection and the other for the data connection. But the z/OS server cannot allow mixing.

z/OS FTP implements RFC 2428, which amounts to simply using other FTP commands in place of PORT and PASV commands when exchanging IP addresses. The z/OS FTP implements IPv6 via the commands EPRT (extended PORT) and EPSV (extended PASV) defined in this RFC. EPRT and EPSV can be used with either IPv4 addresses or IPv6 addresses. In theory, RFC 2428 allows any address family whose address family number is defined in RFC 1700, but the RFC is explicit (and therefore implementable) only for IPv4 and IPv6 addressing.

There is an oddity surrounding EPRT in RFC 2428: EPRT is used only for proxy data transfers -- not for standard data transfers between client and server.
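The RFC 2428 exchange and the same-protocol rule described in these notes, as an added Python example (not IBM's code): it parses EPRT arguments and 229 EPSV replies and checks that an EPRT target uses the same protocol as the control connection, counting ::ffff:a.b.c.d as IPv4. The function names and the sample addresses and ports are constructed for illustration.

```python
import ipaddress
import re

# RFC 2428 network-protocol numbers carried in EPRT: 1 = IPv4, 2 = IPv6.
NET_PRT = {1: 4, 2: 6}

def effective_version(addr):
    """IP version of addr, counting IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return 4
    return ip.version

def parse_eprt(arg):
    """Parse an EPRT argument of the form <d><net-prt><d><net-addr><d><tcp-port><d>."""
    if len(arg) < 7 or arg[0] != arg[-1] or not 33 <= ord(arg[0]) <= 126:
        raise ValueError("malformed EPRT argument")
    fields = arg[1:-1].split(arg[0])
    if len(fields) != 3 or not fields[0].isdigit() or not fields[2].isdigit():
        raise ValueError("malformed EPRT argument")
    proto, port = int(fields[0]), int(fields[2])
    if proto not in NET_PRT:
        raise ValueError("unsupported network protocol")  # RFC 2428 reply 522
    ip = ipaddress.ip_address(fields[1])
    if ip.version != NET_PRT[proto] or not 0 < port < 65536:
        raise ValueError("address or port inconsistent with EPRT fields")
    return ip, port

def parse_epsv_reply(line):
    """Return the port from '229 text (<d><d><d><port><d>)'; the reply has no address."""
    m = re.match(r"229 .*\((.)\1\1(\d{1,5})\1\)", line)
    if not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError("not a valid 229 reply")
    return int(m.group(2))

def data_target_allowed(control_local_addr, eprt_arg):
    """Same-protocol rule: the EPRT target must match the control connection."""
    ip, _port = parse_eprt(eprt_arg)
    return effective_version(str(ip)) == effective_version(control_local_addr)

if __name__ == "__main__":
    # Constructed samples; 2001:db8::/32 is the documentation prefix.
    print(parse_epsv_reply("229 Entering Extended Passive Mode (|||6446|)"))
    print(data_target_allowed("::ffff:10.1.1.1", "|1|10.2.2.2|5282|"))
    print(data_target_allowed("::ffff:10.1.1.1", "|2|2001:db8::2|5282|"))
```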
For all data transfers, RFC 2428 specifies that EPSV will be used.

Enterprise Extender

Enterprise Extender (EE)

[Diagram: Company x.com intranet (ENx hostx.x.com, NNx EBNx.x.com, IPNodes hostx=10.2.1.1 EBNx=10.1.1.1) and Company y.com intranet (ENy hosty.y.com, NNy EBNy.y.com, IPNodes Hosty=192.168.2.1 EBNy=192.168.1.1), each behind a FW, with x.com and y.com public DNS entries hostx=1.1.1.2, EBNx=1.1.1.1, Hosty=2.2.2.2, EBNy=2.2.2.1. Packet labels: dest=2.2.2.2,src=10.2.1.1; dest=2.2.2.2,src=1.1.1.2; dest=192.168.2.1,src=1.1.1.2; dest=10.2.1.1,src=2.2.2.2; dest=1.1.1.2,src=2.2.2.2; dest=1.1.1.2,src=192.168.2.1]

  intranet    Public     Public     intranet
  10.1.1.1    1.1.1.1    2.2.2.1    192.168.1.1
  10.2.1.1    1.1.1.2    2.2.2.2    192.168.2.1

● HOSTNAME and IPv6 address Support for IPv6 and Connection Network/NAT
  • IPv4 non-Connection Network EE already worked with NAT
  • HOSTNAME keyword (1R5) (start option, GROUP, path definition) or IPv6 addr (V2R1) (start option, path def in sw major node) to represent local and remote IPV6 VIPA
    ➔ Recommended for IPv4 also since it provides solution for Connection Network/NAT
    ➔ HOSTNAME overrides IPADDR
  • PORT IPRESOLV on PATH statement
    ➔ Specifies the number of seconds VTAM waits for IP address resolution

EE architecture has been updated to allow the EE connection network control vectors to carry the IP address and hostname corresponding to the EE VIPA. Administrative requirement of coordinating NAT tables and public DNS entries is a known administrative procedure to installations that use NAT.
inetd

● inetd (internet daemon server)
  • remote execution (orexec) client and remote execution (orexecd) server
  • remote shell (orshd) server
  • telnet server (otelnetd)

/etc/inetd.conf file:

  #===============================================================================
  # service | socket | proto-| wait/ | user     | server            | server program
  # name    | type   | col   | nowait|          | program           | arguments
  ...
  shell       stream   tcp     nowait  OMVSKERN   /usr/sbin/orshd     orshd -k KRB5
  exec        stream   tcp     nowait  OMVSKERN   /usr/sbin/orexecd   orexecd -dLV
  otelnet     stream   tcp6    nowait  bpxroot    /usr/sbin/otelnetd  otelnetd

Protocol Field: tcp, udp, tcp6, udp6

The inetd server applications have been updated with IPv6 support.

SMF

● SMF Record Types
  • SMF118 - IPv4 addresses only.
  • SMF119 - Records have room for IPv6 addresses.
● Three Different Places to Request SMF Records
  • PROFILE.TCPIP SMFCONFIG parameters
    ➔ TCP/IP Statistics records
    ➔ TCP Connection Initiation and Termination records
    ➔ FTP Client Transfer Complete records
    ➔ TN3270 Client Initiation and Termination records
    ➔ Interface Link Utilization Statistics records
    ➔ Reserved Port Utilization Statistics records
    ➔ TCP/IP Stack Start and Stop records
    ➔ UDP Socket Termination records
  • PROFILE.TCPIP TELNETPARMS parameters
    ➔ TN3270 Server SNA Session Initiation and Termination records
  • FTP.DATA statements for FTP Server records
    ➔ FTP Transfer Complete records
    ➔ APPEND
    ➔ DELETE
    ➔ JES
    ➔ Login Failure
    ➔ RENAME
    ➔ RETRIEVE
    ➔ SQ
    ➔ STORE
    ➔ UNIQUE STORE

Type 118 FTP client and server transfer completion records are generated for IPv6 connections, but leave the IP address field empty.
All other type 118 SMF records are not generated for IPv6 connections.

SMF Recording must be enabled: SYS1.PARMLIB(SMFPRMxx)
  SYS(TYPE(119)) INTVAL(x) SYNCVAL(x)

NETSTAT CONFIG/-f output shows SMF specifications in SMFCONFIG statement.
IPCS Command TCPIPCS displays all PROFILE.TCPIP configuration settings.
Display TCPIP,,Telnet,PROFile displays telnet initialization and termination settings.

SNMP applications can communicate over an IPv6 connection:
  • osnmp command
  • SNMP agent (OSNMPD)
  • Trap Forwarder daemon
  • MVS TCPIP subagents
  • DPI 2.0 enabled for AF_INET6
  • pwtokey and pwchange commands accept IPv6 addresses

More Information

Web Sites and Documents

● IBM Technical Documents
  http://www.ibm.com/support/techdocs
● IBM Redbooks
  http://www.redbooks.ibm.com
● z/OS Home Page
  http://www.ibm.com/systems/z/os/zos/
● IPv6 Information Pages
  http://www.ipv6forum.com
  http://arin.net
  http://www.internet2.edu
  http://www.ipv6.org
● z/OS Manuals
  • IP Configuration Guide, SC27-3650
  • IP Configuration Reference, SC27-3651
  • IPv6 Network and Application Design Guide, SC27-3663

The End