unisys ClearPath Enterprise Servers TCP/IP Implementation and Operations Guide ClearPath MCP 16.0 April

Transcription

1 unisys ClearPath Enterprise Servers TCP/IP Implementation and Operations Guide ClearPath MCP 16.0 April

2 NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages. You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used. The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions. Notice to U.S. Government End Users: This is commercial computer software or hardware documentation developed at private expense. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses. Unisys and ClearPath are registered trademarks of Unisys Corporation in the United States and other countries. All other brands and products referenced in this document are acknowledged to be the trademarks or registered trademarks of their respective holders.

3 Contents Section 1. Overview Documentation Updates What s New? Notation Conventions Terminology Conventions TCP/IP Architecture Internet Protocol Version 6 (IPv6) MCP Networking and IPv Summary of IPv6 Features Migrating to IPv Key Differences Between IPv4 and IPv IPv6 Internet Standards (IETF RFCs) TCP/IP Distributed Systems Services Section 2. Overview of TCP/IP Routing TCP/IP Routing Commands IPv4 Addressing Understanding IPv4 Address Classes Classful Addressing Limitations Subnetting IPv6 Addressing IPv6 Address Representation IPv6 Address Type Identification Unicast Addresses Global Unicast Addresses IPv6 Address Prefix Representation IPv6 Alternative Representations of Addresses Variable-Length Subnet Masking (VLSM) Classless Interdomain Routing (CIDR) CIDR in IPv4 Networks CIDR in IPv6 Networks TCP/IP IPv4 Network TCP/IP IPv6 Network Routing Information Protocol Version 2 (RIPv2) IPv6 Neighbor Discovery Support for Multiple Routes to a Destination MCP Route States Alternate Routes Dead Gateway Detection (IPv4 Networks) Discovering Unreachable Neighbors (IPv6 Networks) iii

4 Contents Parallel Routes Special Topologies Multiple Assigned Default Routes Multiple Local IP Addresses Section 3. Configuring a TCP/IP Network Using the NAU Overview of the Implementation Process Applying NAU TCP/IP Profiles Using Default Attribute Values Traversing the NAU Screens Configuring a Sample TCP/IP Network What the Sample Network Contains Adding TCP/IP to an Existing Network Starting the NAU Configuring TCP/IP on an Application Host Defining the Network Interface as a TCP/IP Connection Identifying IP Addresses, Subnet Mask, and Router Discovery Attributes for ICPs Defining TCP/IP Network Parameters Specifying the Enterprise Server TCP/IP Internet Host Name and ICMP Report Display Parameters Updating LAN Lines and Connections to Include TCP/IP Optional Enhancements to the TCP/IP Configuration Defining Known Routes to TCP/IP Hosts Not Directly Connected to the LAN Defining Unknown (Default) Routes to TCP/IP Hosts Not Directly Connected to the LAN Defining the TCP/IP ARP Address List Mapping a TCP/IP Host Name to IP Addresses Configuring Dynamic Initiation of Specified Port Numbers Configuring Port Filtering Using the FILTERFRAMES Command Configuring TCP and UDP Port Event Monitoring Configuring Default Policies for Selecting Source and Destination IPv6 Addresses Configuring TCP/IP Timer Values Configuration Procedure Configuring TCP/IP Options Configuration Procedure Configuring TCP/IP Neighbor Address Parameters Configuration Procedure Editing the ICP LAN Line Connection and Specifying a Multicast Address List Auto-Configuring BNA-over-IP (BIP) Connections Adding an IPv6 BNA-over-IP (BIP) Neighbor Configuring FC3-IOP Networking Specifying VLANID Attribute Values iv

5 Contents Specifying the VLANID Attribute in TCPIP Commands Checking Network Consistency Consistency Errors and Solutions Generating Initialization Files Printing the Network Description Reports Ending an NAU Session Initializing the TCP/IP Network Section 4. Operating TCP/IP Software Initializing the TCP/IP Network U. S. Export Regulations Concerning IPv6 and IPsec Dual Mode Initialization IPv6 Initialization Modifying the Autoconfiguration Setting IP Security (IPsec) Initialization Initialization File Names SNMP Agent Initialization Initializing TCP/IP Terminating TCP/IP on the Enterprise Server Host Inquiring on the Status of TCP/IP Software Inquiring on the Status of IPsec TCPIP Status Command Examples Setting Timer Values Setting the Routing Information Timer Value Setting the LAN Resiliency Timer Value Configuring Multiple Routes and Default Routes Configuring Multiple Routes to a Remote Destination Configuring Default IP Routes Inquiring About Routing Problems Clearing the Routing Table Specifying Selection Criteria for Route Inquiries Inquiring on the Routing Information Protocol (RIP) Setting the Routing Information Protocol Authentication Type IPv6 Default Address Selection TCPIP Address Selection Policy Inquiring on the Route Used to Reach a Remote Node Modifying TCP/IP Components Online Identifying a Local TCP/IP Host to the Network Assigning IP Addresses to a Network Interface Assigning Multiple Local IP Addresses and Mask Pairs to a Network Interface Detecting a Duplicate IP Address on Your Network Reporting on Autoconfigured Interfaces Creating a Mapping Between a TCP/IP Host and One or More IP Addresses v

6 Contents Inquiring on One or More Host Names Reaching a Remote Host or Other Network Interface on the Same Logical Host Verifying That Packets Are Received by a Remote Host Filtering TCP/IP Traffic Filtering Frames Based on Port Numbers Enabling Dynamic Port Filtering Enabling Static Port Filtering Filtering Broadcast Traffic IPv6 Protocol Filtering Filtering RIP Frames Deleting TCP/IP Components Online Deleting an IP Route to a TCP/IP Host Deleting Default IP Routes Deleting a User-Specified Mapping (TCP/IP Host to IP Address) Deleting All Learned Mappings Deleting an Enterprise Server IP Address from the Network Deleting Local IP Address and Mask Pairs Enabling a Host to Use the Address Mask Protocol Using Router Discovery Enabling a Host to Use the Router Discovery Protocol Using Neighbor Discovery Specifying Neighbor Discovery Options Setting the IPADDRESSLIST Attribute Controlling TCP/IP End System Security Differentiating Rules for Inbound/Outbound Dialogs and for TCP/UDP Protocols Initialized Security Environment Determining the Current TCP/IP End System Security State Enabling or Disabling TCP/IP End System Security Loading a Rules File Changing to Another Rules File Reviewing Security Rule Violations Authorizing the Use of Well-Known TCPIP Ports Using TCP/IP Options Enabling and Disabling IP Security (IPsec) Enabling and Disabling SSH Enabling and Disabling SSL Configuring LAN Resiliency Inquiring on the LAN Resiliency Timer TCPIP LAN Resiliency Report Disabling Mapping of Learned Host Names and IP Addresses Enabling Use of RFC 1122 MTU Enabling the Windows Server to Force the MTU to Acknowledge Every Two MTUs Protecting TCP/IP Dialogs Against ICMP Attacks vi

7 Contents Setting Path MTU Verification Interval Enabling and Disabling Session Warnings Specifying Autoconfiguration for a Network Interface Obtaining an Autoconfigured IP Address Using the MAC Address Specifying ICMPv6 Error Report Values Specifying the Default Maximum Hop Limit for a Router Closing Sockets by Job Number Specifying and Inquiring on IP Multicast Frames Updating an Initialization File to Use Multicast Addresses Deriving Ethernet Multicast Addresses from Multicast IP Addresses Enabling Multicast Address Handling for IPv4 Addresses Only Preventing a Done Report From Being Sent Specifying the Unsolicited Report Options for Multicast Listener Discovery Specifying the Window Scale Factor Specifying the TCP Selective Acknowledgement Option Disabling and Enabling the Dynamic Initiation of Specified Port Numbers Disabling the Dynamic Initiation of an Application Enabling the Dynamic Initiation of an Application Inquiring on the Dynamic Initiation Status of an Application Monitoring TCP and UDP Port Events Implementing Time-Wait for TCP/IP on MCP Systems Section 5. Troubleshooting TCP/IP Installation and Configuration Problems Verifying That TCP/IP End System Security Is Operable Verifying that IP Security (IPsec) Is Operable Inquiring About the TCP/IP Environment Displaying Enterprise Server TCP/IP Reports Monitoring TCP/IP System Activity with TCPIP DEBUG Using the Trace Option of the TCPIP DEBUG Command Using the Dump Option of the TCPIP DEBUG Command Using the TCPIP DISPLAY, TCPIP DISPLAY INTERVAL, and TCPIP DISPLAY OPTIONS Commands Using the TCPIP DISPLAY TABLE Command Understanding the TCP/IP CONNECTION RESET Report Diagnostic Codes vii

8 Contents Section 6. Running OSI Applications over a TCP/IP Network Functional Overview Overview of the Implementation Process Initializing the OSI Software on the TCP/IP Host Identifying OSI Application Endpoints Associating OSI and TCP/IP Addresses Defining an NSAP Address Which Contains an Embedded IP Address Configuring OSI-TCP/IP Address Pairs Using the NAU to Configure OSI-TCP/IP Address Pairs Using the Operations Interface (OI) to Configure OSI-TCP/IP Address Pairs Checking the OSI-TCP/IP Pairings Using Network Inquiries Sample OSI Initialization Files Configuring a More Complex Network Operating OSI Applications Appendix A. TCP/IP Commands and Inquiries Appendix B. Initialization File for the Sample Network CNS Initialization File...B 1 TCP/IP Initialization File...B 3 Appendix C. Using the NAU in a Web Browser Preparing the Web Enabler for ClearPath MCP HTML Page...C 1 Using a Sample Page...C 2 Creating a Page with the Web Enabler Wizard...C 2 Running the NAU in Web Enabler for ClearPath MCP...C 3 Appendix D. TCP/IP Capabilities TCP/IP Capabilities - Network Services... D 2 TCP/IP Capabilities - Host Services... D 7 Appendix E. TCP/IP Port Numbers Index... 1 viii

9 Figures 2 1. Two-Level Addressing Hierarchy Classful IP Addresses Subnet Address Extended-Network-Prefix Subnet Masking Subnetted Topology Unicast Address with no Internal Structure Unicast Address with Subnet Prefix General Format for Global Unicast Address VLSM Topology CIDR Routing Advertisements IPv6 CIDR Routing Advertisements Mixed Classful and Classless IPv4 Topology IPv6 Classless Topology Alternate Route Topology Parallel Route Topology Parallel Routes Through the Same Subnet Parallel Routes Through Alternate Networks Weak-Model Multihoming Topology (IPv4 Only) Resilient Weak-Model Multihoming Topology (IPv4 Only) Multiple Default Routes Topology Multiple Parallel Default Route Topology Multiple Logical Networks Topology Sample TCP/IP Network WELCOME Screen APPLICATION HOST LIST Screen APPLICATION HOST MENU Screen APPLICATION HOST ATTRIBUTES Screen ICP ASSIGNMENTS Screen SHARED ADAPTERS ICP CONFIGURATION Screen SHARED ADAPTERS CONFIGURATION Screen TCP/IP CONFIGURATION MENU Screen TCP/IP IDENTITY ADDRESS LIST Screen TCP/IP NETWORK ADDRESS PARAMETERS Screen TCP/IP MULTIPLE IDENTITY ADDRESS LIST Screen TCP/IP APPLICATION HOST PARAMETERS Screen TCP/IP ICMP REPORT DISPLAY Screen TCP/IP CONFIGURATION MENU Screen TCP/IP ROUTE LIST Screen TCP/IP ROUTE LIST Screen TCP/IP DEFAULT ROUTE LIST Screen ix

10 Figures TCP/IP ARP ADDRESS LIST Screen TCP/IP HOST MAPPING LIST Screen TCP/IP MAPPING IP ADDRESS LIST Screen TCP/IP DYNAMICINIT COMMANDS Screen TCP/IP DISABLE TCP PORT SPECIFICATION Screen TCP/IP DISABLE UDP PORT SPECIFICATION Screen TCP/IP FILTERFRAMES COMMANDS Screen TCP/IP FILTERFRAMES ENABLE TCP PORTS Screen TCP/IP MONITOREVENTS COMMANDS Screen TCP/IP MONITOREVENTS PORT SPECIFICATION Screen TCP/IP ADDRESS SELECTION POLICY Screen TCP/IP OPTION Screen TCP/IP OPTION (2/2) Screen TCP/IP CONFIGURATION MENU Screen TCP/IP NETWORK ADDRESS PARAMETERS Screen LAN DEVICE LIST Screen LAN TCP/IP DEVICE ATTRIBUTES Screen TCP/IP MULTICAST ADDRESS LIST Screen NEIGHBOR PAIRED IP ADDRESS LIST Screen ICP ASSIGNMENTS Screen DIRECT ATTACH ADAPTER CONFIGURATION Screen DIRECT ATTACH LINE CONFIGURATION Screen CONSISTENCY CHECK MENU Screen GENERATE MENU Screen Sample TCP/IP Information Summary Report for Enterprise Server PRINT GENERATED NETWORK DESCRIPTION MENU Screen PRINT SELECT INFORMATION Screen Specifying IPADDRESSLIST Values TCP/IP End System Security Phases Sample TCP/IP Network Running OSI Applications Hierarchy of NAU Screens to Enable TCP/IP Hosts to Run OSI Applications OSI MENU Screen SYSTEM LIST Screen OSI SYSTEM MENU Screen NSAPA ASSIGNMENT LIST Screen NSAPA/IP ADDRESS PAIRING Screen OSI DESTINATION NETWORK ADDRESS PAIRS Screen OSI DESTINATION NETWORK ADDRESS PAIRS Screen LOCAL IP ADDRESS ASSIGNMENT Screen Sample OSI Network Address Pairing Summary Report Initialization File for OSI in ES Initialization File for the OSI Endpoints in ES NSAPA/IP ADDRESS PAIRING Screen B 1. B 2. CNS Initialization File...B 2 TCP/IP Initialization File...B 4 x

11 Tables 1 1. Key Differences Between IPv4 and IPv IPv6 RFCs IPv4 CIDR Supernet/Subnet Table TCP/IP ICMP REPORT DISPLAY Screen Field Summary TCP/IP Options (OPTION Screen 1/2) TCP/IP Options (OPTION Screen 2/2) NAU TCP/IP Consistency Checker Error Messages IPSEC Summary Response IPMASKCONFIG Attribute Values Trace Options Dump Options ICMP Message Options Message and Table Options Diagnostic Codes for TCP/IP CONNECTION RESET Report Correcting Consistency Errors Found When Enabling TCP/IP Hosts to Use OSI Applications OSI-TCP/IP Address Pair Inquiries A 1. TCP/IP Commands and Inquiries... A 1 D 1. Network Services Capabilities... D 2 D 2. Host Services Capabilities... D 7 E 1. TCP/IP Well Known Ports... E 1 E 2. TCP/IP Registered Ports... E xi

12 Tables xii

13 Section 1 Overview This guide describes the required software and hardware components of a TCP/IP network and provides procedures for configuring, operating, and troubleshooting TCP/IP software on ClearPath MCP servers. This guide is intended for the network administrator who installs and configures TCP/IP and also for system operators. This guide assumes you are familiar with the following: System operations CNS concepts and operations Network Administrative Utility (NAU) operations Documentation Updates This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) To obtain a copy of the PLE, contact your Unisys representative or access the current PLE from the Unisys Product Support website: Note: If you are not logged into the Product Support site, you will be asked to do so

14 Overview What s New? The following table identifies new and revised information for this release. New or Revised Information Modified the examples for network interfaces. Removed "Domain Name Services (DNS)" and replaced it with "Domain Name System (DNS)". Removed the "IEA-IOP" interface and replaced it with "FC3-IOP". Removed the "CNP" interface and replaced it with "VNP" and "MAICP4". Modified the CIDR Network example for IPv6. Modified the value entered in the Total LAN/ATM LANE Lines field. Modified the TCP Window Scale Factor range. Removed "ClearPath Network Appliance (CNA)" and replaced it with VNP and "Network Services". Added a new RFC to the Secure Shell (SSH) feature. Added a new Mac Algorithm to the NW TCPIP STATUS SSH enabled/running command response. Added a new Versions Supported to the NW TCPIP STATUS SSL enabled/running command response. Added two new Ciphers Supported to the NW TCPIP STATUS SSL enabled/running command response. Added a new response to the NW TCPIP STATUS SSL command. Modified information regarding Telnet Station Names and Incoming Telnet Sessions. Modified information regarding port filtering and filtering RIP frames. Location Section 1, "Overview" Section 3, "Configuring a TCP/IP Network Using the NAU" Section 1, "Overview" Appendix D, "TCP/IP Capabilities" Section 1, "Overview" Section 3, "Configuring a TCP/IP Network Using the NAU" Section 4, "Operating TCP/IP Software" Appendix A, "TCP/IP Commands and Inquiries" Section 2, "Overview of TCP/IP Routing" Section 3, "Configuring a TCP/IP Network Using the NAU" Section 3, "Configuring a TCP/IP Network Using the NAU" Section 3, "Configuring a TCP/IP Network Using the NAU" Section 4, "Operating TCP/IP Software" Section 3, "Configuring a TCP/IP Network Using the NAU" Appendix D, "TCP/IP Capabilities" Section 4, "Operating TCP/IP Software" Section 4, "Operating TCP/IP Software" Section 4, "Operating TCP/IP Software" Section 4, "Operating TCP/IP Software" Section 4, "Operating TCP/IP Software" Section 4, "Operating TCP/IP Software"

15 Overview New or Revised Information Added a new subsection to Section 4, describing how to implement the Time-Wait feature on an MCP System. Modified the description for the IPDESTADDR <IP address> command. Added a new RFC to the Secure Sockets Layer (SSL) feature. Added port number 22/tcp to the Secure Shell (SSH) service port. Modified the 137/tcp and 138/tcp port numbers and port name/descriptions. Modified the description for port number 139/tcp. Added port number 445/tcp and port name/description. Modified the port name/description for port number 56288/tcp. Added port number 56298/tcp to the Locum RealTime Config (SSL based port). Location Section 4, "Operating TCP/IP Software" Section 5, "Troubleshooting TCP/IP Installation and Configuration Problems" Appendix D, "TCP/IP Capabilities" Appendix E, "TCP/IP Port Numbers" Appendix E, "TCP/IP Port Numbers" Appendix E, "TCP/IP Port Numbers" Appendix E, "TCP/IP Port Numbers" Appendix E, "TCP/IP Port Numbers" Appendix E, "TCP/IP Port Numbers"

16 Overview Notation Conventions The following conventions are used in this guide: In text, data that you enter at the keyboard appear in bold. In text, system responses appear indented. Optional data that you enter at the keyboard, or that might appear in a message, appears throughout this guide enclosed in square brackets; for example, [data]. For Operations Interface (OI) commands, this guide shows the full command name and often shows permitted command abbreviations in text or examples. For example, for the NW TCPIP [TCPIP]IDENTITY command, you can enter any of the following: NW TCPIP TCPIPIDENTITY NW TCPIP TCPIPID NW TCPIP ID Variables that you enter at the keyboard, and those that appear in messages or on NAU screens, appear throughout this guide enclosed in angle brackets; for example, <variable>. NAU screen names appear in uppercase letters. Terminology Conventions In this document, the term ClearPath MCP servers refers to ClearPath Libra Series, FS Series, CS Series, and LX7100 Enterprise Servers. Application host refers to a ClearPath MCP host. To simplify fully inclusive references, the term Windows is used throughout this guide to refer to supported versions of the Windows operating system. The term network interface means the interface that provides TCP/IP networking from an enterprise server to a local area network (LAN). Some examples of network interfaces include Network Services (Shared Adapters or MCP Adapters), and FC3- IOPs. The term EVLAN refers to an enhanced virtual LAN connection, a high performance network path for TCP/IP-based data transfers between the MCP and Windows servers of a ClearPath system. For more details on EVLAN, refer to the Network Services Implementation Guide

17 Overview TCP/IP Architecture Enterprise servers connected to a TCP/IP network provide a wide range of connectivity and interoperability. Using TCP/IP, you can link Unisys ClearPath MCP enterprise server systems with each other or with other vendors' systems. TCP/IP products provide the following: Support for dual IP layers, IPv4 and IPv6, enabling applications to operate over IPv4 and IPv6 simultaneously Flexible topologies over LANs and WANs LAN resiliency Integrated network management with the SNMP Agent Support of classless network topologies and route aggregation Support of multiple logical interfaces (local IP addresses) for a single network interface Multihoming of an enterprise server Network access control Support of sockets Secure sockets layer (SSL) implementation, which supports the SSL and TLS protocols Support for the RFC 1006 protocol standard (enables OSI communication over a TCP/IP network) TCP/IP distributed systems services (DSS), which are available to support your processing needs across a TCP/IP network Support for TCP/IP end system security, which enables the system administrator to monitor and control data traffic to and from networked MCP systems The system administrator can set up a security firewall by defining a set of Deny and Allow rules in an active rules file to specify which network traffic to allow or deny respectively. The TCP/IP security firewall has been enhanced to recognize IPv6 addresses. Support for IP Security (IPsec) which secures network data at the IP layer. IPsec over IPv6 networks is supported; IPsec over IPv4 is not supported. IPsec uses policies to define the security protection that is to be applied. Support for Secure Shell (SSH) for ClearPath MCP which secures data at the application layer. Secure File Transfer Protocol (SFTP) and a remote command utility (SSHCLIENT) are supported; SSH terminals are not supported

18 Overview Internet Protocol Version 6 (IPv6) IPv6 is supported by MCP networking. This section provides an overview of IPv6. IPv6 is the next generation of the Internet Protocol. It is intended to remedy the impending shortage of IP addresses caused by the rapid expansion of the Internet and the growth of devices that are "connected" such as cell phones, PDAs, and home appliances. IPv6 uses a 128-bit address field instead of the 32-bit addresses used by IPv4. As a result, IPv6 affects a large number of MCP products mainly those making use of IP addresses or facilitating the use of IP addresses for other products. The new IPv6 software architecture is based on the current MCP host-resident TCP/IP architecture implemented for IPv4. The IPv6 protocol stack coexists with the existing IPv4 host-resident TCP/IP protocol stack. This dual-stack IP architecture enables applications to operate over IPv4 and IPv6 simultaneously and provides the transition mechanism for migrating from IPv4 networks to IPv6 networks. This architecture also permits a ClearPath MCP host to participate in a mixed network topology of IPv4-only hosts, IPv6-only hosts, and hosts capable of supporting both IPv4 and IPv6. MCP Networking and IPv6 Many products, including Networking software and Network Administrative Utility (NAU), have been updated to support IPv6. Both these products require at least MCP 12.0 (53.1) irrespective of IPv4 or IPv6 functionality. Because IP Security (IPsec) is currently considered a mandatory component of IPv6, IPv6 is considered an encryption product and is restricted under U.S. federal export regulations. To use MCP IPv6 networking, you must order the IOE Encryption Option. The appropriate keys to enable IPv6 and IPsec are included as part of the Encryption Option package. MCP IPv4 networking remains available and orderable as in the past

19 Overview Summary of IPv6 Features This guide describes IPv6 features that affect TCP/IP in areas such as address configuration and resolution, route discovery, and security. Expanded Addressing Capabilities IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler autoconfiguration of addresses. The scalability of multicast routing is improved by adding a scope field to multicast addresses. A new type of address called anycast address is defined and used to send a packet to any one of a group of nodes. See Section 2, Overview of TCP/IP Routing," for a detailed description of IPv6 addressing conventions. Header Format Simplification Some IPv4 header fields have been dropped or moved to optional extension headers to reduce the common-case processing cost of packet handling and to limit the added bandwidth cost of the IPv6 header (beyond the long addresses). Fragmentation and reassembly are limited to the source and destination nodes. Improved Support for Extensions and Options Optional Internet-layer information is encoded in separate headers, called extension headers, which can be placed between the IPv6 header and the upper-layer header in the packet. An IPv6 packet can carry zero, one, or more extension headers. Changes in the way IP header options are encoded allow for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. These headers increase and enhance the current capability of IP. For example, IPv6 has the ability to support datagrams (packets) larger than bytes, referred to as Jumbograms. This is accomplished through the use of the Jumbo Payload Hop-by-Hop option. IPv6 also provides greater network security through the use of the Authentication Headers (AH) and Encapsulating Security Payload (ESP) headers. IP Security IPv6 uses IP Security (IPsec) to enable the TCP/IP network provider to secure network traffic and communicate with other endpoints. IPsec provides security services by enabling a host to select required security protocols, determine the algorithms used for the service, and put in place any cryptographic keys required to provide the requested service. IPsec supports encrypted and authenticated datagrams through the use of ESP headers for the encryption and AH for the authentication

20 Overview IPsec and its policies are administered by Security Center. Status information can be retrieved using the following Operations Interface (OI) commands: NW TCPIP OPTION IPSEC Enables and disables IPsec. NW TCPIP STATUS IPSEC Displays detailed IPsec information. NW TCPIP DEBUG The dump type option of this command dumps all entries in all IPsec tables. The trace type option of this command traces within the IPsec module. For more information on the TCPIP OPTION and TCPIP STATUS commands, see Section 4, Operating TCP/IP Software. For more information on the TCPIP DEBUG command, see Section 5, Troubleshooting TCP/IP Installation and Configuration Problems. ICMPv6 Messages The IPv6 version of ICMP (ICMPv6) is supported and implemented by every IPv6 node. ICMPv6 messages are one of two types: error messages or informational messages. All ICMPv6 messages have three fields that are common to all messages (type, code, and checksum), and a variable-length field that varies based on the message type. ICMPv6 supports the following error and information types: Destination Unreachable Packet Too Big Time Exceeded Parameter Problem ICMPv6 supports the following new Multicast Listener Discovery (MLD) message types: Multicast Listener Query Multicast Listener Report Multicast Listener Done ICMPv6 supports the following new Neighbor Discovery message types: Router Solicitation Router Advertisement Neighbor Solicitation Neighbor Advertisement Redirect

21 Overview Automatic Stateless Address Configuration and Duplicate Address Detection To simplify host configuration, IPv6 supports automatic stateless address configuration. This enables hosts on a link to automatically configure themselves with IPv6 addresses for the link and with addresses derived from prefixes advertised by local routers. Even in the absence of a router, hosts on the same link can automatically configure themselves with link-local addresses and communicate without manual configuration. This feature allows an IPv6-enabled node to be added to a network and, without any configuration, be able to communicate with other destinations in the network. Before an address is permanently assigned to an interface, it is verified to ensure that it is not already in use by another interface on the link using duplicate address detection. For information on specifying automatic stateless address configuration and duplicate address detection, see Assigning IPv6 Addresses and Specifying Autoconfiguration for a Network Interface in Section 4, Operating TCP/IP Software. IPv6 Neighbor Discovery IPv6 discovers and records information about neighbor nodes on the local link. This enables nodes to determine which neighbors are reachable and to find routers that are able to forward packets for them. It is the primary means of discovering IPv6 routing information. Neighbor Discovery provides the following as part of the base protocol set: Router Discovery Address Resolution Neighbor Unreachability Detection Redirection These features are described in more detail in IPv6 Neighbor Discovery in Section 2, Overview of TCP/IP Routing and in Using Neighbor Discovery in Section 4, Operating TCP/IP Software. For information on using Neighbor Discovery, see Specifying Neighbor Discovery Options in Section 4, Operating TCP/IP Software. Multicast Listener Discovery V1 Multicast listener discovery allows IPv6 routers to discover nodes on its link that want to receive multicast packets and to discover which multicast addresses are of interest to its neighboring nodes. This information is used by IPv6 routers to deliver multicast information to the links on which there are listening nodes. To receive multicast input, an application must specify the multicast IP address for which it intends to receive multicast input, and the TCP/IP initialization file must be configured with the link-layer multicast address. To specify multicast listener discovery report intervals and retry limits, see Specifying the Unsolicited Report Options for Multicast Listener Discovery in Section 4, Operating TCP/IP Software

22 Overview Migrating to IPv6 In most cases, migrating hosts and networks in an enterprise to IPv6 is expected to be a gradual process. Compatibility with the existing IPv4 applications and hosts needs to be maintained during this transition period. It is also expected that Most or all remote hosts that are IPv6-capable are dual-stack. Edge routers (if not the complete network) are dual-stack in most cases, at least in the initial transition period. ClearPath MCP applications will be modified or newly written to be IPv6-capable as needed. These applications must be capable of operating on both IPv4 and IPv6 networks. Given the preceding conditions IPv6-capable MCP applications communicate with remote IPv4 hosts using the IPv4 layer, with IPv6 hosts using the IPv6 layer, and with dual-stack hosts using either the IPv4 or IPv6 layer with preference given to IPv6 for active opens. All existing unchanged MCP applications communicate with remote IPv4 hosts using the IPv4 layer. Existing unchanged applications that are not IP address-aware communicate with IPv6 hosts using the IPv6 layer, and with dual-stack hosts using either the IPv4 or IPv6 layer with preference given to IPv6 for active opens. Existing unchanged applications that are IP address-aware communicate with dualstack hosts using the IPv4 layer. If the remote host is IPv6-only, a network-based translation device can be used to facilitate the conversion between IPv4 and IPv6, transparently to hosts; the protocol used is NAT-PT. All applications using the MCP Sockets API and those using the user datagram protocol (UDP) need to be modified for IPv6. Applications using the Logical I/O and Co-op APIs over TCP connections are affected if one of the following is true: The applications need to be capable of connecting to remote hosts using explicit IP addresses. The applications handle (store, parse, generate, or display) IP addresses

23 Overview Key Differences Between IPv4 and IPv6 Table 1 1 describes the key differences between IPv4 and IPv6. Table 1 1. Key Differences Between IPv4 and IPv6 IPv4 Source and destination addresses are 32 bits (4 bytes) in length. IPsec support is optional. No identification of packet flow for quality of service (QoS) handling by routers is present within the IPv4 header. Fragmentation is done by both routers and the sending host. Header includes a checksum. Header includes options. Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address. Internet Group Management Protocol (IGMP) is used to manage local subnet group memberships. ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional. Broadcast addresses are used to send traffic to all nodes on a subnet. Must be configured either manually or through DHCP. Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses. Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names. Must support a 576-byte packet size (possibly fragmented). IPv6 Source and destination addresses are 128 bits (16 bytes) in length. IPsec support is required. Packet flow identification for QoS handling by routers is included in IPv6 header using the Flow Label field. Fragmentation is not done by routers, only by the sending host. Header does not include a checksum. All optional data is moved to IPv6 extension headers. ARP Request frames are replaced with Multicast Neighbor Solicitation messages. IGMP is replaced with Multicast Listener Discovery (MLD) messages. ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages and is required. There are no IPv6 broadcast addresses. Instead, a link-local scope-all-nodes multicast address is used. Does not require manual configuration or DHCP. Uses host address (AAAA) resource records in the Domain Name System (DNS) to map host names to IPv6 addresses. Uses pointer (PTR) resource records in the IP6.INT DNS domain to map IPv6 addresses to host names. Must support a 1280-byte packet size (without fragmentation)

24 Overview IPv6 Internet Standards (IETF RFCs) The following Request for Comments (RFC) identifies functions provided by IPv6 that are implemented for all supported levels of MCP Networking. Table 1 2. IPv6 RFCs RFC Number Title 2460 Internet Protocol Version 6 (IPv6) Specification 2461 Neighbor Discovery for IP Version 6 (IPv6) 2462 IPv6 Stateless Address Autoconfiguration 2464 Transmission of IPv6 Packets over Ethernet Networks 2710 Multicast Listener Discovery (MLD) for IPv Format for Literal IPv6 Addresses in URL s 3484 Default Address Selection for Internet Protocol Version 6 (IPv6) 3493 Basic Socket Interface Extensions for IPv DNS Extensions to Support IP Version Application Aspects of IPv6 Transition 4191 Default Router Preferences and More-Specific Routes 4213 Basic Transition Mechanisms for IPv6 Hosts and Routers 4291 IP Version 6 Addressing Architecture 4294 IPv6 Node Requirements 4301 Security Architecture for the Internet Protocol 4302 IP Authentication Header (AH) 4303 IP Encapsulating Security Payload (ESP) 4308 Cryptographic Suites for IPsec 4429 Optimistic Duplicate Address Detection (DAD) for IPv Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification 4835 Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

25 Overview TCP/IP Distributed Systems Services Unisys provides a variety of TCP/IP distributed systems services (DSS) for use on ClearPath MCP systems. TCP/IP DSS products include the following: FTP Services for ClearPath MCP This product provides file transfer capabilities with two client interfaces, one server interface, and an operator/administrator interface. The capability for securing the control and/or the data streams through the use of the SSL protocol (called FTPS) or the use of the SSH protocol (called SFTP) is available. Telnet Services This product provides station connection services from one remote host to another across a TCP/IP network. The capability for securing the Telnet session with SSL is available. TCP/IP Printing This product provides printing services between the Print System or the Remote Print System and remote hosts and network printers by means of a TCP/IP network. Domain Name System (DNS) This product provides addressing services on a TCP/IP network. Time Synchronization This product allows multiple computers in a network to perform transactions that are time sensitive. Different machines have the capability of operating on the same time reference. Remote SSH Command Utility This product allows commands to be executed at remote Unix systems via the SSH protocol. For more information on using TCP/IP DSS products, refer to the TCP/IP Distributed Systems Services Operations Guide

26 Overview

27 Section 2 Overview of TCP/IP Routing This section describes TCP/IP routing on ClearPath MCP servers. Beginning with MCP release 12.0, TCP/IP initializes in dual mode and can support both the IPv4 and IPv6 protocols running simultaneously on a ClearPath server. This section describes the basic routing concepts shared by IPv4 and IPv6 and explains the new features supported by IPv6 to enhance TCP/IP routing capabilities. This section provides the following: An overview of TCP/IP IPv4 and IPv6 routing commands IPv4 addressing and subnetting concepts IPv6 addressing concepts Conceptual material explaining variable-length subnet masking (VLSM) and classless interdomain routing (CIDR) and how these routing technologies are implemented by IPv4 and IPv6 Examples that illustrate various IPv4 and IPv6 routing topologies including the use of multiple routes to a common destination, multiple local IP addresses for a network interface, and multiple logical networks Notes: The IP addresses shown in the sample topologies in this section are for reference only. Do not use these addresses. If a routing feature is supported on both IPv4 and IPv6 networks, the sample topologies that illustrate the feature assume dual-mode operation and show support for both IPv4 and IPv6 running simultaneously. Therefore, both IPv4 addresses and IPv6 addresses are shown in the topologies, but these addresses cannot be intermixed. That is, a node with an IPv4 address cannot communicate with another node that has an IPv6 address

28 Overview of TCP/IP Routing TCP/IP Routing Commands The following commands support TCP/IP routing. See Section 4, Operating TCP/IP Software, for information on how to use these commands. NW TCPIP ROUTE command NW TCPIP [TCPIP]IDENTITY command NW TCPIP RIP command (IPv4 only) NW TCPIP RIP RIPAUTHENTICATION command (IPv4 only) NW TCPIP ROUTE Command The NW TCPIP ROUTE command configures networks reachable through known routers. It enables you to configure routes that are more flexible, support resilient network topologies, and support VLSM or CIDR addressing and routing. Specific routes to remote hosts, subnets, networks, and supernets can be manually configured using the ROUTE ADD form of this command by supplying a destination and a next-hop router through which the destination can be reached. For IPv4 networks, VLSM-addressed or CIDR-addressed routes can be configured by adding a destination with the optional mask or / (slash) notation followed by the networkprefix attribute. For IPv6 networks, the IPv6 address autoconfiguration feature defaults to disabled. You can use the NW TCPIP ROUTE command to configure an IPv6 address on an interface. This initializes the IPv6 networking stacks and appropriate data structures for that interface. IPv6 networks do not support the mask attribute and use the / notation followed by the network-prefix attribute. Destinations that are configured without the mask or / networkprefix attribute notation are treated as host-specific routes. The ROUTE ADD form of the command can also be used to configure default routes. A default route is a route that is taken in the absence of a specific route (dynamically learned or manually configured) to a destination. Default routes can be assigned to specific VLSM or CIDR address aggregations (subnet/network/supernet) using the optional mask attribute (supported by IPv4 only) or / network-prefix attribute (supported by IPv4 and IPv6), and are referred to as assigned default routes. Default routes that are configured without the mask or / route-prefix attribute are treated as system default routes. The ROUTE DELETE form of the ROUTE command enables you to manually delete specific static (manually configured) routes to remote hosts, subnets, networks, or supernets and default routes. Only inactive routes (those without open dialogs) can be deleted unless forced by using the optional "NOW" keyword

29 Overview of TCP/IP Routing NW TCPIP [TCPIP]IDENTITY Command The NW TCPIP [TCPIP]IDENTITY (TCPIP ID) command enables an IPv4 network administrator to configure and delete multiple local IP addresses or address and mask pairs for each network interface. This extends MCP TCP/IP multihoming capabilities to support multiple logical networks. With IPv4 networks, you can also use this command to set the RIP Authentication type for each network interface. For IPv6, the network administrator can use the NW TCPIP ID command to enable autoconfiguration and duplicate address detection. If autoconfiguration is enabled, IPv6 hosts are automatically configured when connected to a routed IPv6 network. This means that you can use the TCPIP ID command without specifying an IPv6 address. If autoconfiguration is not enabled, IPv6 addresses must be assigned manually for communication to occur within an IPv6 network. Both a link-local address and any routed unicast addresses in which the interface will participate must be manually specified. If a link-local address is missing on an interface that is configured for IPv6, then a waiting entry is generated. For example: 2422/ :03 TCPIP/WARNING/TASK/ACCEPT/211/1/0 ACCEPT:No IPv6 link local address for interface on Network processor 211 Line 1 VLAN 0. *** ENTER: 'AX OK', OR DS You can also specify the number of consecutive Neighbor Solicitation messages sent while performing duplicate address detection on a tentative address. This ensures that an address is not already in use by another interface before it is permanently assigned to an interface. NW TCPIP RIP and NW TCPIP RIP RIPAUTHENTICATION Commands The NW TCPIP RIP and NW TCPIP RIP RIPAUTHENTICATION (TCPIP RIP RIPAA) commands are supported only by IPv4. The NW TCPIP RIP command provides current Routing Information Protocol (RIP) status and configuration information. The NW TCPIP RIP RIPAA command sets the type of RIPv2 authentication that is in effect for a specified network processor and line. Network administrators can also inquire on the current authentication types set on each device and line configured on the system. IPv6 uses dynamic route discovery to perform the same functions as RIP in IPv4. Dynamic route discovery gathers information learned from router advertisements in order to build a list of routers to which packets can be sent. If autoconfiguration is enabled, local addresses are parsed and built from the prefixes in the router advertisements

30 Overview of TCP/IP Routing IPv4 Addressing An Internet Protocol (IP) address is assigned to every host that uses the TCP/IP IPv4 protocol. This address is 32 bits in length, consisting of four octets or bytes. In decimal form, it is commonly represented as four fields, separated by dots, where each field contains a value in the range of 0 to 255. For example: Each IP address consists of two parts as shown in Figure 2 1. The first part of the address is the network-number, which identifies the network on the Internet on which the host resides. The second part of the address is the host-number, which indicates a specific host within that network. Since the leading portion of an IP address provides the network-number, it is often referred to as the network-prefix. All hosts on any given network share the same network-prefix but must have a unique host-number. bit # 0 31 Network-Number/ Network-Prefix Host-Number 001 Figure 2 1. Two-Level Addressing Hierarchy Understanding IPv4 Address Classes In order to support networks of different sizes, address space is divided into different address classes, Class A, B, and C recognized as classful addressing. Addresses within each class are self-identifying because the boundary between the network-prefix and the host-number is fixed depending on the class to which they belong. Given any classful IP address, its class can be determined from a self-encoding key at the beginning of the network-prefix as shown in Figure

31 Overview of TCP/IP Routing Class A bit # Network-Prefix Host-Number Class B bit # Network-Prefix Host-Number Class C bit # Network-Prefix Host-Number 002 Figure 2 2. Classful IP Addresses Class A (addresses that start with 1 126; 8-bit network prefix) Class A is reserved for 126 large public networks and very large corporate networks. All of these network numbers have already been assigned. Each Class A network can contain almost 17 million (2 24-2) hosts. Example: (for host on network number ). Class B (addresses that start with ; 16-bit network prefix) Class B can support 16,384 networks and is used by government agencies and very large corporations. Most of the 16,382 possible Class B addresses have already been assigned. Each Class B network can contain up to 65,534 (2 16-2) hosts. Example: (host 5.1 on network number ). Class C (addresses that start with ; 24-bit network prefix) Class C is intended for most users around the world. There are several million possible Class C networks. Each Class C network can contain up to 254 (2 8-2) hosts. Example: (host 1 on network number ). Class D (addresses that start with ) Hosts can use Class D addresses to multicast messages to a specific group of nodes. Class E (addresses that start with ) Class E is reserved for future use