solaris ipmp

System Administration Guide: IP Services Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 816–4554–15 April 2008


Copyright 2008 Sun Microsystems, Inc.

4150 Network Circle, Santa Clara, CA 95054 U.S.A.

All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries.

U.S. Government Rights: Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

This distribution may include materials developed by third parties.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Sun Quad FastEthernet, Java, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements.

Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.


Contents

Preface

Part I  Introducing System Administration: IP Services

1  Solaris TCP/IP Protocol Suite (Overview)

  Introducing the TCP/IP Protocol Suite
  Protocol Layers and the Open Systems Interconnection Model
  TCP/IP Protocol Architecture Model
  How the TCP/IP Protocols Handle Data Communications
  Data Encapsulation and the TCP/IP Protocol Stack
  TCP/IP Internal Trace Support
  Finding Out More About TCP/IP and the Internet
  Computer Books About TCP/IP
  TCP/IP and Networking Related Web Sites
  Requests for Comments and Internet Drafts

Part II  TCP/IP Administration

2  Planning Your TCP/IP Network (Tasks)

  Network Planning (Task Map)
  Determining the Network Hardware
  Deciding on an IP Addressing Format for Your Network
  IPv4 Addresses
  IPv4 Addresses in CIDR Format
  DHCP Addresses
  IPv6 Addresses
  Private Addresses and Documentation Prefixes
  Obtaining Your Network's IP Number
  Designing an IPv4 Addressing Scheme
  Designing Your IPv4 Addressing Scheme
  IPv4 Subnet Number
  Designing Your CIDR IPv4 Addressing Scheme
  Using Private IPv4 Addresses
  How IP Addresses Apply to Network Interfaces
  Naming Entities on Your Network
  Administering Host Names
  Selecting a Name Service and Directory Service
  Planning for Routers on Your Network
  Network Topology Overview
  How Routers Transfer Packets

3  Introducing IPv6 (Overview)

  Major Features of IPv6
  Expanded Addressing
  Address Autoconfiguration and Neighbor Discovery
  Header Format Simplification
  Improved Support for IP Header Options
  Application Support for IPv6 Addressing
  Additional IPv6 Resources
  IPv6 Network Overview
  IPv6 Addressing Overview
  Parts of the IPv6 Address
  Abbreviating IPv6 Addresses
  Prefixes in IPv6
  Unicast Addresses
  Multicast Addresses
  Anycast Addresses and Groups
  IPv6 Neighbor Discovery Protocol Overview
  IPv6 Address Autoconfiguration
  Stateless Autoconfiguration Overview
  Overview of IPv6 Tunnels

4  Planning an IPv6 Network (Tasks)

  IPv6 Planning (Task Maps)
  IPv6 Network Topology Scenario
  Preparing the Existing Network to Support IPv6
  Preparing the Network Topology for IPv6 Support
  Preparing Network Services for IPv6 Support
  Preparing Servers for IPv6 Support
  How to Prepare Network Services for IPv6 Support
  How to Prepare DNS for IPv6 Support
  Planning for Tunnels in the Network Topology
  Security Considerations for the IPv6 Implementation
  Preparing an IPv6 Addressing Plan
  Obtaining a Site Prefix
  Creating the IPv6 Numbering Scheme

5  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

  What's New in This Chapter
  Before You Configure an IPv4 Network (Task Map)
  Determining Host Configuration Modes
  Systems That Should Run in Local Files Mode
  Systems That Are Network Clients
  Mixed Configurations
  IPv4 Network Topology Scenario
  Adding a Subnet to a Network (Task Map)
  Network Configuration Task Map
  Configuring Systems on the Local Network
  How to Configure a Host for Local Files Mode
  How to Set Up a Network Configuration Server
  Configuring Network Clients
  How to Configure Hosts for Network Client Mode
  How to Change the IPv4 Address and Other Network Configuration Parameters
  Packet Forwarding and Routing on IPv4 Networks
  Routing Protocols Supported by the Solaris OS
  IPv4 Autonomous System Topology
  Configuring an IPv4 Router
  How to Configure an IPv4 Router
  Routing Tables and Routing Types
  Configuring Multihomed Hosts
  How to Create a Multihomed Host
  Configuring Routing for Single-Interface Systems
  How to Enable Static Routing on a Single-Interface Host
  How to Enable Dynamic Routing on a Single-Interface Host
  Monitoring and Modifying Transport Layer Services
  How to Log the IP Addresses of All Incoming TCP Connections
  How to Add Services That Use the SCTP Protocol
  How to Use TCP Wrappers to Control Access to TCP Services
  Administering Interfaces in Solaris 10 3/05
  What's New in This Section
  Configuring Physical Interfaces in Solaris 10 3/05
  How to Add a Physical Interface After Installation in Solaris 10 3/05 ONLY
  How to Remove a Physical Interface in Solaris 10 3/05 ONLY
  Configuring VLANs in Solaris 10 3/05 ONLY
  How To Configure Static VLANs in Solaris 10 3/05 ONLY

6  Administering Network Interfaces (Tasks)

  What's New in Administering Network Interfaces
  Interface Administration (Task Map)
  Basics for Administering Physical Interfaces
  Network Interface Names
  Plumbing an Interface
  Solaris OS Interface Types
  Administering Individual Network Interfaces
  How to Obtain Interface Status
  How to Configure a Physical Interface After System Installation
  How to Remove a Physical Interface
  SPARC: How to Ensure That the MAC Address of an Interface Is Unique
  Administering Virtual Local Area Networks
  Overview of VLAN Topology
  Planning for VLANs on a Network
  How to Plan a VLAN Configuration
  Configuring VLANs
  How to Configure a VLAN
  Overview of Link Aggregations
  Link Aggregation Basics
  Back-to-Back Link Aggregations
  Policies and Load Balancing
  Aggregation Mode and Switches
  Requirements for Link Aggregations
  How to Create a Link Aggregation
  How to Modify an Aggregation
  How to Remove an Interface From an Aggregation
  How to Delete an Aggregation

7  Configuring an IPv6 Network (Tasks)

  Configuring an IPv6 Interface
  Enabling IPv6 on an Interface (Task Map)
  How to Enable an IPv6 Interface for the Current Session
  How to Enable Persistent IPv6 Interfaces
  How to Turn Off IPv6 Address Autoconfiguration
  Configuring an IPv6 Router
  IPv6 Router Configuration (Task Map)
  How to Configure an IPv6-Enabled Router
  Modifying an IPv6 Interface Configuration for Hosts and Servers
  Modifying an IPv6 Interface Configuration (Task Map)
  Using Temporary Addresses for an Interface
  How to Configure a Temporary Address
  Configuring an IPv6 Token
  How to Configure a User-Specified IPv6 Token
  Administering IPv6-Enabled Interfaces on Servers
  How to Enable IPv6 on a Server's Interfaces
  Tasks for Configuring Tunnels for IPv6 Support (Task Map)
  Configuring Tunnels for IPv6 Support
  How to Manually Configure IPv6 Over IPv4 Tunnels
  How to Manually Configure IPv6 Over IPv6 Tunnels
  How to Configure IPv4 Over IPv6 Tunnels
  How to Configure a 6to4 Tunnel
  How to Configure a 6to4 Tunnel to a 6to4 Relay Router
  Configuring Name Service Support for IPv6
  How to Add IPv6 Addresses to DNS
  Adding IPv6 Addresses to NIS
  How to Display IPv6 Name Service Information
  How to Verify That DNS IPv6 PTR Records Are Updated Correctly
  How to Display IPv6 Information Through NIS
  How to Display IPv6 Information Independent of the Name Service

8  Administering a TCP/IP Network (Tasks)

  Major TCP/IP Administrative Tasks (Task Map)
  Monitoring the Interface Configuration With the ifconfig Command
  How to Get Information About a Specific Interface
  How to Display Interface Address Assignments
  Monitoring Network Status With the netstat Command
  How to Display Statistics by Protocol
  How to Display the Status of Transport Protocols
  How to Display Network Interface Status
  How to Display the Status of Sockets
  How to Display the Status of Transmissions for Packets of a Specific Address Type
  How to Display the Status of Known Routes
  Probing Remote Hosts With the ping Command
  How to Determine if a Remote Host Is Running
  How to Determine if a Host Is Dropping Packets
  Administering and Logging Network Status Displays
  How to Control the Display Output of IP-Related Commands
  How to Log Actions of the IPv4 Routing Daemon
  How to Trace the Activities of the IPv6 Neighbor Discovery Daemon
  Displaying Routing Information With the traceroute Command
  How to Find Out the Route to a Remote Host
  How to Trace All Routes
  Monitoring Packet Transfers With the snoop Command
  How to Check Packets From All Interfaces
  How to Capture snoop Output Into a File
  How to Check Packets Between an IPv4 Server and a Client
  How to Monitor IPv6 Network Traffic
  Administering Default Address Selection
  How to Administer the IPv6 Address Selection Policy Table
  How to Modify the IPv6 Address Selection Table for the Current Session Only

9  Troubleshooting Network Problems (Tasks)

  What's New in Troubleshooting Network Problems
  General Network Troubleshooting Tips
  Running Basic Diagnostic Checks
  How to Perform Basic Network Software Checking
  Common Problems When Deploying IPv6
  IPv4 Router Cannot Be Upgraded to IPv6
  Problems After Upgrading Services to IPv6
  Current ISP Does Not Support IPv6
  Security Issues When Tunneling to a 6to4 Relay Router
  Known Issues With a 6to4 Router

10 TCP/IP and IPv4 in Depth (Reference)
What's New in TCP/IP and IPv4 in Depth
TCP/IP Configuration Files
/etc/hostname.interface File
/etc/nodename File
/etc/defaultdomain File
/etc/defaultrouter File
hosts Database
ipnodes Database
netmasks Database
inetd Internet Services Daemon
Network Databases and the nsswitch.conf File
How Name Services Affect Network Databases
nsswitch.conf File
bootparams Database
ethers Database
Other Network Databases
protocols Database
services Database
Routing Protocols in the Solaris OS
Routing Information Protocol (RIP)
ICMP Router Discovery (RDISC) Protocol
Network Classes
Class A Network Numbers
Class B Network Numbers
Class C Network Numbers

11 IPv6 in Depth (Reference)
What's New in IPv6 in Depth
IPv6 Addressing Formats Beyond the Basics
6to4-Derived Addresses
IPv6 Multicast Addresses in Depth
IPv6 Packet Header Format
IPv6 Extension Headers
Dual-Stack Protocols
Solaris 10 IPv6 Implementation
IPv6 Configuration Files
IPv6-Related Commands
IPv6-Related Daemons
IPv6 Neighbor Discovery Protocol
ICMP Messages From Neighbor Discovery
Autoconfiguration Process
Neighbor Solicitation and Unreachability
Duplicate Address Detection Algorithm
Proxy Advertisements
Inbound Load Balancing
Link-Local Address Change
Comparison of Neighbor Discovery to ARP and Related IPv4 Protocols
IPv6 Routing
Router Advertisement
IPv6 Tunnels
Configured Tunnels
6to4 Automatic Tunnels
IPv6 Extensions to Solaris Name Services
DNS Extensions for IPv6
Changes to the nsswitch.conf File
Changes to Name Service Commands
NFS and RPC IPv6 Support
IPv6 Over ATM Support

Part III DHCP

12 About Solaris DHCP (Overview)
About the DHCP Protocol
Advantages of Using Solaris DHCP
How DHCP Works
Solaris DHCP Server
DHCP Server Management
DHCP Data Store
DHCP Manager
DHCP Command-Line Utilities
Role-Based Access Control for DHCP Commands
DHCP Server Configuration
IP Address Allocation
Network Configuration Information
About DHCP Options
About DHCP Macros
Solaris DHCP Client

13 Planning for DHCP Service (Tasks)
Preparing Your Network for the DHCP Service (Task Map)
Mapping Your Network Topology
Determining the Number of DHCP Servers
Updating System Files and Netmask Tables
Making Decisions for Your DHCP Server Configuration (Task Map)
Selecting a Host to Run the DHCP Service
Choosing the DHCP Data Store
Setting a Lease Policy
Determining Routers for DHCP Clients
Making Decisions for IP Address Management (Task Map)
Number and Ranges of IP Addresses
Client Host Name Generation
Default Client Configuration Macros
Dynamic and Permanent Lease Types
Reserved IP Addresses and Lease Type
Planning for Multiple DHCP Servers
Planning DHCP Configuration of Your Remote Networks
Selecting the Tool for Configuring DHCP
DHCP Manager Features
dhcpconfig Features
Comparison of DHCP Manager and dhcpconfig

14 Configuring the DHCP Service (Tasks)
Configuring and Unconfiguring a DHCP Server Using DHCP Manager
Configuring DHCP Servers
How to Configure a DHCP Server (DHCP Manager)
Configuring BOOTP Relay Agents
How to Configure a BOOTP Relay Agent (DHCP Manager)
Unconfiguring DHCP Servers and BOOTP Relay Agents
DHCP Data on an Unconfigured Server
How to Unconfigure a DHCP Server or a BOOTP Relay Agent (DHCP Manager)
Configuring and Unconfiguring a DHCP Server Using dhcpconfig Commands
How to Configure a DHCP Server (dhcpconfig -D)
How to Configure a BOOTP Relay Agent (dhcpconfig -R)
How to Unconfigure a DHCP Server or a BOOTP Relay Agent (dhcpconfig -U)

15 Administering DHCP (Tasks)
About DHCP Manager
DHCP Manager Window
DHCP Manager Menus
Starting and Stopping DHCP Manager
How to Start and Stop DHCP Manager
Setting Up User Access to DHCP Commands
How to Grant Users Access to DHCP Commands
Starting and Stopping the DHCP Service
How to Start and Stop the DHCP Service (DHCP Manager)
How to Enable and Disable the DHCP Service (DHCP Manager)
How to Enable and Disable the DHCP Service (dhcpconfig -S)
DHCP Service and the Service Management Facility
Modifying DHCP Service Options (Task Map)
Changing DHCP Logging Options
How to Generate Verbose DHCP Log Messages (DHCP Manager)
How to Generate Verbose DHCP Log Messages (Command Line)
How to Enable and Disable DHCP Transaction Logging (DHCP Manager)
How to Enable and Disable DHCP Transaction Logging (Command Line)
How to Log DHCP Transactions to a Separate syslog File
Enabling Dynamic DNS Updates by a DHCP Server
How to Enable Dynamic DNS Updating for DHCP Clients
Client Host Name Registration
Customizing Performance Options for the DHCP Server
How to Customize DHCP Performance Options (DHCP Manager)
How to Customize DHCP Performance Options (Command Line)
Adding, Modifying, and Removing DHCP Networks (Task Map)
Specifying Network Interfaces for DHCP Monitoring
How to Specify Network Interfaces for DHCP Monitoring (DHCP Manager)
How to Specify Network Interfaces for DHCP Monitoring (dhcpconfig)
Adding DHCP Networks
How to Add a DHCP Network (DHCP Manager)
How to Add a DHCP Network (dhcpconfig)
Modifying DHCP Network Configurations
How to Modify the Configuration of a DHCP Network (DHCP Manager)
How to Modify the Configuration of a DHCP Network (dhtadm)
Removing DHCP Networks
How to Remove a DHCP Network (DHCP Manager)
How to Remove a DHCP Network (pntadm)
Supporting BOOTP Clients With the DHCP Service (Task Map)
How to Set Up Support of Any BOOTP Client (DHCP Manager)

How to Set Up Support of Registered BOOTP Clients (DHCP Manager)
Working With IP Addresses in the DHCP Service (Task Map)
Adding IP Addresses to the DHCP Service
How to Add a Single IP Address (DHCP Manager)
How to Duplicate an Existing IP Address (DHCP Manager)
How to Add Multiple IP Addresses (DHCP Manager)
How to Add IP Addresses (pntadm)
Modifying IP Addresses in the DHCP Service
How to Modify IP Address Properties (DHCP Manager)
How to Modify IP Address Properties (pntadm)
Removing IP Addresses From the DHCP Service
Marking IP Addresses as Unusable by the DHCP Service
How to Mark IP Addresses as Unusable (DHCP Manager)
How to Mark IP Addresses as Unusable (pntadm)
Deleting IP Addresses From the DHCP Service
How to Delete IP Addresses From DHCP Service (DHCP Manager)
How to Delete IP Addresses From the DHCP Service (pntadm)
Assigning a Reserved IP Address to a DHCP Client
How to Assign a Consistent IP Address to a DHCP Client (DHCP Manager)
How to Assign a Consistent IP Address to a DHCP Client (pntadm)
Working With DHCP Macros (Task Map)
How to View Macros Defined on a DHCP Server (DHCP Manager)
How to View Macros Defined on a DHCP Server (dhtadm)
Modifying DHCP Macros
How to Change Values for Options in a DHCP Macro (DHCP Manager)
How to Change Values for Options in a DHCP Macro (dhtadm)
How to Add Options to a DHCP Macro (DHCP Manager)
How to Add Options to a DHCP Macro (dhtadm)
How to Delete Options From a DHCP Macro (DHCP Manager)
How to Delete Options From a DHCP Macro (dhtadm)
Creating DHCP Macros
How to Create a DHCP Macro (DHCP Manager)
How to Create a DHCP Macro (dhtadm)
Deleting DHCP Macros
How to Delete a DHCP Macro (DHCP Manager)
How to Delete a DHCP Macro (dhtadm)

Working With DHCP Options (Task Map)
Creating DHCP Options
How to Create DHCP Options (DHCP Manager)
How to Create DHCP Options (dhtadm)
Modifying DHCP Options
How to Modify DHCP Option Properties (DHCP Manager)
How to Modify DHCP Option Properties (dhtadm)
Deleting DHCP Options
How to Delete DHCP Options (DHCP Manager)
How to Delete DHCP Options (dhtadm)
Modifying the Solaris DHCP Client's Option Information
Supporting Solaris Network Installation With the DHCP Service
Supporting Remote Boot and Diskless Boot Clients (Task Map)
Setting Up DHCP Clients to Receive Information Only (Task Map)
Converting to a New DHCP Data Store
How to Convert the DHCP Data Store (DHCP Manager)
How to Convert the DHCP Data Store (dhcpconfig -C)
Moving Configuration Data Between DHCP Servers (Task Map)
How to Export Data From a DHCP Server (DHCP Manager)
How to Export Data From a DHCP Server (dhcpconfig -X)
How to Import Data on a DHCP Server (DHCP Manager)
How to Import Data on a DHCP Server (dhcpconfig -I)
How to Modify Imported DHCP Data (DHCP Manager)
How to Modify Imported DHCP Data (pntadm, dhtadm)

16 Configuring and Administering the DHCP Client
About the Solaris DHCP Client
DHCPv6 Server
Differences Between DHCPv4 and DHCPv6
The Administrative Model
Protocol Details
Logical Interfaces
Option Negotiation
Configuration Syntax
DHCP Client Startup
DHCPv6 Communication
How DHCP Client Protocols Manage Network Configuration Information
DHCP Client Shutdown
Enabling and Disabling a Solaris DHCP Client
How to Enable the Solaris DHCP Client
How to Disable a Solaris DHCP Client
DHCP Client Administration
ifconfig Command Options Used With the DHCP Client
Setting DHCP Client Configuration Parameters
DHCP Client Systems With Multiple Network Interfaces
DHCPv4 Client Host Names
How to Enable a Solaris DHCPv4 Client to Request a Specific Host Name
DHCP Client Systems and Name Services
Setting Up DHCP Clients as NIS+ Clients
How to Set Up Solaris DHCP Clients as NIS+ Clients
DHCP Client Event Scripts

17 Troubleshooting DHCP (Reference)
Troubleshooting DHCP Server Problems
NIS+ Problems and the DHCP Data Store
IP Address Allocation Errors in DHCP
Troubleshooting DHCP Client Configuration Problems
Problems Communicating With the DHCP Server
How to Run the DHCP Client in Debugging Mode
How to Run the DHCP Server in Debugging Mode
How to Use snoop to Monitor DHCP Network Traffic
Problems With Inaccurate DHCP Configuration Information
Problems With the DHCP Client-Supplied Host Name

18 DHCP Commands and Files (Reference)
DHCP Commands
Running DHCP Commands in Scripts
Files Used by the DHCP Service
DHCP Option Information
Determining if Your Site Is Affected
Differences Between dhcptags and inittab Files
Converting dhcptags Entries to inittab Entries

Part IV IP Security

19 IP Security Architecture (Overview)
What's New in IPsec?
Introduction to IPsec
IPsec RFCs
IPsec Terminology
IPsec Packet Flow
IPsec Security Associations
Key Management in IPsec
IPsec Protection Mechanisms
Authentication Header
Encapsulating Security Payload
Authentication and Encryption Algorithms in IPsec
IPsec Protection Policies
Transport and Tunnel Modes in IPsec
Virtual Private Networks and IPsec
IPsec and NAT Traversal
IPsec and SCTP
IPsec and Solaris Zones
IPsec Utilities and Files
Changes to IPsec for the Solaris 10 Release

20

Configuring IPsec (Tasks)
Protecting Traffic With IPsec (Task Map)
Protecting Traffic With IPsec
How to Secure Traffic Between Two Systems With IPsec
How to Secure a Web Server With IPsec
How to Display IPsec Policies
How to Generate Random Numbers on a Solaris System
How to Manually Create IPsec Security Associations
How to Verify That Packets Are Protected With IPsec
How to Create a Role for Configuring Network Security
Protecting a VPN With IPsec
Examples of Protecting a VPN With IPsec by Using Tunnels in Tunnel Mode
Protecting a VPN With IPsec (Task Map)
Description of the Network Topology for the IPsec Tasks to Protect a VPN
How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4
How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv6
How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv4
How to Protect a VPN With an IPsec Tunnel in Transport Mode Over IPv6

21

IP Security Architecture (Reference)
ipsecconf Command
ipsecinit.conf File
Sample ipsecinit.conf File
Security Considerations for ipsecinit.conf and ipsecconf
ipsecalgs Command
Security Associations Database for IPsec
Utilities for Key Generation in IPsec
Security Considerations for ipseckey
IPsec Extensions to Other Utilities
ifconfig Command and IPsec
snoop Command and IPsec

22

Internet Key Exchange (Overview)
What's New in IKE?
Key Management With IKE
IKE Key Negotiation
IKE Key Terminology
IKE Phase 1 Exchange
IKE Phase 2 Exchange
IKE Configuration Choices
IKE With Preshared Keys
IKE With Public Key Certificates
IKE and Hardware Acceleration
IKE and Hardware Storage
IKE Utilities and Files
Changes to IKE for the Solaris 10 Release

23

Configuring IKE (Tasks)
Configuring IKE (Task Map)
Configuring IKE With Preshared Keys (Task Map)
Configuring IKE With Preshared Keys
How to Configure IKE With Preshared Keys
How to Refresh IKE Preshared Keys
How to Add an IKE Preshared Key for a New Policy Entry in ipsecinit.conf
How to Verify That IKE Preshared Keys Are Identical
Configuring IKE With Public Key Certificates (Task Map)
Configuring IKE With Public Key Certificates
How to Configure IKE With Self-Signed Public Key Certificates
How to Configure IKE With Certificates Signed by a CA
How to Generate and Store Public Key Certificates on Hardware
How to Handle a Certificate Revocation List
Configuring IKE for Mobile Systems (Task Map)
Configuring IKE for Mobile Systems
How to Configure IKE for Off-Site Systems
Configuring IKE to Find Attached Hardware (Task Map)
Configuring IKE to Find Attached Hardware
How to Configure IKE to Find the Sun Crypto Accelerator 1000 Board
How to Configure IKE to Find the Sun Crypto Accelerator 4000 Board
Changing IKE Transmission Parameters (Task Map)
Changing IKE Transmission Parameters
How to Change the Duration of Phase 1 IKE Key Negotiation

24

Internet Key Exchange (Reference)
IKE Daemon
IKE Policy File
IKE Administration Command
IKE Preshared Keys Files
IKE Public Key Databases and Commands
ikecert tokens Command
ikecert certlocal Command
ikecert certdb Command
ikecert certrldb Command
/etc/inet/ike/publickeys Directory
/etc/inet/secret/ike.privatekeys Directory
/etc/inet/ike/crls Directory

25

Solaris IP Filter (Overview)
What's New in Solaris IP Filter
Packet Filter Hooks
IPv6 Packet Filtering for Solaris IP Filter
Introduction to Solaris IP Filter
Information Sources for Open Source IP Filter
Solaris IP Filter Packet Processing
Guidelines for Using Solaris IP Filter
Using Solaris IP Filter Configuration Files
Working With Solaris IP Filter Rule Sets
Using Solaris IP Filter's Packet Filtering Feature
Using Solaris IP Filter's NAT Feature
Using Solaris IP Filter's Address Pools Feature
Packet Filter Hooks
Solaris IP Filter and the pfil STREAMS Module
IPv6 for Solaris IP Filter
Solaris IP Filter Man Pages

26

Solaris IP Filter (Tasks)
Configuring Solaris IP Filter
How to Enable Solaris IP Filter
How to Re-Enable Solaris IP Filter
How to Enable Loopback Filtering
Deactivating and Disabling Solaris IP Filter
How to Deactivate Packet Filtering
How to Deactivate NAT
How to Disable Packet Filtering
Working With the pfil Module
How to Enable Solaris IP Filter in Previous Solaris 10 Releases
How to Activate a NIC for Packet Filtering
How to Deactivate Solaris IP Filter on a NIC
How to View pfil Statistics for Solaris IP Filter
Working With Solaris IP Filter Rule Sets
Managing Packet Filtering Rule Sets for Solaris IP Filter
How to View the Active Packet Filtering Rule Set
How to View the Inactive Packet Filtering Rule Set
How to Activate a Different or Updated Packet Filtering Rule Set
How to Remove a Packet Filtering Rule Set
How to Append Rules to the Active Packet Filtering Rule Set
How to Append Rules to the Inactive Packet Filtering Rule Set
How to Switch Between Active and Inactive Packet Filtering Rule Sets
How to Remove an Inactive Packet Filtering Rule Set From the Kernel
Managing NAT Rules for Solaris IP Filter
How to View Active NAT Rules
How to Remove NAT Rules
How to Append Rules to the NAT Rules
Managing Address Pools for Solaris IP Filter
How to View Active Address Pools
How to Remove an Address Pool
How to Append Rules to an Address Pool
Displaying Statistics and Information for Solaris IP Filter
How to View State Tables for Solaris IP Filter
How to View State Statistics for Solaris IP Filter
How to View NAT Statistics for Solaris IP Filter
How to View Address Pool Statistics for Solaris IP Filter
Working With Log Files for Solaris IP Filter
How to Set Up a Log File for Solaris IP Filter
How to View Solaris IP Filter Log Files
How to Flush the Packet Log File
How to Save Logged Packets to a File
Creating and Editing Solaris IP Filter Configuration Files
How to Create a Configuration File for Solaris IP Filter
Solaris IP Filter Configuration File Examples

Part V

Mobile IP

27

Mobile IP (Overview)
What's New in Mobile IP
Introduction to Mobile IP
Mobile IP Functional Entities
How Mobile IP Works
Agent Discovery
Agent Advertisement
Agent Solicitation
Care-of Addresses
Mobile IP With Reverse Tunneling
Limited Private Addresses Support
Mobile IP Registration
Network Access Identifier (NAI)
Mobile IP Message Authentication
Mobile Node Registration Request
Registration Reply Message
Foreign Agent Considerations
Home Agent Considerations
Dynamic Home Agent Discovery
Routing Datagrams to and From Mobile Nodes
Encapsulation Methods
Unicast Datagram Routing
Broadcast Datagrams
Multicast Datagram Routing
Security Considerations for Mobile IP
Use of IPsec With Mobile IP

28

Administering Mobile IP (Tasks)
Creating the Mobile IP Configuration File (Task Map)
Creati