Product Overview
TCP/IP Interprocess Communications Services is an MCP-based implementation that enables the enterprise server system to connect and participate as a TCP node in multivendor network environments.
TCP/IP provides the following features:
- Unlimited TCP/IP LAN connectivity
- Host-based TCP/IP protocols
- Dynamic discovery of other TCP/IP hosts and interconnected networks
- Advanced protocols and addressing options
- SNMP data formats and interface support (an optional, separate product)
- Domain name resolver capability and IP address specifications
- LAN Resiliency reporting in a standard log message
General Features
Broadcast Filtering
The TCPIP broadcast filtering feature enables MCP administrators to detect and filter broadcast storms on the following attached network devices:
- Network Services (NNS)
- Intelligent Ethernet Adapter input/output processor (IEA-IOP)
- Fibre Channel and Gigabit Ethernet input/output processor (FC3-IOP)
- Serial attached SCSI and Gigabit Ethernet input/output processor (SAS-IOP)
This feature helps administrators prevent the denial of service condition that can be imposed on the MCP host as a result of a broadcast storm.
You can use the TCPIP BROADCASTFILTER command to enable, disable, and inquire about the configuration of the broadcast filtering feature. When the feature is enabled, the administrator can set the following values:
- High threshold value, which determines how many broadcast packets per second can be received from the network before the system begins filtering the packets.
- Low threshold value, which determines the rate to which the broadcast packets per second received from the network must decrease before the system resumes processing packets.
The Broadcast Filtering Report indicates when the high threshold and low threshold values have been reached or exceeded and provides other statistics about the broadcast traffic that has been filtered, including the source address, destination address, and protocol.
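The following is an added illustration, not Unisys MCP code: a small model of the high/low threshold pair described above, run over constructed per-second broadcast counts. The threshold values (100 and 20 packets per second), the station addresses and the report wording are assumptions chosen for the example; they show why a separate low threshold is needed to avoid flapping in and out of filtering while a storm tails off.

```python
from collections import Counter

class BroadcastFilter:
    """Hysteresis model of the high/low threshold pair: filtering starts when
    the per-second broadcast rate reaches the high threshold and stops only
    once the rate has fallen back to the low threshold."""

    def __init__(self, high, low):
        self.high = high           # broadcasts/sec that triggers filtering
        self.low = low             # broadcasts/sec at which processing resumes
        self.filtering = False
        self.events = []           # (second, threshold, rate) for the report
        self.filtered = Counter()  # (src, dst, proto) -> frames discarded

    def observe_second(self, second, frames):
        """frames: broadcast frames seen in one second as (src, dst, proto).
        Returns the frames passed on to the host for that second."""
        rate = len(frames)
        if not self.filtering and rate >= self.high:
            self.filtering = True
            self.events.append((second, "HIGH", rate))
        elif self.filtering and rate <= self.low:
            self.filtering = False
            self.events.append((second, "LOW", rate))
        if self.filtering:
            self.filtered.update(frames)
            return []
        return frames

    def report(self):
        """Threshold events plus per-source/destination/protocol counts of the
        traffic that was filtered, mirroring the Broadcast Filtering Report."""
        lines = [f"second {t}: {kind} threshold reached at {rate} pkt/s"
                 for t, kind, rate in self.events]
        for (src, dst, proto), n in sorted(self.filtered.items()):
            lines.append(f"filtered {n} {proto} broadcasts {src} -> {dst}")
        return lines

def run_demo():
    # Constructed per-second broadcast counts from one station: a storm starts
    # in second 1 and has subsided by second 4.
    rates = [10, 150, 80, 50, 15, 30]
    flt = BroadcastFilter(high=100, low=20)
    passed = []
    for second, rate in enumerate(rates):
        frames = [("10.0.0.7", "10.0.0.255", "UDP")] * rate
        passed.append(len(flt.observe_second(second, frames)))
    return passed, flt.events, flt.report()
```

Seconds 2 and 3 (80 and 50 packets per second) are still filtered even though they are below the high threshold, because the rate has not yet dropped to the low threshold.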
Dynamic Port Filtering
Dynamic port filtering enables you to configure IEA-IOP, FC3-IOP, SAS-IOP, and Network Services devices to prevent unwanted TCP and user datagram protocol (UDP) traffic from reaching the MCP host. This filtering helps prevent a denial of service attack on the MCP host by ensuring that port scans do not cause excess overhead.
To discard (filter) unwanted traffic, the MCP tells IEA-IOP, FC3-IOP, SAS-IOP, and CNA devices which ports are accepting connections and data. The data on these ports is the only data forwarded to the MCP host. All other data is filtered and logged.
You can enable or disable dynamic port filtering by using the DYNAMICPORTFILTERING option of the NW TCPIP OPTION command. This feature operates only on IEA-IOP, FC3-IOP, SAS-IOP, and Network Services Shared Adapter devices, including CNA. Legacy ICP devices do not support dynamic port filtering.
When you enable dynamic port filtering, a port filtering report is created that indicates when TCP and UDP messages have been discarded and provides statistics for traffic that has been filtered. These statistics provide information including the source address, destination address, protocol, port number, and count of messages. For TCP messages, the report also includes the TCP control flags of the traffic that has been filtered.
You can filter incoming frames (packets) based on TCP and UDP port numbers either dynamically, using dynamic port filtering, or statically, using the TCPIP FILTERFRAMES command. If the FILTERFRAMES command is enabled for a port or range of ports, then those ports will always be closed and no traffic can reach the MCP Environment. If the FILTERFRAMES command is disabled for a port or range of ports (the default), then dynamic port filtering can be used.
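As an added example (not code from the MCP product), the following model combines the two mechanisms described in this section: statically closed FILTERFRAMES ranges are checked first and always discard, otherwise only ports the MCP has reported as accepting connections are forwarded, and every discarded message is counted by source, destination, protocol, port and (for TCP) control flags, as the port filtering report does. Addresses, port numbers, the listening set and the report format are constructed for illustration; counting FILTERFRAMES drops alongside dynamic drops is an assumption of the model.

```python
from collections import Counter

class PortFilter:
    """Static FILTERFRAMES ranges are checked first and are always closed;
    otherwise only ports the MCP has reported as accepting traffic are
    forwarded, and everything else is discarded and counted for the report."""

    def __init__(self, filterframes, listening):
        self.filterframes = filterframes  # [(proto, low_port, high_port), ...]
        self.listening = set(listening)   # {(proto, port), ...} accepting data
        self.stats = Counter()            # report counters keyed per flow

    def handle(self, pkt):
        """Returns True if pkt is forwarded to the MCP host, False if filtered."""
        proto, port = pkt["proto"], pkt["dport"]
        if any(p == proto and lo <= port <= hi for p, lo, hi in self.filterframes):
            reason = "FILTERFRAMES"  # always closed; counted here too (an assumption)
        elif (proto, port) in self.listening:
            return True
        else:
            reason = "DYNAMICPORTFILTERING"  # no listener: discard and log
        flags = pkt.get("flags", "") if proto == "TCP" else ""  # flags only for TCP
        self.stats[(reason, pkt["src"], pkt["dst"], proto, port, flags)] += 1
        return False

    def report(self):
        return [f"{reason} {src} -> {dst} {proto}/{port} {flags or '-'} count={n}"
                for (reason, src, dst, proto, port, flags), n in sorted(self.stats.items())]

def run_demo():
    host = "203.0.113.10"  # constructed MCP host address
    flt = PortFilter(filterframes=[("TCP", 135, 139), ("TCP", 445, 445)],
                     listening=[("TCP", 23), ("TCP", 80), ("UDP", 53)])
    # Constructed traffic: one source probing several ports, plus legitimate
    # HTTP and DNS requests.
    packets = [
        {"src": "192.0.2.50", "dst": host, "proto": "TCP", "dport": 80, "flags": "SYN"},
        {"src": "192.0.2.50", "dst": host, "proto": "TCP", "dport": 22, "flags": "SYN"},
        {"src": "192.0.2.50", "dst": host, "proto": "TCP", "dport": 445, "flags": "SYN"},
        {"src": "192.0.2.50", "dst": host, "proto": "TCP", "dport": 8080, "flags": "SYN"},
        {"src": "198.51.100.9", "dst": host, "proto": "UDP", "dport": 53},
        {"src": "198.51.100.9", "dst": host, "proto": "UDP", "dport": 5000},
        {"src": "192.0.2.50", "dst": host, "proto": "TCP", "dport": 22, "flags": "SYN"},
    ]
    forwarded = sum(flt.handle(p) for p in packets)
    return forwarded, flt.report()
```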
Support for Core Network Services (CNS)
TCP/IP supports the core network services (CNS) software that provides the underlying set of services needed to execute the TCP/IP network on enterprise server hosts.
CNS comprises the set of services needed to run the network. Combining these services in the CNS software eliminates the need for each network provider to implement them. The CNS software is provided with TCP/IP at no additional cost.
TCP/IP End-System Security
TCP/IP end-system security is a library-based function that enables a system administrator to monitor and control TCP/IP traffic to and from the host system. This function is especially important in an Internet environment. Access can be restricted based on
- IP addresses (network, subnetwork, and host)
- Local and remote port numbers
- Local applications
- Local “TCP Authorized” applications
- Local usercodes
- Message characteristics (ICMP, trace route, or source route)
- Time and date ranges
When TCP/IP end system security is enabled, TCP/IP traffic is restricted as defined by user-defined rules maintained in a host-based file. Whenever a TCP/IP dialog establishment is not allowed, it is rejected and a TCP/IP security report is logged. The security report provides details about the rejected TCP/IP dialog request and about the rule that caused the rejection.
Network commands, responses, and reports that are deemed security relevant, or that log a security violation, are marked RELEVANT or VIOLATION in the Sumlog so that LOGANALYZER can retrieve them appropriately.
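The following added example (not the MCP end-system security implementation) models how a host-based rule file of the kind described above can be evaluated against a dialog establishment request: each rule may constrain the remote network, local ports, message characteristics (source routing) and a time-of-day range, the first matching rule decides, and a rejection produces a security report naming the rule and marked VIOLATION. The rule set, rule-file layout, addresses and timestamps are constructed for illustration; first-match ordering is an assumption of this model.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed rule set; the first matching rule decides (an assumption of this model).
RULES = [
    {"name": "R0-no-source-route", "action": "DENY", "source_route": True},
    {"name": "R1-admin-net", "action": "ALLOW",
     "remote_net": "10.1.0.0/16", "local_ports": {23, 8080}},
    {"name": "R2-web-business-hours", "action": "ALLOW",
     "local_ports": {80, 443}, "time_range": (time(7, 0), time(19, 0))},
    {"name": "R3-deny-all", "action": "DENY"},
]

def rule_matches(rule, dialog):
    """Every criterion present in the rule must hold for the dialog request."""
    if "source_route" in rule and dialog.get("source_route", False) != rule["source_route"]:
        return False
    if "remote_net" in rule and ip_address(dialog["remote_ip"]) not in ip_network(rule["remote_net"]):
        return False
    if "local_ports" in rule and dialog["local_port"] not in rule["local_ports"]:
        return False
    if "time_range" in rule:
        start, end = rule["time_range"]
        if not start <= dialog["when"].time() <= end:
            return False
    return True

def evaluate(dialog, rules=RULES):
    """Returns (decision, report): report is None when allowed, otherwise a
    security-report record naming the rule that caused the rejection."""
    for rule in rules:
        if rule_matches(rule, dialog):
            if rule["action"] == "ALLOW":
                return "ALLOW", None
            return "DENY", {"marker": "VIOLATION", "rule": rule["name"],
                            "remote": dialog["remote_ip"], "local_port": dialog["local_port"]}
    return "DENY", {"marker": "VIOLATION", "rule": "<no rule matched>"}

def run_demo():
    # Constructed dialog requests on one day; times are local host time.
    dialogs = [
        {"remote_ip": "10.1.5.9", "local_port": 23, "when": datetime(2024, 3, 5, 22, 0)},
        {"remote_ip": "203.0.113.7", "local_port": 443, "when": datetime(2024, 3, 5, 12, 0)},
        {"remote_ip": "203.0.113.7", "local_port": 443, "when": datetime(2024, 3, 5, 22, 30)},
        {"remote_ip": "10.1.5.9", "local_port": 23, "when": datetime(2024, 3, 5, 9, 0),
         "source_route": True},
    ]
    return [evaluate(d) for d in dialogs]
```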
TCP Window Scale Option
This option is an extension to the TCP protocol that improves performance over large bandwidth paths by allowing larger blocks of data to be sent and received. The TCP window scale option is based on RFC 1323.
The window scale factor is carried in this TCP Window Scale option. This option is sent only in a SYN segment, so the window scale is fixed in each direction when a connection is opened. Both sides must send window scale options in their SYN segments to enable window scaling in either direction.
You can enable or disable the window scale factor using the TCPWINDOWSCALEFACTOR option of the TCPIP OPTION command.
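An added example, not MCP code, of the RFC 1323 negotiation rule stated above: the scale is taken only from the SYN segments, each direction uses the shift the other side sent, neither direction is scaled unless both SYNs carried the option, a shift above 14 is clamped to 14 as the RFC requires, and the Window field of a SYN segment itself is never scaled. The option dictionaries and window values are constructed for illustration.

```python
MAX_SHIFT = 14  # RFC 1323 caps the shift count at 14 (windows up to 2**30 bytes)

def negotiate_window_scale(local_syn, remote_syn):
    """local_syn / remote_syn: option dicts carried in each side's SYN (or
    SYN-ACK), e.g. {"wscale": 7}. Returns (snd_shift, rcv_shift): the shift we
    apply to windows the peer advertises, and the shift the peer applies to
    ours. Both are 0 unless BOTH SYN segments carried the option."""
    if "wscale" not in local_syn or "wscale" not in remote_syn:
        return 0, 0
    snd_shift = min(remote_syn["wscale"], MAX_SHIFT)  # out-of-range values are clamped
    rcv_shift = min(local_syn["wscale"], MAX_SHIFT)
    return snd_shift, rcv_shift

def effective_window(raw_window, shift, in_syn=False):
    """Scale a 16-bit Window field; the window in a SYN segment itself is never scaled."""
    if not 0 <= raw_window <= 0xFFFF:
        raise ValueError("the TCP Window field is 16 bits")
    return raw_window if in_syn else raw_window << shift

def run_demo():
    # Constructed handshakes: both sides scale; the peer omits the option; the
    # peer sends a shift above 14 that must be clamped.
    both = negotiate_window_scale({"wscale": 7}, {"wscale": 5})
    peer_none = negotiate_window_scale({"wscale": 7}, {"mss": 1460})
    clamped = negotiate_window_scale({"wscale": 7}, {"wscale": 20})
    return {
        "both": both, "peer_none": peer_none, "clamped": clamped,
        "peer_window_scaled": effective_window(65535, both[0]),
        "peer_window_unscaled": effective_window(65535, peer_none[0]),
        "peer_syn_window": effective_window(65535, both[0], in_syn=True),
    }
```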
ICMP Reset Option
The TCP OPTION command includes the ISSUEICMPRESET option, which enables or disables TCP dialog resets caused by Internet Control Message Protocol (ICMP) messages. The enabled state, which is the default, activates the RFC 1122 behavior. The disabled state prevents ICMP messages from resetting TCP dialogs, which is the newer security behavior.
Internet Protocol Version 6 (IPv6)
Note: IPv6 and IPsec are subject to U.S. Government export regulations. Both features are included in the separately orderable Operating Environment Encryption Option. Refer to “Operating Environment Encryption Option” in Section 3 for ordering information.
ClearPath MCP supports Internet Protocol Version 6 (IPv6), the next generation of the Internet Protocol. IPv6 is intended to remedy the impending shortage of IP addresses caused by the rapid expansion of the Internet and the growth of devices that are “connected” such as cell phones, PDAs, and home appliances. IPv6 uses a 128-bit address field.
The IPv6 software architecture is based on the current MCP host-resident TCP/IP architecture implemented for IPv4. The IPv6 protocol stack coexists with the existing IPv4 host-resident TCP/IP protocol stack. This dual-stack IP architecture enables applications to operate over IPv4 and IPv6 simultaneously and provides the transition mechanism for migrating from IPv4 networks to IPv6 networks. It also enables a ClearPath MCP host to participate in a mixed network topology of IPv4-only hosts, IPv6-only hosts, and hosts capable of performing with both IPv4 and IPv6.
The IPv6 software offers the following features:
- Expanded addressing capabilities
  IPv6 increases the IP address size from 32 bits to 128 bits to support a greatly increased number of IP addresses and more levels of addressing hierarchy.
- Improved support for extensions and options
  Optional Internet-layer IPv6 information is encoded in separate headers, called extension headers, which can be placed between the IPv6 header and the upper-layer header in the packet. An IPv6 packet can carry zero, one, or more extension headers.
  This capability provides more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options.
- IP security (IPsec)
  IPv6 uses IP Security (IPsec) to enable the TCP/IP network provider to secure network traffic and communicate with other endpoints. IPsec provides security services by enabling a host to select the required security protocols, determine the algorithms used for the service, and put in place any cryptographic keys required to provide the requested service.
  Refer to the MCP Security Overview and Implementation Guide for more details.
- ICMPv6 messages
  The IPv6 version of Internet Control Message Protocol (ICMPv6) is supported and implemented by every IPv6 node. ICMPv6 messages are one of two types: error messages or informational messages. All ICMPv6 messages share three common fields (type, code, and checksum), followed by a variable-length field whose contents depend on the message type.
- Automatic stateless address configuration and duplicate address detection
  To simplify host configuration, IPv6 supports automatic stateless address configuration. This configuration enables hosts on a link to automatically configure themselves with IPv6 addresses for the link and with addresses derived from prefixes advertised by local routers.
  Even in the absence of a router, hosts on the same link can automatically configure themselves with link-local addresses and communicate without manual configuration. Consequently, an IPv6-enabled node can be added to a network and, without any configuration, communicate with other destinations in the network.
- IPv6 neighbor discovery
  IPv6 discovers and records information about neighbor nodes on the local link. Nodes can determine which neighbors are reachable and find routers that are able to forward packets for them. This capability is the primary means of discovering IPv6 routing information.
- Multicast listener discovery
  Multicast listener discovery allows an IPv6 router to discover the nodes on its link that can receive multicast packets and to learn which multicast addresses are of interest to its neighboring nodes. IPv6 routers use this information to deliver multicast traffic only to the links on which there are listening nodes.
Refer to the compatibility matrixes on the Unisys Product Support Web site for a list of Unisys products that have been updated to provide IPv6 capability.
Indirect Route for a Local Network
This feature enables you to dynamically define a resilient configuration for the MCP. Before this feature was implemented, this type of resilient configuration could be defined only through the TCP/IP Initialization file. The following example illustrates this feature:
Host A has addresses in two different networks: NET1 and NET2. For resiliency purposes, the TCP/IP Initialization file includes a route to NET2 through a router in NET1. This route is not used unless the connection to NET2 fails. When the MCP detects the direct connection failure to NET2, the MCP uses the indirect route to NET2 through the router in NET1.
NW TCPIP MONITOREVENTS command
The NW TCPIP MONITOREVENTS command enables the system administrator to monitor and log network (TCP and UDP) events on a port-by-port basis.
The TCP events that can be monitored are CLOSE, LISTEN, OPEN, and RESET.
The data transmission UDP event (send and receive) is also available.
Ordering Information
Platform: ClearPath
Style: TCP/IP Interprocess Communications Services is included as part of the operating environment. Source code is available for this product. It is included as part of the operating environment source product, which you can license separately.
Product Information
Refer to the following documents for more information:
- TCP/IP Implementation and Operations Guide (3787 7693)
- MCP Sockets Service Programming Guide (4310 5330)
- Networking Commands and Inquiries Help (4310 3506)
- TCP/IP for MCP v3 Networks Implementation and Operations Guide (8205 0386)