This section describes all networking enhancements in the Solaris 10 3/05 release that are new or have been enhanced since the Solaris 9 OS was originally distributed in May 2002.
This feature is new in the Solaris 10 3/05 release.
Virtual IP source address selection enables a system administrator to specify an IP source address to be used for packets that are routed through a particular network interface. This source address can be hosted on the just-introduced virtual network interface (vni), which is immune to hardware failures. Alternatively, the source address can be hosted on the loopback interface.
You can use virtual IP source address selection in conjunction with IP routing protocols to provide multipathing (that is, redundancy) at the network layer, beyond the first router. Currently, this form of multipathing works in conjunction with the RIPv2 routing protocol that is available in the in.routed daemon.
For more information about the virtual IP source address selection feature, see the ifconfig(1M) and vni(7d) man pages.
This feature is new in the Solaris Express 8/04 release.
Stream Control Transmission Protocol (SCTP) is a reliable transport protocol that is now included in the Solaris Operating System's TCP/IP protocol stack. SCTP provides services that are similar to TCP. However, SCTP supports connections between endpoints that are multihomed, that is, with more than one IP address. The support for multihoming makes SCTP a popular transport protocol for telephony applications. SCTP also supports multistreaming and partial reliability.
The SCTP protocol does not require additional configuration after the Solaris 10 OS is installed. However, you might need to add service definitions, so that particular applications can run over SCTP.
For information about configuring SCTP, refer to the System Administration Guide: IP Services.
This feature is new in the Solaris Express 8/04 release.
The Solaris 10 OS now includes the Zebra multiprotocol routing suite. This suite includes Open Source Zebra 0.92a routing software with bug fixes for Sun platforms. Now system administrators can use the well-known open-source routing protocols RIP, BGP, and OSPF for administering their Solaris based networks. Moreover, the OSPF daemon can be used for high network availability on multihomed servers. The Zebra packages contain these protocols and the zebraadm administration tool.
Refer to the /etc/sfw/zebra/README.Solaris file for configuration information and other details.
This feature is new in the Solaris Express 8/04 release.
IKE can now initiate IPsec security associations from behind a Network Address Translation (NAT) box. Only the ESP protocol over an IPv4 network is allowed. Additionally, IPsec security associations for traffic that traverses a NAT cannot be accelerated with the Solaris Crypto Accelerator 4000 board. IKE acceleration is unaffected.
For more information, see the ipseckey(1M) man page.
This feature is new in the Solaris Express 8/04 release and updated in the Solaris 10 3/05 release.
In NFS version 4, the nfsmapid daemon provides a mapping from a numeric user identification (UID) or a numeric group identification (GID) to a string representation, as well as the reverse. The string representation is used by the NFS version 4 protocol to represent owner or owner_group.
For example, the UID 123456 for the user, known_user, that is operating on a client that is named system.anydomain.com, would be mapped to known_user@anydomain.com. The NFS client sends the string representation, known_user@anydomain.com, to the NFS server. The NFS server maps the string representation, known_user@anydomain.com, to the unique UID 123456. nfsmapid uses the passwd and group entries in the /etc/nsswitch.conf file to determine which database will be consulted to perform the mappings.
For nfsmapid to work properly, clients and servers on NFS version 4 must have the same domain. To ensure that clients and servers have the same domain, nfsmapid configures the domain by following these strict precedence rules:
The daemon first checks the /etc/default/nfs file for a value that has been assigned to the NFSMAPID_DOMAIN keyword. If a value is found, the assigned value takes precedence over any other settings. The assigned value is appended to the outbound attribute strings and is compared against inbound attribute strings.
If no value has been assigned to NFSMAPID_DOMAIN, then the daemon checks for a domain name from a DNS TXT record on a DNS name server. To find a specific DNS record, nfsmapid relies on the resolv.conf(4) configuration file.
If no DNS TXT record provides a domain name, then by default the nfsmapid daemon uses the local DNS domain.
The use of DNS TXT records is preferred. Configure the _nfsv4idmapdomain TXT record on DNS servers that provide domains for NFS version 4 clients and servers. TXT records provide better support for scaling issues and provide a single point of control.
If your network includes multiple DNS domains, but has only a single UID and GID namespace, all clients must use one value for NFSMAPID_DOMAIN. For sites that use DNS, nfsmapid resolves this issue by obtaining the domain name from the value that you assigned to _nfsv4idmapdomain. If your network is not configured to use DNS, during the first system boot the Solaris OS uses the sysidconfig(1M) utility to provide prompts for an NFS version 4 domain name.
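The precedence rules above can be checked offline before a client and server disagree about their domain. The following shell sketch is an added example, not Solaris code and not part of the original page: the function names, the sample file contents, and the choice to read the local DNS domain from the "domain" line of resolv.conf are assumptions, and the TXT record value is passed in rather than looked up.

```shell
#!/bin/sh
# Added example, not Solaris code: models the nfsmapid domain precedence.
# All file contents below are constructed samples.

# nfs4_domain DEFAULTS_FILE TXT_VALUE RESOLV_FILE
# Prints "source:domain" for the rule that decides the NFSv4 domain.
nfs4_domain() {
    nd_defaults=$1; nd_txt=$2; nd_resolv=$3

    # Rule 1: an uncommented NFSMAPID_DOMAIN= line overrides everything else.
    nd_val=$(sed -n 's/^NFSMAPID_DOMAIN=//p' "$nd_defaults" | tail -n 1)
    if [ -n "$nd_val" ]; then echo "default-file:$nd_val"; return 0; fi

    # Rule 2: the _nfsv4idmapdomain TXT record, passed in by the caller
    # (an empty string means DNS returned no such record).
    if [ -n "$nd_txt" ]; then echo "dns-txt:$nd_txt"; return 0; fi

    # Rule 3: the local DNS domain. Assumption of this example: it is taken
    # from the "domain" line of the resolv.conf copy.
    nd_val=$(awk '$1 == "domain" { print $2; exit }' "$nd_resolv")
    if [ -n "$nd_val" ]; then echo "local-dns:$nd_val"; return 0; fi

    echo "unresolved:"
}

# domains_agree RESULT_A RESULT_B: succeeds when both hosts end up with the
# same domain, whichever rule produced it.
domains_agree() {
    [ "${1#*:}" = "${2#*:}" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Client: keyword left commented out, so DNS decides.
printf '%s\n' '#NFSMAPID_DOMAIN=domain' > "$demo_dir/client.nfs"
printf '%s\n' 'domain eng.example.com' 'nameserver 192.0.2.53' \
    > "$demo_dir/client.resolv"

# Server: a local override in /etc/default/nfs that was never removed.
printf '%s\n' 'NFSMAPID_DOMAIN=lab.example.com' > "$demo_dir/server.nfs"
cp "$demo_dir/client.resolv" "$demo_dir/server.resolv"

txt='example.com'   # constructed TXT record value visible to both hosts
client=$(nfs4_domain "$demo_dir/client.nfs" "$txt" "$demo_dir/client.resolv")
server=$(nfs4_domain "$demo_dir/server.nfs" "$txt" "$demo_dir/server.resolv")
echo "client -> $client"
echo "server -> $server"
if domains_agree "$client" "$server"; then
    echo "OK: both sides use the same NFSv4 domain"
else
    echo "MISMATCH: nfsmapid needs the same domain on both hosts"
fi
```

The constructed server shows the case worth auditing for: a forgotten NFSMAPID_DOMAIN assignment silently wins over the TXT record that every other host follows.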
For more information, see the nfsmapid(1M) and sysidtool(1M) man pages. See also the System Administration Guide: Network Services.
Introduced in the Solaris Express 8/04 release, sendmail version 8.13 is the default in the Solaris 10 OS. Although this new version of sendmail provides many new features, the FallBackSmartHost option is the most significant addition.
Because of the FallBackSmartHost option you no longer need to use main.cf and subsidiary.cf. The main.cf file was used in environments that supported MX records. The subsidiary.cf file was used in environments without a fully operative DNS. In such environments a smart host was used instead of MX records.
The FallBackSmartHost option provides unified configuration. This option operates like an MX record of last possible preference for all environments. To ensure that mail gets delivered to clients, this option, if enabled, provides a well-connected, or “smart,” host that serves as a backup or failover for MX records that fail.
sendmail Version 8.13 also provides the following:
Additional command-line options
Additional and revised configuration file options
Additional and revised FEATURE declarations
For more information, see the System Administration Guide: Network Services.
This feature is new in the Solaris Express 9/03 release.
In the Solaris Express 8/04 release, sendmail version 8.13 is the default. See sendmail Version 8.13.
TCP wrappers provide a way of implementing access controls by checking the address of a host that is requesting a particular network service against an access control list. Requests are granted or denied, accordingly. Besides providing this access control mechanism, TCP wrappers also log host requests for network services, which is a useful monitoring function. Examples of network services that might be placed under access control include rlogind, telnetd, and ftpd.
In this Solaris release, version 8.12 of sendmail now enables the use of TCP wrappers. This check does not bypass other security measures. By enabling TCP wrappers in sendmail, a check has been added to validate the source of a network request before the request is granted. See the hosts_access(4) man page.
The Solaris 9 release added support for TCP wrappers in inetd(1M) and sshd(1M).
The Solaris Express 6/04 release introduced Sun Java System Message Queue 3.5 SP1 Platform Edition. This feature is included in the Solaris 10 3/05 release. This version replaces Sun Java System Message Queue (MQ) 3.0.1, which was previously introduced in the Software Express pilot program.
For Solaris 9 users, the Message Queue 3.0.1 is new for the SPARC platform in the Solaris 9 12/02 release. In the Solaris 9 8/03 release, this feature was available for the x86 platform.
Sun Java System Message Queue 3.5 SP1 Platform Edition is an affordable, standards-based, high-performance Messaging System that integrates disparate IT systems. This Message Queue (MQ) is Java Messaging Services (JMS) 1.1 compliant and supports web services messaging through JAXM (SOAP 1.1 with Attachments).
The new 3.5 release, as compared to the previous 3.0.1 release, includes the following new features:
C Messaging API – Native-to-the-wire C-API for connectivity to legacy C/C++ applications. TCP and SSL transports are supported.
Client Connection Failover – On loss of connection, client automatically reconnects to a different broker in the cluster.
Advanced Remote Monitoring Capabilities – JMS-based API enables monitoring of broker statistics, destination statistics, and VM statistics.
Support for Sun Cluster in Java Enterprise System – Sun Cluster Agent for MQ, available in the Java Enterprise System, uses a file-based datastore with high availability (HA) to provide HA functionality to MQ.
J2EE 1.4 compatibility – J2EE Connector Architecture 1.5 support enables MQ 3.5 to be connected to any J2EE 1.4 compliant Application Server through the MQ Resource Adapter.
Dynamic Message Flow Control – Flow control enables management of throughput and load in the System. Control options include Reject Oldest, Reject Newest, Reject Low Priority, and Flow Control.
Local Destinations and Cluster Delivery Policies – Policy configuration enables throughput optimization for message delivery to brokers in a cluster.
For new feature details, refer to the Sun Java System Message Queue Release Notes at http://docs.sun.com.
Sun Java System Application Server Platform Edition 8 is new in the Solaris Express 6/04 release. This feature is included in the Solaris 10 3/05 release.
Previously, Sun Java System Application Server 7 was new in the Software Express pilot program for SPARC platforms, and in the Solaris Express 9/03 release for x86 platforms. Sun Java System Application Server Platform Edition 8 replaces Edition 7 in the Solaris Express 6/04 release.
For Solaris 9 users, version 7 of the Application Server is new for SPARC platforms in the Solaris 9 12/02 release, and for x86 platforms in the Solaris 9 12/03 release.
Sun Java System Application Server Platform Edition 8 is the J2EE 1.4 compatible application container from Sun Microsystems that is designed for developers and departmental deployments.
This edition provides the following features:
J2EE 1.4 compatible – Supports the latest J2EE technology standards and ensures application portability.
Integrated support for JavaServer Faces – Enables developers to use the latest presentation layer technology, JavaServer™ Faces.
Administration GUI and Log Viewer – Provides improved display and search mechanism for the Log Viewer, thus enhancing administrator productivity.
Deploytool – A GUI-based tool supplements text editors, enabling developers to assemble J2EE components and deploy J2EE applications.
Improves Developer productivity – Improvements made specifically to increase developer productivity include a reduced process count, a reduced memory footprint, an increased server startup speed, and an increased deployment speed.
For important information about this product, see the Sun Java System Application Server product information at http://www.sun.com/software/. For new feature details, refer to the Sun Java System Application Server Platform Edition 8 Release Notes at http://docs.sun.com/.
This feature is new in the Solaris Express 6/04 release.
The cache file system, CacheFS™, is a generic, nonvolatile caching mechanism. CacheFS improves the performance of certain file systems by utilizing a small, fast local disk. You can improve the performance of the NFS environment by using CacheFS.
CacheFS works differently with different versions of NFS. For example, if both the client and the back file system are running NFS version 2 or version 3, the files are cached in the front file system for access by the client. However, if both the client and the server are running NFS version 4, the functionality is as follows. When the client makes the initial request to access a file from a CacheFS file system, the request bypasses the front (or cached) file system and goes directly to the back file system. With NFS version 4, files are no longer cached in a front file system. All file access is provided by the back file system. Also, because no files are being cached in the front file system, CacheFS-specific mount options, which are meant to affect the front file system, are ignored. CacheFS-specific mount options do not apply to the back file system.
The first time you configure your system for NFS version 4, a warning appears on the console to indicate that caching is no longer performed.
For further information about NFS version 4, see System Administration Guide: Network Services.
This feature is new in the Solaris Express 5/04 release.
The vacation utility has been enhanced to enable a user to specify which incoming messages receive autogenerated replies. With this enhancement, the user can avoid sharing confidential or contact information with unknown people. Messages from “spammers” or unknown people would not receive a reply.
This enhancement works by matching an incoming sender's email address to a list of domains or email addresses in a .vacation.filter file. This file is created by the user and is located in the user's home directory. If a domain or address match is found, a reply is sent. If no match is found, no reply is sent.
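The matching step can be modelled in a few lines of shell to preview which senders a given filter file would answer. This is an added example, not the vacation source and not part of the original page; it assumes that entries containing "@" are whole addresses, that other entries are domains which also cover their subdomains, that comparison ignores case, and that "#" starts a comment. The function name and sample entries are constructed.

```shell
#!/bin/sh
# Added example, not the vacation(1) source. Assumed rules: entries with "@"
# are whole addresses, other entries are domains that also cover their
# subdomains, comparison ignores case, "#" starts a comment line.

# would_reply SENDER FILTER_FILE: status 0 when the sender matches an entry.
would_reply() {
    wr_sender=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    wr_domain=${wr_sender##*@}
    while IFS= read -r wr_line || [ -n "$wr_line" ]; do
        wr_entry=$(printf '%s' "$wr_line" | tr 'A-Z' 'a-z' | tr -d ' \t\r')
        case $wr_entry in
            ''|'#'*) ;;    # blank line or comment
            *@*) if [ "$wr_sender" = "$wr_entry" ]; then return 0; fi ;;
            *)   # Match only on a label boundary, so an entry for
                 # example.com does not let notexample.com through.
                 case $wr_domain in
                     "$wr_entry"|*."$wr_entry") return 0 ;;
                 esac ;;
        esac
    done < "$2"
    return 1
}

# Constructed sample of a user's ~/.vacation.filter file.
filter_file=$(mktemp)
trap 'rm -f "$filter_file"' EXIT
printf '%s\n' '# colleagues and one outside contact' \
    'example.com' 'partner@example.net' > "$filter_file"

# Constructed sender addresses to preview.
for sender in alice@example.com bob@mail.example.com PARTNER@Example.NET \
              promo@notexample.com stranger@example.net; do
    if would_reply "$sender" "$filter_file"; then
        echo "reply     $sender"
    else
        echo "no reply  $sender"
    fi
done
```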
For more details, see the vacation(1) man page.
This feature is new in the Solaris Express 4/04 release.
MILTER, sendmail's new mail filter API, permits third-party programs to access mail messages as they are being processed in order to filter meta-information and content. This functionality, introduced in the Solaris 10 3/05 release, requires the following:
The sendmail binary must be compiled with -DMILTER, which has been available since the Solaris 9 release.
The file /usr/lib/libmilter.so, which is in the Solaris 10 OS, must be available.
These files, /usr/include/libmilter/mfapi.h and /usr/include/libmilter/mfdef.h, must be available.
Both these files are included in the Solaris 10 OS.
Thus, with the Solaris 10 3/05 release, the user can build the filter and configure sendmail to use it.
For further information about sendmail, see System Administration Guide: Network Services.
This feature is new in the Solaris Express 1/04 release.
The IPv6 Advanced Sockets API updates the Solaris Sockets API to meet the current version of RFC 2292. The advanced API provides the functionality needed to manipulate ICMP packets, obtain interface information, and manipulate IPv6 headers.
For further information, see the Programming Interfaces Guide.
This feature is new in the Solaris Express 1/04 release.
The contents of the /usr/lib/mail directory, which might be in a read-only file system, are now in the /etc/mail/cf directory, which is writable. This change better supports m4 configuration. Note, however, these exceptions. The shell scripts /usr/lib/mail/sh/check-hostname and /usr/lib/mail/sh/check-permissions are now in the /usr/sbin directory. For backward compatibility, symbolic links point to each file's new location.
For further information, see the System Administration Guide: Network Services.
This feature is new in the Solaris Express 11/03 release.
Several new IPv6 functions are started when you select Enable IPv6 during Solaris installation.
The /etc/nsswitch.conf file policies for the hosts database and ipnodes repositories are synchronized so that the same naming repositories are searched for ipnodes and hosts. Now, hosts can resolve any IPv6 addresses that might be in any of the ipnodes repositories.
Destination address selection has been modified to avoid using an IPv6 address for a remote host if no IPv6 routes serve that host. Instead, an IPv4 address is used, to avoid any delays when connecting to remote hosts.
For example, consider the case of an IPv6-enabled host on a network with no IPv6 router. Without the presence of a router, a host has no knowledge of IPv6 routes beyond the local link. Previously, the host experienced timeouts when trying to connect to a preferred IPv6 address. With the new feature for destination address selection, the host prefers an IPv4 destination address. This feature eliminates time-out problems.
For further information, see the System Administration Guide: IP Services.
This feature is new in the Solaris Express 11/03 release.
By default, the interface ID of an IPv6 address is autoconfigured with the interface's hardware-specific address. For example, if the interface is an Ethernet card, its interface ID is autoconfigured from the interface's MAC address. However, some system administrators might need to keep private the hardware-specific addresses of one or more interfaces on a node.
The IPv6 Temporary Addresses feature implements the privacy extensions standard that is defined in RFC 3041, “Privacy Extensions for Stateless Autoconfiguration in IPv6.” The temporary address feature enables administrators to assign randomly generated, modified EUI-64 format interface IDs to interfaces of an IPv6 node. In addition, the administrators can specify a time limit for the lifetime of a temporary address. After configuration, the IPv6 daemon in.ndpd automatically generates the temporary interface ID for the interface, in addition to the automatically generated, MAC address-based interface ID.
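To see why the default interface ID exposes the hardware address, the modified EUI-64 derivation and its inverse fit in a short shell script. This is an added example, not Solaris code and not part of the original page; the function names, the MAC address, and the random interface ID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Solaris code. Sample values are constructed.

# mac_to_iid MAC: the default, MAC-derived interface ID (modified EUI-64).
# Accepts octets without leading zeros, as ifconfig prints them (0:0:5e:...).
mac_to_iid() {
    mi_old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$mi_old_ifs
    [ $# -eq 6 ] || return 1
    # Flip the universal/local bit of the first octet, then insert ff:fe
    # between the vendor half and the device half of the MAC.
    printf '%02x%02x:%02xff:fe%02x:%02x%02x\n' \
        $((0x$1 ^ 2)) $((0x$2)) $((0x$3)) $((0x$4)) $((0x$5)) $((0x$6))
}

# iid_to_mac IID: the hardware address that can be read back out of a
# MAC-derived interface ID. Returns status 1 when the ff:fe marker is
# absent, which is the normal case for a randomly generated temporary ID.
iid_to_mac() {
    im_old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$im_old_ifs
    [ $# -eq 4 ] || return 1
    # Pad each 16-bit group to four hex digits, giving 16 digits in total.
    im_hex=$(printf '%04x%04x%04x%04x' $((0x$1)) $((0x$2)) $((0x$3)) $((0x$4)))
    # Split around the ff:fe marker; no output means no marker was found.
    set -- $(printf '%s\n' "$im_hex" |
        sed -n 's/^\(..\)\(..\)\(..\)fffe\(..\)\(..\)\(..\)$/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || return 1
    # Undo the universal/local bit flip on the first octet.
    printf '%02x:%s:%s:%s:%s:%s\n' $((0x$1 ^ 2)) "$2" "$3" "$4" "$5" "$6"
}

mac='0:0:5e:0:53:1'          # constructed MAC address
iid=$(mac_to_iid "$mac")
echo "MAC-derived interface ID: $iid"
echo "MAC read back from it:    $(iid_to_mac "$iid")"

temp='6c1a:93e4:b7f:d2a9'    # constructed random (temporary) interface ID
if iid_to_mac "$temp" >/dev/null; then
    echo "$temp exposes a hardware address"
else
    echo "$temp carries no ff:fe marker, so no MAC can be read from it"
fi
```

Running iid_to_mac over the interface IDs a host actually uses is a quick way to confirm which interfaces still advertise their hardware address after temporary addresses are configured.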
For further information, see the System Administration Guide: IP Services.
This feature is new in the Solaris Express 9/03 release.
The new routeadm command enables system administrators to configure IP forwarding and routing on all interfaces of a system. Any settings that are established through routeadm override system defaults that are read from configuration files at boot time.
The routeadm command provides options for enabling or disabling the global packet-forwarding function on all IPv4 or IPv6 interfaces of a system. routeadm can also be used to set up a system as a router, by turning on routing daemons for all system interfaces. In an IPv6 environment, routeadm can also be used to enable or disable dynamic routing for a host.
For further information, see the routeadm(1M) man page and the System Administration Guide: IP Services.
Multidata transmit (MDT) is available only for systems that run a 64-bit kernel. This feature is new in the Software Express pilot program and in Solaris 9 8/03 release. This feature is included in the Solaris 10 3/05 release.
Multidata transmit enables the network stack to send more than one packet at one time to the network device driver during transmission. Use of this feature reduces the per-packet processing costs by improving the host CPU utilization or network throughput.
The MDT feature is only effective for device drivers that support this feature.
MDT is enabled by default. MDT can be disabled by including the following line in the /etc/system file:
# ndd -set /dev/ip ip_multidata_outbound 0
For further information, see the ip(7P) and the ndd(1M) man pages.
See also the STREAMS Programming Guide.
This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.
The new router option of ifconfig allows you to configure IP packet forwarding on individual interfaces. ifconfig router and ifconfig -router enable or disable IP packet forwarding, respectively, for both IPv4 and IPv6 interfaces. The router option sets the IFF_ROUTER interface flag.
These new options replace the ndd variables interface-name:ip_forwarding and interface-name:ip6_forwarding for configuring IP packet forwarding on individual interfaces. Though now obsolete, the ndd variables remain in this Solaris release for backward compatibility. You can still use ip_forwarding and ip6_forwarding without the interface-name prefix to configure IP forwarding for all interfaces on a system.
For detailed information, refer to the ifconfig(1M), ip(7P), and ip6(7P) man pages.
This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.
The Solaris 10 Operating System provides a documented and deterministic algorithm for doing IPv6 default source and destination address selection. This feature gives system administrators the limited ability to change address selection precedence through use of a policy table.
The IPv6 default address selection feature is a standardized method for IPv6 source and destination address selection.
The selection mechanisms can be configured by using a policy table. For example, you can edit the policy table to give higher precedence to a particular address prefix. Thereafter, addresses that are within the prefix are sorted before other addresses by name look-up APIs. You can also assign labels to source and destination prefixes in the policy table. This assignment makes sure that particular source addresses are only used with particular destination addresses.
To implement IPv6 default address selection, the Solaris Operating System now includes the /etc/inet/ipaddrsel.conf file and the /usr/sbin/ipaddrsel command. You use ipaddrsel.conf to edit the IPv6 default address policy table. Then you use ipaddrsel to commit the changes to the policy table.
Additionally, the ifconfig command now includes the “preferred” option. This option lets you designate a particular address to be used as the source address for all IPv6 communication.
For detailed information, refer to the ipaddrsel.conf(4), ipaddrsel(1M), and the ifconfig(1M) man pages.
For further information, see the System Administration Guide: IP Services.
This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.
The following NFS daemons are typically started by default at boot time by the rc scripts: nfsd, mountd, statd, lockd, and the automount daemon, automountd. Now, if a machine does not require NFS and automount services, the scripts do not start the NFS daemons and the automount daemon.
The following describes the new behavior:
The automount utility, which is called by /etc/init.d/autofs, now starts automountd at boot time only if the automount maps have a valid entry.
/etc/init.d/nfs.server starts mountd, nfsd, statd, and lockd at boot time only if the machine has any NFS exports.
/etc/init.d/nfs.client starts statd and lockd only if /etc/vfstab includes NFS file systems.
NFS and automount services might not be started at boot time. The following commands can start these services when required by a machine:
The automount utility can start the automountd daemon.
The mount command with the -F nfs option can start the lockd and statd daemons. The automountd daemon also can start lockd and statd.
The share command with the -F nfs option can start the nfsd, mountd, lockd, and statd daemons.
This mechanism for disabling NFS and automount services provides the following benefits:
Extra security that comes from not running unnecessary daemons on a machine.
A simplified process for exporting file systems. The nfsd and mountd daemons, and, if necessary, lockd and statd, are started by the share command with the -F nfs option. So, you no longer have to edit the /etc/dfs/dfstab file and then invoke the /etc/init.d/nfs.server program. This new behavior permits an NFS export to be configured with a single command, without editing any configuration files. However, if the system reboots, such exports are not resumed automatically, unless the exports are included in the /etc/dfs/dfstab file.
For more information, refer to the man pages for mountd(1M), lockd(1M), statd(1M), and nfsd(1M).
For further information, see also the System Administration Guide: Network Services.
This feature is new in the Software Express pilot program and in the Solaris 9 4/03 release. This feature is included in the Solaris 10 3/05 release.
IPv6 networks can now transfer packets over Internet Protocol Version 4 (IPv4) networks by configuring one or more routers to support a 6to4 tunnel. System administrators can use 6to4 tunnels as a transitional method for migrating their networks from IPv4 to IPv6. This feature implements RFCs 3056 and 3068.
For further information on IPv6, see the System Administration Guide: IP Services.
This feature is new in the Software Express pilot program and in the Solaris 9 9/02 release. This feature is included in the Solaris 10 3/05 release.
This feature enables tunneling over IPv6 for both IPv4 over IPv6 tunnels and IPv6 over IPv6 tunnels. IPv4 packets or IPv6 packets can be encapsulated in IPv6 packets.
For further information, see the System Administration Guide: IP Services.
This feature is new in the Software Express pilot program and in the Solaris 9 12/02 release. This feature is included in the Solaris 10 3/05 release.
The Solaris Network Cache and Accelerator (NCA) kernel module now supports multiple instances of a web server. This support enables you to use a Solaris machine to perform Internet protocol (IP) address-based virtual web hosting. The Solaris software uses a single configuration file, /etc/nca/ncaport.conf, to map NCA sockets to IP addresses.
For further information, see the ncaport.conf(4) man page.
This feature is new in the Software Express pilot program and in the Solaris 9 9/02 release. This feature is included in the Solaris 10 3/05 release.
IP Quality of Service (IPQoS) is a new feature in the Solaris Operating System. IPQoS enables system administrators to provide different levels of network service to customers and to critical applications. By using IPQoS, the administrator can set up service-level agreements. These agreements provide an Internet service provider's (ISP) clients with varying levels of service that are based on a price structure. A company could also use IPQoS to prioritize among applications so that critical applications get a higher quality of service than less critical applications.
For further information, see the System Administration Guide: IP Services.
This feature is new in the Software Express pilot program and in the Solaris 9 8/03 release. This feature is included in the Solaris 10 3/05 release.
The Solaris IPQoS feature now includes the user selector, which supplements the existing uid selector. The user selector enables you to specify a user name or userID as criteria in a filter clause in the ipqosconf file. Previously, the uid selector only accepted a userID as a value. The following filter clause from an ipqosconf file shows the user selector:
filter { name myhost; user root; }
For information about filters and selectors, refer to the ipqosconf(1M) man page.
See also the System Administration Guide: IP Services.
This feature is new in the Software Express pilot program and in the Solaris 9 9/02 release. This feature is included in the Solaris 10 3/05 release.
Solaris system software now supports Routing Information Protocol version 2 (RIPv2).
RIPv2 adds Classless Inter-Domain Routing (CIDR) and Variable-Length Subnet Mask (VLSM) extensions to the RIPv1 protocol. Message Digest 5 (MD5) extensions protect routers against intentional misdirection by malicious users. The new in.routed implementation also includes a built-in Internet Control Message Protocol (ICMP) Router Discovery (RFC 1256) mechanism.
RIPv2 supports multicast if the point-to-point links are enabled with multicast. RIPv2 also supports unicast. If you configure a broadcast address by using the /etc/gateways file, then RIPv2 supports broadcast.
For information on how to configure RIPv2, see the in.rdisc(1M), in.routed(1M), and gateways(4) man pages.