Professional Documents
Culture Documents
DOC-0817-00
Product names mentioned in the LynxOS Networking Guide are trademarks of their respective manufacturers and are
used here for identification purposes only.
All rights reserved. No part of the LynxOS Networking Guide may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photographic, magnetic, or otherwise, without the
prior written permission of LynuxWorks, Inc.
LynuxWorks, Inc. makes no representations, express or implied, with respect to this documentation or the software it
describes, including (with no limitation) any implied warranties of utility or fitness for any particular purpose; all such
warranties are expressly disclaimed. Neither LynuxWorks, Inc., nor its distributors, nor its dealers shall be liable for any
indirect, incidental, or consequential damages under any circumstances.
(The exclusion of implied warranties may not apply in all cases under some statutes, and thus the above exclusion may
not apply. This warranty provides the purchaser with specific legal rights. There may be other purchaser rights which
vary from state to state within the United States of America.)
Contents
• Online information
The complete LynxOS documentation set is available on the
Documentation CD-ROM. Books are provided in both HTML and PDF
formats.
Updates to these documents are available online at the LynuxWorks
website: http://www.lynuxworks.com.
Additional information about commands and utilities is provided online
with the man command. For example, to find information about the GNU
gcc compiler, use the following syntax:
man gcc
Typographical Conventions
The typefaces used in this manual, summarized below, emphasize important
concepts. All references to filenames and commands are case-sensitive and should
be typed accurately.
Body text; italicized for emphasis, new Refer to the LynxOS User’s Guide.
terms, and book titles
Special Notes
The following notations highlight any key points and cautionary notes that may
appear in this manual.
CAUTION! Used for situations that present minor hazards that may interfere with
or threaten equipment/performance.
Technical Support
LynuxWorks Support handles support requests from current support subscribers.
For questions regarding LynuxWorks products or evaluation CDs, or to become a
support subscriber, our knowledgeable sales staff will be pleased to help you
(http://www.lynuxworks.com/corporate/contact/sales.php3).
By E-mail:
By Phone:
By Fax:
rc.network
To configure a network interface, remove the comment character at the beginning
of the corresponing ifconfig entry or add a new entry for a network interface.
Then supply the appropriate hostname and IP address.
To use a network interface driver not supplied with LynxOS, insert an ifconfig
entry into rc.config to specify the device driver filename, hostname, and IP
address.
Use rc.network also to enable or disable network services, such as NFS.
Component Definition
Component Definition
For more information on these components, see the appropriate man pages.
The next sections provide an overview of some of the most common TCP/IP
utilities. These sections introduce basics of common TCP/IP utilities such as the
ping command, remote computer access (telnet, rlogin), and file transfer
between computers (ftp).
$ ping 192.168.1.102
PING 192.168.1.102: 56 data bytes
64 bytes from 192.168.1.102: icmp_seq=0.time=10. ms
64 bytes from 192.168.1.102: icmp_seq=1.time=0. ms
64 bytes from 192.168.1.102: icmp_seq=2.time=0. ms
64 bytes from 192.168.1.102: icmp_seq=3.time=0. ms
^C
---- 192.168.1.102 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/2/10
$
The following figure shows the ping command testing TCP/IP configuration by
sending data packets to the hostname of a system.
$ ping shark
PING shark (192.168.1.101): 56 data bytes
64 bytes from 192.168.1.101: icmp_seq=0.time=10. ms
64 bytes from 192.168.1.101: icmp_seq=1.time=0. ms
64 bytes from 192.168.1.101: icmp_seq=2.time=0. ms
64 bytes from 192.168.1.101: icmp_seq=3.time=0. ms
^C
----shark PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/2/10
$
Once the correct host setup is verified, every host on the network can use the ping
command on other members of the network as shown in the following figure.
$ ping orca
PING orca (192.168.1.102): 56 data bytes
64 bytes from 192.168.1.102: icmp_seq=0.time=10. ms
64 bytes from 192.168.1.102: icmp_seq=1.time=0. ms
64 bytes from 192.168.1.102: icmp_seq=2.time=0. ms
64 bytes from 192.168.1.102: icmp_seq=3.time=0. ms
^C
----orca PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/2/10
$
Troubleshooting ping
Problems related to testing TCP/IP configurations with ping sometimes occur
due to host lookup failures or problems in connectivity between the systems, not
necessarily with the TCP/IP configuration on the local system.
fish in the /etc/hosts file is not defined, the ping command fails as shown
in the following figure.
Because the hostname fish is not defined on the local system, ping returns a
hostname lookup failure. The /etc/hosts file provides a means of mapping IP
addresses to hostnames. In larger networks, however, a Domain Name Service
(DNS) server is typically used. The DNS server maintains a database of hostnames
and IP addresses. If a user pings a system that is not defined in a local
/etc/hosts file, the system then sends a request to a DNS server to translate the
hostname to the IP address.
A preferred method to test TCP/IP functionality is to first ping the IP address of a
system, then attempt to ping the hostname of a system. If the IP address of a host is
found, but the hostname lookup fails, TCP/IP is correctly configured, but the
hostname resolution needs to be corrected. To resolve the hostname lookup failure,
the correct IP address and hostname must be added to the /etc/hosts file.
The following table shows an example /etc/hosts configuration file:
#loopback address
127.0.0.1 localhost
#localhost address
192.168.1.103 stingray
In this example, the localhost entry is called a “loopback” address and is used to
point to the local system. An entry also exists for the IP address and hostname of
the local system. Any other IP address and hostname definitions point to other
systems on the network.
domain domain1.com
search domain1.com
search domain2.com
nameserver 192.168.1.254
nameserver 192.168.1.253
In this example, the domain definition provides the domain of the local system. If
the hostname is stingray, for example, the fully qualified hostname would be
stingray.domain1.com.
The search definitions provide a means to resolve the fully qualified domain
name for hosts. For example, a system searching for the host fish first attempts
to resolve the fully qualified domain name to the first search entry or
fish.domain1.com by sending a request to the local DNS server. If no entry
exists in the DNS table for the system fish.domain1.com, the local system
resolves the fully qualified domain name to the second search entry in
resolv.conf, or fish.domain2.com. A second request is sent to the DNS
server for the IP address of fish.domain2.com. This process continues until a
valid host and domain is found or there are no more search paths. There is no limit
to the number of search paths that can be used in /etc/resolv.conf.
Using traceroute
To follow the route an IP packet takes to reach its destination, use the
traceroute utility. By sending simple UDP probe packets, traceroute
displays the names and response times of the different gateways a packet traverses
before reaching its destination. The traceroute syntax is as follows:
# traceroute <host>
where <host> is the hostname or IP address of the destination system. Additional
usage information is available in the traceroute man page.
telnet
The telnet utility allows users to log on to any type of computer that supports
TCP/IP. The computer can run any operating system, UNIX-compatible or not.
This utility allows a LynxOS user to access a system from anywhere on the
network.
telnet is invoked with the hostname of a remote computer, as shown in the
following figure.
LynxOS (shark)
jones@shark$
To access the system, users must supply a user name and password.
To terminate a telnet session, log out of the system with the exit command,
as shown in the following figure.
jones@shark$ exit
Connection closed by foreign host.
jones@orca$
rlogin
Users can use rlogin to remotely log on another computer similar to telnet.
Unlike telnet, rlogin requires the host computer to have a UNIX-compatible
operating system.
rlogin is invoked with the hostname of the remote computer, as shown in the
figure below:
jones@shark$
In the previous example, no user name is passed to rlogin. In this case, the user
name on the local machine is used to log on the remote machine (for example, user
jones on host shark logged on remote host orca as user jones).
If the user wants to log on to a system that does not have an identical user account,
the login argument -l followed by the desired user account must be added, as
shown in the following figure.
doc@shark$
Unlike telnet, the rlogin utility lets users take advantage of the information
in /etc/hosts.equiv and.rhosts files. Users on machines that are set up to
be considered local are not prompted for a password.
ssh
ssh is a secure program for logging on to a remote computer and for executing
commands on a remote computer. It is intended to replace rlogin and rsh, and
provides secure encrypted communications between two untrusted hosts over an
insecure network. ssh allows users to log on to any type of computer that
supports ssh.
Unlike telnet, rlogin, and ftp, which present passwords “in the clear” over a
nonsecure network, ssh encrypts userid and password interchange between two
computers and then encrypts the network traffic between the two computers. Both
the password exchange and the data passing between the two computers is
encrypted with strong encryption.
The user can log in as a different user by using the -l option. For example,
The user can use ssh to execute a command on a remote computer and display
the results on the local host. For example,
davis@shark$
Starting ftp
In its simplest invocation, ftp is called with the hostname of the remote machine.
ftp prompts for a user login and password. A password must be provided to
access user accounts.
In the following figure user davis on host orca connects to host shark and
logs on as user jones.
NOTE: By default, the ftp transfer program operates in an ASCII text mode. Set
the transfer mode to binary by entering binary at the ftp prompt.
Command Description
tftp does not require client authentication, which may pose a security risk for
some systems. LynxOS supports two tftp transfer methods: Simple and Secure.
• Simple: The client can access the entire file system. This is a simpler
configuration, but it presents a larger security hole (anyone can access the
password file). In Simple mode, only files open to the public can be read.
For the tftp secure mode, update the above line as follows:
tftp dgram udp wait root /net/tftpd tftpd -s /tftpboot
Like rcp, scp can be used to copy files to or from a host, or transfer files
between two remote hosts.
In the following example, file /etc/hosts is copied from host orca to host
shark:
jones@shark$ scp orca:/etc/hosts /tmp
The user will be prompted for his or her password. Upon successful completion of
the login process, an encrypted session will be set up between the local machine
and remote machine and the file will be copied to host shark.
• /etc/hosts
• /etc/resolv.conf
/etc/host.conf is the first file that is read, and it describes which services to
use and in what order.
The following figure shows an example of the /etc/host.conf file. It specifies
that /etc/hosts should be consulted first and then bind, if necessary. Refer to
the host.conf (5) man page for more information.
The /etc/hosts file lists the known hosts on the network. At a minimum, this
file should list the local system and the IP address and hostname of the local host.
For further details and examples of this file, see “The /etc/hosts File” on page 5.
The /etc/resolv.conf file provides the domain name for the local system,
domain search paths used when looking up hosts, and IP addresses for DNS
servers. For further details and examples of this file, refer to “The /etc/resolv.conf
file” on page 7.
NTP
Network Time Protocol (NTP) is a protocol built on top of TCP/IP that is used to
synchronize system clocks across a network and maintain the system time of day in
synchronization with Internet standard time servers.
NTP operates by exchanging messages with one or more time servers at designated
poll intervals. It compares timestamp information and calculates how much to
adjust the system clock to bring it into synchronization. It can provide an accuracy
of time down to a few milliseconds, although the real accuracy will also depend on
the operating system and network performance.
NTP servers are organized in a hierarchical client-server model with the top-level
hierarchy consisting of a few systems known as reference clocks. A reference
clock is known as stratum 0 and is typically a cesium clock or a Global
Positioning System (GPS) that receives time from satellites. Attached to these
machines are the next level of stratum 1 servers (that is, stratum 0 clients),
which are the top level time servers available to the Internet. Below these are the
servers in hierarchy levels stratum 2 down to stratum 16.
Every system gets synchronized with a server at the next higher stratum and finally
to the reference clocks with use UTC (Universal Time Coordinated, Temps
Universel Coordonné) as the reference time.
NPTD is a utility that sets the system clock and keeps it synchronized with a
network time server or works as the time server itself. There are two NTPD
daemons in LynxOS 5.0: openntpd (the OpenNTPD daemon) and xntpd.
openntpd has the lower requirements to the system memory and is more secure.
It also has a smaller choice of the features and rarely-needed capabilities than the
xntpd daemon. xntpd may be needed, if a program that is large, but powerful
and loaded with many features is required. Otherwise, it is better to use the
openntpd daemon.
Both daemons can slowly reduce the time difference between the client and the
NTP time server.
Also, the xntdp and openntpd daemons both try to adjust the clock in small
steps and will continue until the client gets the accurate time. In the case of too
large a time difference (more than a few seconds usually), however, xntpd prints
an error and exits, and the openntpd daemon just writes an error to a log file and
continues working without adjusting the time.
xntpd
When the xntpd daemon is started, it reads the configuration file
/etc/ntp.conf to determine synchronization sources and operating modes. It
also checks the drift file /etc/ntpd.drift that contains the latest estimate of
clock frequency error.
Once xntpd is up and running, it operates by exchanging packets that contain
time information as well as sanity checks with its time servers at poll intervals.
When a time server receives the packet, it will in turn store its own timestamp and
a transmit timestamp into the packet and send it back to the client (the system on
which ntpd is running). The client will in turn log its receipt time and estimate
the travelling time of the packet.
The packet exchange takes place until a NTP server is accepted as a
synchronization source, which takes about five minutes. If the delay between both
the server and client is big enough, the daemon will terminate and you will need to
adjust the time manually and start the daemon again.
ntpd is usually invoked without any options:
# xntpd
What follows is an example of the /etc/ntp.conf configuration file:
# Get the time from a remote server
server time.lnxw.com
# default drift file location
driftfile /etc/ntpd.drift
For more detailed information, see the ntpd and ntp.conf man pages.
openntpd
At start up, openntpd reads the configuration file /etc/ntpd.conf to
determine its synchronization sources and operating modes. It also reads the latest
estimate of clock frequency error from the drift file /var/db/ntpd.drift.
Once openntpd is up and running, it operates by exchanging packets that contain
time information as well as sanity checks with its time servers at poll intervals.
First, the client sends a request to the time server and also logs the request time.
When a time server receives the packet, it will in turn store its own receive
timestamp, reply timestamp into the packet and send it back to the client. The
client will in turn log its receipt time and estimate the local clock offset and
travelling time of the packet using the four time values.
OpenNTPD is usually invoked without any options:
# ntpd
What follows in an example of the $ENV_PREFIX/etc/ntpd.conf
configuration file:
# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)
For more detailed information, see the openntpd and openntpd.conf man
pages.
SNTP
Simple Network Time Protocol (SNTP) is a simplified version of the NTP
protocol. It uses the same structure as NTP, but due to simpler algorithms, it
provides a lower level of accuracy. It is often used on systems with limited
capacity.
Divert Sockets
divert provides a kernel packet diversion mechanism. Divert sockets are similar
to raw IP sockets except that they can be bound to a specific divert port with the
bind system call. A divert socket bound to a divert port receives all packets
diverted to that port.
Divert sockets are normally used in conjunction with packet filtering. By reading
from and writing to a divert port, matching packets can be passed through a filter as
they travel through host machine.
Then use the standard socket read / write calls to send / receive data.
Driver Defaults
The following table shows the default values within the driver information files.
These files are located in either $ENV_PREFIX/sys/devices or
$ENV_PREFIX/sys/devices<bsp_name>.
To change the defaults, edit the file, compile it, and install TCP/IP support again.
For more information, see “Enabling/Disabling TCP/IP Support” on page 1.
Table 1-3: Default Values within Driver Information Files
Additional Device Drivers may be included with the LynxOS ODE or BSP
packages. Refer to the driver file or man page for additional tunable information.
NOTE: On the x86, if RAMBase is changed, make sure that the selected RAM area
lies within the supported address range by the Ethernet card (ideally, within a
0xC0000 to 0xDFFFF range). Also, be sure to use BIOS-SETUP (where
applicable) to disable the “Adaptor ROM shadow” for the RAM address range
used by the Ethernet card.
NOTE: In the hbtcpip_info.c file, the checksum calculation for UDP packets
can be enabled/disabled by setting the udpcksum filed to 1 (enable) or 0
(disable). Disabling the checksum increases the throughput for UDP packets.
For specific information on adding device drivers to a LynxOS system, please refer
to the LynxOS User’s Guide.
Additional information on creating device drivers is available in Writing Device
Drivers for LynxOS.
IPFW
IPFW is a legacy kernel-based utility that provides an alternative way to manage
packet filtering and counting. Using a set of user-defined rules, IPFW controls
whether or not network packets are forwarded or blocked. These user-defined
rules, also called a firewall chain (or rule chain), can block or allow specific
requests from specific hosts.
The user utility ipfw(8) is used as an interface to the IPFW kernel component.
ipfw can be set up to monitor both incoming and outgoing connections.
Enabling IPFW
IPFW is enabled with sysctl:
# sysctl -w net.inet.ip.fw.enable=1
<address> Defines the IP address, mask, and (if required, port. Both From and To addresses can be
specified, as well as the interface used (eth0, for example):
from <address/mask>[<port>] to <address/mask>[<port>] \
[via <interface>]
setup—Matches if the packet is attempting to setup a TCP connection (syn bit set, ack
not set).
For example, to set up a rule to deny all incoming packets from the address
192.168.1.1 to the address 192.168.2.2 over TCP/IP, enter the following:
# ipfw add deny tcp from 192.168.1.1 to 192.168.2.2 in
To deny packets from the Ethernet port 1 to the telnet port (port 23) of 192.168.1.1,
the command is:
# ipfw add deny tcp from 192.168.1.1 to 192.168.2.2 23 \
via eth1
IPsec
IPsec is a security protocol in the IP layer that provides a secure means of
communications between two hosts. IPsec can create a tunnel between subnets
(tunnel mode) or provide security between two hosts directly (transport mode).
Hosts resolve the encryption keys and certification allowing for encrypted packets
to be exchanged. Security information can be exchanged manually or automated
with the racoon daemon. Only IPv4 is supported. IPv6 is not supported in this
version of LynxOS.
NOTE: The IPsec protocol for LynxOS is not included with the standard LynxOS
package. This components is available for purchase separately. For information on
this product, please contact your LynuxWorks sales representative.
IPsec policies are configured with the setkey(8) utility. See “Using setkey” on
page 29 for additional information.
Using setkey
The setkey utility, invoked with the -c option, reads commands from standard
input. Invoked with the -f option, setkey reads commands from a filename.
The syntax used with setkey is as follows:
# setkey -f <filename>
or:
# setkey -c
... <rules>
<Ctrl-C>
NOTE: If using IPsec behind a firewall, be sure to open any required ports required
by ESP. For UDP, for example:
# ipfw add pass esp from any to any
ipcomp—IP COMP.
<spi> Security Parameter Index (SPI) for the SAD and SPD. A decimal or hexadecimal number.
[<extension>] -m <mode>—Specifies a security protocol mode for use. <mode> is one of following:
transport, tunnel, or any. The default value is any.
The following commands and files provide an example of using setkey for
updating the SAD and SPD kernel tables. The following instructions must be
completed for both systems using IPsec.
1. Flush the current SAD and SPD:
# setkey -F
2. Create a file that contains the policies for SAD. In the example file below,
two hosts (192.168.0.1 and 192.168.0.2) are enabled to use the 3des-cbc
encryption algorithm using ESP. The first two lines enable the source and
destination addresses; the last line updates the SPD table
For Host A, use the following:
# IPv4 ESP
# local system: 192.168.0.1
# remote system: 192.168.0.2
# IPv4 ESP
# local system: 192.168.0.1
# remote system: 192.168.0.2
OpenSSH
OpenSSH (Open Secure Shell) is a set of computer programs that provide
encrypted communications over a computer network. It is an open version of the
SSH protocol suite of network connectivity tools and includes ssh, scp, sftp,
and sshd.
OpenSSH has two different sets of configuration files: one for client programs
(ssh, scp, and sftp) and one for the server daemon (sshd).
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile.ssh/authorized_keys
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
Some of the options for the sshd_config configuration file are described below:
• AllowUsers
This option allows you to restrict login to specified users. By default,
login is allowed for all users.
• Port
Specifies the port number that sshd listens on. The default is 22.
• PasswordAuthentication
Specifies whether password authentication is allowed. The default is
yes.
• HostKey
Specifies a file containing a private host key used by SSH. The default is
/etc/ssh/ssh_host_key for protocol version 1 and
/etc/ssh/ssh_host_dsa_key for protocol version 2.
• X11Forwarding
Specifies whether X11 forwarding is permitted. The argument must be
yes or no. The default is yes.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128cbc,
# arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Some of the options for the ssh_config configuration file are described below:
• Host *
The option Host restricts all forwarded declarations and options in the
configuration file to be only for those hosts that match one of the patterns
given after the keyword. The pattern * means for all hosts up to the next
Host keyword. With this option, you can set different declarations for
different hosts in the same ssh_config file.
• ForwardAgent no
The option ForwardAgent specifies which connection authentication
agent, if any, should be forwarded to the remote machine.
• UseRsh no
The option UseRsh specifies that rlogin/rsh services should be
used on this host. It must always be set to no because the rsh service
is insecure.
• IdentityFile ~/.ssh/identity
The recommended setting is to deny anything that is not explicitly allowed. This is
done by adding the following line to /etc/hosts.deny:
ALL:ALL
Then, explicitly list in the /etc/hosts.allow file all the hosts and domains that
are allowed access. For example:
ALL: send mail
ALL: lnxw.com, LOCAL.
This allows everyone to connect to sendmail, all hosts in the lnxw domain, as well
as all local traffic.
Introduction
DHCP enables individual clients on an IP network to receive network
configurations from a DHCP server. The DHCP server provides predefined
network configuration information dynamically, including client IP addresses,
name servers, and routers. DHCP reduces the amount of overhead in administering
a large IP network by freeing the system administrator from having to reconfigure
each system individually.
DHCP also enables the storage and distribution of network parameters for clients
and groups. Additionally, DHCP allows for recovery and reallocation of these
network addresses through a leasing mechanism. Client network configurations
expire after a designated period of time, after which the client system’s network
configuration is either renewed or reissued from the DHCP server. Another feature
of this protocol is that it can be routed. DHCP support consists of a server daemon,
client utility, a relay daemon, and a diagnostic utility and a set of configuration
database files. DHCP support requires TCP/IP.
Component Definition
Online Resources
Additional information on DHCP is available at the ISC web page:
http://www.isc.org
Installing DHCP
DHCP is included with the LynxOS base product and is installed by default.
Configuring DHCP is explained in the following sections.
dhcpd
The DHCP server daemon (dhcpd) serves DHCP client requests based on the
configuration file dhcpd.conf. The server also monitors the lease details of the
client IP addresses, facilitating the recovery and reallocation of IP addresses
through predefined lease agreements. Additionally, the server also services BOOTP
clients. The DHCP server maintains all current client configurations in the
dhcpd.leases file. For more information on dhcpd.leases, see
“dhcpd.leases” on page 43.
By default, dhcpd uses UDP port 67 to receive and UDP port 68 to send DHCP
information.
dhcpd.conf
The DHCP configuration file, dhcpd.conf, must be created by hand. This
configuration file sets specific network topologies and parameters the DHCP
server uses to assign IP addresses, name servers, and routers to clients. In addition
to a range of available IP addresses, dhcp.conf must provide the IP address
subnet mask and at least one router and name server on the network.
Network topology declarations include the shared-network and subnet
declarations. Dynamically assigned addresses must include the range declaration
with a subnet declaration. DHCP options are declared per subnet. lease
durations are expressed in seconds.
The following is an example of a dhcpd.conf file:
# shared-network
subnet 192.168.11.0 netmask 255.255.255.0 {
range 192.168.11.1 192.168.11.251;
option routers 192.168.11.254;
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.11.253;
# default lease time=30 Days
default-lease-time 2592000;
# max lease time=45 Days
max-lease-time 3888000;
}
NOTE: x86 systems that netboot LynxOS use RARP and TFTP. PXE-compatible
devices, however, must use DHCP.
NOTE: PPP server and client IP address allocation are not integrated with DHCP
and continue to work independently.
dhcpd.leases
dhcpd.leases is a generated file that contains lease expirations for client
network configurations. The DHCP server maintains up-to-date information on
client leases in this file. In the event of a system reboot, the DHCP server can
resume all current connections without having to reconfigure each client on the
network. This file should not be edited.
Relay Agents
Relay agents allow a DHCP server to configure systems on more than one network
segment. Relay agents forward DHCP requests from clients to the DHCP server,
allowing a single DHCP server to serve multiple clients in multiple network
segments. Using relay agents provides flexibility in configuring a DHCP network.
dhclient
The DHCP client (dhclient) sends requests to a DHCP server for network
configuration information. The primary information sought from the server is the
client IP address. The IP address is issued for a specific “lease” period, varying
Starting dhclient
Start the dhclient script by entering:
# dhclient
Overview
NFS is a suite of user programs and kernel functionality that allow access to a
remote host’s file systems as if they were local. All or part of a remote host’s file
system is mounted into the local host’s file system, allowing transparent access to
remote files by local users. Once mounted, any file on the remote file system is
accessible. Such files can be operated on by most utilities, functioning no
differently than a file located on the local disk.
When attempting to access a file in an NFS-mounted directory, the NFS client
sends a request to the NFS server on the remote system. The NFS server accepts
and manages these requests from the remote NFS client for access to the local disk.
The server enforces permissions and performs the actual manipulations to the local
disk.
LynxOS supports the NFSv2 protocol. NFS software is divided into two parts
• NFS server
• NFS client
When attempting to access a file in an NFS-mounted directory, the NFS client
sends a request to the NFS server on the remote system. The NFS server accepts
and manages these requests from the remote NFS client for access to the local disk.
The server performs the actual manipulations to the local disk.
To disable NFS server support, make sure that the line for NFS in config.tbl
reads as follows:
#I:nfssvc.cfg
To disable NFS support, make sure that the lines for NFS in the config.tbl file
read as follows:
I:nullnfs.cfg
#I:nfs.cfg
NFS Server
The first field is the directory that is to be exported. If no options are given, any
host may mount this directory and access the files for reading and writing.
Access to the directory may be given only to specific hosts. In the following
example, the directory /mydata is exported for access by hosts shark and
orca.
/mydata access=shark:orca
Permission to access an NFS-mounted directory as root must be explicitly
declared. An attempt by a remote system to write to an NFS-mounted directory as
root fails, even if the directory is mounted read/write. To allow the remote
system orca to have root access to the directory /mydata, the following line
should be added to /etc/exports:
/mydata root=orca
All directories are exported as read/write unless otherwise specified. The -ro flag
is used to export a directory as read-only to everyone. The -rw flag is used to
export a directory as read/write to specific users; all other users have read-only
access. In the following example, /mydata is exported read-only.
/mydata ro
To restrict the read/write access of /mydata to only the hosts shark and orca,
but allow read-only access to everyone else, the following entry would be added to
/etc/exports:
/mydata rw=shark:orca
Any of the previous examples may be grouped, giving multiple accesses:
/mydata access=shark:orca:fish,root=shark,rw=shark:orca
In the above example, access of the exported directory is limited to hosts shark,
orca, and fish. Only users with root access on shark have root access to the
exported directory, and only users on shark and orca have read/write
capabilities. Users on fish can access the files only in a read-only state.
Please note that no space is allowed in the option string. The portion after the space
is ignored should a space be present in an option string. In the example above, no
space is expected between the comma and "root".
NOTE: The /etc/exports file specifies the directories to be exported and the
corresponding access list.
Exporting/Unexporting Directories
To export or unexport directories, use the exportfs utility. exportfs -a is
used to export directories, and exportfs -ua is used to unexport directories.
Overview
Multicasting typically refers to IP Multicasting, which is a protocol for delivering
the same data to large numbers of clients on a TCP/IP network while minimizing
network traffic and bandwidth. It is different from unicasting which requires
sending a copy of the data from the sender to each recipient, as shown in the
following diagram.
In multicasting, the sender transmits the data only once, regardless of the number
of recipients. Whenever this stream of data traverses a multicast-enabled switch or
router, it is simply copied, but only to branches of the network where clients who
have requested the data are located. This dramatically reduces overall bandwidth
consumption, as illustrated in the following diagram.
Addressing
When a sender (host) initiates an IP multicast, it assigns to it an IP address in the
range 224.0.0.0 to 239.255.255.255. The assigned address will define a multicast
host group, and end users (other hosts) can tune in or out of the group at any time.
The receiving host translates the IP multicast address to its hardware Ethernet
(MAC) address in order to identify and receive a multicast. The following figure
shows the mapping between an IPv4 multicast address and an Ethernet multicast
address.
23 bits
copied
Address Description
Registration
Registration is a method for letting the network know that any given host wants to
be a part of a multicast group. Registration is accomplished using the Internet
Group Management Protocol (IGMP), which is described in the next section.
IGMP
IGMP allows an IPv4 host to report its multicast group membership to a
multicasting router. The following sections describe the host behavior of IGMP.
IGMP version 3
The new feature added to IGMPv3 is the support for source filtering, a feature that
allows a host to receive from a list of specific source nodes, or from all but specific
addresses, after joining a multicast group.
Socket options
All the behaviors are controllable through calls to setsockopt(). The following
table describes socket options.
Version
Option Name Datatypes Available Description
In
IP_ADD_MEMBERSHIP struct ip_mreq All Allows calling thread to join a
multicast group.
IP_DROP_MEMBERSHIP struct All Allows calling thread to leave a
ip_mgreq
multicast group.
IP_BLOCK_SOURCE struct New in IG Specifies an address from which
ip_mreq_source
MPV3 multicast group will not receive
(blacklist).
IP_UNBLOCK_SOURCE struct New in Reverses the effect of
ip_mreq_source
IGMPV3 IP_BLOCK_SOURCE.
IP_ADD_SOURCE_MEMBERSHIP struct New in Specifies an address from which
ip_mreq_source
IGMPV3 multicast group will receive
(whitelist).
IP_DROP_SOURCE_MEMBERSHIP struct New in Reverses the effect of
ip_mreq_source
IGMPV3 IP_DROP_SOURCE_MEMBERSHIP.
struct ip_mreq_source {
struct in_addr imr_multiaddr; /* IP address of group */
struct in_addr imr_sourceaddr; /* IP address of source */
struct in_addr imr_interface; /* IP address of interface */
};
Socket options that are prefixed with MCAST_ rather than IP_ serve the same
purpose, but they take different data structures as arguments:
Version
Option Name Datatypes Available Description
In
MCAST_JOIN_GROUP struct group_req New in Same as IP_ADD_MEMBERSHIP
IGMPV3
MCAST_DROP_GROUP struct group_req New in Same as
IGMPV3 IP_DROP_MEMBERSHIP
MCAST_BLOCK_SOURCE struct New in Same as IP_BLOCK_SOURCE
group_source_req
IGMPV3
MCAST_UNBLOCK_SOURCE struct New in Same as IP_UNBLOCK_SOURCE
group_source_req
IGMPV3
struct group_req {
uint32_t gr_interface; /* interface index */
struct sockaddr_storage gr_group; /* group address */
};
struct group_source_req {
uint32_t gsr_interface; /* interface index */
struct sockaddr_storage gsr_group; /* group address */
struct sockaddr_storage gsr_source; /* source address */
};
sysctl() variables
The following table shows the sysctl variables that control the behavior of IGMP
on the system.
Recommend to set to 0 if
connected to multicast router
that supports older version of
IGMP.
net.inet.igmp.somaxsrc Default is 64. No hard upper limit. Specifies the maximum
number of source addresses
per multicast group allowed
per opened socket.
net.inet.igmp.maxsrcfilter Default is 128. Must be larger than Specifies the maximum
net.inet.igmp.maxsrcfilter. number of source addresses
No hard upper limit. per multicast group the
kernel can keep.
netstat output
Users can use the network utility netstat to get a glimpse of the number of
IGMP packets received and sent on the system, as shown in the following figure.
The networking stack has a face-lift in the latest version of LynxOS: based on the
latest FreeBSD 4.11, which is known for its performance and stability, and the
KAME patch, which has a long history of providing extended network capabilities,
the new stack offers the latest networking technology without sacrificing the real-
time responsiveness.
Layer 2 (Ethernet)
This section describes the Traffic Management concepts at the Ethernet layer.
Bridging
A bridge is a Layer 2 device that connects two or more networks. Two bridged
network segments would appear to be one segment to the network nodes on either
segment.
An interface that has been bridged may or may not possess an IP address.
802.1 Standards
This version of LynxOS supports the following IEEE standards:
• 802.1D – MAC bridges.
• 802.1Q – VLAN support
Spanning Tree
With the spanning tree algorithm, bridges can discover dynamically a loop-free
topology so that any pair of connected LANs can reach each other. The spanning
tree protocol is supported in LynxOS, and the user can configure it using the utility
brconfig.
#
# adds 3 interfaces to bridge0
brconfig bridge0 add em0 add em1 add em2
#
# enable STP on each bridged interface
brconfig bridge0 stp em0 stp em1 stp 3m2
#
# bring up the bridge
brconfig bridge0 up
bridge0: flags=41<UP,RUNNING>
Configuration:
priority 32768 hellotime 2 fwddelay 15 maxage 20
Interfaces:
em0 flags=7<LEARNING,DISCOVER, STP>
port 6 priority 128 path cost 55 disabled
em1 flags=7<LEARNING,DISCOVER, STP>
port 7 priority 128 path cost 55 disabled
em0 flags=7<LEARNING,DISCOVER, STP>
port 8 priority 128 path cost 55 disabled
Address cache (max cache: 100, timeout: 300):
<time_to_live> is the number of seconds remaining until the entry expires (and
gets purged). If the entry is static (permanent), <time_to_live> is irrelevant.
If flag is 0, the entry is dynamic and will expire; if its value is 1, the entry is static
and permanent
• <flag> : 0x00—Dynamic address
• <flag> : 0x01—Static address
By default, learning is enabled on any bridged interface. To enable MAC-learning
on an interface explicitly, enter the following command:
> brconfig bridge0 learn em1
To disable MAC-learning on an interface, enter the following command:
> brconfig bridge0 –learn em1
To add a static entry 00:00:00:0a:0b:0c to the interface em0 of the bridge,
enter the following command:
> brconfig bridge0 static em0 0:0:0:a:b:c
To clean out all dynamically learned addresses of a bridge, enter the following
command:
> brconfig bridge0 flush
To clean out the forwarding cache of a bridge (dynamic and static), enter the
following command:
> brconfig bridge0 flushall
VLAN
Virtual Local Area Network (VLAN) is a way to segregate a network into
segments.
The following figure shows the layout of the 16-bit VLAN identifier.
Each VLAN device must be associated with a VLAN ID and a physical network
device (most probably an Ethernet interface) to be operational. By default the
number of virtual VLAN interfaces is 3 (tcpip/include/vlan.h)
For example:
fconfig vlan0 vlan 100 vlandev fxp0
ifconfig vlan1 vlan 200 vlandev fxp0
ifconfig vlan2 vlan 300 vlandev fxp0
fxp0 will be able to recieve traffic belonging to VLAN ID 100, 200 and 300. In
order to do this the following command should be performed:
$ ifconfig fxp0 172.17.0.19
$ ifconfig vlan0 vlan 100 vlandev fxp0
$ ifconfig vlan1 vlan 200 vlandev fxp0
$ ifconfig vlan2 vlan 300 vlandev fxp0
$ ifconfig vlan0 172.18.0.1
$ ifconfig vlan1 172.19.0.1
$ ifconfig vlan2 172.20.0.1
Optionally, the user may specify the priority bit and the CFI bit for a given VLAN.
$ ifconfig vlan0 vlan 100 vlandev fxp0 vlanpri 6 vlancfi 0
The following example shows how to disassociate a network interface from a
VLAN.
$ ifconfig vlan0 vlan 100 –vlandev fxp0
Layer 3 (IP)
One of the major features offered by the new stack is the support for Differentiated
Service Code Point (DSCP) of the Quality of Service (QoS) infrastructure.
Multiple queues are introduced to the network interface module of the network
stack to form a basis of QoS. A new utility daemon called altqd is introduced to
configure the queuing disciplines and associated parameters of the network
interfaces. Class-based queuing and random early drop, among other disciplines,
can be configured through altqd. altqd also gathers queuing-related statistics.
Users can classify packets into different priorities by source IP addresses and ports,
by destination IP addresses and ports, and by protocols.
The other aspect of QoS is the capability to shape traffic by the use of a rate-
limiter. The token bucket algorithm is used to realize a rate-limiter for any QoS-
enabled network interface. Parameters such as bucket size and token-refilling rate
can be tuned for various scenarios.
The QoS infrastructure is constructed with network driver compatibility in mind.
The existing network driver written for previous LynxOS release can be ported to
LynxOS 5.0 with minimal changes, attributed to the highly compatible set of
function interfaces to the kernel.
0 1 2 3 4 5 6 7
source address
destination address
IP QoS
LynxOS makes use of the ALTQ mechanism to implement IP QoS. The following
sections describe the theory of operations and details of configuration.
[The following is an adaptation of documentation accompanied by the KAME
project and FreeBSD.]
QoS concepts
Queuing Disciplines
A queuing discipline controls outgoing traffic by packet scheduling and/or queue
buffer management. CBQ is the most well engineered among the implemented
disciplines.
Token-bucket Regulator
A token-bucket regulator is used to control the behavior of a network device driver.
Most ALTQ users do not need to tune the token-bucket regulator, but if you want to
rate-limit the interface or minimize the delay, here is how to tune the token-bucket
regulator.
In order to separate the effect of a token-bucket regulator from that of a queuing
discipline, it is recommended to tune the token-bucket regulator first with FIFOQ
and then to use the resulting setting for other queuing disciplines.
The utility to tune token-bucket regulator is called tbrconfig.
The purpose of a token-bucket regulator is to limit the amount of packets that a
driver can dequeue. A token bucket has token rate and bucket size. Tokens
accumulate in a bucket at the average token rate up to the bucket size. A driver can
dequeue a packet as long as there are positive tokens, and after a packet is
dequeued, the size of the packet is subtracted from the tokens. Note that this
implementation allows the token to be negative as a deficit in order to make a
decision without prior knowledge of the packet size. It differs from a typical token
bucket that compares the packet size with the remaining tokens beforehand.
The bucket size controls the amount of burst that can be dequeued at a time and
controls a greedy device trying dequeue packets as much as possible. This is the
primary purpose of the token-bucket regulator, and, thus, the token rate should be
set to the actual maximum transmission rate of the interface.
On the other hand, if the rate is set to a smaller value than the actual transmission
rate, the token bucket regulator becomes a shaper that limits the long-term output
rate. Another important point is that, when the rate is set to the actual transmission
rate or higher, transmission complete interrupts can trigger the next dequeue.
However, if the token rate is smaller than the actual transmission rate, the rate limit
would be still in effect at the time of transmission complete interrupt, and the rate
limiting falls back to the kernel timer to trigger the next dequeue. In order to
achieve the target rate under timer-driven rate limiting, the bucket size should be
increased to fill the timer interval.
Interface Rate-Limiting
The auto keyword is used to automatically calculate the required bucket size. In
the above example, 36.62 KB is selected. The following formula is used to
compute the bucket size:
bucket_size = desired_rate(in bps) / 8 /
kernel_timer_frequency;
The computed bucket size is conservative in the sense that it is large enough to be
able to satisfy the specified rate only by the kernel timer events. In many cases, one
half of the computed size is still able to achieve the rate.
To remove the installed token-bucket regulator, enter the following:
# tbrconfig -d em0
deleted token bucket regulator on fxp0
CBQ
Command class cbq if_name class_name parent [borrow] [pbandwidth percent] [red]
[default|control]
The interface command sets up the interface; one can specify the interface
bandwidth in bits per second.
The class command creates a class. Set the bandwidth of the class with 81
pbandwidth as the percent of the interface bandwidth.
Set borrow when the class can borrow bandwidth from its parent class. Set red
if you use random early detection (RED) dropper (good for TCP).
The filter command sets a packet filter to a class. A basic filter has the
following syntax (all fields are numeric):
NOTE: dst comes first. Use the value 0 if you don't care about the field.
Filter-Matching Rule
The CBQ (and HFSC/PRIQ) classifier performs filter matching for every packet.
The classifier goes through the filters starting from the last entry in the
configuration file, which means you have to list a more generic filter first in the
configuration file.
For example, two filters, one for all TCP and the other for HTTP, should be listed
in the following order:
If the order is reversed, all HTTP packets match TCP_class first. In other words,
the HTTP filter is a “subset” of the TCP filter. All packets matched by the HTTP
filter are matched by the TCP filter.
On the other hand, if two filters have different values in the same field, there’s no
packet to match both filters. Such two filters are “disjointed.” For example, a
packet has a single source port number and never matches both of the following
filters:
• One specifies src port, and the other specifies dst port.
The well-known ports are used by the system processes, and there must be no
packet with well known port numbers in both src and dst ports. As a consequence,
this special “intersection” must be handled differently. For example:
(95%)
def_class
1 #
2 # sample configuration file for 1Mbps link
3 #
4 interface sr0 bandwidth 1M cbq
5 class cbq sr0 root NULL pbandwidth 100
6 #
7 # meta classes
8 #
9 class cbq sr0 ctl_class root pbandwidth 4 control
10 class cbq sr0 def_class root borrow pbandwidth 95 default
11 #
12 class cbq sr0 bulk def_class borrow pbandwidth 30
13 class cbq sr0 misc def_class borrow pbandwidth 30
14 class cbq sr0 intr def_class borrow pbandwidth 30
15
16 #
17 # leaf classes
18 #
19
20 #
21 # bulk data classes
22 #
23 class cbq sr0 tcp bulk borrow pbandwidth 10 red
24 filter sr0 tcp 0 0 0 0 6# other tcp
25 class cbq sr0 ftp bulk borrow pbandwidth 10 red
26 filter sr0 ftp 0 0 0 20 6# ftp-data
27 filter sr0 ftp 0 20 0 0 6# ftp-data
28 class cbq sr0 http bulk borrow pbandwidth 10 red
29 filter sr0 http 0 0 0 80 6# http
30 filter sr0 http 0 80 0 0 6# http
31 #
32 # misc (udp) classes
33 #
34 class cbq sr0 udp misc borrow pbandwidth 10 red
35 filter sr0 udp 0 0 0 0 17# other udp
36 #
37 # interactive classes
38 #
39 class cbq sr0 dns intr borrow pbandwidth 10 red
40 filter sr0 dns 0 0 0 53 17
41 filter sr0 dns 0 0 0 53 6
42 class cbq sr0 telnet intr borrow pbandwidth 10 red
43 filter sr0 telnet 0 0 0 23 6# telnet
44 filter sr0 telnet 0 23 0 0 6# telnet
45 filter sr0 telnet 0 0 0 513 6# rlogin
46 filter sr0 telnet 0 513 0 0 6# rlogin
• Line 9: Create control class using keyword control. The system uses
the control class to send control packets (RSVP, ICMP, IGMP). This rule
is built-in and provided for backward compatibility. This feature will be
removed in the future.
If a control class is not defined by the time the default class is created, the
system will automatically create one with 2 percent bandwidth. The
bandwidth is taken out of the default class.
• Line 10: Create default class. If a packet doesn’t match the filters, the
packet is put into the default class.
• Line 12-14: Create 3 metaclasses as children of the default class. They
can borrow bandwidth from the default class.
• Line 23: Create a class for TCP as a child class of the bulk class.
Bandwidth can be borrowed from the parent. Also, this class uses RED
dropper.
• Line 24: Add a filter to the TCP class. This filter will match all TCP
packets (proto=6) and, thus, should be listed earlier than other filters for
packets using TCP.
Here are some TIPS for CBQ setting:
• Don't try to borrow too much.
For example, parent: 90 percent, child: 2 percent. The child should be
able to use up to 90 percent, but it may not work as you expect depending
other conditions involved.
• Keep the depth of the leaf classes equal from the root class.
• Setting high priority for a class won't help much, and high priority has
some side effect to borrowing mechanism. Don’t use priority unless
the link is less than 1 Mbps.
• CBQ has error margins of several percent against the REAL interface
speed.
• Use the altqstat tool to see the various statistics of a class.
Also, assigning more than 10 percent of the link bandwidth to each class is
recommended.
Setting high priority to an interactive class could improve the response time.
See also “Token-bucket Regulator” on page 66.
Limitations:
- Real traffic becomes bursty (try maxburst 2 or maxburst 1).
- Borrowing may not work very well.
See also “Token-bucket Regulator” on page 66.
CBQ Monitoring
The altqstat program reports the statistics and the internal state of the classes.
The following table shows a sample output for a class.
The following table describes the contents of the sample output file.
File Output priority: 1 depth: 0 offtime: 8664 [us] wrr_allot: 1016 bytes
Description Priority is 1, depth is 0 (it’s a leaf node), offtime is 8664 usec, and allotment
of weighted round robin is 1016B.
File Output nsPerByte: 2666 (3.00 Mbps), Measured: 8.22 [Mbps]
Description The bandwidth of the class is 3.00 Mbps; currently 8.22 Mbps is used.
File Output pkts: 9735, bytes: 13381264
Description Exceeded the assigned bandwidth 9662 times; overlimit actions were called
520 times
File Output borrows: 9142, delays: 520
Description Borrowed bandwidth from its ancestor 9142 times; suspended for rate-
control 520 times.
File Output drops: 2, drop_bytes: 3008
File Output AvgIdle: -125 [us], (maxidle: 1843 minidle: -125 [us])
Limitations of Borrowing
The borrowing mechanism is useful, but it has limitations:
1. A small class cannot borrow the entire bandwidth of its parent.
A class gets suspended when it is over limit. A smaller class has a longer
suspension period (off time). When borrowing is enabled, a child also
borrows the off time of the parent, but when the parent also gets over
limit, the child has to use its own off time to avoid overloading the
system. (Otherwise, all the classes use the minimum off time even under
a heavy load.)
As a result, a small class is not able to make full use of the bandwidth of
the parent.
2. Competing TCPs equally share the bandwidth even when their bandwidth
allocations are not equal.
When borrowing is enabled, the bandwidth allocation is enforced only
when the queues have enough backlog, but TCPs can reach the
equilibrium without creating backlog in the queues. In this case, the
bandwidth share is made by the TCP mechanism, not by CBQ.
If there are many TCP flows, TCP will not be able to reach the
equilibrium and the allocation will be done by CBQ.
3. UDP beats TCP when both are set to borrow from the same parent.
The situation is similar to Case 2. TCP backs off before the allocation is
enforced by CBQ. Again, if there are many flows, the situation will be
improved.
4. UDP is very bursty when borrowing is enabled.
As explained in Case 1, a child has to be suspended longer when the
parent gets over limit. This leads to the bursty behavior of UDP. On the
other hand, TCP adapts better to avoid overloading the parent.
m2
m2
m1
m1 = 0
d d
concave convex
A concave service curve provides a bounded burst similar to a token bucket. The
triangular area made by the first segment roughly corresponds to the depth of a
token bucket, and the slope bounds the peak rate. The difference is that the peak
rate of a token bucket is an upper bound of the sending rate and is often set to the
wire speed. On the other hand, HFSC guarantees the rate defined by the first
segment, and, thus, it cannot be the wire speed.
bytes
next
packet service curve
length
total
bytes
already time
sent vt for next packet
vt for previous packet
A service curve is updated every time a class becomes backlogged. The update
operation takes the minimum of:
1. The service curve used in the previous backlogged period
2. The original service curve starting at (current_time, total_bytes)
When a class has been idle long enough, the updated curve is equal to (2). On the
other hand, when the class has been using bandwidth much more than its share, the
updated curve is equal to (1). (1) and (2) can intersect when the class has been
using bandwidth a little less than its share. In this case, the updated curve could
have a different value of d. The operation is illustrated in the following two figures.
It might be easier to see it as a half-filled token bucket.
service curve
of +
previous period current time
+
current time
HFSC Scheduling
HFSC has two independent scheduling mechanisms.
• Real-time scheduling is used to guarantee the delay and the bandwidth
allocation at the same time.
• Hierarchical link-sharing is used to distribute the excess bandwidth
available.
When dequeuing a packet, HFSC always tries real-time scheduling first. If no
packet is eligible for real-time scheduling, link-sharing scheduling is performed.
HFSC does not use class hierarchy for real-time scheduling.
Hierarchical Link-sharing
In HFSC, only leaf classes have real packets, but vt of an intermediate class is also
maintained by summing up the total byte count used by its descendants. When
dequeuing a packet, HFSC’s hierarchical scheduler walks through the class
hierarchy from the root to a leaf class. At each level of the class hierarchy, the
scheduler selects a class with the smallest vt among its child classes. When the
scheduler reaches a leaf class, this leaf class is scheduled.
Note that the scheduler looks at only direct children at each level. Thus, the
bandwidth allocation is proportional to the service curve slopes among the sibling
classes, but is not proportional among classes with different parents. For example,
four leaf classes in the following figure will have the same bandwidth allocation,
although A, B and C, D have different slopes. In other words, the ratio among
siblings controls the bandwidth allocation, and absolute slope values do not matter.
(Similarly, vt values should be consistent only among sibling classes.)
A B C D
(10Mbps) (10Mbps) (1 Mbps) (1 Mbps)
Real-time scheduling
As opposed to link-sharing scheduling, single consistent time is used for real-time
scheduling. Each class keeps the cumulative byte count that is similar to the total
byte count, but only for packets scheduled by the real-time scheduling.
HFSC computes the eligible time and deadline for each class. The eligible time and
deadline are the x-projections of the head and tail of the next packet. A class
becomes eligible for real-time scheduling when the current time becomes greater
than the eligible time of the class. The real-time scheduler selects a class with the
smallest deadline among eligible classes.
bytes
service curve
next
packet
length
cumulative
bytes
already sent
time
eligible time deadline
In the original HFSC paper, a single service curve is used for both real-time
scheduling and link-sharing scheduling. LynuxWorks has extended HFSC to have
independent service curves for real-time and link-sharing.
Decoupling service curves allows the user to independently control the guaranteed
rate and the distribution of excess bandwidth. For example, it is possible to
guarantee the minimum bandwidth of 2 Mbps to two classes, but the excess
bandwidth is distributed with a different ratio.
It is also possible to set either of the service curves to be 0. When the real-time
service curve is 0, a class receives only excess bandwidth. When the link-sharing
service curve is 0, a class cannot receive excess bandwidth. Note that 0 link-
sharing makes the class nonwork-conserving.
Note that the link-sharing scheduling alone can guarantee the assigned bandwidth
as long as the real-time service curve is equal to or smaller than the link-sharing
service curve for all classes. But if the link-sharing service curve is smaller,
assigned link-sharing bandwidth may not be provided.
Notes on HFSC
Root class
The root class is automatically created by the interface command. Both service
curves are initialized with a linear curve of the interface speed.
Default class
One default (leaf) class is required for an interface.
Only leaf classes can have filters. Because of the hierarchical link-sharing
algorithm, only a leaf class can have packets. Thus, you will need to explicitly
create a leaf class to represent an intermediate class.
For example, in order to distribute the bandwidth of CMU to its departments,
create a leaf class other and attach a filter for CMU to this leaf class as shown in
the following figure.
CMU
CS EE other
Admission Control
The sum of the service curves of the children should be less than the service curve
of the parent. In particular, you have to be careful when assigning concave service
curves since the sum of the peak rates could be large.
Reserved Real-time Bandwidth
Many network cards are not able to saturate the wire, and if one allocates real-time
traffic more than the actual maximum transmission rate, all classes become eligible
and HFSC is no longer able to meet the delay bound requirements. Thus, 20
percent of the real-time bandwidth is reserved for safety. Link-sharing does not
have reserved bandwidth.
Specifying Service Curves in altq.conf
To specify the same service curve to both real-time and link-sharing, use:
[sc <m1> <d> <m2>]
To specify only the real-time service curve, use:
[rt <m1> <d> <m2>]
Sample configuration
#
# hfsc configuration for hierarchical sharing
#
interface pvc0 bandwidth 45M hfsc
#
# (10% of the bandwidth share goes to the default class)
class hfsc pvc0 def_class root pshare 10 default
#
# bandwidth share guaranteed rate
# CMU: 45% 15Mbps
# PITT: 45% 15Mbps
#
class hfsc pvc0 cmu root pshare 45 grate 15M
class hfsc pvc0 pitt root pshare 45 grate 15M
#
# CMU bandwidth share guaranteed rate
# CS: 20% 10Mbps
# other: 20% 5Mbps
#
class hfsc pvc0 cmu_other cmu pshare 20 grate 10M
filter pvc0 cmu_other 0 0 128.2.0.0 netmask 0xffff0000 0 0
class hfsc pvc0 cmu_cs cmu pshare 20 grate 5M
filter pvc0 cmu_cs 0 0 128.2.242.0 netmask 0xffffff00 0 0
#
# PITT bandwidth share guaranteed rate
# CS: 20% 10Mbps
# other: 20% 5Mbps
#
class hfsc pvc0 pitt_other pitt pshare 20 grate 10M
filter pvc0 pitt_other 0 0 136.142.0.0 netmask 0xffff0000 0 0
class hfsc pvc0 pitt_cs pitt pshare 20 grate 5M
filter pvc0 pitt_cs 0 0 136.142.79.0 netmask 0xffffff00 0 0
Diffserv
ALTQ supports the following:
• Traffic conditioning at ingress interfaces
CDNR (conditioner) supports
- Token-bucket meter
- 2-rate three-color marker
- Time-sliding window three-color marker
• Preferential scheduling at egress interface
Extension of RIO to support three drop precedence values
Combination of RIO and CBQ/HFSC/PRIQ to support multiple classes
You can build Assured Forwarding (AF) and Expedited Forwarding (EF) services
using ALTQ.
The following figure shows what ALTQ can do for diffserv.
diffserve network
Note that the performance of the AF and EF services depends on the method to
provide those services and the configuration of the network. ALTQ just provides
mechanisms in order to build services.
References
• RFC-2474, Definition of the Differentiated Services Field (DS Field) in
the IPv4 and IPv6 Headers
• RFC-2475, An Architecture for Differentiated Services
• RFC-2597, Assured Forwarding PHB Group
• RFC-2598, An Expedited Forwarding PHB
• RFC-2697, A Single Rate Three Color Marker
• RFC-2698, A Two Rate Three Color Marker
#
# null interface command
#
interface pvc1
#
# simple dropper
#
conditioner pvc1 dropper <drop>
filter pvc1 dropper 0 0 172.16.4.173 0 0
#
# simple marker to clear dscp
#
conditioner pvc1 clear_marker <mark 0x0>
filter pvc1 clear_marker 0 0 172.16.4.174 0 0
#
# EF style conditioner (a simple token bucket)
#
conditioner pvc1 ef_cdnr <tbmeter 6M 64K <pass><drop>>
filter pvc1 ef_cdnr 0 0 172.16.4.176 0 0
#
# AF style conditioners (trTCM)
#
conditioner pvc1 af1x_cdnr \
<trtcm 3M 32K 10M 64K <mark 0x28><mark 0x30><mark 0x38> colorblind>
filter pvc1 af1x_cdnr 0 0 172.16.4.177 0 0
#
# color-blind trTCM is equivalent to a dual tokenbucket meter
#
conditioner pvc1 dual_tb \
<tbmeter 10M 64K \
<tbmeter 3M 32K <mark 0x28><mark 0x30>><mark 0x38>>
filter pvc1 dual_tb 0 0 172.16.4.178 0 0
#
# output interface
#
interface pvc0 bandwidth 45M hfsc
class hfsc pvc0 def_class root pshare 10 default
#
# EF class
# real-time: 6Mbps
# link-sharing: 0%
#
class hfsc pvc0 ef_class root grate 6M
filter pvc0 ef_class 0 0 0 0 0 tos 0xb8 tosmask 0xfc
#
# AF classes
# real-time: 3Mbps
# link-sharing: 10% (4.5Mbps)
#
# rio threshold values
rio 40 50 10 20 30 10 5 15 10
#
class hfsc pvc0 af1x_class root grate 3M pshare 10 rio
class hfsc pvc0 af2x_class root grate 3M pshare 10 rio
class hfsc pvc0 af3x_class root grate 3M pshare 10 rio cleardscp
class hfsc pvc0 af4x_class root grate 3M pshare 10 rio
#
# output interface
#
interface pvc0 bandwidth 45M cbq
class cbq pvc0 root_class NULL pbandwidth 100
class cbq pvc0 def_class root_class borrow pbandwidth 86 default
#
# EF class
#
class cbq pvc0 ef_class root_class pbandwidth 14 priority 5
filter pvc0 ef_class 0 0 0 0 0 tos 0xb8 tosmask 0xfc
#
# AF classes
#
# rio threshold values
rio 40 50 10 20 30 10 5 15 10
#
class cbq pvc0 af1x_class def_class borrow pbandwidth 20 rio
class cbq pvc0 af2x_class def_class borrow pbandwidth 20 rio
class cbq pvc0 af3x_class def_class borrow pbandwidth 20 rio cleardscp
class cbq pvc0 af4x_class def_class borrow pbandwidth 20 rio
WFQ
Weighted Fair Queuing (WFQ) is implemented as a sample implementation.
WFQ is easy to use since it requires no configuration. By default, WFQ allocates
256 queues, and packets are mapped into one of the queues by hashing the
destination address. So, packets for the same host will be put in the same queue.
To enable WFQ on interface vx0 and vx1, add the following lines to
altq.conf:
% altqstat -i vx1
FIFOQ
First-In First-out Queuing (FIFOQ) is implemented as a template for those who
want to write their own queuing schemes on the ALTQ framework.
So, there would be no reason to use FIFOQ unless you want to modify the FIFOQ
implementation.
Using FIFOQ
To enable FIFOQ on interface vx0, add the following line to altq.conf:
Introduction
net-SNMP (previously known as UCD-SNMP) is an implementation of the Simple
Network Management Protocol (SNMP).
NOTE: Although the UCD-SNMP project has been renamed to net-SNMP, the
current distribution of net-SNMP files is still called UCD-SNMP.
LynxOS includes net-SNMP version 4.1.1, which supports SNMPv2 and SNMPv3
(see following note), and MIBI and MIBII.
net-SNMP sends and receives information through UDP ports 161 (SNMP) and
162 (SNMP Traps).
SNMP Overview
SNMP architecture is made up of three elements: managed devices, agents, and
network management stations (NMSs).
Managed devices can be any device node on a network, including PCs, hubs,
routers, and printers. Agents are software modules that are responsible for
maintaining information on a specific device node. Agents collect and store
information about a particular device in a local management database for use by an
NMSs. The NMSs provide a user interface to applications and network
information. NMSs collect information from agents for the MIB and can set the
types of data the agents report. The MIB is a hierarchical database of all managed
devices on a network managed by SNMP.
The following figure shows the communication between managed devices, agents,
and the network management station.
Managment
Information
Base (MIB)
Ethernet
In this example, agents act as an interface between the NMS and the managed
devices on the network. Each agent resides on the device as a software module and
provides information to the NMS. The NMS maintains the MIB, the hierarchical
table of all entities on the network.
net-SNMP Documentation
Included with the net-SNMP distribution for LynxOS are several documents,
including:
• FAQ
• README
• PORTING
• EXAMPLE.conf
• AGENT.txt
• man pages for individual tools, files, and the API
net-SNMP Components
The following tables describe the net-SNMP daemons and applications included
with the LynxOS distribution. Each of the following components is described in its
respective man page.
Component Description
Component Description
Component Description
This chapter provides information on the OpenSSL feature for the LynxOS
operating system.
Overview
OpenSSL is a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength general
purpose cryptography library.
OpenSSL Components
OpenSSL contains the following components:
• The OpenSSL library used to export cryptographic-related functions for
applications
• The OpenSSL tool used to provide cryptographic functionalities for users
OpenSSL Library
OpenSSL Tool
openssl
Application
OpenSSL Documentation
Included with the OpenSSL distribution for LynxOS are several documents,
including:
• FAQ
• README
• man pages for individual tools, files, and the API
Additional resources and documentation are also available online at:
• http://www.openssl.org
Installing OpenSSL
Cross-Development Installation
OpenSSL includes two types of components:
• Cross-development components included in the cross-development kit
(CDK)
• Native components included in the LynxOS distribution
To install cross-development OpenSSL components, perform installation of the
cross-development kit. Refer to Chapter 3, “Installing LynxOS” of the
LynxOS Installation Guide for the instructions on how to install the CDK on a
cross-development host.
Native Installation
To install native OpenSSL components on the cross-development host, refer to the
LynxOS Installation Guide.
The user is asked to enter information that will be included into the
certificate:
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Oregon
Locality Name (eg, city) [Newbury]:Portland
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname)
[]:www.madboa.com
Email Address []:
Lm1hZGJvYS5jb20wHhcNMDYwMjA3MTI1MzM3WhcNMDcwMjA3MTI1MzM3WjBKMQsw
CQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEX
MBUGA1UEAxMOd3d3Lm1hZGJvYS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAONagFq3W3MTx5Y1ivYkECS+UysWNYF5RT7uzHFuwv0Gnjsgt+lkVj1x1upe
FHfZqDNkhMrPJdJxUrJz/cBBEubHmsc7jgCyMJqO2G+OJYQNB+NFB8ljrhrBOkAo
sOIWr1tptGrFCj97jwFlX2sv6Dinz87O6t/kROaOAPsKi5kjAgMBAAGjgaQwgaEw
HQYDVR0OBBYEFNKMnkQ09H4GxtD5wAzu8dePdzFWMHIGA1UdIwRrMGmAFNKMnkQ0
9H4GxtD5wAzu8dePdzFWoU6kTDBKMQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3Jl
Z29uMREwDwYDVQQHEwhQb3J0bGFuZDEXMBUGA1UEAxMOd3d3Lm1hZGJvYS5jb22C
AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBhBaFlR16n+xfXrkrT
b2fqwMiJnQ9X35w29AOiCStDL6fvvb7t4icUWm6vTWT2ZRACJCNwLTZaGPFZAbwr
JZOHvIdGZzPPQef0KQX5DFfcHmIA0bL+qNNsrE6YK8Ic4rTNjljualSdNOyvdsPW
xGFV7udl2YXLrr0kmSD+4AMfLA==
-----END CERTIFICATE-----
subject=/C=US/ST=Oregon/L=Portland/CN=www.madboa.com
issuer=/C=US/ST=Oregon/L=Portland/CN=www.madboa.com
---
No client certificate CA names sent
---
SSL handshake has read 1127 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
9913374A448061858BDEDA865CBC15B09B14D9EDC067A84A04841430AB3A3856
Session-ID-ctx:
Master-Key:
ECE1C3E97969AF40432C1F2D492645C2A7C73C742080B3FC73E4B7420A560A91
64F9743F7590E6D3F09BBB793BC3923F
Key-Arg : None
Krb5 Principal: None
Start Time: 1139317822
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
MHUCAQECAgMBBAIAOQQgmRM3SkSAYYWL3tqGXLwVsJsU2e3AZ6hKBIQUMKs6OFYE
MOzhw+l5aa9AQywfLUkmRcKnxzx0IICz/HPkt0IKVgqRZPl0P3WQ5tPwm7t5O8OS
P6EGAgRD6Jw+ogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-
DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-
DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-
DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-
SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-
SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-
DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
net-SNMP
net-SNMP is the is an implementation of SNMP. net-SNMP uses the OpenSSL
library for SNMPv3 authentication, encryption, and some other tasks.
Refer to Chapter 7, “net-SNMP” for more information about net-SNMP.
bind
bind is the DNS (Domain Name System) server. bind uses the OpenSSL library
to support the DNSSEC (signed zones) feature.
racoon
racoon is the IKE (Internet Key Exchange) daemon. It is a part of KAME
(http://www.kame.net) IPSec implementation. racoon uses the OpenSSL
library to implement cryptography-related functionality required by IPSec.
The following table describes the supported RFCs for this release of LynxOS.The
RFCs Title
RFCs Title
RFCs Title
RFCs Title
RFCs Title
2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2
2003 IP Encapsulation within IP
2001 TCP Slow Start, Congestion Avoidance, Fast Retransmit, and Fast Recovery
Algorithms
1996 A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
1995 Incremental Zone Transfer in DNS
1982 Serial Number Arithmetic
1950 ZLIB Compressed Data Format Specification version 3.3
1918 Address Allocation for Private Internets
1908 Coexistence between Version 1 and Version 2 of the Internet-standard Network
Management Framework
1907 Management Information Base for Version 2 of the Simple Network Management
Protocol (SNMPv2)
1906 Transport Mappings for Version 2 of the Simple Network Management Protocol
(SNMPv2)
1905 Protocol Operations for Version 2 of the Simple Network Management Protocol
(SNMPv2)
1904 Conformance Statements for Version 2 of the Simple Network Management Protocol
(SNMPv2)
1903 Textual Conventions for Version 2 of the Simple Network Management Protocol
(SNMPv2)
1902 Structure of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2)
1901 Introduction to Community-based SNMPv2
1893 Enhanced Mail System Status Codes
1876 A Means for Expressing Location Information in the Domain Name System
1858 Security Considerations for IP Fragment Filtering
1853 IP in IP Tunneling
1829 The ESP DES-CBC Transform
1828 IP Authentication using Keyed MD5
RFCs Title
RFCs Title
RFCs Title
1445 Administrative Model for version 2 of the Simple Network Management Protocol
(SNMPv2)
1444 Conformance Statements for version 2 of the Simple Network Management Protocol
(SNMPv2)
1443 Textual Conventions for version 2 of the Simple Network Management Protocol
(SNMPv2)
1442 Structure of Management Information for version 2 of the Simple Network
Management Protocol (SNMPv2)
1441 Introduction to version 2 of the Internet-standard Network Management Framework
1424 Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and
Related Services
1423 Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and
Identifiers
1422 Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key
Management
1421 Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and
Authentication Procedures
1389 RIP Version 2 MIB Extensions
1388 RIP Version 2 Carrying Additional Information
1387 RIP Version 2 Protocol Analysis
1382 SNMP MIB Extension for the X.25 Packet Layer
1381 SNMP MIB Extension for X.25 LAPB
1354 IP Forwarding Table MIB
1350 The TFTP Protocol (Revision 2)
1348 DNS NSAP RRs
1340 Assigned Numbers
1337 TIME-WAIT Assassination Hazards in TCP
1327 Mapping between X.400(1988) / ISO 10021 and RFC 822
1323 TCP Extensions for High Performance
1321 The MD5 Message-Digest Algorithm
RFCs Title
RFCs Title
RFCs Title
Following table describes the supported IEEE standards for this release of
LynxOS.
IEEE
Title
Standards
Overview
The IPv6 protocol addresses technical limitations of IPv4. Most notably is the
increase in IP address space, which has changed from 32 to 128 bits per address.
IPv4 32-bit addresses are represented in dotted-decimal format divided along 8-bit
boundaries. IPv6 IP addresses are 128-bit address divided along 16-bit boundaries,
and each 16-bit block is converted to a 4-digit hexadecimal number and separated
by colons. For example:
200A:00A3:2C5B:0000:02FF:FF00:FE38:934A
The IPv6 address representation can be further simplified with features such as
leading zero suppression and zero compression. Detailed information on these
features as well as other information regarding the IPv6 addressing architecture are
described in RFC 2373.
Other notable improvements is the inclusion of the following services that were
optional under IPv4:
• Auto configuration--IPv6 specifies a stateless host auto configuration
mechanism which is an improvement on the optional DHCP mechanism
used with IPv4.
• Security--IPv6 mandates support for IPsec. This guarantees that a secure
IP connection can be established when communicating with IPv6
devices.
• Multicast--Muliticast is now mandatory under IPv6.
In addition, IPv6 has simpler packet header structures and also introduces a
protocol header chain that allow for more flexible protocol extensions
Enabling IPv6
To enable the IPV6 in the Lynxos kernel, user must uncomment (by removing #
sign) the line n:hbtcpipv6:@hbtcpip0:: in the
$ENV_PREFIX/sys/bsp.<bsp_name>/config.tbl file.
2. Assign an interface an IPv6 address with ifconfig. Note that for IPv6
addresses, the switch inet6 must be used:
# ifconfig <if> inet6 <address>
3. Use ping6 to ping additional IPv6 networks:
# ping6 otherhost
To ping an IPv6 host with a Link-Layer address (prefixed with fe80), the host
Ethernet interface must be specified. The following example uses the pro100
interface:
# ping6 fe80::230:65ff:fef2:7868%pro0
nameserver 3ffe:0501:1111:ffff::
nameserver 192.168.99.1
Additionally, other routing demons that support IPv6 can be used; zebra, for
example. For additional information, see the GNU Zebra User’s Guide.
1. Use sysctl to allow for route advertising, IP6 forwarding, and faith:
# sysctl -w net.inet6.ip6.accept_rtadv=0
# sysctl -w net.inet6.ip6.forwarding=1
# sysctl -w net.inet6.ip6.keepfaith=1
brconfig utility 60
bridging 59
Symbols
??–25
C
calculating message digest for data 101
Numerics CBQ 68
CBQ classifier 69
802.1 standards 59
CBQ configuration file 68
CBQ monitoring 74
CBQ setting for slow interface 72
class command 68
A commands
access control rules 37 ftp 15
addressing 52 ping 2
administration files rlogin 2
/etc/exports 46 rsh 3
admission control 81 telnet 3
aggregated traffic 73 concave service curve 76
aggregated traffic limitations 73 connecting to the secure server using SSL 102
altq.conf 81 contacting LynuxWorks x
altq.conf configuration file 71 Contents iii
altqd 63 creating a self-signed certificate 101
altqd config file 70 creating the SSL server from the command
altqd utility daemon 63 line 103
altqstat program 74 cryptography library 97
B D
basic CBQ commands 68 database
bind 104 hosts 2
borrow 68 default class 80
borrowing dhclient 43
limitations 75 DHCP 39
about 39 firewalls
client 43 ipfw 25
dhclient 43 forwarding cache management 61
dhcpd 41 ftp
dhcpd.conf 42 commands
leases 43 getting a list of 15
LynxOS files 40 putting files on a remote host 14
man pages 40 transferring binary files 14
server 41 transferring files with 13
storage of parameters 39
using DHCP and bootp 44
dhcpd 41
dhcpd.conf 42 H
Differentiated Service Code Point 63
diffserv 85 HFSC 76
DNS client configuration 20 HFSC hierarchical link-sharing 78
documents HFSC real-time scheduling 78
online viii HFSC scheduling 78
DSCP 63 HFSC service curve 76
Dynamic Host Configuration Protocol 39 Hierarchical Fair Service Curve 76
hierarchical link-sharing 79
hostname databases
.rhosts 3, 16
E /etc/hosts.equiv 10
Hosts
ECN 64, 84 remote, executing commands 3
ECN-capable TCP 64 hosts
encrypted communications 33 database 2
encrypting and decrypting data with setting up for remote access 3
OpenSSL 100 hosts.allow and hosts.deny files 37
Ethernet interface
configuring 1
Explicit Congestion Notification 64, 84
I
ifconfig 1
F IGMP 53
IGMPv1 54
FIFOQ (First-In First-Out Queuing) 90 IGMPv2 54
FIFOQ, using 90 installing OpenSSL 99
files interface command 68
binary, transferring 14 interface rate-limiting 67
getting from a remote host 14 interface rate-limiting with a queuing
host database 2 discipline 67
host, setting up 3 Internet Group Management Protocol 53
resolv.conf 7 IP Multicasting 51
resolv.conf, setting up 3 IP QoS 65
transferring with ftp 13 IPsec 28
filter command 68 AH, ESP security protocols 28
filter-matching rule 69 SAD (Security Association Database) 29
O
M
online help viii
MAC address 52 Open Secure Shell 33
man pages viii openntpd 19
multicast address 52 OpenSSH 33
multicasting 51 OpenSSH configuration files 33
OpenSSL 97
SNMPv3 requirements 92
OpenSSL components 97
N OpenSSL cross-development installation 99
OpenSSL documentation 99
net-SNMP 104 OpenSSL legal issues 104
adding custom modules 95 OpenSSL library 98, 99
components 94 OpenSSL license & copyright 105
documentation 93 OpenSSL native installation 99
known limitations 95 OpenSSL tool 98
license & copyright 95 OpenSSL tool, adding to a LynxOS KDI 100
SNMP protocol overview 92
v3 OpenSSL requirements 92
netstat command 65
netstat output 57 P
network card
configuring 1 IPFW (legacy utility) 25
network connectivity tools 33 ping command 2
network device driver behavior 66 testing TCP/IP 4
network security 25 protocols
firewalls ftp 13
IPFW 25 telnet 3
IPsec 28 tftp 16
SNTP 20
socket options 54
Q spanning tree 60
ssh client configuration 35
QoS 63
ssh daemon configuration 33
Quality of Service 59, 63
SSH protocol suite 33
ssh utility 10
ssh_config 35
ssh_config configuration file example 35
R sshd_config 33
racoon 104 sshd_config configuration file example 33
Random Early Detection 84 sysctl variables 56
rc.network 2
real-time scheduling 79
RED 84
reference manuals viii T
registration 53
tbrconfig utility 66
remote
TCP 1
utilities, ping 4
TCP/IP
remote host
resolv.conf 7
putting files on a 14
testing 4
retrieving files from 14
TCP/IP components
reserved real-time bandwidth 81
/etc/hosts file 3
resolv.conf 7
/etc/resolv.conf file 3
RFCs
hosts file 2
supported 107
ping 2
rlogin utility 10
rlogin command 2
root class 80
rsh command 3
rsh utility 12
telnet command 3
Technical Support x
Telnet utility 8
testing
S TCP/IP 4
sample setting using CBQ 70 TFTP
scp 13, 16, 20 overview 15
Secure Remote Copy 20 secure transfers 16
Secure Sockets Layer 97 simple transfers 15
secure tftp 16 token-bucket regulator 66
security Traffic Management 59
network 25 transport layer 65
service curve, concave 76 Transport Layer Security 97
service curve, convex 77 troubleshooting
service curves in altq.conf 81 TCP/IP 4
setsockopt() 54 tune token bucket 66
shaping by HFSC 82 typographical conventions viii
Simple Network Time Protocol 20
simple rate-limiting by tbrconf 67
SNMP
protocol overview 92
V
Virtual Local Area Network 62
virtual time 77
VLAN 62
VLAN identifier 62
W
Weighted Fair Queuing 89
WFQ 89
X
xntpd 19