Tuesday, September 25, 2007

Early Access to Clearview IP Tunneling

Earlier today, early access build 74 of Project Clearview was announced to networking-discuss@opensolaris.org and clearview-discuss@opensolaris.org. This build introduces the new GLDv3-based IP tunneling driver to users. With this work, the 6000 or so lines of kernel code that made up the "tun" STREAMS module have been replaced with a GLDv3 driver that is half that size and has more features.

With this driver, IP tunnels in Solaris are now fully observable using snoop:

seb# snoop -d ip.tun0
Using device ip.tun0 (promiscuous mode)
seb -> my-desktop TCP D=60722 S=22 Push Ack=624936085 Seq=693788605 Len=80 Win=49644 (1 encap)
my-desktop -> seb TCP D=22 S=60722 Ack=693788685 Seq=624936085 Len=0 Win=49644 (1 encap)
seb -> dns-server DNS C 3.1.168.192.in-addr.arpa. Internet PTR ? (1 encap)

IP tunnels can be given meaningful names (thanks to Clearview vanity naming):

seb# dladm create-iptun -T 6to4 -s 10.8.57.44 ipv6gateway0
IP tunnel created: ipv6gateway0
seb# dladm show-iptun
LINK            TYPE  SOURCE      DESTINATION
ipv6gateway0    6to4  10.8.57.44  N/A
seb# ifconfig ipv6gateway0 inet6 plumb up
seb# ifconfig ipv6gateway0 inet6
ipv6gateway0: flags=202200041<UP,RUNNING,NONUD,IPv6,CoS> mtu 65515 index 3
        inet tunnel src 10.8.57.44
        tunnel hop limit 64
        inet6 2002:a08:392c::1/1
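
The inet6 address that ifconfig reports for the 6to4 tunnel is derived from the tunnel source address: a 6to4 router owns the prefix 2002:V4ADDR::/48 (RFC 3056). The following is an added example, not part of the original post or of the Clearview code, that reproduces the derivation and reverses it, which is useful when attributing 6to4 traffic seen in snoop output or logs to an IPv4 tunnel endpoint. The function names and the embedded sample are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the ifconfig output shown above for ipv6gateway0.
IFCONFIG_SAMPLE = """\
ipv6gateway0: flags=202200041<UP,RUNNING,NONUD,IPv6,CoS> mtu 65515 index 3
        inet tunnel src 10.8.57.44
        tunnel hop limit 64
        inet6 2002:a08:392c::1/1
"""


def sixto4_prefix(ipv4):
    """Return the 2002:V4ADDR::/48 prefix that belongs to a 6to4 router."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_address(ipv4, host=1):
    """Address inside the 6to4 prefix; host=1 matches the ::1 ifconfig shows."""
    return sixto4_prefix(ipv4)[host]


def embedded_ipv4(ipv6):
    """Recover the IPv4 endpoint from a 6to4 address (None outside 2002::/16)."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def check_ifconfig(output):
    """Parse 'tunnel src' and 'inet6' and report whether they agree."""
    src = re.search(r"tunnel src (\S+)", output).group(1)
    inet6 = re.search(r"^\s*inet6 ([0-9a-fA-F:]+)", output, re.M).group(1)
    consistent = embedded_ipv4(inet6) == ipaddress.IPv4Address(src)
    return src, inet6, consistent


if __name__ == "__main__":
    print(sixto4_prefix("10.8.57.44"))
    print(sixto4_address("10.8.57.44"))
    print(check_ifconfig(IFCONFIG_SAMPLE))
```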


seb# dladm create-iptun -T ipv4 -s seb -d vpngateway vpn0
IP tunnel created: vpn0
seb# ipsecconf -l -i vpn0
#INDEX vpn0,1
{ tunnel vpn0 negotiate tunnel laddr seb/32 dir out } ipsec { encr_algs aes-cbc(128..256) encr_auth_algs hmac-md5(128) sa shared }
#INDEX vpn0,2
{ tunnel vpn0 negotiate tunnel laddr seb/32 dir in } ipsec { encr_algs aes-cbc(128..256) encr_auth_algs hmac-md5(128) sa shared }
seb# ifconfig vpn0 plumb 10.0.0.1 10.0.0.2 up

IP tunnel links are administered using dladm (although pre-existing ifconfig syntax is still supported for backward compatibility):

seb# dladm create-iptun -T ipv6 -s me -d you trans0
IP tunnel created: trans0
seb# dladm show-linkprop trans0
LINK    PROPERTY    VALUE  DEFAULT  POSSIBLE
trans0  autopush    --     --       --
trans0  zone        --     --       --
trans0  hoplimit    64     64       --
trans0  encaplimit  4      4        --
seb# dladm set-linkprop -p encaplimit=2 trans0
seb# dladm show-linkprop trans0
LINK    PROPERTY    VALUE  DEFAULT  POSSIBLE
trans0  autopush    --     --       --
trans0  zone        --     --       --
trans0  hoplimit    64     64       --
trans0  encaplimit  2      4        --

We welcome users to bfu these bits and try out the new features.  Click here for download instructions and release notes, and let us know what you think by sending us feedback at clearview-discuss@opensolaris.org.