Friday, September 25, 2009

Clearview IP Tunneling in OpenSolaris

I integrated Clearview IP Tunneling (the final component of the Clearview project) into the ON consolidation this week.  It will be included in OpenSolaris build 125, which will make its way to the dev repository in due time.  Thanks to all who participated, including the Clearview project team (past and present) and members of various OpenSolaris communities who contributed by doing design and code reviews.  This brings a close to a project that Meem and I conceived years ago while doodling network interface requirements on his whiteboard.  We've now delivered every component that we initially identified as the solutions to meet our requirements.  That's something to be proud of.

With this integration, IP tunnel links can be created using dladm, be given meaningful names using link vanity naming, observed using traditional network observability tools such as snoop and wireshark, assigned to exclusive stack non-global zones, and created from within non-global zones.

This integration also enables the use of dladm in general from within exclusive stack non-global zones.  Aside from the IP tunnel subcommands which are supported from such zones, all of the show-* subcommands now work in such zones, allowing administrators to view datalink configuration pertinent to the zone.  This is a first step towards gradually expanding the set of datalink features available in zones.

Enjoy, and feel free to communicate with us regarding this project at clearview-discuss@opensolaris.org.

3 comments:

  1. when for a (working) openvpn+TAP integration in the IPS base? =)

  2. With Clearview, will it finally be possible to do both AH and ESP over NAT?

  3. sickness, I don't know if anyone is working on OpenVPN, but now that there is not a "tun" STREAMS module in the source base, there will no longer be a conflict between it and the "tun" module that comes with tun/tap.

    UX-admin, AH cannot possibly work with NAT by definition, and it never will on any platform. It includes the outer IP header in its hash computation, and NATs rewrite IP addresses in that header rendering the hash invalid. The protocols are outright incompatible.

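The AH-versus-NAT point from the last comment, worked through as an added example (not code from the post, the comments, or OpenSolaris): the AH integrity check value is an HMAC over the outer IPv4 header with only its mutable fields zeroed, so a TTL decrement at a router leaves it valid while a NAT rewriting the source address does not. The key, addresses and payload are constructed sample values; the ICV algorithm is HMAC-SHA1-96 as in RFC 2404.

```python
import hmac, hashlib, struct, socket

# Added example, not from the original post: why an AH ICV cannot survive NAT.
# Key and packet fields are constructed sample values; HMAC-SHA1-96 per RFC 2404.
KEY = b"constructed-demo-key-not-a-real-secret"
AH_PROTO, ICV_LEN = 51, 12          # IP protocol 51 = AH; SHA1-96 ICV is 12 bytes

def ipv4_header(src, dst, payload_len, ttl=64, tos=0):
    """20-byte IPv4 header, no options; header checksum left zero (AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_hdr, spi, seq, icv=bytes(ICV_LEN)):
    """AH header: next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + icv

def authenticated_bytes(ip_hdr, ah_hdr, payload):
    """RFC 4302 ICV input: mutable IP fields and the ICV field zeroed; addresses kept."""
    ip = bytearray(ip_hdr)
    ip[1] = 0; ip[6:8] = b"\0\0"; ip[8] = 0; ip[10:12] = b"\0\0"  # TOS, flags/frag, TTL, checksum
    return bytes(ip) + ah_hdr[:12] + bytes(ICV_LEN) + payload

def compute_icv(key, ip_hdr, ah_hdr, payload):
    return hmac.new(key, authenticated_bytes(ip_hdr, ah_hdr, payload), hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, payload, spi=0x100, seq=1):
    """Sender: compute the ICV over header + AH + payload, then fill it into the AH header."""
    ah0 = ah_header(17, spi, seq)                      # 17 = UDP follows AH
    ip = ipv4_header(src, dst, len(ah0) + len(payload))
    return ip, ah_header(17, spi, seq, compute_icv(key, ip, ah0, payload)), payload

def verify(key, ip_hdr, ah_hdr, payload):
    """Receiver: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_hdr[12:], compute_icv(key, ip_hdr, ah_hdr, payload))

def router_hop(ip_hdr):
    """An ordinary router decrements TTL, a mutable field the ICV deliberately ignores."""
    return ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:]

def nat_rewrite_source(ip_hdr, new_src):
    """A NAT rewrites the source address, which AH covers as immutable."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def demo():
    ip, ah, data = build_ah_packet(KEY, "10.0.0.5", "203.0.113.7", b"constructed UDP payload")
    return {"as_sent": verify(KEY, ip, ah, data),
            "after_router": verify(KEY, router_hop(ip), ah, data),
            "after_nat": verify(KEY, nat_rewrite_source(ip, "198.51.100.1"), ah, data)}
```

ESP has no such problem in transport or tunnel mode because its authentication covers only the ESP header and payload, not the outer IP addresses.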