IBM Support

PI40291: ENHANCE IPSEC SUPPORT FOR CLIENTS USING DRVIPA TO INITIATE CONNECTIONS FROM LOCAL SYSPLEX DISTRIBUTOR TO TARGET SERVER

A fix is available


APAR status

  • Closed as new function.

Error description

  • When a client is on the same TCPIP stack as the sysplex
    distributor and initiates a connection to a target server on
    another TCPIP stack using a distributed DVIPA, the outbound
    packets are not encapsulated even when IPSEC is enabled and
    OPTLOCAL is specified on the VIPADISTRIBUTE statement for the
    sysplex distributor.
    
    When the client and the distributor are on the same TCPIP stack,
    no tunnel is formed or used for the negotiation. The connection
    still goes through the policy check to verify that it is
    allowed. Once the distributor has chosen the target server,
    communication reverts to fast local sockets, where outbound
    packets are not encapsulated, even when the client and the
    distributor are on the same TCPIP stack and the target server is
    on another. The initial SYN packet for the connection setup
    request flows over the IPSEC tunnel, but all subsequent traffic
    uses the fast local sockets.
    

Local fix

  • 1) Have the client initiate the connection from a stack other
       than the sysplex distributor, so that fast local sockets are
       not used. The packets flowing from that client to the target
       selected for the listener are then encapsulated.
    
    2) If the client has to be on the same TCPIP stack as the
       distributor, use the VIPARANGE method instead, so that the
       server on the target system allocates the DVIPA for the
       listener itself. All LPARs in the sysplex must have the same
       VIPARANGE statement(s) so that a listener can fail over from
       one LPAR to another. In this case the distributed DVIPA is
       not used, and the packets flowing to the server owning the
       DVIPA are encapsulated after tunnel negotiation.
    
    KEYWORDS:
    IPSEC DRVIPA DVIPA IKED TRMD TUNNEL POLICY PAGENT OPTLOCAL
    FAST LOCAL SOCKETS SYSPLEX DISTRIBUTOR TARGET LISTENER CLIENT
    SERVER VIPADISTRIBUTE VIPARANGE
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users of the IBM Communications Server for z/OS Version 2    *
    * Release 1 IP: Sysplex-wide Security Associations             *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Connection fails when target stack expects traffic to be     *
    * IPSec encapsulated but IP filtering is not done for client   *
    * because the client and DVIPA are on the same stack.          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply the PTF                                                *
    ****************************************************************
    When the client and DVIPA are on the same TCP/IP stack, traffic
    is treated as local on the outbound path even though the
    connection could be forwarded to a target on another TCP/IP
    stack. IP filtering is not done for the local traffic. If IPSec
    policy is in place to require IPSec protection, the connection
    fails when the target server receives the packet in the clear,
    without IPSec protection.
    

Problem conclusion

  • A new TCPIP profile parameter, DVLOCALFLTR, is provided on the
    IPSEC statement to enable filtering of TCP traffic between a
    client and an IPv4 dynamic VIPA defined on the same TCP/IP
    stack.
    
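The following TCPIP profile fragments are an added illustration and are not part of the APAR text or of IBM's own documentation. They show the configuration shape the error description and the local fix refer to, and the DVLOCALFLTR parameter the PTF introduces, side by side. The DVIPA and VIPARANGE addresses, the subnet mask, the port, the DISTMETHOD choice, the DVIPSEC parameter (assumed because the affected users are those of Sysplex-wide Security Associations) and the default IPSECRULE body are all assumptions for the example; verify the exact statement syntax against the IP Configuration Reference for the installed release before using any of it.

```text
; ---- Added example, not from the APAR. Addresses, ports and rules are assumed.
;
; Distributing stack; the client in the APAR scenario runs on this same
; stack. OPTLOCAL makes the distributor prefer a local target, but the
; connection can still be forwarded to a target on another stack.
VIPADYNAMIC
  VIPADEFINE MOVEABLE IMMEDIATE 255.255.255.0 10.1.1.10
  VIPADISTRIBUTE DEFINE DISTMETHOD BASEWLM OPTLOCAL 10.1.1.10 PORT 8000 DESTIP ALL
ENDVIPADYNAMIC

; Before the PTF: IPSec filtering is active, but traffic from a client to
; a DVIPA defined on the same stack is treated as local on the outbound
; path and is not filtered, so a forwarded connection reaches the target
; stack in the clear and fails when that stack requires IPSec protection.
IPSEC LOGENABLE DVIPSEC
  ; Default filter rule used only while Policy Agent (PAGENT) policy is
  ; not in effect; the real IPSec policy comes from PAGENT.
  IPSECRULE * * NOLOG PROTOCOL *
ENDIPSEC

; After the PTF (UI28434 for R210): DVLOCALFLTR enables filtering of TCP
; traffic between a client and an IPv4 dynamic VIPA on the same stack,
; so the IPSec policy is applied before the connection is forwarded.
IPSEC LOGENABLE DVIPSEC DVLOCALFLTR
  IPSECRULE * * NOLOG PROTOCOL *
ENDIPSEC

; Workaround 2 from "Local fix", for stacks that cannot take the PTF:
; do not distribute the DVIPA; let the target server's stack allocate it
; from a VIPARANGE. Code the same VIPARANGE on every LPAR in the sysplex
; so the listener can fail over between LPARs.
VIPADYNAMIC
  VIPARANGE DEFINE MOVEABLE NONDISRUPTIVE 255.255.255.0 10.1.2.0
ENDVIPADYNAMIC
```

DVLOCALFLTR only changes whether the local client-to-DVIPA path is run through IP filtering; the IPSec policy itself still has to be installed by Policy Agent on both the distributing and the target stacks, and a policy that only permits the traffic without requiring protection will pass it in the clear on either side.
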

Temporary fix

Comments

  • **** PE15/07/28 FIX IN ERROR. SEE APAR PI45849 FOR DESCRIPTION
    **** PE16/04/04 FIX IN ERROR. SEE APAR PI60199 FOR DESCRIPTION
    

APAR Information

  • APAR number

    PI40291

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    210

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-01

  • Closed date

    2015-06-11

  • Last modified date

    2016-05-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI28434 UI28435 PI44865

Modules/Macros

  • EZBTCFWR EZBNMSEC EZBISIOC EZBIPINB EZAI2IPF EZAISMSG EZACFYAC
    EZBTCSND EZBISEPR EZACFPSC EZACFPSE EZBIPEPR EZBISFLT EZAI2IPT
    EZANMFTR EZBIPOUT EZBTLFWR EZANMGTT EZBISGFT EZANMI   EZBTCSYN
    EZBTCRD  EZBTCRDG EZAI2CSE EZAIKA@M EZAI2XLI EZBISLVC EZAI2ISA
    EZATCADE EZAIKA@U EZBISEVT EZATDECP EZAI2CIS EZBISTTP EZAI2CCQ
    EZAI2CCR EZAPSCAN EZAI2CCX EZAIKRAD EZAIKANC EZAI2IXL EZAIKSKO
    EZATCAIN EZAI2SAP EZAI2SAQ EZAI2SAR EZBISEN6 EZATENCP EZBNMSEA
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R210 PSY UI28434

       UP15/06/30 P F506


Document Information

Modified date:
11 May 2016