TCP/IP enhancements to OS/2 Warp Server for e-business

by Valerie Jackson

The e-business opportunities that use the Web to bring together customers, vendors, suppliers and employees depend on continuing advancements in Internet technologies. To help unite the dependability of existing systems with the power of the Web, the next generation of OS/2 Warp Server - OS/2 Warp Server for e-business - uses many of the latest developments in Internet technologies to help make the transition to e-business as effective and efficient as possible - a seamless transformation.

Enhancements to the TCP/IP subsystem include capacity and performance improvements such as better use of memory, enhanced connection buffering management, reduced handshake requirements prior to connecting and improved HTTP server connection management.

This article explores the technical aspects of these enhancements.

Performance enhancements
Faster network response times are essential to future growth of the Internet - getting beyond the "World Wide Wait" to true e-business. OS/2 Warp Server for e-business has improved the TCP/IP 4.1 stack, fine tuning and adding enhancements to make it faster. Performance enhancing additions over TCP/IP 4.1 include:
 * Reduced connection resources - Previously, a connection between two endpoints required three basic blocks of resource to hold the connection information: one on each end and a structure holding TCP-specific protocol state. When the connection shuts down, these resources remain allocated while they wait for residual data or control information to drain. Memory is used better and connections come up faster if a new incoming connection from the same host can reuse those resources. Because memory allocation and initialization take time, the enhancements in this area have increased throughput.
 * Bypassing the timewait state - The TIME_WAIT state holds kernel resources for the whole lockout period. Because the underlying physical media has become more reliable, bypassing the timewait state and reusing those resources can appreciably reduce allocation and initialization time. Note that TIME_WAIT also exists to let a delayed or retransmitted segment from the old connection die out before the same address and port pair is reused; skipping it trades that protection for speed.
 * Outstanding connection buffering management - Data traveling over the network interface is held in fixed-size buffers. OS/2 Warp Server for e-business improves throughput by sizing these buffers in step with the OS kernel.
 * Fast path HTTP - HTTP traffic is the most common type of Web activity. When requests pour in at a fast rate, a busy server must be able to accept the connections. To speed up connection time, the OS/2 Warp Server for e-business stack preallocates a cache of initialized structures of the kind required when a new connection is requested. Turnaround is faster because a new incoming request is assigned one of these structures instead of allocating and initializing one.
 * Faster access to kernel services - The KEE extensions provide modified kernel entry points into the stack. This helps give the stack fast access to kernel services like locks and memory allocation.
 * Quicker loopback processing - Time-intensive wakeups are removed, where possible.
 * Exceptional FTP server performance - The move from a multiprocess model to a new multithreaded FTP server provides faster connection response time and less memory overhead as requests are processed concurrently. Servicing each client on a separate thread, instead of starting a separate instance of FTPDC.EXE for each client, improves performance. The FTP server supports restarting broken data transfers, and FTP-PM has been modified to take advantage of the multithreaded FTP server.
 * Improved TFTP server performance - Rewriting the Trivial File Transfer Protocol (TFTP) server as a multithreaded process contributes to the performance enhancements.
 * Extraordinary Web server performance - Two new socket APIs were added to help improve the performance of Web servers:
 * accept_and_recv API - Added to support a call similar to AcceptEx in the Microsoft Windows NT environment. AcceptEx sets up a new connection, returns the local and remote addresses and receives the first block of data sent by the remote end. Returning the addresses and the first block of data in a single output buffer, in one call, saves the extra trips through the socket layer that accept followed by recv would cost.
 * send_file API - Added to support a call similar to the NT function TransmitFile, which performs the file transfer at ring 0. The API takes handles to a connected socket and an open file; then, in kernel mode, it reads data directly from the system cache and passes it to the transport protocol. This design avoids the buffer copies, context switches and kernel transitions associated with the usual read-then-send method of sending file data.

Security enhancements
To establish a TCP/IP connection, whether for telnet, the Web or e-mail, the client and server exchange three messages:

    Client                        Server
      SYN      ------------------>
               <------------------  SYN-ACK
      ACK      ------------------>

The vulnerability arises at the point where the server has sent its acknowledgement (SYN-ACK) back to the client but has not yet received the final ACK, leaving a half-open connection. The server keeps a fixed-size data structure describing all pending connections, and that structure can be made to overflow by intentionally creating too many half-open connections. IP spoofing is what makes this cheap for the attacker: the attacking system sends SYN messages to the victim server that look legitimate but carry the source address of a host that will not respond to the SYN-ACK, so the final ACK is never sent. Normally a pending connection has a time-out, so half-open connections eventually expire and the victim recovers. However, the attacking system can simply keep sending IP-spoofed packets requesting new connections faster than the victim can expire the pending ones. A SYN attack can force the attacked machine to exhaust this memory, leaving it unable to service any connection request, even a valid one.

The key to avoiding a SYN attack is to postpone the allocation of connection resources in the stack until the handshake is complete. Instead of recording the half-open connection, the stack encodes the preliminary state it needs in the initial sequence number it sends in the SYN-ACK; when the final ACK carries that value back, the stack validates it and only then allocates the connection structure. This feature is turned off by default. In case of an attack, it can be turned on dynamically, without restarting the stack, using inetcfg, the stack configuration utility. The trade-off is that whatever the sequence number cannot encode about the original SYN (TCP options negotiated on it, for example) is not available to the completed connection, because the stack kept no other record of the SYN.
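The deferred-allocation scheme described above is the technique commonly known as SYN cookies. What follows is an added userland model of it, not code from OS/2 or from the original article. It assumes a constructed per-boot secret, a small MSS table that fits in three bits and a counter that advances every 64 seconds; the server and client addresses and the flood itself are constructed for the example. It contrasts a classic half-open table with a cookie-based server under a flood of spoofed SYNs that never complete the handshake.

```python
import hashlib
import hmac
import struct

# Assumptions, constructed for this example: a per-boot secret (a real stack
# would draw it from a random source), a small MSS table that fits in 3 bits,
# and a coarse counter that advances once per COUNTER_PERIOD seconds.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MSS_TABLE = (536, 1024, 1460, 4096, 8960, 9000, 16384, 65495)
COUNTER_PERIOD = 64
COUNTER_BITS, MSS_BITS = 5, 3
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS          # 24 bits of keyed hash
HASH_MASK = (1 << HASH_BITS) - 1
SERVER = bytes([192, 0, 2, 10])                   # constructed server address
CLIENT = bytes([198, 51, 100, 7])                 # constructed legitimate client


def counter_at(now):
    return int(now // COUNTER_PERIOD)


def _keyed_hash(saddr, sport, daddr, dport, client_isn, counter):
    """Truncated HMAC over the 4-tuple, the client's ISN and the period counter."""
    msg = struct.pack("!4sH4sHII", saddr, sport, daddr, dport,
                      client_isn & 0xFFFFFFFF, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def mss_index(mss):
    """Index of the largest table entry not above the MSS the client offered."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Layout: 5-bit counter | 3-bit MSS | 24-bit hash.
    Nothing is stored for the SYN; the ISN is the only record of it."""
    full = counter_at(now)
    t = full & ((1 << COUNTER_BITS) - 1)
    h = _keyed_hash(saddr, sport, daddr, dport, client_isn, full)
    return (t << (MSS_BITS + HASH_BITS)) | (mss_index(mss) << HASH_BITS) | h


def check_syn_cookie(saddr, sport, daddr, dport, ack_seq, ack_num, now):
    """Validate the final ACK (seq = client_isn + 1, ack = our ISN + 1).
    Returns the MSS to use, or None if the cookie is forged or expired."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> (MSS_BITS + HASH_BITS)
    m = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    got = (cookie & HASH_MASK).to_bytes(4, "big")
    current = counter_at(now)
    for candidate in (current, current - 1):   # this period and the previous one
        if candidate < 0 or (candidate & ((1 << COUNTER_BITS) - 1)) != t:
            continue
        want = _keyed_hash(saddr, sport, daddr, dport, client_isn, candidate)
        if hmac.compare_digest(got, want.to_bytes(4, "big")):
            return MSS_TABLE[m]
    return None


def flood(n_syns, backlog, now, cookies_enabled):
    """Constructed SYN flood: n_syns SYNs from spoofed sources that never ACK,
    followed by one legitimate client. Returns (half_open_entries, client_ok)."""
    pending = {}                                   # the classic half-open table
    for i in range(n_syns):
        spoofed = struct.pack("!I", 0x0A000000 + i)
        if cookies_enabled:
            make_syn_cookie(spoofed, 40000, SERVER, 80, i, 1460, now)  # no state
        elif len(pending) < backlog:
            pending[(spoofed, 40000)] = i          # one entry per unanswered SYN
    if cookies_enabled:
        isn = make_syn_cookie(CLIENT, 51000, SERVER, 80, 7, 1460, now)
        client_ok = check_syn_cookie(CLIENT, 51000, SERVER, 80, 8, isn + 1, now) is not None
    else:
        client_ok = len(pending) < backlog         # table full: real SYN is dropped
    return len(pending), client_ok


if __name__ == "__main__":
    print("classic stack:", flood(10000, 1024, 1000.0, False))   # (1024, False)
    print("with cookies: ", flood(10000, 1024, 1000.0, True))    # (0, True)
```

Only the current and the previous counter period are accepted, so a captured cookie stops validating after roughly two minutes, and the client's own ISN and the full 4-tuple are bound into the hash, so an ACK from a different port or with a different sequence number is rejected. The cost is visible in the layout: three bits of MSS are all the server remembers about the SYN, which is why a stack keeps this as a switch for use under attack rather than the default.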

Strong encryption
A Virtual Private Network (VPN) permits a company to extend their secure network through the Internet to mobile employees, business partners and suppliers. Replacing a leased line with Internet access is cost effective. Because much of this activity involves the exchange of sensitive, personal or confidential information, security concerns are paramount.

Cryptography is the foundation of security on public networks and provides the technology to accelerate the development of secure e-business solutions that:
 * Ensure data integrity
 * Increase confidentiality
 * Provide enhanced authentication of the identities of individuals and computers on networks

OS/2 Warp Server for e-business has expanded its data encryption support to include 56-bit encryption, where permitted by U.S. government export regulations and the import restrictions of the destination country. The encryption makes messages less susceptible to attack and results in increased security for data delivered over the VPN. Note that 56 bits was the export ceiling of the time rather than a comfortable margin: a 56-bit key (the key length of single DES) had already been recovered by brute-force search in public demonstrations by 1998.

Advantageous authentication
OS/2 Warp Server for e-business extends the SOCKS protocol to cover the user datagram protocol (UDP) domain and extends the framework to provide for stronger authentication methods. The Username/Password Authentication Protocol (RFC 1929) provides authenticated application-layer firewall traversal. Note that this method carries the password in the clear inside the SOCKS negotiation; it identifies the user to the firewall but does not itself protect the session that follows.

When the configuration parameters are set in the /mptn/etc/socks.env and /mptn/etc/socks.cfg files, SOCKS-aware applications invoke the SOCKS5 client. The enhancements thus provide a framework for client-server applications in both the TCP and UDP domains to use the services of a network firewall conveniently and securely.
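The exchange the SOCKS5 client and the firewall go through, as an added example that is not part of the original article or of the OS/2 product code. It implements both sides of the RFC 1928 method selection, the RFC 1929 username/password subnegotiation and a UDP ASSOCIATE request, all in memory. The credential table, the per-user policy and the relay address are constructed for the example, and nothing here reads socks.env or socks.cfg, whose syntax the article does not give.

```python
import hmac
import struct

SOCKS_VERSION = 5
METHOD_NOAUTH, METHOD_USERPASS, NO_ACCEPTABLE_METHOD = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02

# Constructed stand-ins for the firewall's user database and per-user policy.
CREDENTIALS = {"alice": b"correct horse", "bob": b"hunter2"}
POLICY = {"alice": {CMD_CONNECT, CMD_UDP_ASSOCIATE}, "bob": {CMD_CONNECT}}
UDP_RELAY = (bytes([192, 0, 2, 1]), 1080)        # assumed relay for UDP clients


def client_greeting(methods):
    """RFC 1928 section 3: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def server_select_method(greeting, required=METHOD_USERPASS):
    """Answer with the required method, or 0xFF, after which the client must close."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        return bytes([SOCKS_VERSION, NO_ACCEPTABLE_METHOD])
    offered = greeting[2:2 + greeting[1]]
    if len(offered) != greeting[1] or required not in offered:
        return bytes([SOCKS_VERSION, NO_ACCEPTABLE_METHOD])
    return bytes([SOCKS_VERSION, required])


def client_userpass(user, password):
    """RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD. The password goes in the
    clear, so this identifies the user to the firewall and nothing more."""
    u, p = user.encode("ascii"), password.encode("ascii")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def server_verify_userpass(msg):
    """Returns (reply, user). The reply is VER=1 | STATUS, 0 meaning success."""
    try:
        if msg[0] != 1:
            raise ValueError("bad subnegotiation version")
        ulen = msg[1]
        uname = msg[2:2 + ulen]
        plen = msg[2 + ulen]
        passwd = msg[3 + ulen:3 + ulen + plen]
        if len(uname) != ulen or len(passwd) != plen:
            raise ValueError("truncated message")
        user = uname.decode("ascii")
    except (IndexError, ValueError, UnicodeDecodeError):
        return bytes([1, 1]), None
    ok = user in CREDENTIALS and hmac.compare_digest(CREDENTIALS[user], passwd)
    return (bytes([1, 0]), user) if ok else (bytes([1, 1]), None)


def client_request(cmd, host, port):
    """VER | CMD | RSV | ATYP=3 | LEN | NAME | PORT. With a domain-name address
    the firewall, not the client, resolves the name."""
    name = host.encode("ascii")
    return (bytes([SOCKS_VERSION, cmd, 0, ATYP_DOMAIN, len(name)]) + name
            + struct.pack("!H", port))


def server_handle_request(req, user):
    """Apply per-user policy. Returns (reply, parsed (cmd, host, port) or None)."""
    def reply(rep, addr=b"\0\0\0\0", port=0):
        return bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + addr + struct.pack("!H", port)
    if len(req) < 7 or req[0] != SOCKS_VERSION or req[3] != ATYP_DOMAIN:
        return reply(REP_GENERAL_FAILURE), None
    cmd, name_len = req[1], req[4]
    name = req[5:5 + name_len]
    port_bytes = req[5 + name_len:7 + name_len]
    if len(name) != name_len or len(port_bytes) != 2:
        return reply(REP_GENERAL_FAILURE), None
    parsed = (cmd, name.decode("ascii", "replace"), struct.unpack("!H", port_bytes)[0])
    if cmd not in POLICY.get(user, set()):
        return reply(REP_NOT_ALLOWED), parsed
    if cmd == CMD_UDP_ASSOCIATE:      # tell the client where to send its datagrams
        return reply(REP_SUCCESS, *UDP_RELAY), parsed
    return reply(REP_SUCCESS, bytes([192, 0, 2, 1]), 40001), parsed   # constructed BND


def run_exchange(user, password, cmd, host, port):
    """Both sides of the negotiation in memory. Returns the REP code the client
    sees, or None if the negotiation ended before a request could be sent."""
    selection = server_select_method(client_greeting([METHOD_NOAUTH, METHOD_USERPASS]))
    if selection[1] != METHOD_USERPASS:
        return None
    status, who = server_verify_userpass(client_userpass(user, password))
    if status[1] != 0:
        return None
    rep, _ = server_handle_request(client_request(cmd, host, port), who)
    return rep[1]
```

The server never accepts the no-authentication method when it is configured to require username/password, and the per-user policy is what lets the firewall grant UDP ASSOCIATE to some users and CONNECT only to others, which is the TCP-plus-UDP coverage the text describes. A user whose password fails never reaches the request stage at all.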

Management and usability enhancements
The TCP/IP updates include several management and usability enhancements.

Simplified debugging
The TIME SERVER (TIMED) on OS/2 is an application that responds to client requests for the time. It returns the time in seconds since midnight, Jan. 1, 1900, in either local time or GMT, and clients use it to calculate elapsed time. Enabling the server's trace flag generates a log file that records the number of requests sent to the server by each client. Tracing can be enabled and disabled, and the trace parameters updated, with an executable supplied alongside the TIME SERVER, without stopping and restarting the server.

Track and restart your file transfer at the point of interruption
The FTP-PM client provides restart support through a GUI. This gives the user visual feedback about the status of the transfer and an option to restart the last interrupted transfer. The restart option is useful over a slow link or after a broken file transfer connection: starting over adds delay and another chance of failure, whereas restarting from the point of failure makes use of the data that has already been transferred.

The KeepDate function of command line ftp has been incorporated as an option so, at the time of transfer, the user can choose to preserve the original file time stamp. This helps a user track the status of remote files and know when changes have been made. To update the local file set with only the latest changed files, enable the KeepDate option and transfer the files.

To help TCP/IP programmers use the new APIs in customized file transfer applications, three new API calls were added to FTPAPI.DLL. These are the FTPRESTART, FTPSIZE and KEEP_FILE_DATE calls.

Broad management capabilities
A Preboot eXecution Environment (PXE) client is a workstation whose network card carries a PXE BIOS. The DHCP server sends the PXE client information about the image server; the PXE client then contacts the Boot Image Negotiation Layer (BINL) server and retrieves the boot image through TFTP. The BINL server works in conjunction with the DHCP server and provides the mechanism for negotiating the boot image. The server supports both LSA-1 and LSA-2 clients. Note that neither DHCP nor TFTP authenticates the server to the client, so a PXE client trusts whichever server answers on its segment; the boot services belong on a network segment where rogue DHCP or TFTP servers cannot appear.

Share business data across the enterprise - even remotely
The new functions in OS/2 Warp Server for e-business help extend the reach of business data by enabling it to be shared horizontally, interdepartmentally or company-wide. The Network File System (NFS) in OS/2 Warp Server for e-business provides a cost-effective way to manage information as a sharable resource. TCP/IP 4.x broadens the reach of the data by providing transparent remote access to shared files across networks. Remote Procedure Call (RPC) primitives built on top of an eXternal Data Representation (XDR) make NFS portable across different machines, operating systems, network architectures and transport protocols.

NFS employs a client-server model, where the server is the host that holds the file and the client is the application accessing the file. When creating files and directories, a client can specify access permission bits and the NFS server honors the permission bits specified by the client. NFS version 3 moves function to ring 0 and adds caching, resulting in increased client performance.

The primary function of NFSBIOD is to perform optional parallel reads and writes. All IFS calls are handled by NFSBIOD and remain in ring 0; the NFSBIOD code from version 2.0 has been moved into the IFS.

Adding caching to the NFS client increases performance. The NFS client performs:
 * Attribute Caching - File and directory attributes are cached to avoid repeated NFS_LOOKUP calls.
 * Data Caching - The file data is cached on the client side.

Java's platform-independence and remote configuration capabilities help facilitate the e-business transition. These benefits are extended to NFS, which now supports Java 1.1.7 and can be configured using the Java Configuration Application.

Web NFS servers implement semantic extensions to the NFS protocol to support a lightweight binding mechanism for conventional or Web browser clients that need to communicate with NFS servers across the Internet. A Web NFS server supports the multicomponent lookup feature.

Expanded print capabilities
An OS/2 Warp 4.0 print server and an OS/2 Warp 4.0 workstation running the line printer daemon (LPD) can now receive print jobs from a Network Computer, because OS/2 Warp Server for e-business has added streaming mode to the TCP/IP LPD print protocol. Streaming mode lets Network Computers (NCs) send jobs without the receiver having to hold the whole job: in streaming mode an entire print job does not have to be stored in memory, which avoids the memory overflows that large jobs would otherwise cause.

OS/2 Warp Server for e-business adds security to the print server (LPD) implementation on OS/2. NCs can securely access OS/2 Warp print queues because the client is authenticated both for printing and for canceling a job. When a print job arrives, LPD verifies that the print client is authorized to print to the requested print queue, and it allows the client that submitted a job to cancel it only after that client has been authenticated.

LPRPORTD, the TCP/IP LPR print protocol solution on the OS/2 platform, adds streaming mode to work with an LPD print server on a Network Computer. This lets an OS/2 Warp 4.0 print server and an OS/2 Warp 4.0 workstation running LPRPORTD send print jobs to a Network Computer. Both non-streaming and streaming modes are supported by LPRPORTD.

Summary
For a business to successfully transform into an e-business, it is essential for the company to leverage the IT infrastructure to effectively and efficiently transform how it conducts business. IBM has enhanced the already dependable OS/2 Warp Server to support a flexible and cost effective e-business transformation.

OS/2 Warp Server for e-business enhances the TCP/IP 4.1 subsystem to help provide a more robust and flexible infrastructure. System administrators will discover the following changes that can be beneficial to their network management.

 * It is now possible to install Network File System (NFS) while installing TCP/IP 4.21 rather than as a separately installed kit.
 * If the installation finds an old version of NFS, the option exists for it to be automatically upgraded.
 * The TIME SERVER is now available as part of the TCP/IP BASE and can be configured to run as one of the AUTOSTARTABLE services that automatically start at boot time.
 * The Boot Image Negotiation Layer (BINL) Server now is available as part of DHCP/DDNS.
 * Either Netscape Communicator for OS/2 or Netscape Navigator 2.02 now can be used to install TCP/IP 4.21.
 * Support for version 2.0 kits has been removed.
 * Personal Communications (PCOMM) is removed from the TCP/IP installation package.
 * Configuration applications now can run on Java 1.1.7 for OS/2.
 * Java's platform-independence and remote configuration capabilities are extended to NFS, which now can be configured using the Java Configuration Application.