IP address management strategy
Before configuring a PPP connection profile, you should be familiar with your network IP address management strategy. This strategy influences many of the decisions throughout the configuration process including your authentication strategies, security considerations, and TCP/IP settings.
Starting in IBM® i 7.1, PPP can support both IPv4 and IPv6 addresses. A PPP connection profile can have only IPv4 enabled, only IPv6 enabled, or both IPv4 and IPv6 enabled. By default, both IPv4 and IPv6 are enabled for a PPP connection profile.
IPv4 Address Management
The IP Control Protocol (IPCP) is used to configure and enable IPv4 on both ends of a PPP link. Options related to IPCP and IPv4 address assignment are located on the TCP/IP IPv4 Settings section of a connection profile.
Originator connection profiles
Typically, the local and remote IPv4 addresses defined for an originator profile will be defined as Assigned by remote system. This enables the administrators on the remote system to have control over the IP addresses that will be used for the connection. Almost all connections to Internet service providers (ISP) will be defined this way, although many ISPs can offer fixed IP addresses for an additional fee.
If you define fixed IP addresses for either the local or remote IP address, you must be sure that the remote system is defined to accept the IP addresses you have defined. One typical application is to define your local IP address as a fixed IP address and the remote to be assigned by the remote system. The system you are connecting to can be defined the same way, so that when you connect, the two systems exchange IP addresses with each other as a way to learn the IP address of the remote system. This might be useful for one office calling another office for temporary connectivity.
Another consideration is whether you want to enable IP address masquerading. For example, if the system connects to the Internet through an ISP, this can allow an attached network behind the system to access the Internet. Basically, the system hides the IP addresses of the systems on the network behind the local IP address assigned by the ISP, thus making all IP traffic appear to be from the system. There are also additional routing considerations, both for the systems on the LAN (to ensure that their Internet traffic is sent to the system) and for the system itself, where you need to select the Add remote system as the default route box.
Receiver connection profiles
Receiver connection profiles have many more IPv4 address considerations and options than originator connection profiles do. How you configure the IP addresses depends on the IP address management plan for your network, your specific performance and functional requirements for this connection, and the security plan.
Local IP addresses
For a single receiver profile, you can define a unique IP address or use an existing local IP address on your system to identify the end of the PPP connection. For receiver profiles defined to support multiple connections at the same time, you must use an existing local IP address. If no existing local IP addresses are present, you can create a virtual IP address for this purpose.
Remote IP addresses
There are many options for assigning remote IP addresses to PPP clients. The following options can be specified on the TCP/IP page of the receiver connection profile.
Option | Description |
---|---|
Fixed IP address | You define the single IP address that is to be given to remote users when they dial in. This is a host only IP address (Subnet mask is 255.255.255.255) and is only for single connection receiver profiles. |
Address Pool | You define the starting IP address and then a range of how many additional IP addresses to define. Each user that connects will then be given a unique IP address within the defined range. This is a host only IP address (Subnet mask is 255.255.255.255) and is only for multiple connection receiver profiles. |
RADIUS | The remote IP address and its subnet mask will be determined by the RADIUS server. This is only if the following is defined: |
DHCP | The remote IP address is determined by the DHCP server directly or indirectly through DHCP relay. This is only if DHCP support has been enabled from the Remote Access Server services configuration. This is a host only IP address (Subnet mask is 255.255.255.255). |
Based on remote system's user ID | The remote IP address is determined by the user ID defined for the remote system when it is authenticated. This allows the administrator to assign different remote IP addresses (and their associated subnet masks) to the user that dials in. This also allows additional routes to be defined for each of these user IDs, so that you can tailor the environment to the known remote user. Authentication must be enabled for this function to work properly. |
Define additional IP addresses based on remote system's user ID | This option allows you to define IP addresses based on the user ID of the remote system. This option is automatically selected (and must be used) if the remote IP address assignment method is defined as Based on remote system's user ID. This option is also allowed for IP address assignment methods of Fixed IP address and Address Pool. When a remote user connects to the system, a search will be made to determine if a remote IP address is defined specifically for this user. If it is, then that IP address, mask, and set of possible routes will be used for the connection. If the user is not defined, the IP address will default to the defined Fixed IP address or the next Address Pool IP address. |
Allow remote system to define its own IP address | This option allows a remote user to define their own IP address if they negotiate to do so. If they do not negotiate to use their own IP address, the remote IP address will be determined by the defined remote IP address assignment method. This option is initially disabled and careful consideration should be used before enabling it. |
IP address routing | The dial-up client and the system must have IP address routing properly configured if the client needs access to any IP addresses on the LAN to which the system belongs. |
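The order in which the options in the table above decide a client's remote IPv4 address can be modelled in a few lines. This is an added example, not IBM i code: the `ReceiverProfile` class, its parameter names, the user IDs and the addresses are hypothetical, and it assumes the pool holds the starting address plus the stated number of additional addresses.

```python
import ipaddress


class ReceiverProfile:
    """Hypothetical model of a multiple-connection receiver profile (not IBM i code)."""

    def __init__(self, pool_start, additional, per_user=None, allow_remote_defined=False):
        start = ipaddress.IPv4Address(pool_start)
        # Assumption: the pool is the starting address plus `additional` more addresses.
        self.pool = [start + i for i in range(additional + 1)]
        self.per_user = {u: ipaddress.IPv4Address(a) for u, a in (per_user or {}).items()}
        self.allow_remote_defined = allow_remote_defined
        self.in_use = set()

    def assign(self, user_id, requested=None):
        """Return (address, source) for one authenticated incoming connection."""
        if requested is not None and self.allow_remote_defined:
            # The peer negotiated its own address and the profile permits it.
            addr, source = ipaddress.IPv4Address(requested), "remote-defined"
        elif user_id in self.per_user:
            addr, source = self.per_user[user_id], "user-id"
        else:
            free = [a for a in self.pool if a not in self.in_use]
            if not free:
                raise RuntimeError("address pool exhausted")
            addr, source = free[0], "pool"
        # Refusing duplicates is this model's own safeguard; the page does not
        # describe how the system handles an address that is already in use.
        if addr in self.in_use:
            raise RuntimeError(f"{addr} is already assigned to another connection")
        self.in_use.add(addr)
        return addr, source


if __name__ == "__main__":
    # Constructed sample values; user IDs and addresses are made up.
    strict = ReceiverProfile("10.1.1.10", 2, per_user={"branch01": "10.1.1.50"})
    print(strict.assign("alice"))                          # next pool address
    print(strict.assign("branch01"))                       # per-user definition
    print(strict.assign("bob", requested="192.168.0.9"))   # request ignored
    loose = ReceiverProfile("10.1.1.10", 2, allow_remote_defined=True)
    print(loose.assign("bob", requested="192.168.0.9"))    # peer's own address
```

Recording the `source` value alongside each assignment makes it easy to see afterwards which connections ran with an address the peer chose for itself.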
IPv6 Address Management
The IPv6 Control Protocol (IPV6CP) is used to configure and enable IPv6 on both ends of a PPP link. Options related to IPV6CP and IPv6 address assignment are located on the TCP/IP IPv6 Settings section of a connection profile.
IPv6 address assignment on a PPP link differs from IPv4 since only a 64-bit interface identifier is negotiated during PPP link establishment. Stateless address autoconfiguration is then used to automatically configure IPv6 addresses for the PPP link. The IPv6 addresses are created by combining an address prefix with the PPP link's interface identifier. A link-local IPv6 address is always created for the PPP link by combining the link-local address prefix (fe80::/10) with the PPP link's interface identifier. Additional IPv6 addresses can be generated by combining a 64-bit network prefix received in a Router Advertisement message with the PPP link's interface identifier. Additional IPv6 addresses can also be assigned to the PPP link using Dynamic Host Configuration Protocol (DHCPv6).
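How the negotiated interface identifier and a prefix combine into addresses, as an added example that is not part of the original page. The function names, the sample identifier and the documentation prefix `2001:db8:1:2::/64` are assumptions for illustration, and rejecting a zero identifier is this example's own check.

```python
import ipaddress
import secrets

LINK_LOCAL = "fe80::/64"  # link-local addresses are formed under fe80::/10 with a 64-bit prefix


def generate_interface_id() -> int:
    """Random non-zero 64-bit identifier (models the profile's Generate option)."""
    while True:
        iid = int.from_bytes(secrets.token_bytes(8), "big")
        if iid:
            return iid


def check_negotiated(local_iid: int, remote_iid: int) -> None:
    """Each side of the link needs its own identifier."""
    if local_iid == remote_iid:
        raise ValueError("both ends of the PPP link have the same interface identifier")


def combine(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join a 64-bit prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError(f"{prefix}: prefix must be 64 bits long")
    if not 0 < iid < 2**64:
        raise ValueError("interface identifier must be a non-zero 64-bit value")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_addresses(iid: int, ra_prefixes=()) -> list:
    """Link-local address first, then one address per Router Advertisement prefix."""
    return [combine(LINK_LOCAL, iid)] + [combine(p, iid) for p in ra_prefixes]


if __name__ == "__main__":
    # Constructed sample values: documentation prefix 2001:db8::/32, made-up identifiers.
    local_iid, remote_iid = 0x1A2B3C4D5E6F7081, generate_interface_id()
    check_negotiated(local_iid, remote_iid)
    for addr in link_addresses(local_iid, ["2001:db8:1:2::/64"]):
        print(addr)
```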
The IBM i TCP/IP stack implements Neighbor Discovery over PPP links in order to support stateless address autoconfiguration. There are two different scenarios for Neighbor Discovery on a PPP link.
In the first scenario, the PPP connection profile has IPv6 datagram forwarding enabled and is the server side of the link. Router Advertisement messages containing information such as a 64-bit address prefix, whether the router is a default router, and the availability of DHCPv6 services are sent over the PPP link. The client side of the link can use this information to configure IPv6 addresses.
In the second scenario, the PPP connection profile does not have IPv6 datagram forwarding enabled and is the client side of the link. Router Solicit messages are sent out over the PPP link, and information from Router Advertisement messages received in response is used to configure IPv6 addresses.
IBM i cannot be both the client and the server side of the link at the same time.
Option | Description |
---|---|
Interface identifier | A unique 64-bit interface identifier for each side of a PPP link is the only option negotiated by IPV6CP. It is recommended that the default option of Generate is selected to allow the system to create a random interface identifier for you. You can also specify an interface identifier for the link, but it is possible that a different interface identifier is negotiated by IPV6CP. |
Allow remote system to access other networks (IP forwarding) | Specifies whether IPv6 datagrams received on this link are forwarded to other networks. Enabling IPv6 datagram forwarding also enables the system to perform router functions for this link, including sending Router Advertisement messages and responding to Router Solicit messages. System-wide IP datagram forwarding is controlled by the IPDTGFWD parameter on the Change TCP/IP Attributes (CHGTCPA) command. Enabling IP forwarding allows remote access clients to access other networks this system is connected to. Disabling IP forwarding allows remote access clients to access only this server. Note: Router Advertisement messages are only sent on this link if IP forwarding is allowed. |
Address prefix | Specifies an address prefix that is included in Router Advertisement messages sent on the PPP link. The remote system combines the address prefix from the Router Advertisement with its negotiated interface identifier to create an IPv6 address for the PPP link. |
Advertise IPv6 default route | Specifies whether the system advertises a default route in Router Advertisement messages sent on this link. |
Advertise DHCPv6 | Specifies that you want to advertise that information is available through Dynamic Host Configuration Protocol (DHCPv6). When this option is selected, either the Managed address configuration or Other configuration option must be selected. This option also requires a DHCPv6 server or relay agent to be configured on the system. |
Managed address configuration | Specifies that the "Managed address configuration" flag (M flag) is set in Router Advertisement messages sent on this link. When the M flag is set, it indicates that addresses are available through Dynamic Host Configuration Protocol (DHCPv6). Note: If the Managed address configuration is selected, the Other configuration option cannot be selected because DHCPv6 returns all available configuration information. Examples of such information are DNS-related information, or information about other servers within the network. |
Other configuration | Specifies that the "Other configuration" flag (O flag) is set in Router Advertisement messages sent on this link. When the O flag is set, it indicates that other configuration information is available through Dynamic Host Configuration Protocol (DHCPv6). Examples of such information are DNS-related information, or information about other servers within the network. |
Accept a default route | Specifies whether the system accepts a default route in a Router Advertisement message received on this link. This option is only enabled if IP forwarding is not allowed. |
Define additional static routes | The dial-up client and the system must have IPv6 address routing properly configured if the client needs access to any IPv6 addresses on the LAN to which the system belongs. |