
HP OpenVMS Systems Documentation


HP TCP/IP Services for OpenVMS
Release Notes



3.16 TCPDUMP restrictions

TCPDUMP works the same way on OpenVMS as it does on UNIX systems, with the following restrictions:

  • On UNIX systems, tcpdump sets the NIC (Network Interface Controller) into promiscuous mode and everything in the transmission is sent to tcpdump.
    On OpenVMS systems, TCPDUMP only sees the packets destined for and sent from the local host. Therefore, TCPDUMP works in copy-all mode. Because it only sees a copy of the packets that are processed by the TCP/IP kernel, TCPDUMP can natively trace only the IP, IPv6, and ARP protocols on Ethernet.
    TCPDUMP can format or filter packets that have been traced from another platform running TCPDUMP in promiscuous mode. In this case, it will process other protocols, such as DECnet.
  • Ethernet is the only supported type of NIC. Other types of NICs (such as ATM, FDDI, Token Ring, SLIP, and PPP) are not supported.
  • The -i option is not supported. On UNIX systems, this option specifies the interface that tcpdump is attached to.
    On OpenVMS systems, TCPDUMP obtains packets from the TCP/IP kernel.
  • The -p option is not supported. On UNIX systems, this option specifies that tcpdump stops working in promiscuous mode.
    On OpenVMS, TCPDUMP does not work in promiscuous mode. Therefore, this option is set by default.
  • If you are using the Ethereal software to dump IPv6 network traffic, use the following command format to write the data in the correct format:


    $ TCPDUMP -s 1500 -w filename
    
  • Only one process at a time can issue traces. This restriction applies to both TCPTRACE and TCPDUMP.

3.17 TCP/IP Management Command restrictions

The following restrictions apply to the TCP/IP management commands:

  • An IP address added to a tunnel interface cannot be seen with ifconfig. Execute netstat with -rn to view the new IP address.
  • TCP/IP Services Version 5.4 introduced failSAFE IP, which obsoletes the IP cluster alias address. Consequently, the following TCP/IP management commands are no longer supported:
    • SET INTERFACE /NOCLUSTER
    • SHOW INTERFACE /CLUSTER

    To display interface addresses, including IP cluster alias addresses, use the following TCP/IP management command:


    TCPIP> ifconfig -a 
    

    To delete a cluster alias address from the active system, use a command similar to the following:


    TCPIP> ifconfig ie0 -alias 10.10.10.1 
    

    The following TCP/IP management commands continue to be supported:
    • SET INTERFACE/CLUSTER
    • SET CONFIGURATION INTERFACE /CLUSTER
    • SET CONFIGURATION INTERFACE /NOCLUSTER
    • SHOW CONFIGURATION INTERFACE /CLUSTER
  • SET NAME_SERVICE /PATH
    This command requires the SYSNAM privilege. If you enter the command without the appropriate privilege at the process level, the command does not work and you are not notified. If you enter the command at the SYSTEM level, the command does not work and you receive an error message.
  • SET SERVICE command
    • When you modify parameters to a service, disable and re-enable the service for the modifications to take effect.
    • After a "SET SERVICE" command is used to define a new user-defined TCP service, if the same "SET SERVICE" command is entered again, the service may appear disabled and cannot be re-enabled.

For more information on TCP/IP Services management commands, refer to the HP TCP/IP Services for OpenVMS Management Command Reference guide.


Chapter 4
Corrections

This chapter describes the problems corrected in this version of TCP/IP Services.

4.1 Advanced Programming Environment problems fixed in this release

The following sections describe programming-related problems fixed in this release.

4.1.1 Buffer overflow in ntpq program

Problem:

The stack buffer overflows in the ntpq program.

Solution:

This problem is corrected in this release.

4.1.2 With PPE enabled, system crashes during shutdown

Problem:

When PPE is enabled, the system crashes during shutdown with the following message:


"SPLIPLLOW, IPL has fallen below level of owned spinlock(s)" 

Solution:

This problem is corrected in this release.

4.2 BIND Server problems fixed in this release

The following sections describe BIND server problems fixed in this release.

4.2.1 BIND server crashes on receipt of dynamic update message

Problem:

The BIND server can crash on receipt of a specific remote dynamic update message.

Solution:

This problem is fixed in this release.

4.2.2 SYSTEM-W-NOSUCHFILE and %DCL-E-INVIFNEST Errors

Problem:

TCPIP$BIND_STARTUP.COM displays the %SYSTEM-W-NOSUCHFILE and %DCL-E-INVIFNEST errors when the SYS$SHARE:SSL$LIBCRYPTO_SHR32.EXE image is not present on the system.

Solution:

This problem is fixed in this release.

4.2.3 %LIBRAR-E-LOOKUPERR error in the BIND server

Problem:

While configuring TCP/IP, using TCPIP$CONFIG, in the BIND server, the %LIBRAR-E-LOOKUPERR error is displayed. TCPIP$CONFIG incorrectly looks for LOOPBACK_DB.

Solution:

This problem has been fixed in this release.

4.2.4 BINDSETUP fails to conform to the database filename

Problem:

TCPIP$BINDSETUP fails to conform to the new BIND local host database filename.

Solution:

This problem is corrected in this release.

4.2.5 Entering CTRL/C for TCPIP SHOW HOST (/NOLOCAL) may display ACCVIO

Problem:

On OpenVMS Integrity servers, entering CTRL/C for the TCPIP SHOW HOST (/NOLOCAL) command may display an ACCVIO error within the BIND resolver.

Solution:

This problem is corrected in this release.

4.2.6 Memory usage statistics

Problem:

This release adds the ability to generate and display the memory usage statistics for the BIND Server.

Solution:

To display the memory usage statistics for the BIND Server, define the logical name as follows:


 $ DEFINE /SYSTEM TCPIP$BIND_MEMSTATS 1 

TCPIP$BIND_MEMSTATS is an existing logical name. The value does not matter, but the logical name must be defined.

Use either the rndc stats command or the TCPIP SHOW NAME /STATISTICS command to send the memory usage statistics to the file TCPIP$BIND.STATS. The memstats information will complement the server Statistics Dump information that is normally sent to the file.

4.2.7 Delay because of using "ROUTE ADD"

Problem:

There is a delay because of using the ROUTE ADD command when the BIND resolver is disabled.

Solution:

This problem is corrected in this release.

4.2.8 Resolving the local host database names

Problem:

TCPDUMP, and potentially other applications, fail to resolve the local host database names. When _SOCKADDR_LEN is not defined, a call to the getaddrinfo() function does not look in the local host database. When getaddrinfo() is called with the hints argument as NULL, the routine fails with an ACCVIO.

Solution:

This problem is corrected in this release.

4.2.9 Unexpected IPv6-looking address in the TELNET client

Problem:

The getaddrinfo() function sometimes returned AF_INET structures even when the AI_V4MAPPED flag was set. The most obvious effect was that attempting to reach an unresponsive host via TELNET caused the TELNET client to show an unexpected IPv6-looking address when displaying the Trying ... message.

Solution:

This problem is corrected in this release.

4.2.10 Specifying an invalid port number to getnameinfo()

Problem:

Specifying an invalid port number to getnameinfo() results in an ACCVIO error.

Solution:

This problem is corrected in this release.

4.2.11 NI_* flag values for getnameinfo()

Problem:

The getnameinfo() NI_* flag values were improperly changed for V5.6 when updating to the BIND 9 resolver. Changing these values broke applications that were built on pre-V5.6 versions of TCP/IP Services for OpenVMS.

Solution:

The NI_* flag values for the getnameinfo() function were improperly changed with the V5.6 release. This would cause any applications using the NI_* flag values that were built against pre-V5.6 TCP/IP versions not to run as expected on TCP/IP V5.6. This problem has been corrected, and the flag values have been returned to their pre-V5.6 definitions. Note that any applications using the NI_* flag values that were built against V5.6 will no longer execute properly on V5.6 ECO1 or later. These applications must be rebuilt.

4.2.12 TCPIP$SYSTEM:HOSTS.DAT ASCII file

Problem:

The undocumented TCPIP$SYSTEM:HOSTS.DAT ASCII file is still provided during TCP/IP installation, but the file is no longer used by the BIND resolver.

Solution:

This problem is corrected in this release.

4.2.13 Query IDs

Problem:

Query IDs generated by the DNS server are vulnerable to cryptographic analysis.

Solution:

This problem is corrected in this release.

4.2.14 BIND cluster-wide startup and shutdown command procedures

Problem:

BIND cluster-wide startup and shutdown command procedures are generated with embedded physical device names, requiring extra effort upon changing to a new system disk.

Solution:

This problem is corrected in this release.

4.2.15 BIND9 Resolver aborts

Problem:

The BIND9 Resolver aborts when multiple threads call getaddrinfo simultaneously, although RFC 3493 describes getaddrinfo as a thread-safe or re-entrant function.

Solution:

This problem is corrected in this release.

4.2.16 Spoofing and cache-poisoning attack in a BIND/DNS server

Problem:

The BIND/DNS server is vulnerable to a widely publicized spoofing and cache-poisoning attack.

Solution:

This problem is corrected in this release.

4.2.17 Spoofing and cache-poisoning attack in a UDP port

Problem:

The BIND/DNS cache server uses a fixed or an arbitrarily selected UDP port for outgoing DNS queries. This leads to UDP port spoofing and cache-poisoning attacks.

Solution:

This problem is corrected in this release.
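
The two properties behind sections 4.2.13 and 4.2.17 can be checked from observed traffic. The following is an added example, not code from HP or from BIND; the structure, flag names, sample threshold, and sample values are assumptions made for illustration. It flags a resolver whose outgoing queries always leave from one source port or whose query IDs are a plain counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One outgoing query as seen on the wire: UDP source port and DNS query ID. */
struct dns_query_obs { uint16_t src_port, query_id; };

enum {
    DNS_FIXED_PORT  = 1, /* every query left from the same source port */
    DNS_FEW_PORTS   = 2, /* fewer distinct ports than half the sample count */
    DNS_STEPPED_IDS = 4  /* query IDs advance by a constant step (mod 2^16) */
};
#define DNS_MIN_SAMPLES 8 /* assumed threshold: smaller samples report nothing */

/* Returns a mask of the flags above. 0 means "not trivially predictable";
 * it does not prove the generator behind the IDs is cryptographically sound. */
int dns_query_weakness(const struct dns_query_obs *q, size_t n)
{
    uint8_t seen[65536 / 8]; /* one bit per possible source port */
    size_t i, distinct = 0;
    int flags = 0, stepped = 1;
    if (q == NULL || n < DNS_MIN_SAMPLES)
        return 0;
    memset(seen, 0, sizeof seen);
    for (i = 0; i < n; i++) {
        uint8_t bit = (uint8_t)(1u << (q[i].src_port & 7));
        distinct += !(seen[q[i].src_port >> 3] & bit); /* first sighting? */
        seen[q[i].src_port >> 3] |= bit;
    }
    if (distinct == 1)
        flags |= DNS_FIXED_PORT;
    else if (distinct * 2 < n)
        flags |= DNS_FEW_PORTS;
    for (i = 2; i < n && stepped; i++)
        stepped = (uint16_t)(q[i].query_id - q[i - 1].query_id) ==
                  (uint16_t)(q[1].query_id - q[0].query_id);
    if (stepped)
        flags |= DNS_STEPPED_IDS;
    return flags;
}

/* Constructed samples (not real captures): one weak resolver, one sound. */
static const struct dns_query_obs sample_fixed[8] = {
    {1055, 100}, {1055, 101}, {1055, 102}, {1055, 103},
    {1055, 104}, {1055, 105}, {1055, 106}, {1055, 107} };
static const struct dns_query_obs sample_spread[8] = {
    {49211, 0x3a91}, {50877, 0xc004}, {61002, 0x19be}, {52340, 0x77f2},
    {58119, 0x0d25}, {63450, 0xe8a3}, {55008, 0x5c60}, {60733, 0xa117} };
int main(void) {
    printf("fixed: %d  spread: %d\n", dns_query_weakness(sample_fixed, 8),
           dns_query_weakness(sample_spread, 8));
    return 0;
}
```
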

4.2.18 Memory leaks in BIND Resolver functions

Problem:

The BIND Resolver functions GETNAMEINFO, GETHOSTBYNAME, GETHOSTBYADDR, GETNETBYNAME, GETNETBYADDR, GETSERVBYNAME, and GETSERVBYPORT cause memory leaks and do not close the files properly when called from a multithreaded program.

Solution:

This problem is corrected in this release.

4.2.19 GETADDRINFO with nodename as NULL fails

Problem:

getaddrinfo with nodename as NULL fails with BADHINTS: Not found in explore.

Solution:

This problem is corrected in this release.
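
The calls described in sections 4.2.8 and 4.2.19 (a NULL hints argument and a NULL nodename) are both valid under RFC 3493 and can be exercised with a short check after applying the update. This is an added example, not code from the release notes; the function name, the loopback address, and service port 23 are assumptions chosen so that the check needs no name server.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Resolve (node, service) with the given hints, then convert every result
 * back to numeric text with getnameinfo(). Returns the number of addresses
 * that round-tripped, or -1 if getaddrinfo() itself failed. */
int resolve_roundtrip(const char *node, const char *service,
                      const struct addrinfo *hints)
{
    struct addrinfo *res = NULL, *ai;
    char host[64], serv[16]; /* large enough for numeric host and port text */
    int count = 0;
    int rc = getaddrinfo(node, service, hints, &res);

    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        /* Numeric flags keep the check independent of reverse lookups. */
        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, host, sizeof host,
                        serv, sizeof serv,
                        NI_NUMERICHOST | NI_NUMERICSERV) == 0)
            count++;
    }
    freeaddrinfo(res);
    return count;
}

int main(void)
{
    struct addrinfo hints;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;

    /* 4.2.8: hints == NULL must not fault. */
    printf("NULL hints:    %d\n", resolve_roundtrip("127.0.0.1", "23", NULL));
    /* 4.2.19: nodename == NULL with a service must return the loopback. */
    printf("NULL nodename: %d\n", resolve_roundtrip(NULL, "23", &hints));
    return 0;
}
```
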

4.3 DHCP component problems fixed in this release

The following sections describe the DHCP problems fixed in this release.

4.3.1 DHCP server fails to update the DNS server correctly

Problem:

When DNS updates are enabled, the DHCP server fails to update the DNS server correctly if the netmask for the client's network differs from 255.255.255.0.

Solution:

This problem is corrected in this release.

4.3.2 RMS-E-FLK errors when running the TCPIP$$SETHOSTNAME.COM script's SET HOST and SET NOHOST commands

Problem:

The DHCP client, when run in a cluster where the TCPIP$* data files are shared between cluster members, could incur RMS-E-FLK errors when running the TCPIP$$SETHOSTNAME.COM script's SET HOST and SET NOHOST commands.

Solution:

This problem is corrected in this release.

4.3.3 DHCP server listens on all interfaces

Problem:

The OpenVMS DHCP server cannot be disabled on one or more interfaces. The server always listens on all the interfaces.

Solution:

A new logical, TCPIP$DHCP_IGNOR_IFS, is now supported to fix this problem.

4.3.4 DHCPSIGHUP command is issued twice

Problem:

The DHCPSIGHUP command is issued twice to update the DHCP Debug Level.

Solution:

This problem is corrected in this release.

4.3.5 DHCP server logs events on ignored interfaces

Problem:

DHCP server logs events on ignored interfaces. Logging events for ignored interfaces leads to huge log files.

Solution:

This problem is corrected in this release.

4.4 failSAFE IP problems fixed in this release

The following sections describe failSAFE IP problems fixed in this release.

4.4.1 failSAFE IP does not read its configuration file

Problem:

failSAFE IP does not read its configuration file if stored in the STREAM_LF format.

Solution:

This problem is corrected in this release.

4.4.2 failSAFE IP may pick the wrong interface to monitor

Problem:

In some configurations, the failSAFE IP may pick the wrong interface to monitor. This is displayed on OPCOM and in the logfile during failSAFE IP startup.

Solution:

This problem is corrected in this release.

4.4.3 If interface_list not specified, default behavior does not work

Problem:

If the interface_list is not specified, by default, all the interfaces must be monitored. One of the earlier ECO releases did not support the default behavior.

Solution:

This problem is corrected in this release.

4.4.4 IP failover sometimes loses the default route

Problem:

failSAFE IP failover sometimes loses the default route when IPv6 is configured.

Solution:

This problem is corrected in this release.

4.4.5 First static route failover

Problem:

Under certain circumstances, only the first static route reliably fails over. This is typically the default route.

Solution:

This problem is corrected in this release.

4.5 FINGER Component problems fixed in this release

The following sections describe FINGER component problems fixed in this release.

4.5.1 File access restrictions when following symbolic links

Problem:

The FINGER server does not properly enforce the file access restrictions when following symbolic links. The client is vulnerable to a format string attack.

Solution:

This problem is corrected in this release.

4.6 FTP Server and Client problems fixed in this release

The following sections describe FTP server and client problems fixed in this release.

4.6.1 OpenVMS, TCP/IP, or Non-VMS FTP client access to ODS-5 disk

Problem:

On a non-VMS FTP client, such as Windows, UNIX, or Linux, the filenames are displayed in the VMS format with the "^" characters in the filename. Also, when retrieving the filenames using the non-VMS FTP client, the filename in OpenVMS format is displayed with "^", such as file^.1^.2^.3^.4.txt. For retrieving the files and saving them on the PC, the "^" characters must not be included in the filenames.

Solution:

This problem is corrected in this release.

4.6.2 FTP client copies multiple versions of a file and places them in reverse order

Problem:

The FTP client copies multiple versions of a file and places them in reverse order.

Solution:

This problem is fixed in this release.

4.6.3 TCPIP$FTP_1 server stops communicating with the FTP child processes

Problem:

When the FTP server limit was reached and no new connections were accepted, the TCPIP$FTP_1 server stopped communicating with the FTP child processes on the system. After the limit was reached, the child processes hung waiting on a mailbox. Although the process rejected the new incoming connections, it appeared that communication was lost with the old processes.

Solution:

This problem is fixed in this release.

4.6.4 FTP server error messages

Problem:

In certain scenarios, the OpenVMS FTP server reports the following error messages:


425-Can't build data connection for ... 
425 Connect to network object rejected 

Solution:

This problem is fixed in this release.

4.6.5 Users can still FTP with FTP client disabled

Problem:

Although the FTP client is disabled, users can ftp to another system. Because FTP is a DCL command, the FTP client image can be invoked even if the FTP client service is shut down.

Solution:

This problem is corrected in this release.

4.6.6 [VMS]COPY/FTP file with multiple-dot filename does not work

Problem:

On a remote Linux or HP-UX node, if the filename starts with a dot and has multiple dots within the name, for example, .test.001, the filename is truncated. That is, the characters before the second dot are not displayed.

Solution:

This problem is corrected in this release.

4.6.7 Addition of "." to a filename

Problem:

When using FTP or $ COPY /FTP to transfer files from an OpenVMS system to a UNIX system, the FTP client adds a "." character to a filename without extension.

Solution:

This problem is corrected in this release.

4.6.8 USER command in a session that is already logged in

Problem:

The FTP server, upon receiving a USER command in a session that is already logged in, failed to return a proper error, leading to a hang.

Solution:

A message similar to the following is displayed:


"503 User SMITH, is already logged in" 

and the problem is fixed.

4.6.9 Construction of wildcarded filenames

Problem:

The FTP client does not properly construct wildcarded filenames. COPY /FTP TEST.EXE_OLD nodename"username password"::*.EXE creates a file named "_.EXE" on the remote system. Also, COPY /FTP TEST.EXE_OLD nodename"username password"::FILE.* creates a file named "FILE._" on the remote system.

Solution:

The FTP client properly constructs the wildcarded filenames.

4.6.10 "expanded" rooted logical name syntax

Problem:

FTP does not understand the "expanded" rooted logical name syntax.

Solution:

This problem is corrected in this release.

4.6.11 FTP server terminates when there are many connections and disconnections

Problem:

The FTP server terminates with an ACCVIO error when there are many connections and disconnections. The FTP server also displays an error message that is similar to the following:


session connection from 127.124.172.114 at 11-JAN-2007 18:42:08.42 
 %SYSTEM-F-NOSLOT, no PCB available 
 %TCPIP-E-FTP_CREPRC, failed to create a child process 

Solution:

This problem is corrected in this release.

4.6.12 DIRECTORY /FTP command fails to return failure status

Problem:

The DIRECTORY /FTP command fails to return a failure status, even when the target file does not exist.

Solution:

This problem is corrected in this release.

4.6.13 Entries made in TCPIP$ETC:IPNODES.DAT are not read

Problem:

Entries made in the TCPIP$ETC:IPNODES.DAT file are not read by the FTP client.

Solution:

This problem is corrected in this release.

4.6.14 FTP client echoes the keyboard input associated with ACCT

Problem:

The OpenVMS FTP client echoes the keyboard input associated with the Account (ACCT) command. Because some FTP servers use the "account" as a secondary password, this raised security concerns.

Solution:

This problem is corrected in this release.

4.6.15 GET /FDL and COPY /FTP/FDL commands may fail

Problem:

Because of a nonexistent owner on the destination system, the GET /FDL and COPY /FTP/FDL commands may fail. The original owner must be omitted or ignored.

Solution:

This problem is corrected in this release.

