Chapter 11. Networking

NetworkManager

NetworkManager has been significantly enhanced to configure and monitor all the networking features for enterprise class servers and for desktop applications.
In enterprise data centers, NetworkManager can be used for tasks such as basic network configuration, network teaming, configuring virtual LANs, bridges, bonds, IPv6, VPNs, assigning interfaces to firewall zones, and others. On desktop systems it can manage wired and wireless networks and VPNs.
NetworkManager now comes with three types of interfaces:
  • a robust CLI interface that allows users and scripts to interact with NetworkManager;
  • NetworkManager TUI that is a text-based highlight-and-select type of interface;
  • NetworkManager GUI that is more suitable for GUI desktop environments.
NetworkManager can also work side by side with initscripts if the system administrators prefer a mixed environment. NetworkManager also has full support for D-Bus as well as OpenLMI interfaces.

Networking Team Driver

In the past, the bonding driver was used for all types of link aggregation, which created various challenges. Network Teaming has been introduced as an alternative to bonding for link aggregation. The Team driver offers performance and flexibility improvements. Unlike with bonding, the control and management interface is located in user space and the fast data path is in kernel space. The Team driver supports all of the features supported by the bonding driver. A migration tool, bond2team, to assist with migration from bonding to teaming is also available.

Precision Time Protocol

Precision Time Protocol, or PTP, as defined in the IEEE 1588 standard, is fully supported in Red Hat Enterprise Linux 7. PTP can be used for precisely synchronizing distributed system clocks. It is capable of achieving clock accuracy in the sub-microsecond range when used in conjunction with PTP-enabled hardware devices. When used in combination with ntpd or chrony, it can be used to accurately synchronize time from the host to virtual machines. PTP also has the capability to use clock signals from GPS satellites, thus providing the same exact sub-microsecond accuracy across the globe.

chrony Suite

The chrony suite of utilities is available to update the system clock on systems that do not fit into the conventional permanently networked, always-on, dedicated server category. The chrony suite should be considered for all systems that are frequently suspended or otherwise intermittently disconnected from and reconnected to a network, mobile and virtual systems for example.

Dynamic Firewall Daemon, firewalld Suite

Red Hat Enterprise Linux 7 includes the dynamic firewall daemon, firewalld, which provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.

DNSSEC

DNSSEC (Domain Name System Security Extensions) is a set of extensions to DNS that allows clients to verify the origin authentication of DNS data, authenticated denial of existence, and data integrity. DNSSEC prevents man-in-the-middle attacks, in which an attacker actively eavesdrops on or intercepts the communication between two systems.

DDoS Protection

Distributed Denial of Service (DDoS) attacks are increasing and becoming commonplace as more and more products and services depend on delivering services over the Internet. The SYNPROXY module is designed to protect the system against common SYN floods and ACK floods, but can also be adjusted to protect against SYN-ACK floods. The SYNPROXY module filters out spurious SYN-ACK and ACK packets before they reach the lock of the socket in the "listen" state.
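The following script is an added example (not from the release notes) that ties the two preceding sections together: it assigns an interface to a firewalld zone, keeping the runtime and permanent configurations in step, and then fronts a listening TCP port with SYNPROXY through firewalld's direct-rule interface. The interface name, zone and port are assumptions; set DRY_RUN=1 to print the plan instead of applying it, which is also what the self-check below does.

```shell
#!/bin/sh
# Added example: firewalld zone assignment plus SYNPROXY via direct rules.
# IFACE, ZONE and PORT are assumed values; applying needs root.
IFACE="${IFACE:-eth0}"       # assumed interface name
ZONE="${ZONE:-public}"       # assumed zone
PORT="${PORT:-80}"           # assumed service port
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewalld keeps runtime and permanent configuration apart: the call without
# --permanent changes only the running firewall and is lost on reload, the
# call with --permanent changes only the saved configuration used at the next
# reload or boot. Issuing both keeps the two views identical.
assign_zone() {
    run firewall-cmd --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --permanent --zone="$ZONE" --change-interface="$IFACE"
    run firewall-cmd --zone="$ZONE" --add-port="$PORT"/tcp
    run firewall-cmd --permanent --zone="$ZONE" --add-port="$PORT"/tcp
}

# SYNPROXY needs three pieces, in this order:
#  1. raw/PREROUTING: exclude SYNs for the port from connection tracking
#     (--notrack), so a flood of half-open handshakes allocates no conntrack
#     entries.
#  2. filter/INPUT: hand UNTRACKED and INVALID packets for the port to the
#     SYNPROXY target. It answers each SYN with a SYN cookie and only completes
#     a handshake towards the real listener once a client's ACK validates.
#  3. filter/INPUT: drop what is still INVALID (spoofed ACK and SYN-ACK floods).
# nf_conntrack_tcp_loose=0 stops mid-stream ACKs from creating conntrack state
# behind SYNPROXY's back; syncookies and timestamps must be on for the cookies.
synproxy_rules() {
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_timestamps=1
    run firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 \
        -i "$IFACE" -p tcp --syn --dport "$PORT" -j CT --notrack
    run firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \
        -i "$IFACE" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    run firewall-cmd --direct --add-rule ipv4 filter INPUT 1 \
        -i "$IFACE" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID -j DROP
}

# Emit the complete plan without touching the system (runs in a subshell so
# the DRY_RUN override does not leak out).
plan() (
    DRY_RUN=1
    assign_zone
    synproxy_rules
)
```

Direct rules bypass the zone model, so they are the right place for a rule that must sit in the raw table before connection tracking; the SYNPROXY parameters (window scale, MSS, SACK, timestamps) should match what the protected listener would itself advertise, since the proxy answers the handshake on its behalf.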

Support for 40 Gigabit NICs

Red Hat Enterprise Linux 7 supports 40 Gigabit network interface controllers (NICs) from multiple hardware partners. This provides support for 40 Gigabit Ethernet link speeds, enabling faster network communication for applications and systems. Note that the ethtool utility reports interface link speeds up to 40 Gb/s.

WiGig 60 GHz Band (IEEE 802.11ad)

WiGig allows devices to communicate wirelessly at multi-gigabit speeds (up to 7 Gbps). This is nearly 50 times faster than the rates defined in the IEEE 802.11n wireless networking standard.

Network Namespaces

Network namespaces provide lightweight container-based virtualization that allows a virtual network stack to be associated with a process group. A namespace is an isolated copy of the networking data structures, such as the interface list, sockets, routing table, the /proc/net/ directory, port numbers, and so on. Network namespaces are managed through the ip utility (sometimes also referred to as iproute2), namely by the ip netns command.
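The following script is an added example, not part of the release notes, showing the ip netns workflow the paragraph refers to: it creates a namespace, connects it to the host with a veth pair, and lists the interfaces and routes visible inside it to show that the namespace has its own copies of both. The namespace name, interface names and addresses are constructed; applying it needs root, and DRY_RUN=1 prints the plan instead.

```shell
#!/bin/sh
# Added example: an isolated network namespace joined to the host by a veth
# pair. All names and addresses below are constructed for the example.
NS="${NS:-lab}"                  # constructed namespace name
HOST_IF="${HOST_IF:-veth-host}"  # host-side end of the veth pair
NS_IF="${NS_IF:-veth-lab}"       # namespace-side end of the veth pair
HOST_IP="${HOST_IP:-10.200.0.1/24}"
NS_IP="${NS_IP:-10.200.0.2/24}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_namespace() {
    run ip netns add "$NS"
    # A fresh namespace contains only a loopback device, and it starts down.
    run ip netns exec "$NS" ip link set lo up
    # A veth pair is two ends of one virtual cable. One end stays in the
    # host's (initial) namespace; moving the other end into the new namespace
    # is what gives that namespace a network interface at all.
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    # The routing table is per namespace too: the host's default route does
    # not exist inside, so give the namespace one via the host end of the pair.
    run ip netns exec "$NS" ip route add default via "${HOST_IP%/*}"
}

# Inside the namespace only lo and the moved veth end are visible; the host's
# other interfaces, its sockets and its /proc/net entries are not.
show_isolation() {
    run ip netns exec "$NS" ip -brief link
    run ip netns exec "$NS" ip route
}

destroy_namespace() {
    # Deleting the namespace removes the veth end inside it, which also
    # destroys its peer on the host side.
    run ip netns del "$NS"
}

# Emit the complete plan without touching the system (subshell, so the
# DRY_RUN override does not leak out).
plan() (
    DRY_RUN=1
    create_namespace
    show_isolation
    destroy_namespace
)
```

Nothing in the host namespace can see sockets bound inside the namespace, and vice versa, which is why a service started with ip netns exec only becomes reachable once a route and, where needed, forwarding or NAT on the host side are configured for it.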

Trusted Network Connect

Red Hat Enterprise Linux 7 introduces the Trusted Network Connect functionality as a Technology Preview. Trusted Network Connect is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec, to integrate end point posture assessment; that is, collecting an end point's system information (such as operating system configuration settings, installed packages, and others, termed integrity measurements). Trusted Network Connect verifies these measurements against network access policies before allowing the end point to access the network.

SR-IOV Functionality in the qlcnic Driver

Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported.

FreeRADIUS 3.0.1

Red Hat Enterprise Linux 7 includes FreeRADIUS version 3.0.1, which provides a number of new features, the most notable of which are the following:
  • RadSec, a protocol for transporting RADIUS datagrams over TCP and TLS;
  • YubiKey support;
  • Connection pooling. The radiusd server maintains connections to a variety of back ends (SQL, LDAP, and others). Connection pooling offers greater throughput with lower resource demands;
  • The syntax of the server's configuration programming language, unlang, has been expanded;
  • Improved support for site-specific and vendor-specific attributes;
  • Improved debugging which highlights problems in verbose output;
  • SNMP trap generation;
  • Improved WiMAX support;
  • EAP-PWD support.

OpenLMI

Red Hat Enterprise Linux 7 features the OpenLMI project, which provides a common infrastructure for the management of Linux systems. It allows users to configure, manage, and monitor hardware, operating systems, and system services. OpenLMI is intended to simplify the task of configuring and managing production servers.
OpenLMI is designed to provide a common management interface to multiple versions of Red Hat Enterprise Linux. It builds on top of existing tools, providing an abstraction layer that hides much of the complexity of the underlying system from system administrators.
OpenLMI consists of a set of system management agents installed on a managed system, an OpenLMI controller, which manages the agents and provides an interface to them, and client applications or scripts that call the system management agents through the OpenLMI controller.
OpenLMI allows users to:
  • configure, manage, and monitor bare-metal production servers as well as virtual machine guests;
  • configure, manage, and monitor local or remote systems;
  • configure, manage, and monitor storage and networks;
  • call system management functions from C/C++, Python, Java, or the command-line interface.
Please note that the OpenLMI software provider is supported as a Technology Preview. The software is fully functional; however, certain operations may consume excessive resources.
For more information about OpenLMI, see http://www.openlmi.org.