Date: Wed, 2 Jan 2002 16:09:55 -0500 (EST)
From: ImageStream Support
Subject: (SUPPORT) Enterprise Linux 3.0 for routers available

Version 3.0 of ImageStream's Enterprise Linux is now available as a
general release for all ImageStream router customers.

This software release is provided at no charge to all ImageStream
customers. Version 3.0 is highly recommended for all customers. VERSION
3.0 PROVIDES A PATCH TO NEW EXPLOITS PRESENT IN EARLIER SSH VERSIONS IN
PREVIOUS ENTERPRISE LINUX RELEASES.

See "Limitations and Upgrade Instructions" before upgrading.

This release note documents commands and features added between Version
2.3.5 and the Version 3.0 release.

New Features in Version 3.0

Filesystem Layout Change
Version 3.0 simplifies the filesystem layout. All binaries are now
located in /bin. The /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories are symbolic links to /bin. Similarly, all
libraries are now in /lib. The /usr/lib and /usr/local/lib directories are
symlinks to /lib.

Menu Navigation Improved
Version 3.0 includes a new version of menuEngine. In addition to
navigation by number in the menu, menu options are highlighted and may
also be navigated by use of the arrow keys. The new version is also more

SAND Version 3.31 Included
ImageStream's SAND Version 3.31 release is included in the Version
3.0 release. See the release notes for Version 3.31 for more
information about the SAND Version 3.31 software release. This SAND
release includes an updated version of stats, the real-time utility used
to monitor and report status and usage on LAN and WAN devices. The stats
program is configurable. A configuration file is located in
/etc/stats.conf. Configuration file options are:
    name            string to match against device name;
                    i.e.: Serial0 matches only Serial0
                          %s matches all interfaces
                          eth%d matches all ethernet master devices
    rename          Renames the specified device(s) to
    description     Sets the default description on the device(s) to
    bandwidth       Sets the bandwidth on the specified device(s) in bytes/sec
    encapsulation   Sets the encapsulation field on the specified device(s)
    [no] show       Instructs stats to display (or to hide, in the negative case)
                    the specified device(s)

OpenSSH Upgraded To Support SSH Version 2
The encrypted shell program, OpenSSH, included with Enterprise Linux, now
supports SSH Version 2. Version 2 is the default protocol version used in
the Version 3.0 release. SSH Version 1 contains a protocol deficiency
that makes an insertion attack difficult but theoretically possible. In
addition, the OpenSSH configuration files have been documented more
clearly, and the serverkeybits value is now set to 1024 instead of 768.

OpenSSH Upgraded To OpenSSH 3.0.2p2
The version of OpenSSH included in Version 3.0 addresses the security
advisory released on September 26, 2001 regarding a weakness in OpenSSH's
source IP based access control for SSH protocol v2 public key
authentication. This bug affects only those users using the 'from=' key
file option in combination with both RSA and DSA keys. This version also
addresses the security advisory released on December 4, 2001 regarding a
vulnerability when the "UseLogin" directive is enabled in the configuration.
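
Added example (not part of ImageStream's release note or software): a
Python check for the three sshd_config settings discussed in the two
OpenSSH items above, Protocol, ServerKeyBits and UseLogin. The sample
configuration is constructed, and the function names are this example's own.

```python
import re

# Constructed sample, not a file shipped by ImageStream: an sshd_config
# holding the older values that the release note says were changed.
SAMPLE = """\
Port 22
Protocol 2,1
ServerKeyBits 768
UseLogin yes
UseLogin no
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value; sshd keeps the first value it reads."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit(text):
    """Return findings for the three settings the release note mentions."""
    cfg = parse_sshd_config(text)
    findings = []
    protocol = cfg.get("protocol")
    if protocol is None:
        findings.append("Protocol is not set explicitly")
    elif "1" in [v.strip() for v in protocol.split(",")]:
        findings.append("Protocol still offers SSH version 1")
    bits = cfg.get("serverkeybits")
    if bits is None:
        findings.append("ServerKeyBits is not set explicitly")
    elif not bits.isdigit() or int(bits) < 1024:
        findings.append("ServerKeyBits is below 1024: " + bits)
    # Only an explicit "yes" counts; the later "UseLogin no" in SAMPLE is ignored.
    if cfg.get("uselogin", "").lower() == "yes":
        findings.append("UseLogin is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the first occurrence of a keyword wins, a corrected line appended
below an older one has no effect; the older line has to be edited or removed.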

SNMP Now Uses Net-SNMP (UCD-SNMP)
The SNMP server included in Version 3.0 is net-snmp (ucd-snmp). The
configuration file used in net-snmp (ucd-snmp) is significantly different
than the previous CMU-SNMP implementation. THEREFORE, ANY CONFIGURATION
CHANGES MADE TO THE SNMP IMPLEMENTATION WILL NEED TO BE RECONFIGURED.
Version 3.0 also includes a default configuration file that was not present
in the Version 3.0-beta releases.

router-utils Package Includes Time Configuration Utility
Version 3.0 includes a "set_time" utility available from the command line
to configure localtime for the routers. This utility is also available
from the Configuration and Update Menu under the Global Configuration

router-utils Package Includes Serial Console Configuration Utility
Version 3.0 includes a /etc/sconsoled.conf file available from the command
line and menu to configure the serial console port for modem or terminal
connections. This utility is available from the Configuration and Update
Menu under the Service Configuration submenu.

IPSec/FreeSWan Package Added
Linux FreeSWan, the IPSec VPN package, is included in Version 3.0. The
current version of FreeSWan also supports opportunistic encryption.

IP-Takeover Package Added
ImageStream routers can now be configured in a fault-tolerant, high
availability setup from the command line using IP-Takeover. IP-Takeover
provides less than 50 ms switchovers in the case of a primary router
failure. The failover software is similar to other software failover
implementations, such as Cisco Systems (R) Hot Swap Router Protocol
(HSRP), in that it does not provide for switching of physical cabling.
Separate, relay-based devices are required for a full failover setup.

Quality of Service Package Updated
The bandwidth limiting front-end for quality of service has been updated
in Version 3.0. The new bandwidth limiting script supports additional
options and interfaces directly with the command-line "tc" utility.
Bandwidth limiting commands are translated into tc commands and stored in
/tmp on the router.

GateD Dynamic Routing Package Updated
The GateD dynamic routing program has been updated for Version 3.0. The
interactive interface to gated, gii, is now available only through a
direct connection on the router (localhost), and ipchains/iptables rules
are not required to block outside access. The "show bgp summary" and
"show bgp peeras " commands now also reflect the number of
route announcements sent to and received from each peer.

Bugs fixed in Version 3.0

The following bugs have been fixed in Version 3.0 (including 3.0-beta

ipchains REJECT Rules Functionality
Due to a kernel configuration error, Version 3.0-beta1 did not support
ipchains REJECT rules. ipchains DENY rules work in both beta versions.
All valid ipchains commands, including ipchains REJECT rules, are
functional in beta2.

Kernel Logging Program Not Started By Default
Previous Enterprise Linux versions started the system message logger
(syslogd), but not the kernel message logger (klogd) by default.
Beginning with Version 3.0-beta2, klogd is also started by default.

Quality Of Service Backwards Compatibility Issue
Version 3.0-beta1 inadvertently excluded the original "bwlimit" script
included in previous versions. Version 3.0-beta2 includes this utility
for backwards compatibility.

Workaround For Cisco IOS Bug in BGP Added to GateD
Certain versions of the Cisco IOS accept and propagate invalid routing
information. This behavior is in violation of the BGP RFC, and causes
RFC-compliant devices, including ImageStream routers, to properly drop
peering sessions. When affected Cisco routers are upstream of an
RFC-compliant device, this can cause a loss of connectivity for the
downstream router. ImageStream has patched GateD to log an error and
ignore invalid route announcements in these situations. Peering sessions
will no longer be automatically terminated.

Gated Display Of "checkconf" Output At Boottime Requiring User Intervention
Gated no longer displays the output of the "checkconf" command at
boottime. Previously, incorrect configurations could cause the router to
require user input at the console to continue the boot process. Beginning
with Version 3.0-beta2, the checkconf output is no longer displayed at

Display Of Duplicate Banner Messages At Login
Version 3.0-beta releases inadvertently copied /etc/issue to
/etc/issue.net resulting in duplicate banner messages at login.
Version 3.0 corrects this behavior. This behavior did not affect the
operation of the router.

Router No Longer Logs System Messages To Serial Port
Version 3.0 removes the serial port (/dev/ttyS0) from the list of devices
used by the system logger (syslogd). Logging to an unconnected serial
port can cause the system to hang waiting for the non-existent terminal

Limitations and Upgrade Instructions

*** NOTE! If the upgrade fails, do NOT reboot! Contact ImageStream's
Technical Support without rebooting. ***
Upgrading to Version 3.0 or later requires the following:
1. 64 MB of RAM or higher.
2. 32 MB of flash.
3. 300 MHz processor or better.
4. Enterprise Linux Version 2.3.2 or higher.
The upgrade utility will not install Version 3.0 if memory and flash
requirements are not met. Users can contact ImageStream to purchase a
RAM, processor or flash upgrade.
Users running an Enterprise Linux version less than 2.3.2 must upgrade
before Version 3.0 will be available from the Update menu. Any
version prior to 2.3.2 will automatically be upgraded to 2.3.2. A second
upgrade will be required to install Version 3.0.
The upgrade does not otherwise affect the stored configuration in the
ImageStream router. To back up the router's configuration prior to
upgrading, choose option 4 (Backup/Restore) from the router's main menu.
Choose the Backup methods option (Option 1) and select a method from the
choices listed. From the router's command line, use the "backup
" command. The backup utility takes four arguments: flash
(to back up configurations to the router's nonvolatile flash memory),
floppy (to back up to a floppy disk), scp (to back up via secure copy), or
file (to back up to a separate file on the router's nonvolatile flash

Copyright and Trademarks

Copyright 2002 ImageStream Internet Solutions. All rights reserved.
ImageStream is a trademark of ImageStream Internet Solutions, Inc. All
other marks are the property of their respective owners.
ImageStream makes no representations or warranties with respect to the
contents or use of this document, and specifically disclaims any express
or implied warranties of merchantability or fitness for any particular
purpose. Further, ImageStream reserves the right to revise this
publication and to make changes to its content, at any time, without
obligation to notify any person or entity of such revisions or changes.

Contacting ImageStream Technical Support

Every ImageStream product comes with a one year hardware and software
warranty. ImageStream provides technical support via voice, FAX,
electronic mail, and the web. Technical support is available 24 hours a
day, 7 days a week.
To contact ImageStream technical support by voice, dial +1 (574) 935-8484
worldwide. By FAX, dial +1 (574) 935-8488. By electronic mail, send mail
to firstname.lastname@example.org. Using the World Wide Web, see