A printable plain text version is also available.
Date: Sat, 29 Jun 2002 14:05:25 -0500 (EST)
From: ImageStream Support 
Subject: (SUPPORT) Enterprise Linux 4.0.0 for routers available

Version 4.0.0 of ImageStream's Enterprise Linux is now available as a general
availability release for all ImageStream router customers.

This software release is provided at no charge to all ImageStream customers.
Version 4.0.0 is highly recommended for all customers.  VERSION 4.0.0 PROVIDES A
PATCH TO NEW VULNERABILITIES PRESENT IN PREVIOUS ENTERPRISE LINUX RELEASES.
SPECIFICALLY, A NEW VERSION OF SSH IS INCLUDED IN THIS RELEASE.

VERSION 4.0 RELEASES ARE BASED ON THE LINUX 2.4 SERIES KERNELS.  LINUX 2.4 USES
iptables AS A PRIMARY TOOL INSTEAD OF ipchains.  WHILE ipchains IS PROVIDED FOR
BACKWARDS COMPATIBILITY, ALL CUSTOMERS ARE STRONGLY ENCOURAGED TO USE iptables
WITH VERSION 4.0 RELEASES.

This release note documents commands and features added between Version
4.0-beta1 and Version 4.0.0.


----------------------------


New Features in Version 4.0


OpenSSH Upgraded To OpenSSH 3.4p1

The version of OpenSSH included in Version 4.0.0 addresses a recent security
advisory.  Version 3.4p1 included with this release patches the June 26, 2002
advisory regarding Remote Challenge Vulnerability.  This release implements
"privilege separation" by adding a non-privileged user to the router for
authentication purposes.  This minimizes the chances that an undiscovered
vulnerability could compromise routers running SSH.  While no exploits exist
currently for this vulnerability, the upgrade is highly recommended because
OpenSSH 3.4 adds checks for a class of potential bugs.


Filesystem Layout Change

Version 4.0 simplifies the filesystem layout.  All binaries are now located in
/bin. The /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and /usr/local/sbin
directories are symbolic links to /bin.  Similarly, all libraries are now in
/lib. The /usr/lib and /usr/local/lib directories are symlinks to /lib.


Menu Navigation Improved

Version 4.0 includes a new version of menuEngine.  In addition to navigation by
number in the menu, menu options are highlighted and may also be navigated by
use of the arrow keys.  The new version is also more efficient.


Removed 127-character Limit From menuEngine Commands

The version of menuEngine supplied with Version 4.0.0 supports additional
flexibility in reloading and error-checking from the router menu.  Previous
versions limited command strings to 127 characters.


kernel-modules Package Updated To Support New Hardware

Version 4.0.0 includes updated support for accelerated 100 Mbps and Gigabit
Ethernet cards.  The package also supports new token ring cards and National
Semiconductor chipset-based Gigabit Ethernet cards.


SAND Version 3.5.5 Included

ImageStream's SAND Version 3.5.5 release is included in the Version 4.0.0
release.  Version 3.5.5 includes support for GRE tunnelling. See the release
notes for Version 3.5.5 for more information about the SAND Version 3.5.5
software release.  This SAND release adds support for ATM OC-12 and token ring
interfaces.


Interface Statistics Utility Updated

Version 3.5.5 of SAND includes an updates statistics utility ("stats").  This
utility adds several new features and corrects several bugs.  See the Version
3.5.5 release notes for more information.  The stats utility supports CSU/DSU
statistics, reports link status and configuration information for 10/100
Ethernet interfaces, correctly reports bandwidth for Gigabit Ethernet
interfaces, and adds several new usability features.


router-utils Package Includes Time Configuration Utility

Version 4.0 includes a "set_time" utility available from the command line to
configure localtime for the routers.  This utility is also available from the
Configuration and Update Menu under the Global Configuration submenu.


router-utils Package Includes Serial Console Configuration Utility

Version 4.0 includes a /etc/sconsoled.conf file available from the command line
and menu to configure the serial console port for modem or terminal connections.
This utility is available from the Configuration and Update Menu under the
Service Configuration submenu.


IPSec/FreeSWan Package Added

Linux FreeSWan, the IPSec VPN package, is included in Version 4.0.  The current
version of FreeSWan also supports opportunistic encryption.


IP-Takeover Package Added

ImageStream routers can now be configured in a fault-tolerant, high availability
setup from the command line using IP-Takeover.  IP-Takeover provides less than
50 ms switchovers in the case of a primary router failure.  The failover
software is similar to other software failover implementations, such as Cisco
Systems (R) Hot Swap Router Protocol (HSRP), in that it does not provide for
switching of physical cabling. Separate, relay-based devices are required for a
full failover setup.


Quality of Service Package Updated

The bandwidth limiting front-end for quality of service has been updated in
Version 4.0.  The new bandwidth limiting script supports additional options and
interfaces directly with the command-line "tc" utility. Bandwidth limiting
commands are translated into tc commands and stored in /tmp on the router.


GateD Dynamic Routing Package Updated

The GateD dynamic routing program has been updated for Version 4.0.  The
interactive interface to gated, gii, now is only available on through a direct
connection on the router (localhost) and ipchains/iptables rules are not
required to block outside access.  The "show bgp summary" and "show bgp peeras "
commands now also reflect the number of route announcements sent to and received
from each peer.


Menu System Prompts For Reload Of Common Services

Common tasks that support reloading without stopping the service first, such as
Network Interface Configuration, now prompt users from the menu when exiting a
configuration file. Version 4.0 will no longer automatically reload these common
services.


Zebra Dynamic Routing Option Added

A package using version 0.92a of the Zebra dynamic routing software has been
added to Version 4.0.0.  The option to configure and use Zebra has been added to
the Configuration and Update menu under Dynamic Routing Configuration.  Zebra
supports BGPv4, OSPFv2, RIPv1 and RIPv2.  Zebra's BGP implementation includes
support for community strings.  gated is still available as the default dynamic
routing option for Enterprise Linux.


Hardware Status Utility Added

Version 4.0.0 includes a complete hardware health monitoring package.  Users
with newer routers with SMBus (Intel PIIX4) and I2C chipsets can now check
temperature, voltage and fan speed from the Advanced menu.


Boot Times Significantly Reduced

Version 4.0 contains an efficiency update to the router boot procedure. Routers
running Version 4.0 should boot approximately 50% faster than under previous
versions.


Base-libraries Package Updated

The version of the Base-libraries package included in Version 4.0 addresses a
vulnerability in the zlib compression library.  Although no exploits for this
issue are known to exist, this potentially serious vulnerability has been
patched in this release.


Base-networking Package Updated

The version of the Base-networking package included in Version 4.0 addresses a
buffer overflow vulnerability in the netkit utilities for ping, ftp, telnet,
in.telnetd and inetd.  Previous versions of netkit used by ImageStream are not
vulnerable, but the programs have been updated as a precaution.


net-snmp Upgraded To Version 4.2.2

The version of net-snmp included in Version 4.0 addresses multiple
vulnerabilities in trap and request handling in version 1 of SMNP. Although no
exploits for this issue are known to exist, this potentially serious
vulnerability has been patched in this release.


Backup Flash/Restore Flash Options Added To Menu

Previous Enterprise Linux versions omitted "Back configuration up to flash" and
"Restore configuration from flash" menu options.  These options were previously
available only from the command line but have been added to the menu as well in
Version 4.0.


Ethernet Transceiver Diagnostic And Setup Utility Added

Version 4.0 contains a set of utilities used to report the link status and
modify the configuration of Ethernet ports.  The MII register diagnostic utility
reports Ethernet link status as read from the MII transceiver management
registers.  A facility is also provided to force various link speeds and duplex
settings on and Ethernet port.  All 10/100 Ethernet cards, including integrated
ports, may be configured with this utility.  Valid settings include 10 or 100
Mbps, full- or half-duplex and forced or automatically negotiated
configurations.  The "setmiiregisters" script is available from the Service
configuration menu or from the router's Bash shell.


Restore Router To Factory Defaults Menu Updated

The "Restore router to factory defaults" menu now provides additional status
information and prompts users to press enter/return before returning to the
menu.  The change allows for easy confirmation that the router has been
successfully reset to the factory defaults.


----------------------------


Bugs fixed in Version 4.0


The following bugs have been fixed in Version 4.0 (including 4.0-beta releases):


Unused Libraries And Terminal Type Definitions Removed

Version 4.0.0 removes several unnecessary and unused libraries from the
distribution.  Additionally, unused terminal type definitions have been removed
from /usr/lib.  The following terminal types are supported by Enterprise Linux:
linux, vt100, vt102, vt220, ansi, ibm327x, xterm, wy50 (Wyse 50), wy60 (Wyse
60), sun, and screen.  The "unknown" default terminal type is also supported.
The removal of these libraries and terminal definitions increases the space
available for new features and user-defined programs.


Missing Quit Options Added

The Save Configuration To Flash and Revert Router To Factory Defaults menus now
have Quit options.  These options were not present in previous versions.  The
"No" option can still be used to exit the menu.


Missing Bonder Configuration Option Added To Default stats.conf File

Previous versions of Enterprise Linux did not exclude Bonder interfaces from the
non-SAND interface configuration file in /etc/stats.conf.  A "noshow" option has
been added to the default file in Version 4.0.0.  This corrects an error where
stats would not display traffic statistics for Bonder devices.


Memory Test Boot Option Updated

Version 4.0.0 updates the "Memory test" option in the router boot menu.
Selecting this option from the boot menu will load a memory testing program that
automatically examines the RAM installed in the router for any physical problems
or errors.  A thorough memory test may take several hours to complete, so this
boot option is recommended for use during maintenance windows and for routers
able to be removed from service for long periods of time.  The memory test
utility included with Version 4.0.0 has been updated to the latest available
version to support the latest memory architectures and to fix a bug in the
serial console support that affected the use of the "Memory test" boot option on
routers connected to a serial console.


Kernel Logging Program Not Started By Default

Previous Enterprise Linux versions started the system message logger (syslogd),
but not the kernel message logger (klogd) by default. Beginning with Version
4.0-beta2, klogd is also started by default.


Firewall/Packet Filtering Utility No Longer Warns About Sub-Interfaces

Version 4.0.0 eliminates a warning message generated by iptables when used on a
frame relay or ATM sub-interface.  The operation of iptables was unaffected by
this warning message.


Quality Of Service Backwards Compatibility Issue

Version 4.0-beta1 inadvertently excluded the original "bwlimit" script included
in previous versions.  Version 4.0 includes this utility for backwards
compatibility.


Workaround For Cisco IOS Bug in BGP Added to GateD

Certain versions of the Cisco IOS accept and propagate invalid routing
information.  This behavior is in violation of the BGP RFC, and causes
RFC-compliant devices, including ImageStream routers, to properly drop peering
sessions.  When affected Cisco routers are upstream of an RFC-compliant device,
this can cause a loss of connectivity for the downstream router.  ImageStream
has patched GateD to log an error and ignore invalid route announcements in
these situations.  Peering sessions will no longer be automatically terminated.


Gated Display Of "checkconf" Output At Boottime Requiring User Intervention

Gated no longer displays the output of the "checkconf" command at boottime.
Previously, incorrect configurations could cause the router to require user
input at the console to continue the boot process.  Beginning with Version
4.0-beta2, the checkconf output is no longer displayed at boottime.


Gated Menu Options Fixed

Earlier Version 4.0 releases failed to correctly reconfigure Gated after
configuration changes were made from the router menu.  The OSPF configuration
option in the router menu also failed to open the gated.ospf file.  Version
4.0-beta4 corrects these behaviors.


Various Aesthetic Changes To Menu Options

Version 4.0 fixes small typographical errors in all of the router menus, and
adds clearer descriptions of several menu items.


Console Configuration File Fixed

The console configuration file in earlier Version 4.0 releases has been replaced
with a non-binary version.  The default values used for the console control
program were not affected, but users can now reconfigure the console control
program properly.


----------------------------


Limitations and Upgrade Instructions


*** NOTE! If the upgrade fails, do NOT reboot! Contact ImageStream's Technical
Support without rebooting. ***


Limitations

Upgrading to Version 4.0 or later requires the following:

1. 64 MB of RAM or higher.
2. 32 MB of flash.
3. 300 MHz processor or better.
4. Enterprise Linux Version 2.3.2 or higher.

The upgrade utility will not install Version 4.0 if memory and flash
requirements are not met.  Users can contact ImageStream to purchase a RAM,
processor or flash upgrade.

Users running an Enterprise Linux version less than 2.3.2 must upgrade before
Version 4.0 will be available from the Update menu.  Upgrading any version prior
to 2.3.2 will automatically be upgraded to 2.3.2.  A second upgrade will be
required to install Version 4.0.

The upgrade does not otherwise affect the stored configuration in the
ImageStream router. To back up the router's configuration prior to upgrading,
choose option 4 (Backup/Restore) from the router's main menu. Choose the Backup
methods option (Option 1) and select a method from the choices listed.  From the
router's command line, use the "backup" command. The backup utility takes four
arguments: flash (to back up configurations to the router's nonvolatile flash
memory), floppy (to back up to a floppy disk), scp (to back up via secure copy),
or file (to back up to a separate file on the router's nonvolatile flash
memory).


----------------------------


Copyright and Trademarks


Copyright 2002 ImageStream Internet Solutions. All rights reserved.

ImageStream is a trademarks of ImageStream Internet Solutions, Inc.  All other
marks are the property of their respective owners.

Notices

ImageStream makes no representations or warranties with respect to the contents
or use of this document, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
ImageStream reserves the right to revise this publication and to make changes to
its content, any time, without obligation to notify any person or entity of such
revisions or changes.

Contacting ImageStream Technical Support

Every ImageStream product comes with a one year hardware and software warranty.
ImageStream provides technical support via voice, FAX, electronic mail, and the
web. Technical support is available 24 hours a day, 7 days a week.

To contact ImageStream technical support by voice, dial +1 (574) 935-8484
worldwide. By FAX, dial +1 (574) 935-8488. By electronic mail, send mail to
support@imagestream.com. Using the World Wide Web, see
http://support.imagestream.com/