Date: Mon, 23 Aug 2004 11:56:44 -0500 (EST)
From: ImageStream Support 
Subject: (SUPPORT) Enterprise Linux Version 4.2.0 for routers available

Version 4.2.0 of ImageStream's Enterprise Linux is now available as a general
availability (GA) release for all ImageStream router customers.

This software release is provided at no charge to all ImageStream customers.
Version 4.2.0 is a new major release and is highly recommended for all
customers. This new major release includes significant performance enhancements
and numerous new features.

This release note documents commands and features added between Version 4.1.11
and Version 4.2.0.


----------------------------


New Features in Version 4.2.0


Local Image-Based Router Updates Supported

Version 4.2.0 includes support for image-based updates.  Users may update using
a special Enterprise Linux image via a local TFTP, FTP, or HTTP server.
Traditional updates using an ImageStream update server are still available.
Downloadable Enterprise Linux images will be available from the ImageStream
Support Web site (http://support.imagestream.com/).


TACACS+ and RADIUS Authentication Support Added

Version 4.2.0 includes support for advanced AAA features.  Users can
authenticate router logins from a local password file as well as a remote
TACACS+ server.  Remote RADIUS authentication is also supported for advanced
users.


Router Can Filter, Prioritize Peer-To-Peer Network Traffic

Version 4.2.0 supports filtering of popular file sharing programs, including
KaZaa, Gnutella and BitTorrent.  Using an extension to the iptables firewall
utility, router administrators can identify and limit or drop peer-to-peer
networking traffic passing through the router.  The P2P filtering is CPU
friendly and should not significantly impact routing performance.  Please see
http://support.imagestream.com/Limiting_P2P_Traffic.html for a detailed example
of the configuration of this new feature.


Kernel Version 2.4.26 Added

Version 4.2.0 uses ImageStream's version of Linux kernel 2.4.26.  This kernel
supports enhanced Ethernet performance for lower latency and additional
router stability under heavy loads, more advanced firewall and quality of
service functions and numerous other smaller improvements.


Network Time Synchronization, Easier Time Zone Support Added

Routers running version 4.2.0 can set the system time, time zone and
non-volatile clock manually or by using an SNTP or NTP server.  The included
utility enables users to synchronize with a network time server automatically on
boot and at regularly scheduled intervals.


MD5 Encryption For BGP Sessions Supported

The versions of GateD and Quagga included with Version 4.2.0 support MD5
encryption for BGP sessions.  Administrators may specify an MD5 key for use with
BGP peers when required.


Packet Over SONET/SDH OC3/STM1 Card Added

Version 4.2.0 includes support for ImageStream's new Packet Over SONET/SDH
OC3/STM1 card.  Additional information about the new 1100 series card is
available at http://www.imagestream.com/PCI_1100.html


ebtables Utility Added

Version 4.2.0 includes the Linux ebtables utility.  ebtables enables
administrators to filter traffic at the MAC layer, and perform integrated
routing and bridging on a single device.


Zebra/Quagga Dynamic Routing Daemons Updated

The Zebra dynamic routing suite has been updated to Quagga version 0.96.5.
Quagga 0.96.5 is the latest release for this utility and includes numerous new
features and bug fixes compared to previous releases.  The routing suite is
backwards compatible, but users of the Zebra suite should double-check
configurations after updating to Version 4.2.0.


Quality of Service Utilities Updated

Version 4.2.0 includes new versions of ImageStream's bwinit and bwadd utilities.
These utilities enable users to easily add quality of service rules without
using the more advanced tc utility.  The new class-based configuration options
are included in the default Quality of Service file distributed with Version
4.2.0 and in the command line usage output of the bwinit and bwadd utilities.
The version of the traffic control (tc) utility in Version 4.2.0 has been
updated to support HFSC and enhanced HTB performance.


Multilink PPP Support Added to SAND

The version of SAND included with Version 4.2.0 includes support for multilink
PPP on all WAN devices.  This feature is RFC-compliant and also interoperates
with non-compliant implementations such as the one used with Cisco IOS.  Please
see http://support.imagestream.com/MPPP_Configuration.html for a detailed example
of the configuration of this new feature.


Multilink Frame Relay Support Added to SAND

The version of SAND included with Version 4.2.0 includes support for multilink
frame relay on all WAN devices.  This feature is RFC-compliant and also
interoperates with non-compliant implementations such as the one used with Cisco
IOS.  Please see http://support.imagestream.com/MFR_Configuration.html for a
detailed example of the configuration of this new feature.


PPPoE/PPPoA For DSL, ATM PVC Aggregation Added to SAND

The version of SAND included with Version 4.2.0 includes support for PPPoE/PPPoA
on all ATM devices.  This feature, commonly used with DSL
aggregation/termination, allows administrators to authenticate users using a remote
RADIUS server and assign IP addresses from RADIUS or an internal IP address
pool. Please see http://support.imagestream.com/ATM_DSL_Configuration.html for a
detailed example of the configuration of this new feature.


Support For SSL VPNs Added

Version 4.2.0 supports the use of SSL VPNs and the OpenVPN open source project.
Administrators can configure an "openvpn" tunnel mode.  SSL VPNs are widely
supported by many firewall vendors.  SSL VPNs support high encryption, NAT
traversal by default, point-to-multipoint VPNs, dynamic addressing and "road
warrior" clients.  ImageStream recommends the use of SSL VPNs instead of IPSec
because of their comparatively easy configuration and more robust features.


Cisco HDLC Keepalive Can Be Disabled

Version 4.2.0 includes the ability to disable keepalive messages in the Cisco
HDLC protocol and to change the keepalive interval.


NetFlow Probe Supports All WAN Encapsulations

The NetFlow version 5/version 9 probe included with Version 4.2.0 supports all
WAN encapsulations, including PPP, HDLC, Frame Relay, and ATM.  Previous
versions supported Ethernet encapsulations only.  The NetFlow probe can be
configured to operate on WAN devices using the same included utility present
since Version 4.1.9.


ATM VP Shaping Added

ATM interfaces in the version of SAND in Version 4.2.0 support shaping on a
per-virtual path basis.  Network administrators can configure a single aggregate
bandwidth limit for all VCIs under a particular VPI master interface.


Bridging Support Added For Bonder, MPPP, MFR Devices

Version 4.2.0 supports bridging on bonded and multilink interfaces.  Previous
versions only supported bridging on Ethernet, VLAN and unbundled WAN devices.
Version 4.2.0 allows Bonder and Multilink devices to be added to bridge groups.


Bugs fixed in Version 4.2.0


The following bugs have been fixed in Version 4.2.0:


VRRP Exits When Rebel Router Boots

Versions 4.1.9 through 4.1.11 of Enterprise Linux contained a bug that caused
VRRP sessions to fail on Rebel Routers.  The boot procedure of the Rebel Router
caused VRRP sessions to exit due to a fault in the VRRP software.  No other
routers or versions were affected.  The version of VRRP included in Version
4.2.0 properly handles the Rebel Router boot procedure.


Menu Option To Set Time Exits With Error

Version 4.1.11 contained a script error that caused the menu option to set the
router's system time to fail.  This script error only affected menu operation,
and did not affect the utility used to set the router's time, or the ability to
use this utility from the Bash shell.  The menu script error has been corrected
in Version 4.2.0.


Menu Does Not Appear When Console Is Disconnected

In previous versions of Enterprise Linux, routers equipped with a serial console
would not display the normal menu after the console had been disconnected
during an active login.  This condition occurred when a lockfile was not removed.
The lockfile prevents multiple menu sessions from being spawned within the same
login session.  This issue primarily affected Rebel Router and TransPort users,
and has been corrected in Version 4.2.0 through a change to lockfile handling.
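
The stale-lockfile condition described above, as an added example in POSIX
shell.  This is not ImageStream's menu script, and the release note does not
say how the lockfile handling was changed; the function names and lock path
are hypothetical, and the lock holder is assumed to run as the same user.

```sh
#!/bin/sh
# Added example (not ImageStream's code): stale-safe lockfile for a login menu.
# Function names and the lock path are hypothetical.

# acquire_lock FILE -> 0 if this shell now holds the lock, 1 if a live shell does.
acquire_lock() {
    lock=$1
    # noclobber (set -C) makes creation atomic: the redirect fails if FILE exists.
    if ( set -C; echo "$$" > "$lock" ) 2>/dev/null; then
        return 0
    fi
    holder=$(cat "$lock" 2>/dev/null) || holder=''
    # A lock naming a PID that no longer exists was left behind by a session
    # that died without cleanup (e.g. a dropped console): reclaim it.
    case $holder in
        ''|0*|*[!0-9]*) ;;                               # empty or corrupt: stale
        *) kill -0 "$holder" 2>/dev/null && return 1 ;;  # holder is still alive
    esac
    # Reclaim is not atomic across unrelated processes; adequate for one console.
    rm -f "$lock"
    ( set -C; echo "$$" > "$lock" ) 2>/dev/null
}

# release_lock FILE: remove the lock only if this shell owns it.
release_lock() {
    [ "$(cat "$1" 2>/dev/null)" = "$$" ] && rm -f "$1"
    return 0
}

# with_menu_lock FILE CMD...: run CMD under the lock and release it on every
# exit path, including the SIGHUP a shell receives when its terminal goes away.
with_menu_lock() {
    lock=$1; shift
    (
        acquire_lock "$lock" || exit 75        # 75 = EX_TEMPFAIL: already running
        trap 'release_lock "$lock"' EXIT
        trap 'exit 129' HUP
        trap 'exit 143' TERM
        "$@"
        exit $?
    )
}

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = demo ]; then
    with_menu_lock "${TMPDIR:-/tmp}/menu-demo.lock" echo "menu would run here"
fi
```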


Ethernet Routes Not Marked Down When Interface Is Down

Previous versions of Enterprise Linux did not mark all routes through Ethernet
devices as down when the interface went down.  Version 4.2.0 correctly follows
Ethernet status as reported by the MII registers on Ethernet and Gigabit
Ethernet cards.


Ethernet Devices Ignore Manually Configured Bandwidth Setting

Prior to Version 4.2.0, Ethernet devices would only display automatic settings
for bandwidth as reported by the MII registers.  Version 4.2.0 allows users to
manually set a different bandwidth that overrides the settings reported via MII.


Forwarded IPSec Sessions Using DNAT Rules Fail

In previous versions of Enterprise Linux, IPSec sessions forwarded through a
router using an iptables DNAT rule failed.  The router would intercept the
packets and fail to forward them to the proper destination.  Version 4.2.0
corrects this behavior, and the router will no longer intercept DNATed IPSec
packets.


Various ATM Bridging Fixes

Version 4.2.0 fixes several bridging and timer issues with ATM and SoftATM
interfaces.  As a part of the field testing for this release, Version 4.2.0 has
undergone significant, long-term stress testing of the ATM and SoftATM software.
All outstanding issues relating to interface additions, reloads and stability
have been fixed in this release.  SoftATM should be considered officially GA as
of Version 4.2.0.


/dev/null Permissions Prevent Non-Root Users From Using Device

Previous versions of Enterprise Linux set permissions on the /dev/null device in
a way that prevents non-root users from using this device.  Permissions have
been changed on this device to a more standard configuration allowing global
read, write and execute.


530 Series Cards Report Incorrect Hardware Status in E1 Mode

Previous versions of SAND reported the hardware status of 530 series cards in E1
mode as UP at all times.  The hardware status display did not change when the
status of the device changed.  The version of SAND included in 4.2.0 corrects
this display issue.  The operation of the interface was unaffected by this bug.