3Com 86-0621-000, C36460T software manual Public-Key Infrastructure PKI Implementation

Page 10

ENTERPRISE OS SOFTWARE VERSION 11.4 RELEASE NOTES

Public-Key Infrastructure (PKI) Implementation

Applications like IP Security (IPsec) and Internet Key Exchange (IKE) employ public-key technology for such security purposes as identifying oneself to remote entities, verifying a remote entity's identity, or initiating secure communications with remote peers. Such applications require a public-key infrastructure (PKI) to securely manage public keys for widely distributed users or systems. The Enterprise OS implementation of PKI is based on the X.509 standard.

Also new is PKI Manager, a graphical management application that helps Enterprise OS devices obtain PKI certificates and Certificate Revocation Lists (CRLs) from various Certificate Authorities (CAs). PKI Manager works as a proxy between the device and the CA: it collects the certificate requests from the devices and generates the CA-specific certificate request syntax (CRS), which is then sent to the CA. After the CA issues the certificate, PKI Manager retrieves it from the CA and sends it to the Enterprise OS device. The CAs supported in this first release are Verisign and Entrust. The application is currently supported only on Windows NT. See the “Transcend VPN Application Suite” section of these release notes for more information.

Next Hop Resolution Protocol (NHRP) for Non-Broadcast, Multi-Access VPN Tunnels

Because of the Non-Broadcast, Multi-Access (NBMA) characteristics of a Point-To-Multi-Point (P2MP) VPN tunnel (also called an IP-over-IP tunnel), an IP packet must be forwarded via a routed tunnel path. These tunnel paths must be configured statically between each pair of neighbors, and all VPN traffic is allowed to flow only through the configured neighboring paths. This makes routing inefficient, since data forwarding may not always use the best route with the fewest hops. To avoid this, the user would have to go to the trouble of configuring a fully meshed VPN so that packets could be forwarded in one hop.

With the Next Hop Resolution Protocol (NHRP) implemented in 11.4, tunnels are now established dynamically. NHRP enhances the P2MP VPN tunnel by eliminating the need to statically configure each and every end-point virtual port on the device. NHRP resolves the next hop when forwarding data through tunnels, so the Enterprise OS device “automatically” discovers its shortcut path for routing without every neighboring path having to be configured manually.

IP Payload Compression Protocol (IPComp or IPPCP)

Enterprise OS software supports data compression to ease bandwidth problems. However, in previous software releases the compression mechanism was not effective when a data stream was encrypted at layer 3, since ciphertext does not compress. With 11.4, IP Payload Compression Protocol (IPComp), RFC 2393, first reduces the size of the IP datagram by compressing the data and then performs encryption, so the size of IP datagrams is reduced. This is extremely useful when IPsec encryption is applied to IP datagrams: compression of outbound IP datagrams is done before any IP security processing, and decompression of inbound IP datagrams is applied after all IP security processing is complete. In 11.4, only dynamic negotiation of the IPComp Association (IPCA) via IKE and one compression algorithm (LZS) are supported. Any negotiation of IPComp is always combined with a negotiation of ESP, AH, or both.
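As an added illustration (not 3Com code and not the Enterprise OS implementation), the following Python models the ordering described above: IPComp runs before the cipher on the way out and after it on the way in, and a payload that does not shrink is sent without an IPComp header, as RFC 2393 requires. It assumes DEFLATE (RFC 2394, CPI 2) in place of LZS, a toy XOR keystream labelled as a stand-in for ESP, a constructed key and a constructed sample payload; the function names are hypothetical.

```python
import hashlib
import zlib

IPCOMP_PROTO = 108      # IP protocol number for IPComp (RFC 2393)
CPI_DEFLATE = 2         # well-known CPI for DEFLATE (RFC 2394); stands in for LZS here
NEXT_HEADER_TCP = 6
KEY = b"constructed-demo-key"   # constructed; a real SA key would come from IKE

def esp_stand_in(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for ESP encryption (XOR with a SHA-256 counter keystream).
    Not a real cipher; it only yields high-entropy bytes. Symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def ipcomp_outbound(next_header: int, payload: bytes) -> tuple[int, bytes]:
    """Compress before any IPsec processing. Non-expansion rule (RFC 2393):
    if the payload does not shrink, send it unchanged with no IPComp header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE, no zlib wrapper
    comp = c.compress(payload) + c.flush()
    if len(comp) >= len(payload):
        return next_header, payload
    hdr = bytes([next_header, 0]) + CPI_DEFLATE.to_bytes(2, "big")  # NextHdr, Flags, CPI
    return IPCOMP_PROTO, hdr + comp

def ipcomp_inbound(proto: int, data: bytes) -> tuple[int, bytes]:
    """Decompress only after IPsec processing is complete; pass uncompressed packets through."""
    if proto != IPCOMP_PROTO:
        return proto, data
    next_header, flags, cpi = data[0], data[1], int.from_bytes(data[2:4], "big")
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    return next_header, zlib.decompressobj(-15).decompress(data[4:])

def send(payload: bytes) -> tuple[int, bytes]:
    proto, data = ipcomp_outbound(NEXT_HEADER_TCP, payload)   # 1: IPComp
    return proto, esp_stand_in(KEY, data)                      # 2: "ESP"

def receive(proto: int, wire: bytes) -> tuple[int, bytes]:
    return ipcomp_inbound(proto, esp_stand_in(KEY, wire))      # decrypt, then inflate

def bytes_saved(payload: bytes, encrypt_first: bool) -> int:
    """Bytes IPComp saves when run before the cipher (11.4 order) or after it (old order)."""
    data = esp_stand_in(KEY, payload) if encrypt_first else payload
    return len(data) - len(ipcomp_outbound(NEXT_HEADER_TCP, data)[1])

# Constructed sample payload: repetitive cleartext, so it compresses well.
PAYLOAD = b"GET /status HTTP/1.0\r\nHost: router.example\r\n" * 16
```

Compressing the ciphertext saves nothing (the non-expansion rule leaves it untouched), while compressing first saves most of the 704-byte payload.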
