3Com 86-0621-000, C36460T software manual: Public-Key Infrastructure (PKI) Implementation
ENTERPRISE OS SOFTWARE VERSION 11.4 RELEASE NOTES

Public-Key Infrastructure (PKI) Implementation

Applications like IP Security (IPsec) and Internet Key Exchange (IKE) employ public-key technology for such security purposes as identifying oneself to remote entities, verifying a remote entity's identity, or initiating secure communications with remote peers. Such applications require a public-key infrastructure (PKI) to securely manage public keys for widely-distributed users or systems. The implementation of PKI is based on the X.509 standard.

Also new is PKI Manager, a graphical management application that helps Enterprise OS devices obtain PKI certificates and Certificate Revocation Lists (CRLs) from various Certificate Authorities (CAs). PKI Manager works as a proxy between the device and the CA. It collects the certificate requests from the devices and generates the CA-specific certificate request syntax (CRS), which is then sent to the CA. After the CA issues the certificate, PKI Manager retrieves it from the CA and sends it to the Enterprise OS device. The CAs supported in this first release are Verisign and Entrust. The application is currently supported only on Windows NT. See the “Transcend VPN Application Suite” section of this release note for more information.

Next Hop Resolution Protocol (NHRP) for Non-Broadcast, Multi-Access VPN Tunnels

Because a Point-To-Multi-Point (P2MP) VPN tunnel (also called an IP-Over-IP tunnel) has Non-Broadcast, Multi-Access (NBMA) characteristics, an IP packet must be forwarded via a routed tunnel path. These tunnel paths must be configured statically between each pair of neighbors, and all VPN traffic is allowed to flow only through the configured neighboring paths. This makes routing inefficient, since data forwarding may not always use the route with the fewest hops. To avoid this, the user would have to go to the trouble of configuring a fully-meshed VPN so that packets could be forwarded in one hop.

With the Next Hop Resolution Protocol (NHRP) implemented in 11.4, tunnels are now established dynamically. NHRP enhances the Point-To-Multi-Point (P2MP) VPN tunnel by eliminating the need to statically configure each and every end-point virtual port on the device. NHRP resolves the next hop when forwarding data through tunnels, so the Enterprise OS device “automatically” discovers its shortcut path for routing without every neighboring path having to be configured manually.

IP Payload Compression Protocol (IPComp or IPPCP)

Enterprise OS software supports data compression to ease bandwidth problems. However, in previous software releases the compression mechanism was not effective when a data stream was encrypted at layer 3, because encrypted data does not compress. With 11.4, the IP Payload Compression Protocol (IPComp), RFC 2393, is used to first reduce the size of the IP datagram by compressing the data and only then perform encryption, so the size of IP datagrams is reduced even when encryption is applied. This is extremely useful when IPsec encryption is applied to IP datagrams, since compression of outbound IP datagrams is done before any IP security processing, and decompression of inbound IP datagrams is applied after all IP security processing has completed. Only dynamic negotiation of the IPComp Association (IPCA) via IKE and one compression algorithm (LZS) are supported in 11.4. Any negotiation of IPComp is always combined with a negotiation of ESP, AH, or both.
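The ordering described above (compress on the way out before security processing, decompress on the way in after it) is the whole point of IPComp, and the reason the older approach failed is that ciphertext has no redundancy left to compress. The following added example is not 3Com code and does not model Enterprise OS; it is a small Python model of the RFC 2393 data path. It uses zlib's DEFLATE (well-known CPI 2, RFC 2394) as a stand-in for LZS (CPI 3), because DEFLATE ships with Python, and a SHA-256 counter keystream XOR as a stand-in for ESP confidentiality purely so that the payload takes on the entropy of ciphertext. The sample payload, key, and the function names are constructed for the example. It also implements the RFC 2393 rule that a datagram which would not shrink is sent in its original, uncompressed form without an IPComp header.

```python
import hashlib
import struct
import zlib

# Protocol numbers carried in the Next Header field (IANA assigned).
IPPROTO_TCP = 6
IPPROTO_IPCOMP = 108

# Well-known CPI values: 2 = DEFLATE (RFC 2394), 3 = LZS (RFC 2395). Enterprise OS
# 11.4 negotiates LZS; zlib's DEFLATE stands in here because it ships with Python.
CPI_DEFLATE = 2

# IPComp header (RFC 2393): Next Header (8 bits), Flags (8 bits, must be zero),
# Compression Parameter Index (16 bits).
IPCOMP_HEADER = struct.Struct("!BBH")


def ipcomp_outbound(payload: bytes, next_header: int) -> tuple:
    """Apply IPComp to an outbound payload before any security processing.

    Returns (next_header, data).  RFC 2393 requires that a datagram which does not
    get smaller is sent in its original, non-compressed form, so in that case no
    IPComp header is prepended and the caller's next_header passes through.
    """
    compressed = zlib.compress(payload, 9)
    header = IPCOMP_HEADER.pack(next_header, 0, CPI_DEFLATE)
    if len(header) + len(compressed) >= len(payload):
        return next_header, payload
    return IPPROTO_IPCOMP, header + compressed


def ipcomp_inbound(next_header: int, data: bytes) -> tuple:
    """Undo IPComp after all security processing has completed.

    A datagram that carries no IPComp header (next_header != 108) is passed
    through untouched.
    """
    if next_header != IPPROTO_IPCOMP:
        return next_header, data
    inner_next_header, flags, cpi = IPCOMP_HEADER.unpack(data[:IPCOMP_HEADER.size])
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    return inner_next_header, zlib.decompress(data[IPCOMP_HEADER.size:])


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for ESP confidentiality (constructed for this example).

    XOR with a SHA-256 counter keystream gives the payload the entropy of real
    ciphertext, which is all the size comparison needs.  It is not ESP and not a
    cipher to deploy; the same call both applies and removes it.
    """
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def send_compress_then_encrypt(payload: bytes, next_header: int, key: bytes) -> tuple:
    """Outbound path in the 11.4 order: IPComp first, then security processing."""
    nh, data = ipcomp_outbound(payload, next_header)
    return nh, keystream_xor(key, data)


def receive_decrypt_then_decompress(next_header: int, wire: bytes, key: bytes) -> tuple:
    """Inbound path: security processing first, then IPComp decompression."""
    return ipcomp_inbound(next_header, keystream_xor(key, wire))


def size_comparison(payload: bytes, key: bytes) -> dict:
    """Bytes on the wire for compress-then-encrypt versus compressing a stream
    that was already encrypted, which is what made the older compression
    ineffective for layer-3 encrypted traffic."""
    _, right_order = send_compress_then_encrypt(payload, IPPROTO_TCP, key)
    wrong_order = zlib.compress(keystream_xor(key, payload), 9)
    return {
        "plaintext": len(payload),
        "compress_then_encrypt": len(right_order),
        "encrypt_then_compress": len(wrong_order),
    }


# Constructed sample: a repetitive application payload, the kind that compresses well.
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept: text/html\r\n\r\n") * 40
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    print(size_comparison(SAMPLE_PAYLOAD, SAMPLE_KEY))
    nh, wire = send_compress_then_encrypt(SAMPLE_PAYLOAD, IPPROTO_TCP, SAMPLE_KEY)
    print(receive_decrypt_then_decompress(nh, wire, SAMPLE_KEY) == (IPPROTO_TCP, SAMPLE_PAYLOAD))
```

Running the module prints the three sizes: the compress-then-encrypt datagram is a small fraction of the plaintext, while compressing the already-encrypted stream produces slightly more bytes than it started with, which is why RFC 2393 also mandates the non-expansion fallback that `ipcomp_outbound` implements.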
