Enterprise OS Software Version 11.4 Release Notes
Public-Key Infrastructure (PKI) Implementation
Applications such as IP Security (IPsec) and Internet Key Exchange (IKE) use public-key technology for security purposes such as identifying oneself to remote entities, verifying a remote entity's identity, or initiating secure communications with remote peers. Such applications require a public-key infrastructure (PKI) to securely manage public keys for widely distributed users or systems. The PKI implementation is based on the X.509 standard.
Also new is PKI Manager, a graphical management application that helps Enterprise OS devices obtain PKI certificates and Certificate Revocation Lists (CRLs) from various Certificate Authorities (CAs). PKI Manager works as a proxy between the device and the CA: it collects the certificate requests from the devices and generates the CA-specific certificate request syntax (CRS), which is then sent to the CA. After the CA issues the certificate, PKI Manager retrieves it from the CA and sends it to the Enterprise OS device. The CAs supported in this first release are Verisign and Entrust. The application is currently supported only on Windows NT. See the “Transcend VPN Application Suite” section of this release note for more information.
Next Hop Resolution Protocol (NHRP) for VPN Tunnels
Because of the Non-Broadcast, Multi-Access (NBMA) characteristics of a Point-To-Multi-Point (P2MP) VPN tunnel (also called an IP-over-IP tunnel), an IP packet must be forwarded along a routed tunnel path. These tunnel paths must be configured statically between each pair of neighbors, and all VPN traffic is allowed to flow only through the configured neighboring paths. This makes routing inefficient, since data forwarding may not always use the best route with the fewest hops. To solve this, the user previously had to go to the trouble of configuring a fully meshed VPN so that packets could be forwarded in one hop.
With the Next Hop Resolution Protocol (NHRP) implemented in 11.4, tunnels are now established dynamically. NHRP enhances the P2MP VPN tunnel by eliminating the need to statically configure each and every end-point virtual port on the device. NHRP resolves the next hop when forwarding data through tunnels, so the Enterprise OS device “automatically” discovers its shortcut path for routing, without having to manually configure every neighboring path.
IP Payload Compression Protocol (IPComp or IPPCP)
Enterprise OS software supports data compression to ease bandwidth problems. However, in previous software releases the compression mechanism was not effective when a data stream was encrypted at layer 3, because encrypted data does not compress. With 11.4, the IP Payload Compression Protocol (IPComp), RFC 2393, is used to first reduce the size of the IP datagram by compressing the data and then to perform encryption, which reduces the size of IP datagrams. This is extremely useful when IPsec encryption is applied to IP datagrams, since compression of outbound IP datagrams is done before any IP security processing, and decompression of inbound IP datagrams is applied after all IP security processing has completed. For 11.4, only dynamic negotiation of the IPComp Association (IPCA) via IKE and one compression algorithm (LZS) are supported. Any negotiation of IPComp is always combined with a negotiation of ESP, AH, or both.
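As an added illustration (not from the release note or the Enterprise OS software), the following Python models the ordering described above: outbound compression before encryption, inbound decompression after decryption, and the RFC 2393 rule that a datagram which does not get smaller is sent without an IPComp header. Assumptions: raw DEFLATE (RFC 2394) stands in for LZS, which the standard library lacks, and a SHA-256 counter keystream stands in for ESP encryption; the sample payloads are constructed.

```python
import hashlib
import struct
import zlib

# RFC 2393 IPComp header: Next Header, Flags (zero), Compression Parameter Index.
IPCOMP_HDR = struct.Struct("!BBH")
PROTO_IPCOMP, PROTO_TCP = 108, 6   # IP protocol numbers
CPI_DEFLATE = 2                    # well-known CPI; LZS (the page's algorithm) is 3

def ipcomp_out(payload: bytes, next_hdr: int = PROTO_TCP):
    """Outbound IPComp, run before any IPsec processing. Returns (protocol, body)."""
    c = zlib.compressobj(wbits=-15)            # raw DEFLATE, no zlib wrapper (RFC 2394)
    comp = c.compress(payload) + c.flush()
    if IPCOMP_HDR.size + len(comp) >= len(payload):
        return next_hdr, payload               # no gain: RFC 2393 says send it uncompressed
    return PROTO_IPCOMP, IPCOMP_HDR.pack(next_hdr, 0, CPI_DEFLATE) + comp

def ipcomp_in(proto: int, body: bytes):
    """Inbound IPComp, run after IPsec has decrypted/authenticated the datagram."""
    if proto != PROTO_IPCOMP:
        return proto, body                     # datagram was sent uncompressed
    next_hdr, flags, cpi = IPCOMP_HDR.unpack_from(body)
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    return next_hdr, zlib.decompress(body[IPCOMP_HDR.size:], wbits=-15)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP confidentiality (SHA-256 counter keystream); demo only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("!Q", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send(payload: bytes, key: bytes):
    """Order from the release note: compress first, then encrypt."""
    proto, body = ipcomp_out(payload)
    return proto, keystream_xor(key, body)

def recv(proto: int, wire: bytes, key: bytes):
    """Inbound order: decrypt first, then decompress."""
    return ipcomp_in(proto, keystream_xor(key, wire))

def wire_sizes(payload: bytes, key: bytes):
    """Sizes in bytes: (compress-then-encrypt, encrypt-then-compress, original)."""
    good = send(payload, key)[1]
    c = zlib.compressobj(wbits=-15)
    bad = c.compress(keystream_xor(key, payload)) + c.flush()   # the pre-11.4 situation
    return len(good), len(bad), len(payload)
```

With a repetitive payload, compress-then-encrypt shrinks the datagram while compressing the ciphertext gains nothing; an incompressible payload passes through with its original protocol number and no IPComp header.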