MultiNet V5.3 Release Notes
February 2009

This document contains a list of new features and bug fixes that have been made since MultiNet V5.2.

Revision/Update Information: This document supersedes the MultiNet V5.2-A Release Notes.

Unpublished - all rights reserved under the copyright laws of the United States.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

   Process Software, LLC
   959 Concord Street
   Framingham, MA 01701-4682 USA
   Voice: +1 508 879 6994; FAX: +1 508 879 0042
   info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

o Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

o Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

o MultiNet is a registered trademark of Process Software.

o This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

o Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

o TCPware is a registered trademark of Process Software.

o UNIX is a trademark of UNIX System Laboratories, Inc.

o All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

o Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

o Copyright ©2000, 2001, 2002, 2004 Process Software, LLC. All rights reserved. Printed in USA.
o If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.

Contents

CHAPTER 1  INTRODUCTION  1-1
  1.1  TYPOGRAPHICAL CONVENTIONS  1-1
  1.2  OBTAINING TECHNICAL SUPPORT  1-2
    1.2.1  Before Contacting Technical Support  1-3
    1.2.2  Sending Electronic Mail  1-4
    1.2.3  Calling Technical Support  1-5
    1.2.4  Contacting Technical Support by Fax  1-5
  1.3  OBTAINING ONLINE HELP  1-6
  1.4  MULTINET FREQUENTLY ASKED QUESTIONS (FAQS) LIST  1-6
  1.5  ACCESSING THE MULTINET PUBLIC MAILING LIST  1-6
  1.6  PROCESS SOFTWARE WORLD WIDE WEB SERVER  1-7
  1.7  OBTAINING SOFTWARE PATCHES OVER THE INTERNET  1-7
  1.8  DOCUMENTATION COMMENTS  1-9
  1.9  CD-ROM CONTENTS  1-9
    1.9.1  Online Documentation  1-9
      1.9.1.1  PDF Format  1-10
      1.9.1.2  Using Acrobat Reader  1-10
  1.10  NOTE CONCERNING KERBEROS V5  1-11
  1.11  NOTE CONCERNING MULTIWARE  1-11
  1.12  NOTE CONCERNING SSH  1-11
  1.13  NOTE: CONCERNING SSH SESSIONS  1-12

CHAPTER 2  CHANGES AND ENHANCEMENTS  2-1
  2.1  MULTINET V5.3 INSTALLATION NOTE  2-1
  2.2  INTRUSION PREVENTION SUBSYSTEM (IPS)  2-1
  2.3  PACKET FILTERING MODIFICATIONS  2-2
  2.4  BG PERFORMANCE IMPROVEMENTS  2-3
  2.5  BIND9 ADDITION  2-3
  2.6  DNS RESOLVER  2-3
  2.7  INTRUSION DETECTION AND PREVENTION  2-3
  2.8  FTP UPDATES  2-3
  2.9  IMAP  2-4
  2.10  IPV6 ADDITIONS  2-4
  2.11  KERNEL MODIFICATIONS  2-4
  2.12  MASTER SERVER  2-5
  2.13  NTP SERVER  2-5
  2.14  POP3 UPDATES  2-6
  2.15  SMTP UPDATES  2-6
  2.16  SNMP UPDATES  2-6
  2.17  SSH UPDATES  2-6
  2.18  UCX LIBRARY EMULATION  2-7
  2.19  FIXED PROBLEMS  2-7
    2.19.1  Bootp  2-7
    2.19.2  DHCP  2-7
    2.19.3  Finger  2-8
    2.19.4  Fontserver  2-8
    2.19.5  FTP  2-8
    2.19.6  Include/Netdb.h  2-8
    2.19.7  Kernel  2-9
    2.19.8  Master Server  2-12
    2.19.9  Named  2-13
    2.19.10  NFS  2-15
    2.19.11  NTP  2-15
    2.19.12  RPC40  2-15
    2.19.13  RTSOLD  2-15
    2.19.14  Set Arp  2-15
    2.19.15  Set Route  2-16
    2.19.16  SMTP  2-16
    2.19.17  SCP/SFTP  2-16
    2.19.18  Socket Library  2-17
    2.19.19  SSH  2-17
    2.19.20  Telnet  2-19
    2.19.21  UCXDriver  2-19
    2.19.22  UCX Library Emulation  2-19

CHAPTER 3  DOCUMENTATION UPDATES  3-1
  3.1  MULTINET V5.3  3-1
  3.2  CORRECTIONS TO THE MULTINET V5.3 DOCUMENTATION  3-1

CHAPTER 4  KNOWN BUGS/ISSUES  4-1

TABLES
  1-1  Typographical Conventions  1-1
  1-2  System Information  1-4

1 Introduction

These Release Notes describe the changes and enhancements made to the MultiNet product in version 5.3. This chapter describes conventions used in the MultiNet documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in the MultiNet V5.3 MultiNet Consolidated Distribution, refer to Chapter 2 of these Release Notes.
o For information about changes to the documentation set, refer to Chapter 3 of these Release Notes.

1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

Table 1-1  Typographical Conventions

Convention                   Example          Meaning
Angle brackets                                Represents a key on your keyboard.
Angle brackets with a slash                   Indicates that you hold down the key labeled or while simultaneously pressing another key; in this example, the A key.
Table 1-1 (Cont.)  Typographical Conventions

Convention                   Example          Meaning
Square brackets              [FULL]           Indicates optional choices; you can enter none of the choices, or as many as you like. When shown as part of an example, square brackets are actual characters you should type.
Underscore or hyphen         file_name or     Between words in commands, indicates the item is a single element.
                             file-name

1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained MultiNet from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)
o Calling Technical Support (Section 1.2.3)
o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1 Verify that your Maintenance Service Agreement is current.
2 Read the online Release Notes completely.
3 Have the following information available:
  o Your name
  o Your company name
  o Your email address
  o Your voice and fax telephone numbers
  o Your Maintenance Contract Number
  o OpenVMS architecture
  o OpenVMS version
  o MultiNet layered products and versions
4 Have complete information about your configuration, error messages that appeared, and problem specifics.
5 Be prepared to let a development engineer connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.
You can obtain information about your OpenVMS architecture, OpenVMS version, MultiNet version, and layered products with the MULTINET SHOW /LICENSE command. Execute the following command on a fully loaded system and email the output to support@process.com:

   $ MULTINET SHOW /LICENSE
   Process Software MultiNet V5.3 Rev A, VAXstation 4000-90, OpenVMS VAX V7.1

In this example:

o The machine or system architecture is VAX.
o The OpenVMS version is V7.1.
o The MultiNet version is V5.3.

Use the following table as a template to record the relevant information about your system:

Table 1-2  System Information

Required Information                     Your System Information
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture                      VAX or Alpha
OpenVMS version
MultiNet version

Please provide information about installed MultiNet applications and patch kits by sending a copy of the MULTINET:MULTINET_VERSION.; file.

1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical Support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time. For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist. Be prepared to discuss problem specifics with your Technical Support Specialist and to let that person connect to your system.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see Section 1.2.2, Sending Electronic Mail).

1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042. Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

1.3 Obtaining Online Help

Extensive information about MultiNet is provided in the MultiNet help library.
For more information, enter the following command:

   $ HELP MULTINET

1.4 MultiNet Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about MultiNet from the Process Software MultiNet home page located at http://www.process.com/techsupport/multinet_faqs.html.

1.5 Accessing the MultiNet Public Mailing List

Process Software maintains two public mailing lists for MultiNet customers:

o Info-MultiNet@process.com
o MultiNet-Announce@process.com

The Info-MultiNet@process.com mailing list is a forum for discussion among MultiNet system managers and programmers. Questions and problems regarding MultiNet can be posted for a response by any of the subscribers. To subscribe to Info-MultiNet, send a mail message with the word SUBSCRIBE in the body to Info-MultiNet-request@process.com. The information exchanged over Info-MultiNet is also available via the USENET newsgroup vmsnet.networks.tcp-ip.multinet.

You can retrieve the Info-MultiNet archives by anonymous FTP to ftp.multinet.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-MULTINET].

The MultiNet-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to MultiNet (patch releases, product releases, etc.). To subscribe to MultiNet-Announce, send a mail message with the word SUBSCRIBE in the body to MultiNet-Announce-request@process.com.
1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site, which you can access with any World Wide Web browser; the URL is http://www.process.com (select MultiNet), or use the URL http://www.process.com/techsupport/multinet.html.

1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.multinet.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

   $ MULTINET FTP/USERNAME=ANONYMOUS/PASSWORD="emailaddress" -
   _$ FTP.MULTINET.PROCESS.COM

A message welcoming you to the Process Software FTP directory appears next, followed by the FTP prompt. Enter the following at the FTP prompt:

   FTP.MULTINET.PROCESS.COM>CD [.PATCHES.MULTINETxxx]
   FTP.MULTINET.PROCESS.COM>GET update_filename

In these commands:

o emailaddress is your email address in the standard user@host format
o xxx is the version of MultiNet you want to transfer
o update_filename is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system. In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.
o If you use the GET command to download the file from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.
o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX and Alpha for decompressing ZIP archives in the [PATCHES] directory. To use ZIP format kits, you need a copy of the UNZIP utility. The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

   $ UNZIP := $SYS$DISK:[]UNZIP.EXE
   $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your MultiNet system with the software patch.

1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know. Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate.

You can send your comments by email to techpubs@process.com or mail them to:

   Process Software
   959 Concord Street
   Framingham, MA 01701-4682
   Attention: Marketing Director

You can also fax your comments to us at 508-879-0042. Your comments about our documentation are appreciated.

1.9 CD-ROM Contents

The directory structure on the CD is as follows:

   [MULTINET053]        MultiNet Kit for VAX and Alpha systems
   [MULTINET_I64053]    MultiNet Kit for Integrity Systems
   [Documentation]      PDF format (.pdf) Release Notes
   [BIND9-DOC]
   [VAX55-DECC-RTL]

1.9.1 Online Documentation

The MultiNet documentation set is available on the product CD in PDF format.
The Release Notes are available on the product CD in text format.

1.9.1.1 PDF Format

The MultiNet documentation set has the following PDF files:

o MULTINET_ADMIN_GUIDE.PDF (Installation and Administrator's Guide)
o MULTINET_ADMIN_REFERENCE.PDF (Administrator's Reference Guide)
o MULTINET_MESSAGES.PDF (Messages, Logicals, & DECnet Apps)
o MULTINET_PROGRAMMERS_REFERENCE.PDF (Programmer's Reference)
o MULTINET_USER_GUIDE.PDF (User's Guide)

The PDF format is readable from a PC, a VAX, or an Alpha system.

o Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.

PCs running the Windows or NT operating system cannot read Process Software's CD. You cannot load files from the MultiNet CD directly to a PC. Load them to your VAX or Alpha machine, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

   C:> ftp node
   ftp> binary
   ftp> mget cd:*.pdf

1.9.1.2 Using Acrobat Reader

To read the PDF files using Acrobat Reader:

1 Double click Acrobat Exchange.
2 Choose Open from the File menu.
3 Select the .pdf file you want to open.
4 Use the menu bar at the top of the screen to navigate the document, or click a Table of Contents entry (on the left) to go directly to that information.

Note: The binocular icon opens search functions. The magnifying glass icon enlarges the text and illustrations.

1.10 Note Concerning Kerberos V5

MultiNet now supports Kerberos V5 for SSH and Telnet (Alpha and Integrity only). Kerberos V5 requires Kerberos for HP OpenVMS.
VMS V8 systems are distributed with Kerberos V5, and pre-V8 systems (OpenVMS VAX V7.3 and OpenVMS AXP v7.2-3, 7.3-*) can download Kerberos V5 from the HP website. The Kerberos V5 applications can also run with any Kerberos V5 compliant Key Distribution Center (KDC) software.

1.11 Note Concerning MultiWare

If you want to continue to use MultiWare with MultiNet, do not install MultiNet V5.3 on your system. MultiWare and all MultiWare-related applications, including management/configuration functionality, have been removed. MultiWare was desupported by TGV prior to 1997.

1.12 Note Concerning SSH

You must install the DEC C 6.0 backport library on all OpenVMS VAX v5.5-2 and v6.0 systems prior to using SSH. This is the AACRT060.A file. You can find the ECO on the MultiNet CD in the following directory: VAX55_DECC_RTL.DIR.

1.13 Note: Concerning SSH Sessions

For each active SSH session, two (2) channels are used. Please adjust the CHANNELCNT parameter to account for this usage.

2 Changes and Enhancements

This chapter describes the changes and enhancements made for MultiNet V5.3.

2.1 MultiNet V5.3 Installation Note

MultiNet V5.3 installations may only be performed from a random-access device (e.g., disk or CD-ROM). If the MultiNet V5.3 installation is attempted from a sequential-access device (e.g., magtape or TKxx cartridge), the installation will fail. If the distribution savesets have been copied to a sequential-access device (for transporting them, for example), they must be copied to a disk for installation.
2.2 Intrusion Prevention Subsystem (IPS)

Components of MultiNet, including FTP, IMAP, POP3, SMTP, SNMP, SSH, and TELNET, have been instrumented to report various failures ("events"), such as invalid login attempts, to a central filter server. The filter server correlates reported events via rulesets and may implement a packet filter on an interface based on the results of the event correlation. The filter can be based either on the source address, essentially blocking all traffic of a particular protocol (e.g., IP, UDP, etc.) from a system, or on the destination address and port, blocking traffic only to that port.

Rules may be implemented such that certain source networks or addresses are excluded from event correlation, or have event correlation applied with different parameters, allowing the same rule to be applied differently, for example, to internal versus external network traffic.

An API is supplied so that MultiNet users may incorporate this event reporting into their own applications, as well as implementing the corresponding rulesets for event correlation for their applications in the filter server.

Refer to chapter 32 of the Installation and Administrator's Guide for specific details on the IPS subsystem.

2.3 Packet Filtering Modifications

Packet filtering has been updated to be IPv6-aware. When specifying a filter in a filter file, the format of the individual filter source address and mask, and destination address and mask, has changed. In previous releases, these were specified as an IPv4 address and IPv4 mask (e.g., "192.168.0.11 255.255.255.0"). This has been changed to use addresses and masks specified in CIDR (Classless Inter-Domain Routing) format (e.g., "192.168.0.11/24").
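The event correlation that section 2.2 above describes, as an added model (not MultiNet's IPS API or ruleset syntax, which the notes defer to chapter 32 of the Installation and Administrator's Guide): rules keyed by service carry a time window and threshold, excluded networks are never correlated, and per-network overrides let the same rule apply with different parameters to internal and external sources. All class names, field names and sample events are constructed for this example.

```python
# Added example (not part of the MultiNet release notes or its IPS API): a
# small model of the filter server's event-correlation step from section 2.2.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """Correlation parameters for one instrumented service (hypothetical)."""
    service: str                  # e.g. "SSH", one of the instrumented components
    window: float                 # seconds over which events from one source count
    threshold: int                # events within the window that trigger a filter
    block_by: str = "source"      # "source": all traffic from the host;
                                  # "dest_port": only traffic to that address/port
    protocol: str = "TCP"         # protocol the resulting filter applies to
    exclude: list = field(default_factory=list)    # networks never correlated
    overrides: dict = field(default_factory=dict)  # network -> (window, threshold)


@dataclass
class Event:
    """One failure report from an instrumented service (constructed data)."""
    service: str
    source: str
    dest: str
    dest_port: int
    time: float


@dataclass
class FilterAction:
    """What the filter server would ask the packet filter to block."""
    kind: str                     # "source" or "dest_port"
    address: str
    protocol: str
    port: Optional[int] = None


class FilterServer:
    """Correlates events per (service, source) inside a sliding time window."""

    def __init__(self, rules):
        self.rules = {r.service: r for r in rules}
        self.history = {}         # (service, source) -> timestamps still in window

    @staticmethod
    def _params(rule, src):
        """Return (window, threshold) for src, or None if src is excluded."""
        for net in rule.exclude:
            if src in ip_network(net):      # False for a v4/v6 family mismatch
                return None
        for net, params in rule.overrides.items():
            if src in ip_network(net):
                return params
        return rule.window, rule.threshold

    def report(self, ev):
        """Correlate one event; return a FilterAction when a threshold is hit."""
        rule = self.rules.get(ev.service)
        if rule is None:
            return None                       # no ruleset for this service
        params = self._params(rule, ip_address(ev.source))
        if params is None:
            return None                       # excluded network: never filtered
        window, threshold = params
        key = (ev.service, ev.source)
        recent = [t for t in self.history.get(key, []) if ev.time - t < window]
        recent.append(ev.time)
        self.history[key] = recent
        if len(recent) < threshold:
            return None
        self.history[key] = []                # start counting afresh after acting
        if rule.block_by == "source":
            return FilterAction("source", ev.source, rule.protocol)
        return FilterAction("dest_port", ev.dest, rule.protocol, ev.dest_port)


if __name__ == "__main__":
    server = FilterServer([Rule("SSH", window=60, threshold=3,
                                exclude=["192.168.1.0/24"],
                                overrides={"10.0.0.0/8": (60, 10)})])
    for t in (0.0, 5.0, 10.0):            # three constructed failures from outside
        print(server.report(Event("SSH", "203.0.113.5", "198.51.100.1", 22, t)))
```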
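The conversion from the old "address mask" filter notation to the CIDR "address/prefix" notation, as an added example (this is not Process Software's FILTER_CONVERT utility): it keeps the host bits as the notes' own example does, handles IPv6 masks, and flags masks that CIDR cannot express so that entries which need manual review are listed rather than dropped. Function names and sample entries are constructed.

```python
# Added example, not the FILTER_CONVERT utility from the release notes:
# converts "address mask" pairs to CIDR form and reports unconvertible masks.
from ipaddress import ip_address


def mask_to_prefix(mask: str) -> int:
    """Return the prefix length of a contiguous netmask, IPv4 or IPv6.

    Raises ValueError for a mask CIDR cannot express, such as 255.0.255.0 or
    the host mask 0.0.0.255. The check is done on the bit pattern because
    ipaddress.ip_network() would quietly accept a host mask as valid.
    """
    m = ip_address(mask)
    bits = m.max_prefixlen                   # 32 for IPv4, 128 for IPv6
    all_ones = (1 << bits) - 1
    inverted = int(m) ^ all_ones             # contiguous mask -> 2**k - 1
    if inverted & (inverted + 1):            # not of the form 2**k - 1
        raise ValueError(f"mask {mask} is not contiguous; no CIDR equivalent")
    return bits - inverted.bit_length()


def to_cidr(address: str, mask: str) -> str:
    """Convert 'address mask' to 'address/prefix', keeping the host bits.

    The notes show "192.168.0.11 255.255.255.0" becoming "192.168.0.11/24":
    the address is kept as written rather than reduced to its network.
    """
    addr = ip_address(address)
    if addr.version != ip_address(mask).version:
        raise ValueError(f"address {address} and mask {mask} differ in family")
    return f"{addr}/{mask_to_prefix(mask)}"


def convert_pairs(entries):
    """Convert a list of 'address mask' strings to CIDR form.

    Returns (converted, problems); an entry that cannot be converted is
    reported in problems with the reason instead of being dropped silently,
    so the output can be checked before it is used as a filter file.
    """
    converted, problems = [], []
    for entry in entries:
        try:
            address, mask = entry.split()
            converted.append(to_cidr(address, mask))
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return converted, problems


if __name__ == "__main__":
    sample = ["192.168.0.11 255.255.255.0",         # the example from the notes
              "2001:db8::42 ffff:ffff:ffff:ffff::",  # IPv6 pair, constructed
              "10.0.0.0 255.0.255.0"]                # non-contiguous: flagged
    print(convert_pairs(sample))
```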
This not only makes the specification of addresses and masks clearer, it also allows for the implementation of IPv6 addresses, which are substantially longer than IPv4 addresses, leading to potential problems with long filter file lines.

The FILTER_CONVERT utility is provided to convert from the old-format filter file (one which uses separate address/mask fields) to the new-format filter file (one which uses CIDR format address specification). To use this:

   $ FILTER_CONVERT :== $MULTINET:FILTER_CONVERT
   $ FILTER_CONVERT

When a filter file has been converted, the resulting output file should be checked for correctness prior to using it.

2.4 BG Performance Improvements

o Updated UCX$IPC_SHR to support VMS V8.3 with additional entry points in the order that VMS has them for V8.3. [DE 10267]
o Updated UCX$IPC_SHR to support operations with a length count of greater than 65535 bytes on VMS V8.3. [DE 10621]

2.5 BIND9 Addition

Added the RNDC-CONFGEN image to the Nameserver tool base.

2.6 DNS Resolver

The resolver can now perform its requests over IPv6 or IPv4.

2.7 Intrusion Detection and Prevention

Intrusion Detection and Prevention support has been added to FTP, IMAP, POP3, SMTP, SNMP, SSH, and TELNET.

2.8 FTP Updates

o FTP has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet. This can drastically reduce the impact from denial-of-service attacks or system break-in attempts via FTP.
o FTP has been modified to support RFC 4217 - Securing FTP with TLS.
  The new commands are:

  Authenticate - Use before the USER command to start an encrypted session.
  PROTECTION {Clear|Private} - Use to set the protection level for file transfers; the default is Clear.
  CCC - Use to set a clear communication channel after setting protection, so that firewalls and NAT devices can parse the PORT/PASV/EPRT/EPSV commands and their replies and open the appropriate ports.

  See chapter 18 of the Administrator's Guide for instructions on setting up the server for this.

o FTP user authentication can now use Process Software's VMS Authentication Module (VAM). If the logical MULTINET_FTP_VAM_AUTH_METHOD is defined, then the contents of the logical are used as the VAM authentication method if the user has the appropriate VAM_LGI_method rights identifier. If the user does not have the rights identifier, then the traditional password authentication is used.
o If the logical MULTINET_FTP_VAM_REQUIRED is defined, then traditional password authentication is not allowed for users that don't have the VAM method.
o The user must also have the FTP rights identifier. [DE 10334]

2.9 IMAP

o IMAP has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet. This can drastically reduce the impact from denial-of-service attacks or system break-in attempts via IMAP.

2.10 IPv6 Additions

IPv6 support has been added to POP3, IMAP, SMTP, Print Symbionts, Syslog, and TFTP. Packet Filtering is now IPv6 aware.

2.11 Kernel Modifications

o On VMS V8 (Integrity and Alpha), MultiNet now gets its memory from non-paged pool instead of the system free list. This change means that there are fewer times when MultiNet cannot get the memory that it needs to perform an operation.
o On Integrity, alignment faults that occurred due to Telnet sessions have been corrected.
o On Alpha and Integrity, each Ethernet interface now has its own transmit spinlock instead of using the MultiNet memory management spinlock when managing its transmit buffers. This allows multiple Ethernet interfaces to transmit concurrently and reduces contention on the MultiNet memory management spinlock.
o Ephemeral port randomization: Ephemeral ports are now allocated randomly out of the pool to improve security. [DE 10756]

2.12 Master Server

The Master Server's code for accept/reject host/net has been re-written so that it should run faster when there are a large number of entries. This rewrite should also address the problems with IPv4 addresses on services that listen on IPv6.

A multicast name responder has been added to the services (LLMNR) that will respond to both the LLMNR and mDNS protocols. MultiNet configure/network can be used to allow the system to choose one of these two protocols instead of traditional DNS. Multicast name lookup is a zero-configuration item useful for small networks.

2.13 NTP Server

o Added functionality to allow the NTP server to be configured to update time once per day. [DE 10766]
o On VMS V8, the NTP server will observe the setting of the AUTO_DLIGHT_SAV system parameter for the daylight saving time change, to prevent the time being changed by both VMS and NTP.

2.14 POP3 Updates

o POP3 has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet. This can drastically reduce the impact from denial-of-service attacks or system break-in attempts via POP3.

2.15 SMTP Updates

o SMTP has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet.
  This can drastically reduce the impact of denial-of-service attacks or system break-in attempts via SMTP.

__________________________________________________________
2.16 SNMP Updates

o SNMP has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet. This can drastically reduce the impact of denial-of-service attacks or system break-in attempts via SNMP.

__________________________________________________________
2.17 SSH Updates

o Most privileged SSH functions have been consolidated in a single installed shareable image named SSHSHR. This replaces the previous SSH_ACCPORNAM shareable image and drastically reduces the number of SSH images in, and therefore the size of, the MultiNet distribution.
o SSH has been instrumented to use the Intrusion Prevention System (IPS) subsystem in MultiNet. This can drastically reduce the impact of denial-of-service attacks or system break-in attempts via SSH.
o Support has been added to allow multiple SSHD_MASTER processes on a system. This allows different addresses to be handled by each process, with possibly different configurations for each address. As implementing this can be somewhat sensitive, users who wish to do so should contact Process Software Technical Support for details.

__________________________________________________________
2.18 UCX Library Emulation

o Added the logical MULTINET_SKIP_IPV6_LOOKUP, which can be defined to True, Yes, or 1 to cause getaddrinfo not to attempt to look up the name as an IPv6 (AAAA) name. [DE 10828]

__________________________________________________________
2.19 Fixed Problems

_____________________________
2.19.1 Bootp

o Corrected a problem with how static ARP definitions are entered into the routing tables that prevented them from being used when a lookup was done for them. This change allows BOOTP to correctly assign an address to a remote piece of hardware.
  [DE 10776]

_____________________________
2.19.2 DHCP

o A problem with the class matching logic has been corrected. [DE 10697]
o A DHCP server crash that could occur while doing dynamic updates has been corrected. [DE 10518]

_____________________________
2.19.3 Finger

o A vulnerability to an attack with a username that exceeded 32 characters in length has been corrected. [DE 10773]

_____________________________
2.19.4 Fontserver

o A build error that prevented MKFONTDIR from working on Integrity systems has been corrected. [DE 10541]

_____________________________
2.19.5 FTP

o A problem using the wrong port when opening the data connection over IPv6 connections has been corrected. This includes connections that are created using IPv4-mapped addresses. [DE 10539]
o The FTP client image has been linked with a new version of the getaddrinfo routine that will not attempt to use the name server if the MULTINET_NAMESERVERS logical does not exist. [DE 10545]
o The FTP client image now checks the logicals MULTINET_LOWERCASE_USERNAME and MULTINET_LOWERCASE_PASSWORD before changing the case of a username or password entered on the command line. If the appropriate logical is defined to NO, False, or 0 (zero), the username or password will not be converted to lowercase.

_____________________________
2.19.6 Include/Netdb.h

o Netdb.h was modified to correct the entry point references for Integrity systems. [DE 10698]

_____________________________
2.19.7 Kernel

o Modified how ARP information is maintained and retrieved for interfaces, which corrects problems with old ARP information not being deleted on PD interfaces that did not initially have an address when the interface was set down. [DE 10795]
o Added support for the QIO IO$_TTY_PORT_BUFIO | IO$M_TN_SENSEMODE to Telnet terminals for the TN$_REMOTE_ADDRESS and TN$_ACCPORNAM items.
  [DE 10808]
o Corrected a UDP buffer management problem that could cause inaccurate usage counts and dropped packets on sockets. [DE 10779]
o An IGMP data structure's initialization has been corrected so that the code that walks the multicast data structures does not ACCVIO and cause a system crash. [DE 10734]
o Corrected an error that prevented MULTINET SET/ARP from deleting existing ARP entries. [DE 10721]
o The main interrupt processing loop has been modified so that it takes a break and releases the spinlock if it has held it for more than 1/2 of the spinwait timeout value. This gives other code that needs the spinlock an opportunity to acquire it and reduces the chance of a spinwait timeout crash. [DE 10703]
o An error in IPSEC key processing that could cause a system crash has been corrected.
o Added code to cope with the situation where a BSD 4.4 style socket has been passed to a BSD 4.3 routine. [DE 10764]
o Fixed a potential crash. [DE 10718]
o MultiNet V5.n requires the difference between the available window and the amount of window known to the peer to be at least 50% of the maximum possible window before a window update is sent when there is no other reason to send a packet. MultiNet V4.4 required the difference to be at least 35% to send the window update. Setting the kernel variable TCP_44_WIN_UPD to 1 will return to the V4.4 behavior. [DE 10686]
o The way that IPv6 link-local addresses are generated has been changed so that it now matches RFC 3513 Appendix A. The universal/global bit will now be clear for addresses that are generated from the Ethernet adapter's manufacturer's MAC and set to 1 when the address is generated from the DECnet Ethernet address. This will change the resulting addresses of Ethernet adapters that are being used for IPv6. [DE 10677]
o For Alpha and Integrity systems, the Ethernet message transmit queue has been increased in size to 5000.
  A new kernel variable, SE_QUEUE_HIGH, has been added to keep track of the maximum value seen. [DE 10673]
o Corrected a couple of potential crashes due to improper interlocking. [DE 10653]
o The ARP information associated with an interface is deleted when the interface is set down.
o For VMS V8 (Alpha and Integrity), transfers larger than 65535 bytes are now implemented such that 65535 is returned in the second word of the IOSB and the actual number of transferred bytes is returned in the third and fourth words of the IOSB. This duplicates the behavior of TCP/IP Services. [DE 10662, 10619]
o An error that limited the number of PD interfaces that could be defined on an Integrity system to 8 has been corrected. [DE 10635]
o An error in managing the routing table update timers that could cause a system crash has been corrected. [DE 10633]
o Corrected a potential routing problem when using IP cluster aliases.
o A new bind to an address and port when there is an existing socket that is disconnected and has SO_REUSEADDR or SO_REUSEPORT set is now allowed. [DE 10616]
o The internal priority of memory allocation has been changed to be more important than packet processing. This can help avoid panics due to running out of memory on very busy systems.
o The IPv6 STF (6to4) interface can now send IPv4-encapsulated IPv6 packets through a relay router when a route has been set up to one. Use the following to set up the route:

      $ mult set/route/add=(dest=0::0,gateway=2002:c058:6301::) -
      /proto=i6

  This requires that your system is able to route IPv4 packets to 192.88.99.1.
o Reduced the number of alignment faults on Integrity systems.
o Corrected errors in how the NTYDRIVER port routines link to the terminal on Integrity systems. This fix is necessary for Point Secure's System Detective to work with MultiNet on Integrity systems. [DE 10570]
o Corrected problems with cluster alias addresses.
  [DE 10551]
o Corrected problems with processing some IPv6 packets. [DE 10549]
o Corrected a few errors in IPv6 code that could cause a system crash.
o Added controls to routing header 0 (zero) processing for IPv6. Routing headers are disabled unless one of the following is true:
     o The MultiNet kernel variable ip6_rht0 is greater than zero, or
     o ip6_forwarding is non-zero and ip6_rht0 is zero.
  The default is that ip6_forwarding is zero (end node/host) and that ip6_rht0 is -1 (do not process). A processing limit of 1 routing header has also been added.
o Improved IPv6 PCB lookup algorithms.
o Corrected a buffer management error that could cause crashes when DECnet over IP or the PWIPDRIVER is being used. [DE 10525]
o Corrected an error that could cause the FIN flag to be set on the second-to-last packet of a TCP connection. This caused the other side to drop the final packet and any data it contained. [DE 10508]

_____________________________
2.19.8 Master Server

o Corrected errors in handling Accept/Reject-Hosts/Nets lists. [DE 10786]
o Provided a SHUTDOWN command for the CLUSTERALIAS service so that the current cluster aliases can be properly shut down before restarting the MultiNet master server.
o Corrected a build error that could lead to memory leaks on Integrity systems.
o Fixed the handling of mapped IPv4 addresses when doing accounting so that VMS intrusion handling continues to work as it did in prior versions of MultiNet. Note that this does not address the issue for IPv6 addresses that are not IPv4-mapped addresses. [DE 10517]
o Corrected errors in checking the accept-net and reject-net configuration when the configuration information has IPv4 addresses and connections have IPv4-mapped IPv6 addresses.
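To make the routing header 0 rule in the Kernel items above concrete, here is an added example (not MultiNet's kernel code) that walks an IPv6 extension header chain, counts routing headers, and applies the ip6_rht0/ip6_forwarding policy and the one-header limit to constructed packets. The packet builder, the constructed addresses and the accept/drop strings are assumptions of this example.

```python
import ipaddress
import struct
from typing import List, Tuple

NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS, NH_NONE = 0, 43, 44, 51, 60, 59
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}
MAX_ROUTING_HEADERS = 1   # processing limit stated in the release note


def rh0_allowed(ip6_forwarding: int, ip6_rht0: int) -> bool:
    """The kernel-variable rule from the release note: RH0 is processed only
    when ip6_rht0 > 0, or when forwarding is on and ip6_rht0 == 0."""
    return ip6_rht0 > 0 or (ip6_forwarding != 0 and ip6_rht0 == 0)


def walk_extension_headers(packet: bytes) -> List[Tuple[int, int, int]]:
    """Return (header_type, routing_type, segments_left) per extension header in
    chain order (-1 for the routing fields of non-routing headers). Raises
    ValueError if the chain runs past the end of the packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = packet[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            length = 8                          # fixed size
        elif nh == NH_AH:
            length = (packet[off + 1] + 2) * 4  # AH length is in 32-bit words
        else:
            length = (packet[off + 1] + 1) * 8  # others in 8-octet units
        if off + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        is_rh = nh == NH_ROUTING
        chain.append((nh, packet[off + 2] if is_rh else -1,
                      packet[off + 3] if is_rh else -1))
        nh, off = packet[off], off + length
    return chain


def routing_header_decision(packet: bytes, ip6_forwarding: int = 0,
                            ip6_rht0: int = -1) -> str:
    """Apply the header limit and the RH0 policy; defaults are the note's defaults."""
    routing = [h for h in walk_extension_headers(packet) if h[0] == NH_ROUTING]
    if len(routing) > MAX_ROUTING_HEADERS:
        return "drop: more than one routing header"
    for _, rtype, segments_left in routing:
        # RFC 2460: a routing header with Segments Left 0 is skipped, so only an
        # RH0 that still has hops to visit is subject to the policy.
        if rtype == 0 and segments_left > 0 and not rh0_allowed(ip6_forwarding, ip6_rht0):
            return "drop: RH0 processing disabled"
    return "accept"


# Constructed packets for demonstration (documentation-prefix addresses).
def routing_header(next_header: int, rtype: int, segments_left: int,
                   addrs: List[str]) -> bytes:
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return bytes([next_header, 2 * len(addrs), rtype, segments_left]) + b"\0" * 4 + packed


def ipv6_packet(first_nh: int, ext: bytes, src: str, dst: str) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ext), first_nh, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + ext


ONE_RH0 = ipv6_packet(NH_ROUTING, routing_header(NH_NONE, 0, 2, ["2001:db8::a", "2001:db8::b"]),
                      "2001:db8::1", "2001:db8::2")
TWO_RH0 = ipv6_packet(NH_ROUTING,
                      routing_header(NH_ROUTING, 0, 2, ["2001:db8::a", "2001:db8::b"])
                      + routing_header(NH_NONE, 0, 1, ["2001:db8::c"]),
                      "2001:db8::1", "2001:db8::2")
RH_TYPE2 = ipv6_packet(NH_ROUTING, routing_header(NH_NONE, 2, 1, ["2001:db8::a"]),
                       "2001:db8::1", "2001:db8::2")
```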
o Changed the CLUSTERALIAS service to force it to release the address before restarting the master server, so that the kernel data structures are properly cleaned up before another member of the cluster grabs the CLUSTERALIAS address.
o Corrected an error in checking IPv4 addresses in access restriction lists when the incoming address is an IPv4-mapped address. [DE 10510]

_____________________________
2.19.9 Named

o Corrected a problem with time-of-day functionality when using TSIG/DNSSEC for nsupdates. [DE 10820]
o Fixed the problem that caused named to use the default .conf file after reloading, instead of the .conf file specified by the conffile parameter. [DE 10797]
o Corrected an intermittent fatal error found in one of the supporting named libraries. [DE 10793]
o Fixed the problem with temporary file handling used by the netcontrol reload function. [DE 10791]
o Fixed the file lock error in the netcontrol domain reload function. [DE 10778]
o Implemented the latest ISC patch to address performance issues in the 9.4.2-p1 release. [DE 10767]
o Corrected a problem where the lowest rated node did not have a load rating displayed by the netcontrol domain show function. [DE 10765]
o Implemented the latest ISC security patch. ISC released 9.4.2-p1 to combat a potential attack exploiting weaknesses in the DNS protocol that enable the poisoning of caching recursive resolvers with spoofed data. [DE 10750]
o Fixed a problem with the Nameserver Rewrite-TTL variable. [DE 10749]
o Implemented the recent ISC security update to fix the cache poisoning problem, which could result in pharming attacks when the nameserver is configured as caching-only. [DE 10556]
o Corrected a logging problem where specifying a file version limit could cause the nameserver to crash. [DE 10550]
o Corrected possible locking/CPU usage issues on VAX platforms.
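The Master Server fixes in 2.19.8 above concern IPv4 entries in accept/reject lists failing to match clients that arrive on an IPv6 listener as IPv4-mapped addresses (::ffff:a.b.c.d). The following added example (not the Master Server's code) shows that failure mode beside the corrected matching; the CIDR entry notation and the reject-then-accept evaluation order are assumptions of this example.

```python
import ipaddress
from typing import Iterable, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def canonical(client: str) -> IPAddr:
    """Fold an IPv4-mapped IPv6 address, which is how an IPv4 client appears on
    a socket that listens on IPv6, back to its IPv4 form; leave others alone."""
    addr = ipaddress.ip_address(client)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def entry_covers(addr: IPAddr, entry: str) -> bool:
    """True if an accept/reject entry (a host or a CIDR network, an assumed
    notation) covers addr. Different address families never match."""
    net = ipaddress.ip_network(entry, strict=False)
    return net.version == addr.version and addr in net


def connection_allowed(client: str, accept: Iterable[str] = (),
                       reject: Iterable[str] = (), fold_mapped: bool = True) -> bool:
    """Assumed semantics: a reject match refuses the connection; otherwise, if
    an accept list exists the client must match it; with no accept list every
    other client is allowed. fold_mapped=False reproduces the failure the
    release note describes: IPv4 entries silently fail to match IPv4-mapped
    IPv6 clients, so a reject entry no longer rejects them."""
    addr = canonical(client) if fold_mapped else ipaddress.ip_address(client)
    if any(entry_covers(addr, e) for e in reject):
        return False
    accept = list(accept)
    if accept:
        return any(entry_covers(addr, e) for e in accept)
    return True


# Constructed configuration: one rejected IPv4 network, two accepted networks.
REJECT_NETS = ["192.0.2.0/24"]
ACCEPT_NETS = ["10.0.0.0/8", "2001:db8::/32"]

if __name__ == "__main__":
    for client in ("192.0.2.7", "::ffff:192.0.2.7"):
        print(f"reject-only check for {client:18}"
              f" old={connection_allowed(client, reject=REJECT_NETS, fold_mapped=False)!s:5}"
              f" fixed={connection_allowed(client, reject=REJECT_NETS)}")
    for client in ("10.1.2.3", "::ffff:10.1.2.3", "2001:db8::5", "203.0.113.9"):
        print(f"accept-list check for {client:18}"
              f" old={connection_allowed(client, accept=ACCEPT_NETS, fold_mapped=False)!s:5}"
              f" fixed={connection_allowed(client, accept=ACCEPT_NETS)}")
```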
o Corrected a problem with the handling of type 0/invalid class queries. [DE 10528]
o Corrected a version number problem with local database files; multiple versions will no longer be created after zone transfers. [DE 10527]
o Corrected a problem where the nameserver could crash or hang with the "UDP client handler shutting down" message. [DE 10519]
o Debug log files can now be accessed while the nameserver is running.
o Corrected an intermittent problem with the netcontrol domain restart command.
o Restored the automatic forging of A records for Cluster Service hosts when the MULTINET_CLUSTER_SERVICE_NAMES logical is defined. [DE 10509]

  *** Please Note ***
  If your existing configuration includes a zone definition with A records for cluster service members, and you have defined the MULTINET_CLUSTER_SERVICE_NAMES logical, you may see a duplicate zone error message when the nameserver attempts to load the configuration. Either comment out the zone file definition or deassign the logical name.

_____________________________
2.19.10 NFS

o Corrected a problem with directory caching/file visibility on Integrity platforms. [DE 10632]
o ACLs are now propagated to newly created subdirectories. [DE 10332]
o Fixed a problem with mixed-case handling consistency between ODS-2 and NFS exports. [DE 10223]

_____________________________
2.19.11 NTP

o The problem that could cause the NTP server process to be created with zero process priority has been fixed. [DE 10811]

_____________________________
2.19.12 RPC40

o Decoding a double value from the XDR stream has been corrected. [DE 9894]

_____________________________
2.19.13 RTSOLD

o RTSOLD has been modified to set the socket's multicast hop limit before sending the router solicit message, so that the message has the correct value. [DE 10549]

_____________________________
2.19.14 Set Arp

o Fixed a problem in exception handling that caused a stack dump on Integrity systems.
  [DE 10702]

_____________________________
2.19.15 Set Route

o /ADD using a mask_length that was longer than expected for the specified route address now sets the route mask correctly. [DE 10807]

_____________________________
2.19.16 SMTP

o Corrected processing errors that could cause the symbiont to ACCVIO in specific situations. [DE 10674]

_____________________________
2.19.17 SCP/SFTP

o Changed the "Unexpected error" message when there are no files in a directory to "No matching files". [DE 10727]
o Problems that caused SFTP>LS directory_specification to list the directory file instead of the contents of the directory on Alpha processors have been corrected. [DE 10717]
o Improvements in SFTP access controls (directory and operation restrictions). [DE 10701]
o Improvements in handling SFTP realpath operations. [DE 10700, 10656]
o Corrected errors in processing when attempting to disable SRI encoding on ODS-2 disks by defining the logical MULTINET_SFTP_ODS2_SRI_ENCODING to FALSE. [DE 10671]
o Carets (^) are now added where necessary in ODS-5 file specifications. [DE 10654]
o Problems with SCP-SERVER1 on Alpha have been corrected. [DE 10651]
o SFTP no longer writes output to the terminal one character at a time. This makes batch logs readable. [DE 10638]
o Removed code that attempted to resolve the proper setting of the "execute" bit on files, as this has a very different meaning on VMS than it does on UNIX. [DE 10622]
o SFTP now disables the SMG unsolicited input mailbox. This should correct some cases where SFTP cannot start SSH. [DE 10602]
o A problem that could cause the SFTP or SCP client to ACCVIO has been resolved.
o Corrected a problem where SFTP assumed that files without a dot in their name were directories and hence was not able to transfer them.
  [DE 10572]
o The SFTP server no longer returns an error status of "no permission" for unimplemented requests to modify file attributes. [DE 10557]
o Corrected problems with large file transfers and directory listings of files larger than 4GB. [DE 10735]
o For ODS-5 devices, SFTP will only put carets in file names if the logical MULTINET_SFTP_ADD_ODS5_CARETS is defined to be True, Yes, or 1. In all other cases the name will be used as-is.

_____________________________
2.19.18 Socket Library

o Corrected errors in recvfrom when used with IPv6.
o Fixed errors in gethostbyname. [DE 10247]

_____________________________
2.19.19 SSH

o SSH sessions could occasionally encounter a fatal error of "Assertion failed: iorec != ((void *) 0)". This has been corrected. [DE 10716]
o When executing SSH sessions in a batch job that executes a script on a UNIX system, the SSH client could hang in a loop, consuming system resources. This has been corrected. However, a timing issue may remain that can be cured by adding a "sleep 1" statement at the end of the UNIX script.
o The PWD_EXPIRED UAF flag was not being handled correctly.
o Corrected an ACCVIO when public key authentication fails in batch mode. [DE 10675]
o On VMS 8.x systems, and on some 7.3-2 systems after applying some VMS ECOs, SSH sessions would fail with the log file showing the error "Failed to get handed-off socket: errno 6". [DE 10636]
o SSH OPCOM session accept and session reject messages would sometimes display garbage at the end of the message. [DE 10629]
o The SSH client would sometimes enter an infinite loop when run in a DCL command procedure. [DE 10614]
o When file transfers were done in batch jobs, the SSH client would sometimes enter an infinite loop. [DE 10592]
o Forwarded X11 sessions would sometimes exhibit delays when updating the screen, due to TCP_NODELAY not being set on the channel.
  This could be changed by setting the NoDelay keyword in the SSHD2_CONFIG file, but that would affect all connections. The keyword X11NoDelay has been added; when set to YES (its default), it sets TCP_NODELAY for X11 sessions only. [DE 10573]
o Hostbased authentication would occasionally fail because the key signer was apparently hanging. [DE 10548]
o If a public key had variable record format, operations involving that key, such as public key authentication, would fail. [DE 10522]
o For accounts with time-of-day access limitations in SYSUAF, sessions were allowed to continue past their allowable access time. [DE 10512]
o On some systems, OPCOM session accept/reject messages from the SSH server would have garbage at the end of them. [DE 10446]
o After logging out of an SSH2 session, the server process that was handling the session would occasionally enter a tight loop. [DE 10287]

_____________________________
2.19.20 Telnet

o The getaddrinfo function that Telnet uses now searches the host tables if the logical MULTINET_NAMESERVERS is not defined. [DE 10669]

_____________________________
2.19.21 UCXDriver

o Increased the maximum allowed read size to 65536 to allow ConsoleWorks to function properly with MultiNet V5.2. [DE 10578]
o Set options at socket creation so that out-of-band data processing more closely matches TCP/IP Services. [DE 10558]
o Stopped returning more data than there is space provided for in IO$_ACPCONTROL calls. [DE 10555]
o Return success status (instead of EPIPE) when a zero-byte packet is received on a UDP port. This corrects a problem with some control programs causing BIND to hang. [DE 10519]

_____________________________
2.19.22 UCX Library Emulation

o Corrected errors in the implementation of GETNAMEINFO. [DE 10740]
o Fixed errors in select that could cause problems for Alpha programs that use threads. [DE 10695]
o Corrected errors in BSD 4.4 operations.
  [DE 10678]
o Corrected an error in the flag values for GETADDRINFO. [DE 10625]
o Reduced alignment faults in gethostbyname for Integrity systems. [DE 10593]
o Added an entry point to support Samba (CIFS) EFT2 on Integrity systems.
o Provided support routines for CIFS (Samba) on OpenVMS V8 for Alpha and Integrity processors. [DE 10546]
o Updated images for Alpha V6 and V7 to support the data collector. [DE 10433]
o Return the results of gethostbyaddr when gethostbyname is given an IP address. [DE 10152]
o Corrected errors in the implementation of GETADDRINFO.
o Updated the image GSMATCH so that Kerberos V2.1-72 can be used on OpenVMS V7.3-2.
o Provided TCPIP$RES_QUERY entry support for PreciseMail Anti-Spam SPF support.
o Provided DNS resolver entry points for SPF support for PMDF and PreciseMail Anti-Spam. Note that this increases the size of the executable significantly.
o Corrected an error in the value returned by gethostname.
o Removed read limit checking for VMS V8.
o Corrected a potential crash.

_______________________________________________________
3 Documentation Updates

This chapter contains a summary of changes to the documentation for MultiNet V5.3.

__________________________________________________________
3.1 MultiNet V5.3

o Changed the MultiNet version number to read V5.3.
o Information about using FTP over TLS has been added to the User's and Administrator's manuals.
o Chapter 32, describing the Intrusion Prevention System (IPS), has been added to the MultiNet Installation and Administrator's Guide.
o The packet filtering section of Chapter 11 of the Installation and Administrator's Guide has been updated to reflect changes for IPv6 in packet filtering and the new filter file format.
o The MultiNet SET/IPS and MultiNet SHOW/IPS commands for the IPS subsystem have been added to the Administrator's Reference manual.
o The MultiNet SHOW/INTERFACE/FILTERS command in the Administrator's Reference manual has been updated to show the new-style display for packet filters.

__________________________________________________________
3.2 Corrections to the MultiNet V5.3 documentation

_______________________________________________________
4 Known Bugs/Issues

The following are known bugs and issues with MultiNet V5.3.