Release Note для Cisco Cisco Tunnel Terminating Gateway (TTG)
System Changes in Release 15.0
▀ System and Platform Enhancements for September 30, 2013
▄ Cisco ASR 5x00 Release Change Reference
606
Multiple Child SA (MCSA) Support – The creation of multiple child SAs helps an operator to segregate and
limit the secure traffic into multiple flows. For example, control and data paths between two nodes can be
established over two child SAs; the rest of the data between the nodes will bypass IPSec. Multiple child SAs
may be used for carrying traffic with different class of services (QoS). Similarly, different SAs could be used
to carry different traffic with specific security properties.
established over two child SAs; the rest of the data between the nodes will bypass IPSec. Multiple child SAs
may be used for carrying traffic with different class of services (QoS). Similarly, different SAs could be used
to carry different traffic with specific security properties.
Certificate Management Protocol (CMPv2) – The Certificate Management Protocol (CMP) is an Internet
protocol used for obtaining X.509 digital certificates in a public key infrastructure (PKI). It is described in RFC
4210. StarOS implements the subset of CMPv2 functions:
4210. StarOS implements the subset of CMPv2 functions:
Key pair and X.509 certificate request generation: The StarOS security gateway acts as an end entity
as described in RFC 4210. The gateway generates the X.509 public and private key pair for
authentication during IKE AUTH. It generates the public and private keys using OpenSSL libraries.
The generated private key is saved locally on the management card, and the public key is embedded in
the generated X.509 certificate request. The key uses RSA encryption; SHA-1 with RSA encryption is
used on the Hashing function for the generated certificate. Certificate requests are sent to the
Certificate Authority (CA) or Registration Authority (RA) during the certification process via CMPv2.
authentication during IKE AUTH. It generates the public and private keys using OpenSSL libraries.
The generated private key is saved locally on the management card, and the public key is embedded in
the generated X.509 certificate request. The key uses RSA encryption; SHA-1 with RSA encryption is
used on the Hashing function for the generated certificate. Certificate requests are sent to the
Certificate Authority (CA) or Registration Authority (RA) during the certification process via CMPv2.
Initial certificate request transaction (ir and ip): A certificate request triggers the CMPv2 messaging
to get the first certificate certified by the Certification Authority (CA). This CMPv2 transaction is
identified by the Certification Request and Certification Response messages (ir and ip). At the end of
this transaction the security gateway may receive the certificate signed by the CA in the response
message. This certificate is then saved in the management card and is also propagated to the packet
processing cards via internal messaging. The IKEv2 tunnel creation done at the packet processing
cards requires this certificate for the IKE_AUTH transaction.
identified by the Certification Request and Certification Response messages (ir and ip). At the end of
this transaction the security gateway may receive the certificate signed by the CA in the response
message. This certificate is then saved in the management card and is also propagated to the packet
processing cards via internal messaging. The IKEv2 tunnel creation done at the packet processing
cards requires this certificate for the IKE_AUTH transaction.
Certificate enrolment (cr and cp): This CMPv2 transaction obtains additional certificates certified by
CA after the initial certification is done. The security gateway triggers additional certificate
enrolment. The additional certificates are saved and used in a manner similar to the initial certificate.
enrolment. The additional certificates are saved and used in a manner similar to the initial certificate.
Polling request and response (pollReq and pollRep): The ip, cp or the kup message received from the
CA may contain a status code of “waiting”. This indicates that the CA is still evaluating the certificate
request and will require more time to sign the certificate. In this case the security gateway sends a
pollReq message to the CA. The pollRep message from the CA may either contain the signed
certificate or indicate a status of “waiting” again. If the pollRep message contains the certificate, it is
treated as an ip/cp/kup message with a signed certificate and all relevant actions are taken. The
security gateway also supports a CLI command to manually trigger polling for any request.
request and will require more time to sign the certificate. In this case the security gateway sends a
pollReq message to the CA. The pollRep message from the CA may either contain the signed
certificate or indicate a status of “waiting” again. If the pollRep message contains the certificate, it is
treated as an ip/cp/kup message with a signed certificate and all relevant actions are taken. The
security gateway also supports a CLI command to manually trigger polling for any request.
Certificate update transaction (kur and kup): This key pair update transaction re-certifies or updates
a public/private key pair of the certificate after or before its validity expires. The Key Update Request
(kur) message is sent to the CA with a certificate having a new public key, and the CA sends a Key
Pair Update Response (kup) message with the signed certificate. The security gateway also supports
two mechanisms to update an existing certificate:
(kur) message is sent to the CA with a certificate having a new public key, and the CA sends a Key
Pair Update Response (kup) message with the signed certificate. The security gateway also supports
two mechanisms to update an existing certificate:
Manual Update: The gateway sports a CLI command to trigger the certificate update
transaction.
Auto update: The gateway can be configured to automatically trigger a certificate update a
specified number of days before the certificate expires.
For both manual and automatic updates, the updated certificate is saved on the management
card and propagated to the packet processing cards.
Online Certificate Status Protocol (OCSP) – OCSP provides a facility to obtain timely information on the
status of a certificate (RFC 2560). OCSP messages are exchanged between a gateway and an OCSP responder
during a certificate transaction. The responder immediately provides the current status of the presented
certificate. The status can be good, revoked or unknown. The gateway can then proceed based on the response.
during a certificate transaction. The responder immediately provides the current status of the presented
certificate. The status can be good, revoked or unknown. The gateway can then proceed based on the response.