This product bulletin provides the content and delivery information for Cisco IOS® Software Release 12.2(13)ZG. It should be used in conjunction with the Cisco IOS Software 12.2(13)ZG release note for more detailed information. This is a special early-deployment release and supports Cisco 830 Series secure broadband routers and Cisco SOHO 90 Series routers.
This feature is in the base image and supports the Cisco 831 Ethernet Broadband Router, the Cisco 837 ADSL Broadband Router, and the Cisco 836 as well as the Cisco SOHO 91 Ethernet Broadband Router, the Cisco SOHO 97 ADSL Broadband Router, and the Cisco SOHO 96.
- Incompatibility between IPSec Authentication Header and NAT—Because the Authentication Header security protocol incorporates the IP source and destination addresses in the keyed message integrity check, NAT or reverse NAT devices that change address fields will invalidate the message integrity check. Because IPSec Encapsulating Security Payload (ESP) does not incorporate the IP source and destination addresses in its keyed message integrity check, this issue does not arise for ESP.
- Incompatibility between checksums and NAT—Transmission Control Protocol/User Datagram Protocol (TCP/UDP) checksums have a dependency on the IP source and destination addresses through inclusion of the "pseudo-header" in the calculation. As a result, checksums that are calculated and checked on receipt will be invalidated by passage through a NAT or a reverse NAT device.
- Incompatibility between fixed Internet Key Exchange (IKE) destination ports and port address translation (PAT)—When multiple hosts behind the PAT initiate IKE Security Associations (SAs) to the same responder, a mechanism is needed to allow the PAT to demultiplex the incoming IKE packets.
- Incompatibility between IPSec ESP and PAT—PAT or reverse PAT devices cannot handle ESP packets. They drop ESP packets because ESP carries no TCP/UDP port numbers for the PAT device to translate.
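The first, second and fourth incompatibilities above can be seen in a few lines of code. The following is an added example, not code from the bulletin or from Cisco IOS: it builds a UDP datagram with a real RFC 768 checksum (which covers the IP addresses through the pseudo-header), computes a deliberately simplified AH-style integrity check value (a keyed MAC over the source and destination addresses plus the payload; real AH per RFC 4302 covers more header fields), and an ESP-style check that covers only the ESP header and payload. A NAT then rewrites the source address and the receiver verifies each value. The addresses, key and payload are constructed sample values.

```python
"""Why IPsec AH and TCP/UDP checksums break across NAT, and why ESP does not."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP family checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: this is where the IP addresses enter the checksum."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment whose checksum is correct for the given IP endpoints."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src, dst, length) + segment)
    csum = csum or 0xFFFF  # an all-zero result is sent as 0xFFFF (zero means "no checksum")
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment must be all ones."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH integrity check value: keyed MAC over the (immutable) IP addresses
    and the payload. Real AH covers more header fields; the point is that the
    addresses are inside the MAC, so nothing without the key may change them."""
    covered = IPv4Address(src).packed + IPv4Address(dst).packed + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


def esp_icv(key: bytes, esp_body: bytes) -> bytes:
    """ESP's ICV covers the ESP header, payload and trailer, never the outer IP header."""
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:12]


def nat_effect(key: bytes, inside_src: str, outside_src: str, dst: str, payload: bytes) -> dict:
    """Send a UDP datagram from inside_src, let a NAT rewrite the source to outside_src,
    and report what a receiver that verifies against the rewritten header sees."""
    segment = build_udp(inside_src, dst, 40000, 500, payload)
    icv = ah_icv(key, inside_src, dst, segment)
    # ESP header is just SPI + sequence number: there is no port field for a PAT to key on.
    esp_body = struct.pack("!II", 0x1000, 1) + segment
    esp_tag = esp_icv(key, esp_body)
    result = {
        "udp_checksum_valid_before_nat": udp_checksum_ok(inside_src, dst, segment),
        "udp_checksum_valid_after_nat": udp_checksum_ok(outside_src, dst, segment),
        "ah_icv_valid_after_nat": hmac.compare_digest(icv, ah_icv(key, outside_src, dst, segment)),
        "esp_icv_valid_after_nat": hmac.compare_digest(esp_tag, esp_icv(key, esp_body)),
    }
    # A NAT can repair the unkeyed UDP checksum by recomputing it for the new address;
    # it cannot regenerate the AH ICV without the IPsec key, so AH through NAT stays broken.
    repaired = build_udp(outside_src, dst, 40000, 500, payload)
    result["udp_checksum_valid_after_nat_recompute"] = udp_checksum_ok(outside_src, dst, repaired)
    return result


if __name__ == "__main__":
    for k, v in nat_effect(b"k" * 32, "192.168.1.10", "203.0.113.5", "198.51.100.7", b"sample").items():
        print(f"{k}: {v}")
```

Note that a NAT can only recompute the UDP checksum when it can see it; in transport-mode ESP the checksum sits inside the encrypted payload, which is why the bulletin lists checksums as a separate incompatibility rather than something ESP alone resolves.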
For Cisco 830 Series secure broadband routers, whenever tunneling or encryption is turned on, the packets are encapsulated by a tunnel or an encryption header. Quality-of-service (QoS) features cannot examine the original packet header to correctly classify the packets.
Preclassification is designed as a feature to be applied on a tunnel interface. A new command-line interface (CLI) command is introduced to allow toggling of preclassification. When the command is enabled, the QoS features on the output interface where the tunnel traverses can classify the packets prior to tunneling or encryption, thus allowing preferential treatment of certain flows within the tunnel.
This capability adds the following options to the already-existing Data Encryption Standard (DES) and Triple DES (3DES) options in the crypto isakmp policy (ISAKMP protection suite) and crypto ipsec transform-set (IPSec transform definition) commands.
The Cisco IOS Firewall Intrusion Detection System (IDS) feature supports intrusion detection technology when the Cisco IOS Firewall is present. The Cisco IOS IDS feature statically identifies 100 of the most common network attacks using "signatures" to detect patterns of misuse in network traffic. Statically means that the signatures are part of the compiled Cisco IOS IDS code. They consist of a broad cross-section of intrusion-detection signatures representing severe breaches of network security, the most common network attacks, and information-gathering scans.
There are no additional CLI commands to configure these additional signatures. The ip audit signature command allows the new signatures to be disabled, or extended access control lists (ACLs) to be applied to individual signatures, to filter out sources of false alarms.
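The two controls just described, disabling a signature outright versus attaching an ACL that suppresses matches from particular sources, behave differently, and the difference is easiest to see in code. The following is an added example, not the bulletin's or Cisco IOS code: a minimal signature engine with a fixed (compiled-in) signature table, a per-signature enable flag, and a per-signature list of excluded source networks standing in for the extended ACL. The signature IDs, patterns and sample packets are constructed for the example and are not real Cisco IOS IDS signature numbers.

```python
"""Minimal model of a static-signature IDS with per-signature disable and source ACL."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    payload: bytes


@dataclass
class Signature:
    sig_id: int            # constructed IDs, not real Cisco IOS IDS signature numbers
    name: str
    pattern: re.Pattern    # fixed at build time, like the compiled-in signature set
    enabled: bool = True
    # Source networks whose matches are suppressed: models the extended ACL attached
    # to the signature for filtering out known false-alarm sources.
    excluded_sources: List[ipaddress.IPv4Network] = field(default_factory=list)


def default_signatures() -> Dict[int, Signature]:
    """The 'static' signature table; a fresh copy per engine so tests stay independent."""
    return {
        9001: Signature(9001, "constructed: HTTP directory traversal", re.compile(rb"\.\./\.\./")),
        9002: Signature(9002, "constructed: FTP SYST info-gathering probe", re.compile(rb"^SYST\r\n")),
    }


class AuditEngine:
    def __init__(self) -> None:
        self.signatures = default_signatures()

    def disable_signature(self, sig_id: int) -> None:
        """Equivalent of turning a signature off: it is never evaluated again."""
        self.signatures[sig_id].enabled = False

    def exclude_source(self, sig_id: int, cidr: str) -> None:
        """Equivalent of applying an ACL to one signature: it still fires for everyone else."""
        self.signatures[sig_id].excluded_sources.append(ipaddress.ip_network(cidr))

    def inspect(self, packets: List[Packet]) -> List[Tuple[int, str]]:
        """Return (signature id, source address) for every alarm that survives filtering."""
        alarms: List[Tuple[int, str]] = []
        for pkt in packets:
            src = ipaddress.ip_address(pkt.src)
            for sig in self.signatures.values():
                if not sig.enabled:
                    continue                       # disabled: skipped entirely
                if not sig.pattern.search(pkt.payload):
                    continue                       # no pattern match
                if any(src in net for net in sig.excluded_sources):
                    continue                       # matched, but filtered by the signature's ACL
                alarms.append((sig.sig_id, pkt.src))
        return alarms


# Constructed sample traffic: 10.1.1.99 is an internal scanner the administrators run.
SAMPLE_PACKETS = [
    Packet("10.1.1.20", b"GET /../../private/config HTTP/1.0\r\n"),
    Packet("10.1.1.99", b"GET /../../index.html HTTP/1.0\r\n"),
    Packet("10.1.1.20", b"SYST\r\n"),
    Packet("10.1.1.30", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    engine = AuditEngine()
    print("all alarms:", engine.inspect(SAMPLE_PACKETS))
    engine.exclude_source(9001, "10.1.1.99/32")
    print("scanner filtered:", engine.inspect(SAMPLE_PACKETS))
    engine.disable_signature(9002)
    print("9002 disabled:", engine.inspect(SAMPLE_PACKETS))
```

The design point for the operator is visible in the third run: the ACL keeps the signature active for every other source, whereas disabling it removes the detection for everyone, so an ACL is the right tool for a known benign scanner and disabling is for a signature that is wrong for the environment.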
Overheads associated with VPN tunnel encapsulations can result in packets exceeding the maximum transmission unit (MTU) threshold of the interface. As a result, data traffic and video-stream traffic can become fragmented after encryption. Fragmentation is done at the Cisco Express Forwarding level in the packet path, but reassembly must be done at the tunnel end point, and that reassembly is done at the process level. Every packet that needs to be decrypted must first be queued for reassembly, causing a serious decline in encryption performance.
This feature implements "look-ahead fragmentation": the packet size that would result from the impending encryption operation is calculated in advance from the transform sets configured on the IPSec SA. If the packet size plus this yet-to-be-added encapsulation overhead exceeds the MTU of the output interface, an attempt is made to fragment the packet before encryption. This avoids process-level reassembly before decryption, helping improve decryption performance and overall IPSec throughput.
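The look-ahead calculation is a small piece of arithmetic over the transform set, and working it through makes the feature concrete. The following is an added example, not code from the bulletin or from Cisco IOS: it computes the on-the-wire size of a tunnel-mode ESP packet from the standard ESP field sizes (8-byte SPI plus sequence number, the cipher's IV and block size, the 2-byte pad-length/next-header trailer, and a 12-byte truncated HMAC ICV, all per RFC 4303 and the DES/3DES/AES-CBC transform RFCs), derives the largest inner packet that still fits the output MTU, and fragments the cleartext before encryption when needed. The transform names follow Cisco transform-set keywords; the exact overhead accounting of the IOS implementation is not described on this page and is an assumption here. Inner packets are assumed to be fragmentable (DF not set).

```python
"""Look-ahead fragmentation: size the post-encryption packet from the IPsec transform
set and fragment the cleartext first so no ESP packet exceeds the output MTU."""
from dataclasses import dataclass
from typing import List, Optional

IP_HDR = 20        # IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the padded plaintext

# Cipher -> (IV length, block size); authentication -> truncated ICV length.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
AUTH = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, None: 0}


@dataclass(frozen=True)
class TransformSet:
    cipher: str
    auth: Optional[str]


def encrypted_size(ts: TransformSet, inner_len: int) -> int:
    """Wire size of a tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    iv_len, block = CIPHERS[ts.cipher]
    icv_len = AUTH[ts.auth]
    # Plaintext = inner packet + trailer, padded up to a multiple of the cipher block size.
    padded = (inner_len + ESP_TRAILER + block - 1) // block * block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(ts: TransformSet, mtu: int) -> int:
    """Largest inner packet whose encapsulation fits the MTU: the look-ahead check itself."""
    iv_len, block = CIPHERS[ts.cipher]
    icv_len = AUTH[ts.auth]
    room = mtu - IP_HDR - ESP_HDR - iv_len - icv_len
    room = room // block * block   # the padded plaintext must be a block multiple
    return room - ESP_TRAILER


def prefragment(ts: TransformSet, mtu: int, inner_len: int) -> List[int]:
    """Inner IP packet sizes after fragmenting before encryption.

    Each fragment gets its own 20-byte IP header, and fragment data lengths (except the
    last) are multiples of 8 because IP fragment offsets count 8-byte units. Returns
    [inner_len] unchanged when the packet already fits."""
    limit = max_inner_len(ts, mtu)
    if inner_len <= limit:
        return [inner_len]
    data = inner_len - IP_HDR
    max_data = (limit - IP_HDR) // 8 * 8
    sizes: List[int] = []
    while data > 0:
        chunk = min(max_data, data)
        sizes.append(IP_HDR + chunk)
        data -= chunk
    return sizes


if __name__ == "__main__":
    ts = TransformSet("esp-3des", "esp-sha-hmac")
    print("largest inner packet for MTU 1500:", max_inner_len(ts, 1500))
    for size in prefragment(ts, 1500, 1500):
        print(f"inner {size} -> encrypted {encrypted_size(ts, size)}")
```

With esp-3des/esp-sha-hmac and a 1500-byte MTU a full-size 1500-byte inner packet is split into a 1444-byte and a 76-byte fragment before encryption, and both encrypt to at most 1496 bytes; without the look-ahead the single 1500-byte packet would encrypt to a size above the MTU and be fragmented afterwards, which is exactly the process-level reassembly the feature avoids.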
The Cisco IOS Firewall authentication proxy allows network administrators to apply specific network security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. With authentication proxy, users can be identified and authorized on the basis of their per-user policy. Tailoring access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.
When authentication proxy is enabled on the Cisco router, users can log in to the network or access the Internet via Hypertext Transfer Protocol (HTTP). When a user initiates an HTTP session through the firewall, the authentication proxy is triggered. The authentication proxy first checks whether the user has already been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password. Once the user is authenticated, that user's specific access profile is automatically retrieved and applied from a Cisco Secure Access Control Server or another Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) authentication server. User profiles are active only while there is active traffic from the authenticated user.
Web Cache Communications Protocol (WCCP) provides a mechanism to establish and maintain cache clusters, as well as redirect user requests from network components to those clusters in real time. Additionally, WCCP has built-in load-balancing and fault-tolerance features and possesses excellent scaling attributes because it can be implemented in a distributed fashion across the network.
Easy VPN will support multiple peer statements. If negotiation fails while connecting to a peer, Easy VPN fails over to the next peer, continuing in round-robin fashion; when the last peer is reached, Easy VPN rolls over to the first one. The IKE or IPSec SAs to the previous peer are deleted. Multiple set peer statements work for both IP addresses and hostnames, and setting or unsetting peer statements does not affect their order.
This feature is in the base image and supports the Cisco 831 Ethernet Broadband Router, the Cisco 837 ADSL Broadband Router, and the Cisco 836 ADSL over ISDN Router. The feature is also known as Optimize Xauth by re-using the last successful username and password.
When the server allows the user to use the saved password, the username and password configured on the client are used for Xauth, so the client need not enter them manually every time the VPN tunnel comes up.
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP).