MultiNet 5.5 release notes

*UCXDRIVER (BG)* changed to buffered I/O to improve performance.

*Kernel:*
· Maximum Segment Lifetime Truncation (from NetBSD and Coyote Point Systems). This varies the value used for MSL based upon how close the remote system is. Loopback and local connections expire more quickly when MSLT is used. This reduces the number of TCP connections that need to be scanned and hence reduces the load on the system. The adjusted MSL values are:
  · 2 seconds for loopback
  · 10 seconds for local (same link/subnet)
  · 60 seconds for remote (traditional value)
  The following kernel variables are available to control this functionality:
  · *tcp_msl_enable* enable TIME_WAIT truncation
  · *tcp_msl_loop* MSL for loopback
  · *tcp_msl_local* MSL for 'local'
  · *tcp_msl_remote* MSL otherwise
  · *tcp_msl_remote_threshold* RTT threshold
  · *tcp_rttlocal* use RTT to decide who's 'local'
· Don't compute checksums on packets sent through the loopback interface. This can be changed by setting the kernel variable *cksum_loopback* to a non-zero value.
· *no_ipsec* is now 1 by default and will be automatically changed to 0 when the first IPsec rule is added.
· A new TCP ephemeral port allocation algorithm for connect operations. This algorithm selects the source address first so that hashing tables can be used when checking for a free port number. This results in fewer connections being checked to verify that a potential port number is available. This is controlled by the variable *USE_NEW_TCP_CONNECT*.
· SCTP improvements.

*FTP*
· FTP changed to use the BG device on ia64 systems to take advantage of the improved performance.
· MODE Z (deflate) support added to FTP. Mode Z allows data transfers to be compressed when encryption is not desired or not necessary. A compressed file transfer will generally take less time than an uncompressed transfer when the limiting factor is the slowest link between the systems involved.
  MODE Z is enabled with the DEFLATE LEVEL n command, where n is a value between -1 (default) and 9 (maximum).
· MLST/MLSD (RFC 3659) support added to the FTP server to support clients that want a machine-formatted listing.
· Allow the FTP client to verify TLS certificates that are signed by a signing authority as well as self-signed certificates (which prior versions supported). The VERIFY PEER command enables the new functionality; the default remains to verify the certificate as a self-signed certificate (VERIFY SELF). This can be done from the command line with the /TLS=PEER qualifier. In order for certificates to be verified, the certificates must be in a directory specified by the logical SSLCERTS and the certificates must be hashed as described in Chapter 3 of the HP Open Source Security for OpenVMS Volume 2: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch03s01.html If the logical MULTINET_FTP_DONT_WORRY_ABOUT_ISSUER_CERT is defined to T, Y, or 1, then errors getting the issuer's certificate will not cause a failure in the TLS negotiation.
· Make the FTP_SERVER correctly report errors in renaming files.
· Correct the error status returned for the SIZE command for file-structured transfers, such that it returns a 550 status value when the file does not exist.
· Correct a possible ACCVIO when responses to the FEAT command are very long.
· Allow the sending of the FEAT command after connection to be disabled by defining the logical MULTINET_FTP_SEND_FEAT_ON_CONNECT to False, No, or 0 (zero).
· Added support for +VMS+ mode to provide better interoperability with TCP/IP Services.

*BIND 9.9.8-P4* from isc.org.
· Provide configuration support for DNSSEC for DNS clusters with the new logical MULTINET_CLUSTER_SERVICE_DNSSEC. This can be configured with the MULTINET CONFIGURE/NETWORK command "SET CLUSTER-SERVICE-DNSSEC DEVICE:[DIRECTORY]".
  This directory should be on an ODS-5 device since key names are derived from DNS zone names and will most likely have multiple dots in the name. Generate a key signing key and a zone signing key as documented in section 4.8.1 of the BIND manual (http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch04.html#DNSSEC) and place the keys in the specified directory. The address list for the zone that is created for the DNS cluster is maintained using NSUPDATE. DNSSEC signatures are maintained using the provided keys and the zone configuration options available in NAMED.

*NTP 4.2.8p4* from ntp.org

New *DHCP* client (DHCLIENT4) and server (DHCP4) based on ISC version 4.2.5-P1 /(see the TCPware release notes for some information on DHCP4. There are significant changes in some areas.)/

An adaptation of *ARPSNMP* has been included to allow system managers to record the information in MultiNet's ARP tables in a file on disk so that changes can be tracked. Define a symbol to run MULTINET:ARPSNMP.EXE and use the -f qualifier to specify the location for ARP.DAT if it isn't the current directory. -d displays some debugging information while running.

*PEERNAME* utility added which defines the symbols TCPIP$PEERNAME_LOCAL_ADDRESS, TCPIP$PEERNAME_LOCAL_PORT, TCPIP$PEERNAME_REMOTE_ADDRESS and TCPIP$PEERNAME_REMOTE_PORT. It provides functionality that matches the TCP/IP Services PEERNAME utility.

*NFSv3 client* added. Use SET NFS3 TRUE in MULTINET CONFIGURE/NETWORK to get the new driver loaded. Current MultiNet NFSMOUNT commands should work even though there are significant differences between the two clients. The new client will handle NFSv2 mounts as well as NFSv3 simultaneously. NFS V3 supports larger file sizes and has modifications to the protocol to reduce the number of packets that need to be exchanged to get information about files in a directory. This can improve performance.
The NFSv3 client will present the disk as an ODS-5 disk when the server and the version of VMS that MultiNet is installed on support mixed-case file names, and the NFSv3 client will use the process variables when presenting filenames and searching for files. The mount procedure will attempt a V3 mount first, then fall back to V2 if the server does not support NFS V3. The NFSMOUNT command has an additional qualifier (/SEMANTICS=[NO]READDIRPLUS) to restrict whether or not the READDIRPLUS call is used by the client. The client will normally stop using READDIRPLUS if it detects that the server does not support it. The NFSv3 client uses the converted NFS information that the NFSv3 server uses for UID mappings, NFS groups and password file maintenance.

If an *SMTP* reject filter is not present at SMTP startup, one is created based upon the default file.

*SSH2*
· If a server configuration file is not present at SSH startup, one is created based upon the default file. SSH2 host keys are also generated if not present at startup.
· The maximum number of SSH sessions has been increased to 5000 for ia64 systems. Systems may encounter tuning or performance limits before reaching this limit.
· Provide the logical MULTINET_SFTP_OPEN_AS_BINARY, which can be defined to Yes, True or 1 to cause the SFTP server to open files in binary mode instead of Stream-LF.
· When the logical MULTINET_SSH_ACCESS_AUTHORIZATION is defined /system, user authentication checking will take place separately from access control checking. The value of the logical will be used to determine whether or not the desired access is allowed at this time. The value of the logical should be a string of the format SHELL=,EXEC=,SUBSYSTEM= where each value is one of NETWORK, LOCAL, REMOTE. If one of SHELL, EXEC, or SUBSYSTEM is omitted, then that type of access will not be allowed at all. Using a value of SHELL=REMOTE,EXEC=REMOTE,SUBSYSTEM=NETWORK would provide access control similar to typical VMS access controls.
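The mapping that MULTINET_SSH_ACCESS_AUTHORIZATION describes, as an added example that is not MultiNet's SSH server code: it parses the KEY=VALUE list and returns the VMS access class (NETWORK, LOCAL or REMOTE) that a requested SHELL, EXEC or SUBSYSTEM access has to be checked against, denying any kind the list omits. The enum names, the case-insensitive and blank-tolerant parsing, and treating an unrecognised value as denied rather than granted are assumptions of this example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>

/* The three kinds of access an SSH client can request, and the VMS access
 * classes the logical may map each of them to. VMS_DENIED stands for
 * "not allowed at all" and is what an omitted or unrecognised entry yields. */
enum ssh_access { SSH_SHELL, SSH_EXEC, SSH_SUBSYSTEM };
enum vms_class  { VMS_DENIED = 0, VMS_NETWORK, VMS_LOCAL, VMS_REMOTE };

static const char *ssh_keys[] = { "SHELL", "EXEC", "SUBSYSTEM" };

/* Map one value token (the text after '=') to a VMS access class.
 * Surrounding blanks are ignored; anything but NETWORK, LOCAL or REMOTE
 * is treated as denied rather than silently granted (assumption). */
static enum vms_class parse_class(const char *v, size_t n)
{
    while (n && isspace((unsigned char)*v)) { v++; n--; }
    while (n && isspace((unsigned char)v[n - 1])) n--;
    if (n == 7 && strncasecmp(v, "NETWORK", 7) == 0) return VMS_NETWORK;
    if (n == 5 && strncasecmp(v, "LOCAL", 5) == 0)   return VMS_LOCAL;
    if (n == 6 && strncasecmp(v, "REMOTE", 6) == 0)  return VMS_REMOTE;
    return VMS_DENIED;
}

/* Walk the comma-separated KEY=VALUE list held in the logical and return
 * the VMS access class that the requested kind of SSH access has to be
 * checked against. A kind missing from the list is denied outright. */
enum vms_class ssh_access_class(const char *logical, enum ssh_access kind)
{
    const char *want = ssh_keys[kind];
    size_t wlen = strlen(want);
    const char *p = logical;
    while (p && *p) {
        while (isspace((unsigned char)*p)) p++;
        const char *eq   = strchr(p, '=');
        const char *end  = strchr(p, ',');
        const char *next = end ? end + 1 : NULL;
        if (!eq || (end && eq > end)) { p = next; continue; }   /* no '=' in item */
        size_t klen = (size_t)(eq - p);
        while (klen && isspace((unsigned char)p[klen - 1])) klen--;
        if (klen == wlen && strncasecmp(p, want, wlen) == 0) {
            size_t vlen = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
            return parse_class(eq + 1, vlen);
        }
        p = next;
    }
    return VMS_DENIED;
}
```

The returned class is only the first half of the decision: the caller still has to apply the account's own NETWORK/LOCAL/REMOTE access restrictions for that class, which this example leaves to the server.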
*PING* Added /NOSYMBOLIC qualifier to prevent reverse lookups of IP addresses in the command.

[End of release notes]
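The MSL selection described under *Kernel:* above, as an added example that is not MultiNet's kernel code: it classifies a peer as loopback, local or remote from the tcp_msl_* and tcp_rttlocal variables and derives the TIME_WAIT hold time (2 * MSL) that decides how long a closed connection stays on the table the kernel has to scan. The struct layout, the 127/8 test for loopback, the subnet-mask comparison and the millisecond RTT threshold value are assumptions of this example.

```c
#include <stdint.h>

/* Kernel variables named in the release notes. The defaults below are the
 * values the notes give (2 s loopback, 10 s local, 60 s remote); the RTT
 * threshold value and its millisecond unit are assumptions for this example. */
typedef struct {
    int      tcp_msl_enable;           /* non-zero: truncate TIME_WAIT by peer locality */
    unsigned tcp_msl_loop;             /* MSL in seconds for loopback peers */
    unsigned tcp_msl_local;            /* MSL in seconds for same-link peers */
    unsigned tcp_msl_remote;           /* MSL in seconds otherwise (traditional 60) */
    unsigned tcp_msl_remote_threshold; /* RTT threshold in ms, used when tcp_rttlocal is set */
    int      tcp_rttlocal;             /* non-zero: decide "local" from measured RTT */
} msl_tunables;

static const msl_tunables msl_defaults = { 1, 2, 10, 60, 5, 0 };

enum peer_class { PEER_LOOPBACK, PEER_LOCAL, PEER_REMOTE };

/* Classify the remote end of a connection. Addresses are IPv4 in host byte
 * order; loopback is taken to be 127/8 (assumption) and "local" means the
 * same subnet as the local address, or a small RTT when tcp_rttlocal is set. */
enum peer_class classify_peer(const msl_tunables *t, uint32_t local_addr,
                              uint32_t local_mask, uint32_t peer_addr, unsigned rtt_ms)
{
    if ((peer_addr >> 24) == 127)
        return PEER_LOOPBACK;
    if (t->tcp_rttlocal)
        return rtt_ms <= t->tcp_msl_remote_threshold ? PEER_LOCAL : PEER_REMOTE;
    return ((peer_addr & local_mask) == (local_addr & local_mask)) ? PEER_LOCAL : PEER_REMOTE;
}

/* Pick the MSL for a peer class; with truncation disabled every peer gets
 * the traditional remote value. */
unsigned select_msl(const msl_tunables *t, enum peer_class c)
{
    if (!t->tcp_msl_enable)
        return t->tcp_msl_remote;
    switch (c) {
    case PEER_LOOPBACK: return t->tcp_msl_loop;
    case PEER_LOCAL:    return t->tcp_msl_local;
    default:            return t->tcp_msl_remote;
    }
}

/* TIME_WAIT holds a closed connection for 2*MSL (RFC 793), so this is how
 * long the kernel keeps the entry on the table it has to scan. */
unsigned time_wait_seconds(const msl_tunables *t, uint32_t local_addr,
                           uint32_t local_mask, uint32_t peer_addr, unsigned rtt_ms)
{
    return 2 * select_msl(t, classify_peer(t, local_addr, local_mask, peer_addr, rtt_ms));
}
```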