Release Notice: LoadMaster LMOS 7.2.52.0

Release Date: 14th October 2020

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply one of the two XML Verification Files supplied with this release:

  • 7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
    • Use this file when upgrading a LoadMaster running a release that is prior to LMOS 7.2.51.
  • 7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE.checksum.xml
    • Use this file when upgrading from LMOS 7.2.51 or repeating an upgrade to LMOS 7.2.52 -- that is, LoadMaster is already running 7.2.52.0 and you want to repeat the upgrade process.

LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to 7.2.52, you can verify the digital signatures using a manual process documented on the support website.

Downgrading to Earlier Versions

Downgrading a LoadMaster running Version 7.2.52 to LMOS 7.2.51 can be performed using any desired Update Verification Options setting.

Downgrading to LMOS 7.2.50 or a previous release can only be done when the Update Verification Options setting is set to Optional or No verification file - deprecated. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

[Note: The XML file verification is not part of the process of switching the active LoadMaster partition to the LMOS release that was running on LoadMaster before the last update.]

Release Highlights

New Features

  • Rate Limiting / Quality of Service for Incoming Connections
    • The ability to limit the number and rate of client connections to LoadMaster is now supported via controls on a new System Configuration > Rate Limiting UI page. The following methods of limiting incoming connections are provided.
      • Global limits on all incoming connections to LoadMaster:
        • Concurrent connection limit
        • Connection per second (CPS) limit
        • Request per second (RPS) HTTP request limit
      • Client limits specified by network addresses or ranges of addresses:
        • Concurrent connection limit
        • Connection per second (CPS) limit
        • Request per second (RPS) HTTP request limit
      • URL-Based (or VS-based) RPS limits, specified by string-matching on specific URL fields:
        • Request URL
        • Host
        • User Agent
  • SSL Information in Client Request Headers
    • A new check box, Add Received Cipher Name, has been added to the SSL Properties section for HTTP/HTTPS Virtual Services. This option is disabled by default, which means there is no change from the behavior in previous releases. When this option is enabled, the LoadMaster adds the following headers:
      • X-SSL-Cipher
      • X-SSL-Protocol
      • X-SSL-Serialid
      • X-SSL-ClientSerialid
      • X-SSL-SNIHost
  • DHCPv6 Support
    • Support for DHCPv6 (Dynamic Host Configuration Protocol for IPv6) has been added for initial LoadMaster deployment and can optionally be enabled afterward if required.
  • RADIUS 2-Factor Plus LDAP Authentication
    • LoadMaster now supports RADIUS 2-factor plus LDAP authentication for Single Sign On (SSO).
  • Content Rule Page Updates
    • A number of usability improvements have been made to the content rule functionality based on customer feedback.
  • Ability to use SNI in SubVS, as well as SNI-Hostname Pass Through
    • The Server Name Indication (SNI) feature has been enhanced to support the following:
      • The ability to pass through the original hostname as the SNI hostname to the Real Server.
      • The ability to specify a different (manual) SNI hostname per SubVS. This is the same as the previous functionality to specify this on the parent Virtual Service (Reencryption SNI Hostname) but on the SubVS level with content switching.
  • Permitted Groups in Multi-Domain Environment
    • In previous releases, values specified for the Permitted Groups parameter in the Virtual Service ESP Options had to be groups defined within the same domain (or sub-domain) in which the user profile is defined, or the group check would fail. With this release, a new Multi-Domain Permitted Group Check option has been introduced within ESP Options. Once enabled, LoadMaster will check for permitted group membership within all sub-domains under the top-level domain. This option is disabled by default.
  • HTTP/HTTPS Health Check OPTIONS Method Support
    • A new HTTP/HTTPS health check option has been added to the Real Servers tab for all Virtual Services. When the Real Server Health Check Method is set to either HTTP Protocol or HTTPS Protocol, a new OPTIONS setting is available for the HTTP Method. This specifies that the server will be marked up when LoadMaster receives a 200 OK in response to an HTTP (or HTTPS) OPTIONS request sent by LoadMaster.
  • Quality of Service DSCP Pass Through Support
    • Support for the Differentiated Services Code Point (DSCP) architecture in previous releases allowed the setting of a specific DSCP option via the Virtual Service Quality of Service option (under Standard Options). A new option, Pass Through, has been added to the Quality of Service drop-down to support DSCP settings passed to LoadMaster in the client connection. When this option is enabled and there is a DSCP option received in a client request, LoadMaster will pass that DSCP option on to the server.
  • GEO: DNS TXT Record Support
    • GEO has been enhanced to support a single Domain Name Service (DNS) TXT record that will be returned whenever GEO answers a TXT record request for any domain defined within GEO.
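
The connection limits listed under Rate Limiting above are easiest to reason about with a small working model. The following Python is an added example, not LoadMaster code and not the product's implementation: it models a global concurrent-connection cap, a global connections-per-second (CPS) cap and per-client caps keyed by an address or CIDR range (the URL-based RPS limits are not modelled), then replays a constructed trace of connection events through them. The class and function names, the address ranges, the limit values and the longest-prefix-wins rule selection are all assumptions made for illustration.

```python
"""Model of the incoming-connection limits described in the release notice.

Added example, not LoadMaster code: a global concurrent cap, a global CPS cap
and per-client caps keyed by address or CIDR range, replayed over a
constructed event trace. Names, limits and addresses are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Limits:
    concurrent: Optional[int] = None   # max simultaneously open connections
    cps: Optional[int] = None          # max new connections per one-second window


@dataclass
class Counters:
    open_conns: int = 0
    accepts: deque = field(default_factory=deque)  # accept times within the last second


class ConnectionLimiter:
    def __init__(self, global_limits, client_rules):
        # client_rules: iterable of (cidr string, Limits); assumed layout
        self.global_limits = global_limits
        self.client_rules = [(ip_network(cidr), lim) for cidr, lim in client_rules]
        self.global_ctr = Counters()
        self.client_ctrs = {}  # ip_network -> Counters

    def _match_rule(self, src):
        """Longest-prefix match, so a /32 entry overrides a /24 that covers it."""
        addr = ip_address(src)
        best = None
        for net, lim in self.client_rules:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, lim)
        return best

    @staticmethod
    def _exceeded(ctr, limits, now):
        # slide the CPS window: forget accepts older than one second
        while ctr.accepts and now - ctr.accepts[0] >= 1.0:
            ctr.accepts.popleft()
        if limits.concurrent is not None and ctr.open_conns >= limits.concurrent:
            return "concurrent limit"
        if limits.cps is not None and len(ctr.accepts) >= limits.cps:
            return "cps limit"
        return None

    def connect(self, src, now):
        """Decide on a new connection from src at time now; returns (accepted, reason)."""
        scopes = [(self.global_ctr, self.global_limits, "global")]
        rule = self._match_rule(src)
        if rule is not None:
            ctr = self.client_ctrs.setdefault(rule[0], Counters())
            scopes.append((ctr, rule[1], f"client {rule[0]}"))
        for ctr, lim, name in scopes:
            why = self._exceeded(ctr, lim, now)
            if why:
                return False, f"{name} {why}"   # rejected connections are not counted
        for ctr, _, _ in scopes:
            ctr.open_conns += 1
            ctr.accepts.append(now)
        return True, "accepted"

    def close(self, src):
        """Release a previously accepted connection from src."""
        self.global_ctr.open_conns -= 1
        rule = self._match_rule(src)
        if rule is not None:
            self.client_ctrs[rule[0]].open_conns -= 1


# Constructed event trace: (action, source address, time in seconds)
SAMPLE_EVENTS = [
    ("open", "203.0.113.7", 0.0),    # accepted
    ("open", "203.0.113.7", 0.1),    # rejected: the /32 entry allows one open connection
    ("close", "203.0.113.7", 0.2),
    ("open", "203.0.113.7", 0.3),    # accepted again after the close
    ("open", "203.0.113.9", 0.4),    # /24 CPS 1 of 3
    ("open", "203.0.113.9", 0.5),    # 2 of 3
    ("open", "203.0.113.9", 0.6),    # 3 of 3
    ("open", "203.0.113.9", 0.7),    # rejected: /24 CPS limit reached
    ("open", "203.0.113.9", 1.7),    # accepted: the one-second window has rolled over
    ("open", "198.51.100.1", 1.8),   # no client entry: only the global limits apply
]


def replay(events):
    """Run the constructed trace through a limiter; returns the decision for each open."""
    limiter = ConnectionLimiter(
        Limits(concurrent=100, cps=50),
        [("203.0.113.0/24", Limits(cps=3)),
         ("203.0.113.7/32", Limits(concurrent=1))],
    )
    decisions = []
    for action, src, t in events:
        if action == "open":
            decisions.append(limiter.connect(src, t)[1])
        else:
            limiter.close(src)
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```

Two design points in this model are worth checking against whatever limiter you deploy: rejected connections are not counted toward the CPS window, so a client that is already over its limit cannot keep its own window full, and a more specific client entry replaces a broader one rather than stacking with it. Whether the appliance behaves the same way is not stated in the notice and should be confirmed by testing.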

Change Notices

  • Best Practices Cipher Set Updated
    • In LoadMaster firmware version 7.2.52, the BestPractices cipher set was updated. The cipher set is now based on the recommendations provided in the Use Secure Cipher Suites section of the following SSL Labs article: SSL and TLS Deployment Best Practices.
  • Adjustable Timeout for KCD Connections
    • In previous releases, when Server Side Authentication is set to KCD (Kerberos Constrained Delegation) in a Virtual Service's ESP Options, LoadMaster would always wait up to 2 seconds to determine whether or not the connection was rejected. In configurations where large POSTs are common, this can lead to latency issues.
    • A new L7 Wait after POST parameter on the System Administration > Miscellaneous Options > L7 Configuration page of the UI allows you to set the time to wait for a server response, so that the timeout can be set appropriately for different configurations. The default value is 2000 ms (2 seconds). Valid values are 1 to 2000.
  • Per-VS Health Check Settings
    • In previous releases, health check settings were global-only, located on the Rule & Checking > Check Parameters UI page:
      • Check Interval
      • Connect Timeout
      • Retry Count
    • These settings now also appear within the Virtual Service Real Servers tab, so that you can tune health check behavior for specific VSs and SubVSs.
  • Disabling SSL Master Secret Extension Handling
    • LoadMaster by default will process the SSL Master Secret Extension (as defined in RFC 7627). This can cause problems for some legacy clients, so this behavior can be disabled by turning on the Disable Master Secret Handling option, found in the UI under System Configuration > Miscellaneous Options > Network Options. By default, the LoadMaster processes the Master Secret SSL Extension.
  • Modified EC Curves in LoadMaster Client Hello
    • The following EC curves for ECDHE ciphers are no longer supported to meet Common Criteria security requirements.
      • x25519
      • x448
  • Enhanced HA Sync Parameters
    • The following new options have been added to the HA Parameters when Inter HA L4 TCP Connection Updates check box is selected:
      • L4 Sync Threshold: The minimum number of incoming packets that a connection must receive before the connection is synchronized. The range of the threshold is from 0 to (Sync Period - 1). The default value is 3.
      • L4 Sync Period: A connection is synchronized every time the number of its incoming packets modulo the Sync Period equals the threshold. Valid values range from (Sync Threshold + 1) to 255. The default value is 50.
      • L4 Sync Refresh Period: The difference (in seconds) in the reported connection timer that triggers a new sync message. Valid values range from 0 to 10. The default value is 0.

Security Updates

  • Best Practices Cipher Set Updated
    • See section above under Change Notices.
  • GEO: Response Contains Internal IP Address
    • In LMOS Version 7.2.50 / GEO Version 2.3.50, a change was introduced that caused GEO responses to DNS requests for any FQDN defined within GEO to include an additional record that listed the internal IP address of a NATed LoadMaster, rather than the public IP address. This issue has been addressed by instead returning "0.0.0.0" in the additional records section unless a specific IPv4 or IPv6 address is configured in the Global Balancing > Miscellaneous Params > Glue Record IP text box.
  • Enhanced Server-Side KCD Authentication Cipher Option
    • A new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of LoadMaster's server-side KCD connections to meet evolving security policies.
    • In previous releases, KCD was configured to use the RC4, DES, and DES3 ciphers for server connections; these ciphers could not be modified. With this release, you can enable the Use AES 256 SHA1 KCD Cipher option on the Virtual Services > Manage SSO UI page to specify that the RC4, DES, and DES3 ciphers be disabled for server-side KCD and that the aes256-cts-hmac-sha1-96 cipher be used instead. This option can be enabled or disabled as needed within different server-side Single Sign On (SSO) configurations.
  • Certificate Signing Request (CSR) Generation
    • In previous releases, both the unsigned Certificate Signing Request (CSR) generated by LoadMaster and the associated private key were displayed in the UI (or returned via the API). A new option has been provided to allow the private key to be managed more securely, preventing unintentional disclosure or improper handling of the private key by the user.
    • This new option appears only when the Certificates & Security > Remote Access > Self-Signed Certificate Handling option is set to EC certs with an EC signature -- which means that an elliptic curve cipher will be used for both the certificate and the digital signature.
  • Syslog and LDAPS Server Certificate Validity Checking
    • LoadMaster has been modified to use OCSP to check the validity of the server certificates supplied by the syslog and LDAPS servers configured on the LoadMaster. If these checks fail, connections to the server are not permitted.
  • Enhanced Random Number Generator Seeding
    • In previous releases, seeding the system random number generator was performed on all platforms using entropy sources that were available directly to the kernel after boot, providing an acceptably high level of entropy. Best practices in the industry (e.g., Common Criteria) have evolved to generally recommend that, when available, systems running on Intel architectures take advantage of Intel's Digital Random Number Generator (DRNG) software to provide additional entropy sources from the processor at boot time.
    • LoadMaster has been enhanced to attempt to use the Intel DRNG architecture's RDSEED and RDRAND processor instructions to provide additional entropy for seeding the random number generator. This behavior is disabled by default; to enable:
      • In the UI, navigate to Certificates & Security > Remote Access.
      • Set the Self-Signed Certificate Handling option to EC certs with an EC signature.
      • Reboot the LoadMaster.
  • Enhanced NTP Key Exchange Algorithms
    • The SHA-1 hashing algorithm has been added to the key types supported for NTP on the System Configuration > System Administration > Date/Time UI page. Click Show NTP Authentication Parameters to display the NTP Key Type. Note that, in previous releases, SHA-1 was presented as a choice, but this was actually implementing the legacy SHA (a.k.a. SHA-0) hashing algorithm. This has also been corrected in this release, so that the three key types supported are now: MD5, SHA-1, and legacy SHA.

Recommended Reading

For full details on all the firmware updates, consult the LoadMaster 7.2.52.0 Release Notes.

Download Links

Current GA Version - 7.2.52.0
