

Release Highlights

Highlights include the following product enhancements.

Juniper Policy Server

The Juniper Policy Server (JPS) acts as a policy server in the PacketCable Multimedia Specification (PCMM) environment. The JPS now complies with the PacketCable Multimedia Specification PKT-SP-MM-I03-051221, or PCMM I03.

NIC

NIC now provides a local host mode in which the NIC host and the NIC proxies communicate with each other within the same application. Because both components run within the same application, the application and the NIC host start and stop at the same time.

If an application uses a local NIC host, typically all NIC proxies for the application communicate with the local NIC host, but some of the NIC proxies can be configured to communicate with a NIC host that runs on another system.

NIC supports the following three new configuration scenarios:

Use this scenario for configurations in which subscribers can be identified by an accounting ID. One or more subscribers can use an accounting ID. Volume-tracking applications use this scenario.

The OnePopAcctId scenario includes two new NIC agents:

Use this scenario for applications that use the SAE programming interfaces and that identify subscribers by the primary username. Aggregate services and the Dynamic Service Activator application can use this scenario.

This scenario includes a new NIC agent, UserNameVr, which maps a primary username to a virtual router.

Use this scenario for situations in which subscribers have an assigned IP address and these IP addresses can be associated with interfaces on JUNOS routing platforms. The Threat Mitigation Application Portal uses this scenario.

In addition to the new OnePopStaticRouteIp configuration scenario to support the Threat Mitigation Application Portal, NIC provides a network publisher component to gather information from JUNOS routing platforms for use with the OnePopStaticRouteIp configuration scenario.

The network publisher gathers information about interfaces on specified JUNOS routers and then stores that information in the directory. You run the network publisher whenever you want to get interface information from one or more routers; the NIC does not automatically update configuration information in the directory. You can configure network publisher to troubleshoot problems encountered connecting to the router or obtaining information from the router.

In previous releases, the NIC mapped a key to a single value. With release 6.4.0, the NIC can map a key to more than one value. For example, if a key can be mapped to an SAE reference for more than one SAE, the NIC can return all such SAE references.

The NIC access interface module (nicAccess.idl) is a simplified CORBA interface used to perform NIC resolutions. Use the NIC access module to develop applications not written in Java.

You can now qualify a data type by adding an identifier to it. An identifier lets you distinguish between different instances of a data type in a resolution scenario, or provide information about a data type to clarify how that data type is used in a resolution.

The AnyString data type lets you encapsulate an alphanumeric string to refer to a type of data not provided by other data types. You can specify the type of data represented by AnyString by adding a qualifier to the data type.

Policies

As part of JPS compliance, classify-traffic conditions have been extended to comply with PacketCable Multimedia Specification PKT-SP-MM-I03-051221 (PCMM I03). Specifically, you can now enter a range for source or destination ports.

To support IMS, you can specify that classify-traffic conditions for JUNOSe policies are expanded into multiple classifiers. If you enter a comma-separated list of values in the source and destination IP address and source and destination port fields, the software creates a classifier for each possible combination of address and port.

For example, suppose a classify-traffic condition has the following values:

source address—192.1.1.0/255.255.255.0, 192.2.1.0/255.255.255.0
source port eq 10, eq 20

The condition is expanded into four classifiers that have the following combinations of source addresses and source ports:

192.1.1.0/255.255.255.0 eq 10
192.1.1.0/255.255.255.0 eq 20
192.2.1.0/255.255.255.0 eq 10
192.2.1.0/255.255.255.0 eq 20
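
The expansion described above can be reproduced offline to check how many classifiers a condition will generate before it is deployed. The following Python sketch is an added example, not SDX code: the function names are hypothetical, only the `eq` port operator shown on this page is accepted, and an empty field is assumed to contribute a single unspecified slot. It generalizes the page's two-field case to all four address and port fields.

```python
import ipaddress
from itertools import product

def split_list(field):
    """Split a comma-separated field into trimmed, non-empty values."""
    return [v.strip() for v in field.split(",") if v.strip()]

def parse_network(text):
    """Validate address/mask notation; reject values with host bits set."""
    net = ipaddress.ip_network(text, strict=True)
    return f"{net.network_address}/{net.netmask}"

def parse_port(text):
    """Validate a port term of the form 'eq <port>' (the only form shown on the page)."""
    op, _, num = text.partition(" ")
    if op != "eq" or not num.strip().isdigit() or int(num) > 65535:
        raise ValueError(f"unsupported port term: {text!r}")
    return f"eq {int(num)}"

def expand(src_addr="", src_port="", dst_addr="", dst_port=""):
    """Return one tuple per combination of the listed addresses and ports."""
    fields = [
        [parse_network(v) for v in split_list(src_addr)],
        [parse_port(v) for v in split_list(src_port)],
        [parse_network(v) for v in split_list(dst_addr)],
        [parse_port(v) for v in split_list(dst_port)],
    ]
    # Assumption: an empty field yields one unspecified slot (None),
    # so it does not reduce the product to zero classifiers.
    return list(product(*[f or [None] for f in fields]))

def render(classifier):
    """Format a classifier tuple the way the page lists them."""
    return " ".join(part for part in classifier if part is not None)

# The values from the example on this page.
PAGE_EXAMPLE = dict(
    src_addr="192.1.1.0/255.255.255.0, 192.2.1.0/255.255.255.0",
    src_port="eq 10, eq 20",
)

if __name__ == "__main__":
    classifiers = expand(**PAGE_EXAMPLE)
    for c in classifiers:
        print(render(c))
    print(len(classifiers), "classifiers")
```

Because the count is the product of the list lengths, a few values in each of the four fields multiply quickly; running the check first shows the classifier count a condition will produce.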

SAE

You can use Transport Layer Security (TLS) to secure the Blocks Extensible Exchange Protocol (BEEP) connection between the SAE and the JUNOS routing platform.

To complete the handshaking protocol for the TLS connection, the client (JUNOS routing platform) and the server (SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You must then install both certificates on the SAE and on the JUNOS routing platform.

You also need to configure the SAE to accept TLS connections and configure the keystore (database of keys and certificates from trusted entities) on the SAE.

The SAE can check the configuration of a JUNOS routing platform under its control to detect whether the configuration has changed by a means other than through the SAE. The SAE checks the configuration installed on the router against the state of the SAE session layer (subscriber, service, and interface sessions). If the SAE finds a disparity between the router and the SAE configurations, it can take the following actions:

Traffic Mirroring

Packet mirroring allows you to mirror subscriber traffic by configuring a script service with the SDX software that applies policies on a JUNOSe router for RADIUS-based packet mirroring.

The SAE provides an infrastructure that allows script services to send dynamic RADIUS requests, such as change-of-authorization (CoA) messages, to a RADIUS device such as a JUNOSe router. The script services activate and deactivate dynamic interface mirroring.

The JUNOSe software provides RADIUS-based packet mirroring, which allows the router to create dynamic secure policies for the mirroring operation. The RADIUS administrator can configure and manage interface mirroring services that are activated by means of CoA. For information about configuring RADIUS-based packet mirroring on the JUNOSe router, see the JUNOSe Policy Management Configuration Guide.

For information about dynamic RADIUS requests, see RFC 3576—Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (July 2003).

NOTE: This feature is not qualified for SDX Release 6.4.0.

Configuration Tools

SDX Admin, SDX Configuration Editor, and Policy Editor have a Help > Online Help menu item that displays information in PDF format about using the application. A Help button for the local configuration tool for SAE displays information about using that application.

