AOS12 3 1 - Release Notes - v1r2
This document details new features, known issues and clarifications concerning Allot
Operating System software version AOS12.3.1
Some of the features described in these Release Notes require a specific license.
Please check http://www.allot.com/support.html for any updates to this document.
This document contains Proprietary Trade Secrets of Allot Communications LTD and its
receipt or possession does not convey any right to reproduce, disclose its contents or to
manufacture, use or sell anything that it may describe.
Allot reserves the right to make changes, add, remove or change the schedule of any
element of this document.
Allot Operating System v12.3.1 Release Notes
Contents
1 Platform and Software Management
  1.1 Software Version Compatibility
  1.2 Protocols and Applications
  1.3 Performance and Sizing
2 Enhancements
  2.1 New Features in AOS12.3
    2.1.1 Tethering Detection
    2.1.2 Inline DHCP Gleaning
    2.1.3 Increased number of Policy Elements
    2.1.4 Secure Data Enrichment in HTTP redirect
    2.1.5 HTTP Redirect to HTTPS
    2.1.6 IPv6 support
    2.1.7 IPv6 Support in Steering to Value Added Services
    2.1.8 DPI Improvements
    2.1.9 Predictive DPI / Layer7 Traffic Steering from the First Packet
    2.1.10 Troubleshooting Improvements
    2.1.11 Extended SNMP With Device Level Byte and Packet Count
    2.1.12 O&M improvements
    2.1.13 Support for Additional Features Added in SMP/NX12.3
  2.2 New Features in AOS12.2
    2.2.1 Selective Bypass by VLAN Group
    2.2.2 DPI capabilities – further inspection capability of SIP traffic
    2.2.3 Support for Additional Features Added in SMP/NX12.2
  2.3 New Features in AOS12.1
    2.3.1 Real Time Usage Monitoring
    2.3.2 Monitoring rules
    2.3.3 Steering Enhancements
    2.3.4 VoIP minutes of use reporting
    2.3.5 Embedded Service Protector Sensor
    2.3.6 Teredo Tunneling
    2.3.7 Raw HTTP Handling
3 Resolved Issues
  3.1 Resolved in 12.3
  3.2 Resolved in 12.2
NOTE SMP 12.3 is considered limited availability for upgrade. If required please contact
Allot Customer Support.
A new license key is required when upgrading your AOS software version.
Please make sure you have a valid license for the AOS version you are installing
before starting the upgrade. However, Allot strongly recommends that after
upgrading, you retain the previous license key in a safe place in case you must
roll back to the previous version.
In this location, you will also find the latest release notes for the protocol pack and its
predecessors, containing detailed information about the supported applications, as well as
information on resolved and known issues.
2 Enhancements
2.1 New Features in AOS12.3
This section documents those AOS features which were first introduced in AOS12.3 and are
included in all subsequent versions.
The Policy editor is now enriched with options to classify traffic based on tethering, or on a
combination of tethering and a specific application service:
Tethering Detection
Using the user-agent to identify laptop tethering through a smartphone (as
some DPI vendors do) is not considered resistant to fraud. Allot’s tethering
detection is based on layer 3 IP characteristics, also known as OS fingerprinting,
and is much more resilient.
The following matrix presents the test results for the “OS fingerprinting” method
(employed by Allot). The left column (“Tethering”) presents the operating system of the
mobile device used for tethering. The upper heading (“Tethered”) presents the operating
system of the tethered device (Windows, MAC or another Smartphone).
[Matrix headings. Columns (Tethered): Windows, MAC OS, iOS, Android, WinPhone, BlackBerry, Symbian. Rows: Tethering]
[Figure: Inline DHCP Gleaning. Labels: PC/Router, CM, CMTS, Relay Agent, DHCP, DHCP + Option 82, SG, DHCP + Opt 82 (copy), SMP, VOIP, Internet, MGMT Network]
The type of DHCP messages parsed by the gleaner is configurable. The user can select
one or more of the following options:
1. Parse All DHCP ACK messages (with or without OPTION 82)
2. Parse Only DHCP ACK messages with OPTION 82
3. Parse Only DHCP ACK messages without OPTION 82 – DHCPACK is message
type 5 (type defined in DHCP OPTION 53)
Performance:
Each DHCP gleaner (embedded in the SMP server) is able to parse 1000 DHCP messages
per second, for up to 10 in-line platforms per gleaner.
Each Core Controller is able to send/mirror 100 DHCP messages/second to gleaners.
Note: DHCP in-band gleaning is supported only in the SG-Sigma E platform.
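The three parsing options listed above, worked through as an added example (not Allot's code and not part of the original release notes): a minimal DHCP parser that accepts only DHCPACK (Option 53 value 5) and filters on the presence of Option 82. The mode names all, with82 and without82, the function names and the sample message are assumptions made for the illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP options field
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
DHCPACK = 5

def walk_tlv(data, top_level=True):
    """Decode code/length/value triples; ValueError if a length overruns the buffer."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out

def glean(msg, mode="all"):
    """Return {'ip','mac','relay'} for a DHCPACK accepted under mode (names assumed)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        return None
    try:
        opts = walk_tlv(msg[240:])
        relay = walk_tlv(opts[OPT_RELAY_INFO], False) if OPT_RELAY_INFO in opts else None
    except ValueError:
        return None                      # malformed input is dropped, never gleaned
    accept = {"all": True, "with82": relay is not None, "without82": relay is None}
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]) or not accept[mode]:
        return None
    mac = msg[28:28 + min(msg[2], 16)].hex(":")   # chaddr, hlen bytes long
    return {"ip": str(ipaddress.IPv4Address(msg[16:20])), "mac": mac, "relay": relay}

def build_sample(msg_type, with82):
    """Constructed BOOTREPLY (not a capture) assigning 10.0.0.23 to 00:11:22:33:44:55."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes([10, 0, 0, 23]), bytes(4), bytes(4),
                      bytes.fromhex("001122334455"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if with82:
        sub = bytes([1, 4]) + b"eth0" + bytes([2, 3]) + b"cm1"  # circuit-id, remote-id
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])
```

The relay dictionary holds the Option 82 sub-options (1 is the circuit ID, 2 the remote ID, per RFC 3046); a message whose option lengths overrun the buffer is rejected in every mode.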
If IPv4 is going to stay for the long-term and is required to coexist with IPv6, there will
still remain a need to support IPv4 subscribers and maintain communication with IPv4
servers.
“Dual Stack” is the classic way for IPv4 and IPv6 to co-exist. It simply means support for
both IPv4 and IPv6 at the same time. Dual stack hosts select which IP to use based on
application. For example: for web browsing, the destination is selected based on a DNS
query.
Dual stack subscribers with IPv4 and IPv6 addresses (at the same time) are managed by
Allot as a single subscriber with a unified QoS.
The table below describes the IPv6 support in all the different areas of the Allot solution.
Solution Area: IPv6 Support in Allot Solution
1. Subscriber Data Plane (QoS, Reporting & Usage Monitoring)
   - Single IPv4 per APN *
   - Single IPv6 per APN *
   - Single IPv6 + IPv4 addresses per APN (IPv4v6 APN) *
2. Identification (application and protocol recognition)
   - Protocol Identification capability for IPv6 Traffic
   - Protocol Identification capability for IPv4 and IPv6 Mixed traffic
   - L7 protocol signature will not indicate whether the L3 protocol used was IPv6 or IPv4 (i.e. HTTP over IPv4 and HTTP over IPv6 will both appear as HTTP)
3. Classification (condition catalogs)
   - Services Entry (Applications & Protocols)
   - Time Catalogue for IPv6 Traffic
   - classification based on IPv6 Traffic Class (ToS)
   - IPv6 prefixes for dynamic host groups (service plans for subscriber management)
4. Subscriber to IP Mapping (SMP)
   - When User Equipment is assigned an IPv4 Only address*
   - When User Equipment is assigned an IPv6 Only interface address (to be appended to a defined network prefix). A user can be identified as prefix that can be /48 /56 or /64*
   - When User Equipment is assigned an IPv4 and IPv6 addresses (uncorrelated) *
5. RADIUS Interface (SMP)
   - Supports IPv6 Radius (RFC 3162) protocol with no change of functionality compared to how IPv4 Radius messages are handled
6. PCRF Triggers (SMP as PCEF)
   - Service Plans based on PCRF Gx message (CCAi)
   - Change of Service Plans based on PCRF triggers (RAR)
7. Integrated Services
   - HTTP Redirection to Captive Portal with IPv6 Traffic
   - WebSafe (URL Filtering) with IPv6 Traffic
8. Traffic Statistics
   - Per Policy Element Statistics (Short Term & Long Term) with IPv4 and IPv6 mixed traffic*
   - Conversations Elements Statistics (Short Term & Long Term) with IPv4 and IPv6 mixed traffic
   - Most Active URL statistics with IPv4 and IPv6 mixed traffic
9. Northbound API
   - Gx IPv6 specific AVP with no change of functionality compared to how Gx messages are handled with IPv4 fields
The above refers to data plane only. All communication with PCRF (control
plane) can manage all APN types (IPv4 only, IPv6 Only, IPv4v6)
I/F or two physical interfaces, for directly connected servers these should
be on the same physical interface.
Interfaces can share the same VLAN or have separate VLANs. Health
checks will be performed only with the servers’ IPv4 interface. If the
service is activated as IPv4 /IPv6 capable, there will be only one unique
and common load balancing pool of servers. This means that IPv4 and
IPv6 flows will be sent to servers using load balancing methods and
therefore it is necessary for the same server part of the pool to be able to
handle both protocols.
2.1.9 Predictive DPI / Layer7 Traffic Steering from the First Packet
Predictive DPI was designed with two specific scenarios in mind. The first involves
redirecting HTTP Video for optimization or caching, while the second is used to ensure
that certain HTTP File Sharing protocols are excluded from redirection. In the case of
some proxy-based services (such as video optimization and caching), the steering must
be from the first packet. Since the first packet is usually a TCP SYN, which cannot be
associated with any specific application using traditional DPI techniques, new methods are
required.
While other DPI vendors overcome this obstacle by implementing a broad classification
of steering all HTTP (port 80) traffic, Allot took a different approach in order to perform
optimal filtering of irrelevant connections and provide a cost-efficient solution. This
method, while not as accurate as traditional DPI, provides significant value in granular
filtering of video-only traffic as opposed to port-based steering. In addition, for a video
optimization service, the cost of a small percentage of false negative/positive results is
negligible.
Allot’s Predictive DPI feature enables the user to manually flag certain services
(protocols) for the system to study in order to predict when they are being employed, thus
ensuring that traffic using such services can be steered based on service from the very first
packet.
In order to do this, all available data about a selected service is analyzed, including
Allot’s extensive library of protocol knowledge together with a history of previous
connections and a list of the active hosts serving this protocol, so that a NetEnforcer or
Service Gateway can predict when this service is being used in new sessions based on
that service’s recorded behavior.
This means that new sessions to the server will be identified and matched to the
corresponding service from the first packet of the session, i.e. from the initial TCP SYN
packet. This allows only the desired traffic to be sent to the proxy.
After several packets of the session are seen by the NetEnforcer/Service Gateway, if the
system makes a more accurate identification, the traffic is then reclassified and matched
to the correct service.
While the mechanism is designed for support of additional use cases and protocols, no
others have been tested at this stage.
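The first-packet prediction and later reclassification described in this section can be modelled as follows. This is an added, simplified sketch, not Allot's algorithm: it predicts only from a per-server history of earlier DPI results, and the class, the min_hits threshold, the service labels and the flows are all constructed for the example.

```python
from collections import Counter, defaultdict

class PredictiveClassifier:
    """Simplified model: guess a flow's service at SYN time from server history."""

    def __init__(self, flagged, min_hits=3):
        self.flagged = set(flagged)          # services flagged for prediction
        self.min_hits = min_hits             # assumed confidence floor, not an AOS setting
        self.history = defaultdict(Counter)  # (server_ip, port) -> Counter of services
        self.pending = {}                    # flow_id -> (server key, first-packet guess)

    def on_syn(self, flow_id, server_ip, port):
        """First packet: return the predicted flagged service, or None (do not steer)."""
        key, guess = (server_ip, port), None
        seen = self.history.get(key)
        if seen:
            service, hits = seen.most_common(1)[0]
            if service in self.flagged and hits >= self.min_hits:
                guess = service
        self.pending[flow_id] = (key, guess)
        return guess

    def on_dpi_result(self, flow_id, service):
        """Payload-based result after several packets: learn it, report if reclassified."""
        key, guess = self.pending.pop(flow_id)
        self.history[key][service] += 1
        return guess is not None and guess != service

def replay(flows, flagged=("http-video",)):
    """Replay (server_ip, port, true_service) tuples and count steering outcomes."""
    clf, stats = PredictiveClassifier(flagged), Counter()
    for flow_id, (ip, port, truth) in enumerate(flows):
        guess = clf.on_syn(flow_id, ip, port)
        clf.on_dpi_result(flow_id, truth)
        if guess is not None:
            stats["steered_ok" if guess == truth else "steered_wrong"] += 1
        else:
            stats["missed" if truth in clf.flagged else "not_steered_ok"] += 1
    return dict(stats)

# Constructed flows: a video server that once serves file sharing, and a plain web server.
SAMPLE_FLOWS = ([("198.51.100.10", 80, "http-video")] * 5
                + [("198.51.100.10", 80, "http-filesharing"),
                   ("198.51.100.10", 80, "http-video")]
                + [("192.0.2.7", 80, "http")] * 3)
```

Replaying SAMPLE_FLOWS shows both error types the text accepts for video optimization: the first three video flows are missed while the history builds up, and the single file-sharing flow to the known video server is steered and only corrected once the payload-based result arrives.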
2.1.11 Extended SNMP With Device Level Byte and Packet Count
Until now, Allot’s SNMP MIB enabled an in-line platform to be polled for information
per port. This information, however, was not aggregated per platform. The AOS SNMP
ifTable and related tables have now been enhanced to include a new row: a logical
interface representing an aggregate of all network ports. The new logical interface is
represented in the MIB as follows:
All Counter32 and Counter64 columns in ifTable, ifXTable and alIfXTable
(including the newly added alIfXHCInTotalPkts and alIfXHCOutTotalPkts) were
populated with the corresponding sum of all network ports, i.e. all rows whose
alIfXType is internal(1) or external(2).
Additional columns populated. See details in MIB document.
capability was used to achieve this aim, but in doing so, system resources were still
utilized (i.e: virtual channel, connection etc.)
This new capability performs selective bypass with minimal impact on Service Gateway
resources and performance. Configuration is performed independent of the policy so as
not to utilize policy elements. Traffic matching a predefined group of VLAN tags
bypasses the DPI elements of the system and hence does not utilize policy elements
resources or DPI resources that impact the Connection Establishment Rate (CER). Note
that forwarding resources, reflected in packet per second parameter (which affects
bandwidth) are still affected by bypassed traffic.
1 Mobile analytics is a licensed add-on feature
(1) At initial CCRi/CCAi, the PCRF returns a policy asking to report when a certain
threshold is reached
(2) The SMP provisions the in-line platform with volume reporting and threshold
(3) The in-line platform counts usage and compares it to the thresholds set by the SMP in
real-time.
(4) The in-line platform reports only once the volume threshold has been crossed or at
pre-defined reporting points (e.g. end of session).
(5) The SMP notifies the PCRF. The PCRF then provides a new threshold or a different
service plan.
If the SMP is integrated with an Online Charging System (OCS), a similar flow of
messages takes place, based on a “grant” issued by the OCS to the SMP. The final
grant may be accompanied by an action (block or redirect).
3 Resolved Issues
3.1 Resolved in 12.3
(Case ID: 121558) | The CPU utilization value in the MIB was not calculated correctly. | Fixed
21608 | CPU usage was calculated incorrectly. | Fixed
20368 (Case ID: 116297) | The FB-200 blade in slot 9 was erroneously reported as not active. | Fixed
19070 | Security: The Telnet service was not disabled by default | Fixed. Disabled by default
19836 | MAX & MIN QoS policies were not enforced on a policy element with classification based on an IP range | Fixed
20478 / 21582 | Rare crashes in SNMP process | Fixed
4 Known Issues
5 Software Upgrade
NOTES The Software Upgrade Procedure may fail if the database of your in-line platform
is corrupted. In such cases, please consult Allot Customer Support at
support@allot.com.
A new key is required when upgrading to AOS12.3. In order to receive a new key
you must have your Boxkey number ready when contacting Allot Customer
Support. For a script and full instructions for accessing the Boxkey of your
chassis see https://c.eu0.visual.force.com/apex/KB?KBID=13697184
If downloading the version installation files from the Allot FTP site using Internet
Explorer, the browser may change the file name from *.tgz to *.tar. The
installation script will fail for .tar files. Allot recommends not to use Internet
Explorer to download these files. If this is the only method available, you should
rename the file after download from .tar to .tgz
1. Download the software version from the Allot ftp site by completing the following steps:
   - Open Telnet and log in to the In-line platform with User Name: sysadmin Password: sysadmin (default).
   - Type mkdir AOS123.
   - Type cd AOS123.
   - Type ftp ftp.allot.com (the IP address is 209.62.76.11)
   - Log into the ftp site as an anonymous user.
   - Type cd <directory> /*See below FTP location information*/
   - Type hash.
   - Type bin.
   - Type prompt.
   - Type mget *
   - All required files will be downloaded automatically.
   - When the download finishes, type bye. This will close the ftp site but leave Telnet open.
2. Type chmod u+x aos-instl.sh
3. Type ./aos-instl.sh
4. The upgrade procedure could take as long as 10 minutes. You may be prompted to enter a new key.
5. Type ac_reboot when you see a message that states that the upgrade completed successfully.
AC-500:
ftp://ftp.allot.com/DPI_device/AC-500/GA/AOS.AC500.12.3.1_B32