HP Tru64 UNIX and TruCluster Server Version 5.1.B-4 Patch Summary and Release Notes (13156)

1.14 Command Option Now Provides Additional EMX Driver Information
After installing this kit, issuing the following command for an EMX adapter will return the
hardware revision, firmware revision, SAN address, and full duplex flag attributes:
# hwmgr -get att

1.15 New EMX Subsystem Attribute Turns on LLER for Tape I/O
This release provides a new attribute, erp_ller, to the EMX subsystem that allows you to turn
on Link Level Error Recovery (LLER) for tape I/O. When enabled, the Emulex adapter attempts
to successfully complete I/O that would have otherwise failed due to a link error. If the adapter is
unable to successfully complete the I/O, the I/O will be returned with an appropriate error.
Setting erp_ller to a value of 1 enables this feature. It is turned off by default due to issues
seen with network storage routers and their handling of device resets. Command timeout errors
may be returned if a device reset is issued when Link Level Error Recovery is enabled.
If you are experiencing failed tape I/O due to link issues, you can enable this feature and see if
it helps.
To view the current setting of the attribute, use the following command:
# sysconfig -q emx erp_ller
For more information, see the revised emx(7) reference page delivered in this kit.

1.16 Kernel Attributes Protect Against ICMP Security Vulnerability
A new kernel attribute delivered in this kit, icmp_tcpseqcheck, and an existing attribute,
icmp_rejectcodemask, can protect your system against potential Internet Control Message
Protocol (ICMP) security vulnerabilities. This release note describes these attributes and provides
background information on the security issues. For information about setting these attributes,
see the revised sys_attrs_inet(5) reference page delivered in this kit.
An overview of these attributes follows:
icmp_tcpseqcheck
Mitigates ICMP attacks against the Transmission Control Protocol (TCP) by checking that
the TCP sequence number contained in the payload of the ICMP error message is within
the range of the data already sent but not yet acknowledged. An ICMP error message that
does not pass this check is discarded. This behavior protects TCP against spoofed ICMP
packets.
icmp_rejectcodemask
A bitmask that designates the ICMP codes that the system should reject. The
icmp_rejectcodemask attribute can be used to reject any ICMP packet type, or multiple
masks can be combined to reject more than one type.
In the Requirements for Internet Protocol (IP) Version 4 Routers (RFC 1812), research suggests
that the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for
congestion. HP therefore recommends using the icmp_rejectcodemask attribute to ignore
ICMP Source Quench packets.
The ICMP type codes are in /usr/include/netinet/ip_icmp.h.
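
The sequence-number check described above for icmp_tcpseqcheck can be sketched in C as follows. This is an added example, not HP's kernel code: the function names, the snd_una/snd_nxt parameters, and the reading of "sent but not yet acknowledged" as snd_una <= seq < snd_nxt are assumptions, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wraparound-safe "a < b" in 32-bit TCP sequence space. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/*
 * icmp/len: ICMP error message starting at its 8-byte header, followed by
 * the quoted IPv4 header and at least the first 8 bytes of the TCP header.
 * snd_una/snd_nxt (assumed names): oldest unacknowledged and next-to-send
 * sequence numbers of the connection the quoted segment claims to belong to.
 * Returns 1 to process the error, 0 to discard it.
 */
int icmp_tcp_seq_ok(const uint8_t *icmp, size_t len,
                    uint32_t snd_una, uint32_t snd_nxt)
{
    if (len < 8 + 20)
        return 0;                         /* no room for a quoted IP header */
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return 0;                         /* not IPv4 carrying TCP */
    if (len < 8 + ihl + 8)
        return 0;                         /* quoted TCP header truncated */
    const uint8_t *t = ip + ihl;          /* ports at 0..3, sequence at 4..7 */
    uint32_t seq = ((uint32_t)t[4] << 24) | ((uint32_t)t[5] << 16) |
                   ((uint32_t)t[6] << 8) | t[7];
    /* In flight means snd_una <= seq < snd_nxt, modulo 2^32. */
    return !seq_lt(seq, snd_una) && seq_lt(seq, snd_nxt);
}

/* Constructed sample: ICMP type 3 code 1 quoting a 20-byte IPv4 header
 * and 8 bytes of TCP header with the given sequence number. Returns length. */
size_t build_sample(uint8_t buf[36], uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = 3; buf[1] = 1;               /* destination unreachable, host */
    buf[8] = 0x45;                        /* IPv4, IHL = 5 words */
    buf[8 + 9] = 6;                       /* protocol = TCP */
    buf[32] = (uint8_t)(seq >> 24); buf[33] = (uint8_t)(seq >> 16);
    buf[34] = (uint8_t)(seq >> 8);  buf[35] = (uint8_t)seq;
    return 36;
}
```

A blind sender has to guess a sequence number inside the in-flight window for the error to be accepted; when nothing is in flight (snd_una equals snd_nxt) every ICMP error for the connection is discarded.
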
ICMP (RFC 792) is used in the Internet architecture to perform fault isolation and recovery
(RFC 816), which is the group of actions that hosts and routers take to determine if a network
failure has occurred.
The industry standard TCP specification (RFC 793) has a vulnerability whereby ICMP packets
can be used to perform a variety of attacks such as blind connection reset attacks and blind
throughput-reduction attacks: