Manual Chapter: New Features in BIG-IP Version 16.1.3
Applies To:
- BIG-IP APM 16.1.3
- BIG-IP Analytics 16.1.3
- BIG-IP Link Controller 16.1.3
- BIG-IP LTM 16.1.3
- BIG-IP PEM 16.1.3
- BIG-IP AFM 16.1.3
- BIG-IP FPS 16.1.3
- BIG-IP DNS 16.1.3
- BIG-IP ASM 16.1.3
General
Support for FIPS 140-3
This release introduces support for and compliance with FIPS 140-3, the successor to FIPS 140-2. FIPS 140-2 was discontinued in September 2021.
New in LTM/TMOS
BIG-IP version 16.1.3 introduces the following new features for LTM/TMOS:
Enhanced SSL C3D capabilities
BIG-IP 16.1.3 introduces several enhancements to the SSL Client Certificate Constrained Delegation (C3D) capabilities using iRules, providing end-to-end encryption during client authentication. These new features give you the ability to:
- Encode and return the commonName (CN) found in the client certificate subject in UTF-8 format using the X509::subject <X509 certificate> commonName iRule command.
- Insert a commonName in a C3D certificate template using the SSL::c3d subject commonName <value> iRule command.
- Insert a Subject Alternative Name (SAN) into the forged client certificate using the SSL::c3d extension SAN <oid value> iRule command.
- Add the Authority Key Identifier (AKI) extension to the client certificate if the CA certificate has a Subject Key Identifier (SKI) extension.
- Add KeyUsage and ExtendedKeyUsage values to the forged client certificate according to the supported RSA certificate type.
Add extensions to forged server certificate for SSL Forward Proxy
Enhancements to the SSL Forward Proxy capabilities allow you to add extensions to the forged server certificate. You can now:
- Add the Authority Key Identifier (AKI) extension to the forged server certificate if the CA certificate has a Subject Key Identifier (SKI) extension.
- Add KeyUsage and ExtendedKeyUsage values to the forged server certificate according to the supported certificate type.
- Add certificatePolicies as an extension to the forged server certificate using the SSL::forward_proxy extension <oid oid-value> iRule command.
New Log Manager role to modify system log configuration settings
A new Log Manager role allows users to view all configuration data on the system, similar to the Auditor role. Users with this role can modify the system log configuration settings, including creating log filters, destinations, and publishers, and have access to all partitions on the system.
Support AES-CCM and AES-CCM8
BIG-IP now supports the (RSA)-AES128-CCM and (RSA)-AES128-CCM8 ciphers.
Support ECDH-RSA for SSLFWD
BIG-IP now supports Elliptic Curve Diffie-Hellman (ECDH) ciphers in SSL Forward Proxy, which includes support in SSL Orchestrator. Note that Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) has been supported in SSL Forward Proxy since version 14.1.
Support FFDHE for SSL Forward Proxy
BIG-IP now supports Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) ciphers.
New in AFM
BIG-IP version 16.1.3 introduces the following new feature for AFM:
Support for IPv6 traffic reputation
BIG-IP Intelligence, which is responsible for the reputation of IP addresses, previously supported only IPv4 traffic. Starting with this release, BIG-IP Intelligence supports reputation for both IPv4 and IPv6 traffic.
New in APM
BIG-IP version 16.1.3 introduces the following new features for APM.
CRLDP Maximum Size Cache Support
For CRLDP cache cleanup, a maximum cache size is configurable through the tmsh sys db variable apm.crldp.maxcacheentries (modify sys db apm.crldp.maxcacheentries), which checks and limits the maximum number of entries in the CRLDP cache. When the number of cache entries reaches the configured limit, the least recently used (LRU) entry is removed and the new entry is populated into the cache. You can set the cache size to any value between 0 and 10,000 entries; the maximum of 10,000 entries is also the default value of the cache size option.
TLS 1.2 AES GCM ciphers support for OAuth Provider Discovery
Starting January 31, 2022, Microsoft has discontinued support for the Transport Layer Security (TLS) 1.0/1.1 and 3DES cipher suites because of potential protocol downgrade attacks and other TLS vulnerabilities. Microsoft Azure AD plans to phase out support for the TLS 1.0/1.1/3DES cipher suites and implement secure TLS 1.2 cipher suites that support the secure transmission of data between clients and servers. Microsoft Azure AD therefore selects the following TLS 1.2 AES GCM cipher suites during the TLS handshake:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
In addition, the latest version of the OpenShift Container Platform recommends the more secure TLS 1.2 AES GCM cipher suites over the previous weak cipher suites. Because of the use of the weak TLS 1.0, 1.1 and 3DES cipher suites, the OAuth provider discovery module option did not function against these providers. Support for the TLS 1.2 AES GCM cipher suites is added to resolve the OAuth provider discovery failures.
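As an added example (not F5's code and not a BIG-IP configuration), the following Python uses the local OpenSSL through the ssl module to audit an OpenSSL-style cipher string, standing in for a client cipher configuration, and reports whether the four Azure AD suites listed above are offered and whether any 3DES suite remains. The cipher strings, the audit function and its return shape are assumptions for illustration; BIG-IP's own cipher-string syntax differs from OpenSSL's.

```python
import ssl

# 16-bit IANA ids of the TLS 1.2 AES GCM suites the release note lists for Azure AD.
REQUIRED_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}


def audit_client_ciphers(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Expand an OpenSSL-style cipher string (hypothetical helper) and report whether
    a client using it can negotiate with a provider that accepts only the AES GCM
    suites above and rejects TLS 1.0/1.1 and 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that matches no enabled cipher at all.
        return {"ok": False, "offered": [], "missing": sorted(REQUIRED_SUITES.values()),
                "weak": [], "error": "cipher string matches no usable cipher"}
    offered, weak = [], []
    for c in ctx.get_ciphers():
        # c["id"] is OpenSSL's 0x0300XXXX form; the low 16 bits are the IANA suite id.
        iana_id = c["id"] & 0xFFFF
        if iana_id in REQUIRED_SUITES:
            offered.append(REQUIRED_SUITES[iana_id])
        # 3DES appears as DES-CBC3 in the OpenSSL name and Enc=3DES in the description.
        if "DES-CBC3" in c["name"] or "3DES" in c["description"]:
            weak.append(c["name"])
    missing = sorted(set(REQUIRED_SUITES.values()) - set(offered))
    # Reachable only if the floor is TLS 1.2, at least one required suite is offered,
    # and no 3DES suite is left in the offer.
    ok = min_version >= ssl.TLSVersion.TLSv1_2 and bool(offered) and not weak
    return {"ok": ok, "offered": offered, "missing": missing, "weak": weak, "error": None}


if __name__ == "__main__":
    # Constructed cipher strings: a compliant one and one with the weak 3DES suite.
    FIXED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
             "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256")
    WEAK = "DES-CBC3-SHA:AES128-SHA"
    for label, cs in (("fixed", FIXED), ("weak", WEAK)):
        print(label, audit_client_ciphers(cs))
```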