DANOS 2105 Release Notes


Overview

Welcome to the 2105 (May 2021) version of DANOS.

The DANOS 2105 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 1911 version of DPDK, and the 7.5.1 version of FRR.

show version

vyatta@vm-d2105-1:~$ show version
Version:      2105
Description:  DANOS (Inverness) 2105 (DANOS:Shipping:2105:20210611)
Built on:     Fri Jun 11 11:58:32 UTC 2021

Configuration and operational mode commands

The full list of configuration commands and operational mode (e.g. “show”) commands is attached to this page.

Important changes

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to enter a username and password manually. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Enhanced Syslog

The Enhanced Syslog feature allows syslog to be configured using a rule-based approach, similar to firewall rules. This provides more flexibility: more complex expressions can be used to select which messages to discard or keep and which files/hosts those messages are forwarded to, and rate-limiting is supported.

system syslog-enhanced
system syslog-enhanced file <entry>
system syslog-enhanced file <entry> archive files <value>
system syslog-enhanced file <entry> archive size <value>
system syslog-enhanced file <entry> filename <value>
system syslog-enhanced host <entry>
system syslog-enhanced host <entry> hostname <value>
system syslog-enhanced host <entry> port <value>
system syslog-enhanced host <entry> protocol tcp
system syslog-enhanced host <entry> protocol udp
system syslog-enhanced host <entry> source-interface <value>
system syslog-enhanced host <entry> tls
system syslog-enhanced host <entry> tls authentication mode x509/fingerprint
system syslog-enhanced host <entry> tls authentication mode x509/name
system syslog-enhanced host <entry> tls authentication peers <peer>
system syslog-enhanced host <entry> tls authentication peers <peer> fingerprint <value>
system syslog-enhanced host <entry> tls cipher-suite <cipher>
system syslog-enhanced input journal rate-limit burst <value>
system syslog-enhanced input journal rate-limit interval <value>
system syslog-enhanced rule <rule-number>
system syslog-enhanced rule <rule-number> description <value>
system syslog-enhanced rule <rule-number> disable
system syslog-enhanced rule <rule-number> match facility all
system syslog-enhanced rule <rule-number> match facility auth
system syslog-enhanced rule <rule-number> match facility authpriv
system syslog-enhanced rule <rule-number> match facility cron
system syslog-enhanced rule <rule-number> match facility daemon
system syslog-enhanced rule <rule-number> match facility dataplane
system syslog-enhanced rule <rule-number> match facility kern
system syslog-enhanced rule <rule-number> match facility local0
system syslog-enhanced rule <rule-number> match facility local1
system syslog-enhanced rule <rule-number> match facility local2
system syslog-enhanced rule <rule-number> match facility local3
system syslog-enhanced rule <rule-number> match facility local4
system syslog-enhanced rule <rule-number> match facility local5
system syslog-enhanced rule <rule-number> match facility local6
system syslog-enhanced rule <rule-number> match facility local7
system syslog-enhanced rule <rule-number> match facility lpr
system syslog-enhanced rule <rule-number> match facility mail
system syslog-enhanced rule <rule-number> match facility mark
system syslog-enhanced rule <rule-number> match facility news
system syslog-enhanced rule <rule-number> match facility protocols
system syslog-enhanced rule <rule-number> match facility security
system syslog-enhanced rule <rule-number> match facility sensors
system syslog-enhanced rule <rule-number> match facility syslog
system syslog-enhanced rule <rule-number> match facility user
system syslog-enhanced rule <rule-number> match facility uucp
system syslog-enhanced rule <rule-number> match msg posix-match <regex>
system syslog-enhanced rule <rule-number> match msg posix-match <regex> unless <value>
system syslog-enhanced rule <rule-number> match severity at-least alert
system syslog-enhanced rule <rule-number> match severity at-least crit
system syslog-enhanced rule <rule-number> match severity at-least debug
system syslog-enhanced rule <rule-number> match severity at-least emerg
system syslog-enhanced rule <rule-number> match severity at-least err
system syslog-enhanced rule <rule-number> match severity at-least info
system syslog-enhanced rule <rule-number> match severity at-least notice
system syslog-enhanced rule <rule-number> match severity at-least warning
system syslog-enhanced rule <rule-number> match severity at-most alert
system syslog-enhanced rule <rule-number> match severity at-most crit
system syslog-enhanced rule <rule-number> match severity at-most debug
system syslog-enhanced rule <rule-number> match severity at-most emerg
system syslog-enhanced rule <rule-number> match severity at-most err
system syslog-enhanced rule <rule-number> match severity at-most info
system syslog-enhanced rule <rule-number> match severity at-most notice
system syslog-enhanced rule <rule-number> match severity at-most warning
system syslog-enhanced rule <rule-number> match severity equals alert
system syslog-enhanced rule <rule-number> match severity equals crit
system syslog-enhanced rule <rule-number> match severity equals debug
system syslog-enhanced rule <rule-number> match severity equals emerg
system syslog-enhanced rule <rule-number> match severity equals err
system syslog-enhanced rule <rule-number> match severity equals info
system syslog-enhanced rule <rule-number> match severity equals notice
system syslog-enhanced rule <rule-number> match severity equals warning
system syslog-enhanced rule <rule-number> match with-flag <value>
system syslog-enhanced rule <rule-number> match without-flag <value>
system syslog-enhanced rule <rule-number> otherwise clear-flag <value>
system syslog-enhanced rule <rule-number> otherwise console
system syslog-enhanced rule <rule-number> otherwise discard
system syslog-enhanced rule <rule-number> otherwise file <value>
system syslog-enhanced rule <rule-number> otherwise host <value>
system syslog-enhanced rule <rule-number> otherwise set-facility all
system syslog-enhanced rule <rule-number> otherwise set-facility auth
system syslog-enhanced rule <rule-number> otherwise set-facility authpriv
system syslog-enhanced rule <rule-number> otherwise set-facility cron
system syslog-enhanced rule <rule-number> otherwise set-facility daemon
system syslog-enhanced rule <rule-number> otherwise set-facility dataplane
system syslog-enhanced rule <rule-number> otherwise set-facility kern
system syslog-enhanced rule <rule-number> otherwise set-facility local0
system syslog-enhanced rule <rule-number> otherwise set-facility local1
system syslog-enhanced rule <rule-number> otherwise set-facility local2
system syslog-enhanced rule <rule-number> otherwise set-facility local3
system syslog-enhanced rule <rule-number> otherwise set-facility local4
system syslog-enhanced rule <rule-number> otherwise set-facility local5
system syslog-enhanced rule <rule-number> otherwise set-facility local6
system syslog-enhanced rule <rule-number> otherwise set-facility local7
system syslog-enhanced rule <rule-number> otherwise set-facility lpr
system syslog-enhanced rule <rule-number> otherwise set-facility mail
system syslog-enhanced rule <rule-number> otherwise set-facility mark
system syslog-enhanced rule <rule-number> otherwise set-facility news
system syslog-enhanced rule <rule-number> otherwise set-facility protocols
system syslog-enhanced rule <rule-number> otherwise set-facility security
system syslog-enhanced rule <rule-number> otherwise set-facility sensors
system syslog-enhanced rule <rule-number> otherwise set-facility syslog
system syslog-enhanced rule <rule-number> otherwise set-facility user
system syslog-enhanced rule <rule-number> otherwise set-facility uucp
system syslog-enhanced rule <rule-number> otherwise set-flag <value>
system syslog-enhanced rule <rule-number> otherwise set-indicator <value>
system syslog-enhanced rule <rule-number> otherwise set-severity alert
system syslog-enhanced rule <rule-number> otherwise set-severity crit
system syslog-enhanced rule <rule-number> otherwise set-severity debug
system syslog-enhanced rule <rule-number> otherwise set-severity emerg
system syslog-enhanced rule <rule-number> otherwise set-severity err
system syslog-enhanced rule <rule-number> otherwise set-severity info
system syslog-enhanced rule <rule-number> otherwise set-severity notice
system syslog-enhanced rule <rule-number> otherwise set-severity warning
system syslog-enhanced rule <rule-number> otherwise user <value>
system syslog-enhanced rule <rule-number> rate-limit <flag>
system syslog-enhanced rule <rule-number> rate-limit <flag> burst <value>
system syslog-enhanced rule <rule-number> rate-limit <flag> interval <value>
system syslog-enhanced rule <rule-number> rate-limit <flag> select-every-nth <value>
system syslog-enhanced rule <rule-number> then clear-flag <value>
system syslog-enhanced rule <rule-number> then console
system syslog-enhanced rule <rule-number> then discard
system syslog-enhanced rule <rule-number> then file <value>
system syslog-enhanced rule <rule-number> then host <value>
system syslog-enhanced rule <rule-number> then set-facility all
system syslog-enhanced rule <rule-number> then set-facility auth
system syslog-enhanced rule <rule-number> then set-facility authpriv
system syslog-enhanced rule <rule-number> then set-facility cron
system syslog-enhanced rule <rule-number> then set-facility daemon
system syslog-enhanced rule <rule-number> then set-facility dataplane
system syslog-enhanced rule <rule-number> then set-facility kern
system syslog-enhanced rule <rule-number> then set-facility local0
system syslog-enhanced rule <rule-number> then set-facility local1
system syslog-enhanced rule <rule-number> then set-facility local2
system syslog-enhanced rule <rule-number> then set-facility local3
system syslog-enhanced rule <rule-number> then set-facility local4
system syslog-enhanced rule <rule-number> then set-facility local5
system syslog-enhanced rule <rule-number> then set-facility local6
system syslog-enhanced rule <rule-number> then set-facility local7
system syslog-enhanced rule <rule-number> then set-facility lpr
system syslog-enhanced rule <rule-number> then set-facility mail
system syslog-enhanced rule <rule-number> then set-facility mark
system syslog-enhanced rule <rule-number> then set-facility news
system syslog-enhanced rule <rule-number> then set-facility protocols
system syslog-enhanced rule <rule-number> then set-facility security
system syslog-enhanced rule <rule-number> then set-facility sensors
system syslog-enhanced rule <rule-number> then set-facility syslog
system syslog-enhanced rule <rule-number> then set-facility user
system syslog-enhanced rule <rule-number> then set-facility uucp
system syslog-enhanced rule <rule-number> then set-flag <value>
system syslog-enhanced rule <rule-number> then set-indicator <value>
system syslog-enhanced rule <rule-number> then set-severity alert
system syslog-enhanced rule <rule-number> then set-severity crit
system syslog-enhanced rule <rule-number> then set-severity debug
system syslog-enhanced rule <rule-number> then set-severity emerg
system syslog-enhanced rule <rule-number> then set-severity err
system syslog-enhanced rule <rule-number> then set-severity info
system syslog-enhanced rule <rule-number> then set-severity notice
system syslog-enhanced rule <rule-number> then set-severity warning
system syslog-enhanced rule <rule-number> then user <value>
system syslog-enhanced tls
system syslog-enhanced tls certificate-authority <CA>
system syslog-enhanced tls certificate-authority <CA> file <value>
system syslog-enhanced tls local-certificate certificate <value>
system syslog-enhanced tls local-certificate key <value>
system syslog-enhanced host <entry> routing-instance <value>
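The following configuration is an added example built only from the command paths listed above; it is not part of the release notes. It forwards privileged-authentication messages to a TLS-protected collector that is verified by certificate name, drops one noisy kernel message locally, and uses a flag so that a later rule does not forward the same message twice. It assumes the commands are entered with "set" in configure mode, and the host, CA, file, flag and regex values are constructed for the example.

```text
# Trust anchor and client certificate for the TLS session to the collector
# (names and paths are constructed for this example)
set system syslog-enhanced tls certificate-authority corp-ca file /config/auth/corp-ca.pem
set system syslog-enhanced tls local-certificate certificate /config/auth/router.crt
set system syslog-enhanced tls local-certificate key /config/auth/router.key

# Remote collector: TCP over TLS, peer identity checked against its certificate name
set system syslog-enhanced host seclog hostname 'logs.example.net'
set system syslog-enhanced host seclog port 6514
set system syslog-enhanced host seclog protocol tcp
set system syslog-enhanced host seclog tls authentication mode x509/name
set system syslog-enhanced host seclog tls authentication peers 'logs.example.net'

# Local copy of authentication messages, rotated with 5 archives
# (the unit of "archive size" is not stated on this page; 10 is illustrative)
set system syslog-enhanced file authlog filename auth.log
set system syslog-enhanced file authlog archive files 5
set system syslog-enhanced file authlog archive size 10

# Rule 10: authpriv at warning or above goes to the collector and the local file,
# and is flagged so later rules can recognise it
set system syslog-enhanced rule 10 description 'privileged auth events'
set system syslog-enhanced rule 10 match facility authpriv
set system syslog-enhanced rule 10 match severity at-least warning
set system syslog-enhanced rule 10 then host seclog
set system syslog-enhanced rule 10 then file authlog
set system syslog-enhanced rule 10 then set-flag auth-event

# Rule 20: drop a known-noisy kernel message before it reaches any destination
set system syslog-enhanced rule 20 match facility kern
set system syslog-enhanced rule 20 match msg posix-match 'martian source'
set system syslog-enhanced rule 20 then discard

# Rule 30: forward remaining errors from any facility, skipping messages
# already sent by rule 10 (flag test), and echo them on the console
set system syslog-enhanced rule 30 match facility all
set system syslog-enhanced rule 30 match severity at-least err
set system syslog-enhanced rule 30 match without-flag auth-event
set system syslog-enhanced rule 30 then host seclog
set system syslog-enhanced rule 30 then console

# Cap how fast journal input is accepted so a log flood cannot starve the collector
# (burst/interval units are not stated on this page; values are illustrative)
set system syslog-enhanced input journal rate-limit burst 1000
set system syslog-enhanced input journal rate-limit interval 30
```

Whether several "match" conditions in one rule are ANDed, and whether a message continues to later rules after a "then" action, is not stated on this page; the rule ordering above only relies on flags set by one rule being visible to a later one.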

ARP Configuration support

This feature adds support to allow the ARP cache timeout (ARP timeout or ARP ageing timeout) and the ARP cache size to be configured.

system ip arp stale-time <value>
system ip arp table-size 1024
system ip arp table-size 2048
system ip arp table-size 4096
system ip arp table-size 8192
system ip arp table-size 16384
system ip arp table-size 32768
system ip arp table-size 65536
system ip arp table-size 131072
system ipv6 neighbor table-size 131072

NETCONF support for adding copy-config to the candidate configuration

This feature adds the ability for a pre-generated configuration to be pushed to the router and applied to the candidate datastore via the NETCONF copy-config RPC.
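The exchange described above, as an added example that is not part of the release notes: a NETCONF copy-config whose target is the candidate datastore, followed by a separate commit. It assumes a NETCONF session is already established and advertised the :candidate capability; the configuration payload is a placeholder because the DANOS YANG namespaces are not shown on this page.

```xml
<!-- Replace the entire candidate datastore with the inline configuration -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <copy-config>
    <target>
      <candidate/>
    </target>
    <source>
      <config>
        <!-- PLACEHOLDER: the complete pre-generated device configuration,
             in the XML form of the device's YANG models -->
      </config>
    </source>
  </copy-config>
</rpc>

<!-- The device answers <ok/> (or <rpc-error>) for message-id 101 before
     the commit is sent; the candidate has no effect until committed -->
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <commit/>
</rpc>
```

Because copy-config replaces the whole target datastore rather than merging into it, validate the generated configuration before committing, and confirm the <ok/> reply for the copy before sending the commit.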

Prohibit password reuse

This feature adds the ability to prohibit the use of old passwords for the same system account. It only affects local system accounts and not those such as GRUB passwords or TACACS+ accounts. It also enforces password expiry based on a configurable time, thereby forcing users to update their passwords after a given time.

Password history and expiration operate at a system-wide level, i.e. this policy cannot be enforced on a per-user basis.

New DPI applications and protocols

Upgraded to nDPI 3.4, which introduces support for: anydesk, blookbert, capwap, discord, doh_dot, iec60870, microsoft365, nats, s7comm, soap, teams, websocket, zabbix.

DHCP enhancements for switch interfaces

ISIS enhancements

IS-IS routing protocol now supports topology and MPLS-TE configuration options, and IS-IS can be applied to a VIF interface.

Support for non-dataplane interfaces

Some interfaces do not (yet) have support in DPDK and will be owned by the kernel. They are likely to be used for the management of the system and not for the main packet forwarding functions. The ‘interfaces system’ configuration model provides a method of configuring such interfaces in a manner consistent with the rest of the system. All packet forwarding on such interfaces will occur in the kernel. The configuration available on these interfaces is a significantly smaller subset of the configuration available on interfaces owned by the dataplane.

Miscellaneous changes

Obsolete features

None

Operational command changes

tech-support archive removed

To prevent DANOS users from accidentally uploading “tech-support” archives that have sensitive information, we have removed this feature.

Query dataplane pipeline to find out which features are enabled

If you are working with different pipeline nodes, it can be useful to check which pipeline nodes are actually enabled.

Query the dataplane’s view of the MPLS routes

Miscellaneous changes

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-10730, CVE-2020-27840, CVE-2021-20277: Debian DSA-4884-1: ldb security update

  • CVE-2020-35523, CVE-2020-35524: Debian DSA-4869-1: tiff security update

  • CVE-2015-9542: Debian DLA-2116-1: libpam-radius-auth security update

Licenses

MSTP/RSA

/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software. */