DANOS 2005 Release Notes

Overview

Welcome to the 2005 (May 2020) version of DANOS.

The DANOS 2005 release is based on Debian 10, with version 4.19 of the Linux kernel, version 18.11 of DPDK, and version 7.3.1 of FRR.

Important changes

Default username and password

The default LiveCD and ONIE image username and password have changed from vyatta/vyatta to tmpuser/tmppwd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

AS5916-54XKS

This release introduces support for Accton/Edgecore Qumran-MX platform AS5916-54XKS 10G/100G Edge Router.

Dataplane Pluggable (vector) architecture

The packet forwarding dataplane now supports a pluggable (vector) architecture to allow the integration of new features dynamically. The following links are a good starting point to learn more.

Commit archive credentials

To allow commit archive credentials to be kept secret, a new configuration has been added as an alternative to "system config-management commit-archive location <url>", which is now deprecated. Users are encouraged to use the new "system config-management commit-archive archive <url>" configuration and to transition existing configurations to it; the new form keeps the archive password secret from unauthorised users. Example of the deprecated configuration:

    system {
        config-management {
            commit-archive {
                location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
            }
        }
    }

Example of the new configuration:

    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password freds-password
                    username user-fred
                }
            }
        }
    }

For users who are not members of the secrets group, passwords are obfuscated when the configuration is listed, e.g.:

    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password "********"
                    username user-fred
                }
            }
        }
    }
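The following is an added example, not DANOS code: a small audit helper that finds the deprecated "location" form with credentials embedded in the URL, rewrites it into the "archive" block with separate username and password leaves, and masks the password leaf for a viewer who is not in the secrets group. The constructed configuration text, the regular expressions used to parse it and the in_secrets_group flag are all assumptions made for this illustration; IPv6 host literals are not handled.

```python
"""Added example (not DANOS code): audit a commit-archive configuration for
credentials embedded in the deprecated 'location' URL, rewrite it to the
'archive' form, and mask the password for users outside the secrets group."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the deprecated form, password embedded in the URL.
LEGACY_CONFIG = """system {
    config-management {
        commit-archive {
            location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
        }
    }
}
"""

# Assumed line shapes: 'location "<url>"' and 'password <value>'.
LOCATION_RE = re.compile(r'^([ \t]*)location "([^"]+)"[ \t]*$', re.MULTILINE)
PASSWORD_RE = re.compile(r'^([ \t]*password )(\S+)[ \t]*$', re.MULTILINE)


def find_embedded_credentials(config_text):
    """Return [(url, username, password)] for every 'location' URL that
    carries a user:password@ part, i.e. every place the secret is exposed."""
    found = []
    for _indent, url in LOCATION_RE.findall(config_text):
        parts = urlsplit(url)
        if parts.password is not None:
            found.append((url, parts.username, parts.password))
    return found


def split_credentials(url):
    """Strip user:password@ from a URL; return (bare_url, username, password).
    Assumes an IPv4 or DNS host (IPv6 literals would need re-bracketing)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    bare = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return bare, parts.username, parts.password


def convert_to_archive_form(config_text):
    """Rewrite each deprecated 'location' statement into an 'archive' block
    with separate password and username leaves (same order as the notes)."""
    def repl(match):
        indent, url = match.group(1), match.group(2)
        bare, user, pw = split_credentials(url)
        lines = [f'{indent}archive "{bare}" {{']
        if pw is not None:
            lines.append(f"{indent}    password {pw}")
        if user is not None:
            lines.append(f"{indent}    username {user}")
        lines.append(f"{indent}}}")
        return "\n".join(lines)
    return LOCATION_RE.sub(repl, config_text)


def render_for_user(config_text, in_secrets_group):
    """Listing view: password leaves are masked unless the viewer is in the
    secrets group (the rule the release notes describe for the new form)."""
    if in_secrets_group:
        return config_text
    return PASSWORD_RE.sub(lambda m: f'{m.group(1)}"********"', config_text)


if __name__ == "__main__":
    for url, user, _pw in find_embedded_credentials(LEGACY_CONFIG):
        print(f"credentials for {user} embedded in: {url}")
    migrated = convert_to_archive_form(LEGACY_CONFIG)
    print(render_for_user(migrated, in_secrets_group=False))
```

The audit step matters because a URL-embedded password is visible to anyone who can list the configuration, and it travels with the URL wherever that value is logged or copied; separating it into a password leaf is what lets the secrets-group rule apply.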

New Features

Zone-based Firewall (ZBF)

VRRP state retrieval via NETCONF

This feature allows the retrieval of VRRP state via NETCONF, in addition to the existing CLI mechanism using the "show vrrp" commands.

Enhancements to the configuration of QoS Burst Size

This feature allows the burst size for a shaper to be specified in units of milliseconds.

Hot Fix Installation

This feature adds the support for hot-fix Debian package installation.

Display uptime/last clear in "show interface dataplane" output

A small change to add uptime and last-clear output to "show interface dataplane detail foo".

Link aggregation, 802.1AX-2014 (formerly 802.3ad), supports a shorter timeout for LACPDU packets, and this feature adds such support. This is often called "fast periodic" or "fast rate".

IPsec Remote Access VPN server: EAP-TLS authentication support

This feature adds support for EAP-TLS (RFC 5126).

IPsec RA VPN server: DNS configuration attributes 

This feature introduces support for the configuration payloads INTERNAL_IP4_DNS and INTERNAL_IP6_DNS. These allow the IPsec RA VPN server to communicate to the IPsec RA VPN client which DNS server should be used inside the tunnel, in accordance with RFC 7296.

IPsec RA VPN server: Per-profile client ID authentication filtering and matching

This feature allows per-profile filters to be configured which IKE uses to match and filter remote peers by client ID.

Increase TWAMP Server Maximum Control Sessions 

This feature allows support for up to 4096 concurrent control sessions.

Netconf – Confirmed Commit 

Commit confirm is a feature which is currently available on the vRouter CLI. It helps guard against committing configurations which can cause loss of connection to the system being managed, or which cause system instability or crashes. Such scenarios are automatically recovered from if the configuration is not confirmed.

Yang Identity and Identityref Support

This feature completes the support of identities in the Yang compiler, as specified in RFC 6020.

TLS 1.3 Support 

TLS 1.3 support has been added for the following features:

  • vyatta-zerotouch / Phone Home Client

  • vyatta-restclient-perl

  • add system image ...

  • clone image ...

  • vyatta-openvpn / resource service-users ldap

  • strongswan / ext-fetcher

Expanded PPPoE features

PPPoE support for: tcp-mss, policy route pbr, firewall in, firewall out, firewall local, 

CGNAT

Support for PCP in CG-NAT

Port Control Protocol (PCP) support in a Carrier-Grade NAT system gives individual subscribers a way to open a public port, for example to allow inbound connections to be made.

CGNAT and SNAT, DNAT and/or Stateful Firewall and/or ALGs on same interface

Support independent SNAT, DNAT and ALG flows along with CGNAT on the same interface. Packets will be translated once.

CGNAT mechanism to remove selected subscribers from an active system

There is a requirement to remove selected subscribers from an active CGNAT policy so that they may be moved to an alternative policy or device.

Allow the ability to configure thresholds on resource usages to generate resource constraint alerts on threshold crossings.

This feature provides the ability to configure thresholds on CGNAT resource usages. Resource constraint alerts are generated upon threshold crossing.

For each of the CGNAT resource constraints listed below, it will be possible to configure a threshold. An alert will be logged when the resource exceeds the threshold. Each threshold will be expressed as a percentage.

  • Maximum sessions

  • No available public addresses in a NAT pool

  • Mapping Table full

  • Subscriber Table full

For each threshold, it will also be possible to configure an optional rate at which the notification is generated if the resource remains constrained. The warning will not repeat if the rate is omitted; the resource must fall below the threshold before the warning can be logged again.
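The alerting rule described above (log once on crossing, repeat only at an optional configured rate while still constrained, and re-arm only after the resource falls back below the threshold) is shown here as a small state machine. This is an added example, not DANOS code: the resource names, the percentage arithmetic, the reading of "exceeds" as strictly greater than the threshold, and the handling of a zero-capacity pool are assumptions of this illustration.

```python
"""Added example (not DANOS code): CGNAT resource-threshold alerting with
an optional repeat interval and hysteresis on recovery."""


class ThresholdAlert:
    """One resource (e.g. 'sessions', 'mapping-table') with a percentage
    threshold and an optional repeat interval in seconds."""

    def __init__(self, resource, threshold_pct, repeat_interval=None):
        self.resource = resource
        self.threshold_pct = threshold_pct
        self.repeat_interval = repeat_interval
        self.constrained = False      # currently above threshold?
        self.last_alert_at = None     # time of the most recent alert

    @staticmethod
    def usage_pct(used, capacity):
        # Assumption: a resource with zero capacity (e.g. a NAT pool with no
        # public addresses) is treated as fully constrained, not as an error.
        if capacity <= 0:
            return 100.0
        return 100.0 * used / capacity

    def observe(self, used, capacity, now):
        """Feed one sample; return the alert string to log, or None."""
        pct = self.usage_pct(used, capacity)
        if pct <= self.threshold_pct:
            # Fell back below the threshold: re-arm so the next crossing logs.
            self.constrained = False
            return None
        if not self.constrained:
            self.constrained = True
            self.last_alert_at = now
            return self._message(pct, now, first=True)
        # Still constrained: repeat only if a rate was configured and has elapsed.
        if (self.repeat_interval is not None
                and now - self.last_alert_at >= self.repeat_interval):
            self.last_alert_at = now
            return self._message(pct, now, first=False)
        return None

    def _message(self, pct, now, first):
        kind = "threshold crossed" if first else "still constrained"
        return f"t={now} CGNAT {self.resource} {kind}: {pct:.1f}% > {self.threshold_pct}%"


def run_samples(monitor, samples):
    """Apply (now, used, capacity) samples in order; return the alerts logged."""
    alerts = []
    for now, used, capacity in samples:
        msg = monitor.observe(used, capacity, now)
        if msg is not None:
            alerts.append(msg)
    return alerts


# Constructed sample series: a 1000-entry session table watched at 80%.
SESSION_SAMPLES = [
    (0, 700, 1000),   # 70%: below threshold
    (10, 850, 1000),  # 85%: crosses, alert
    (20, 900, 1000),  # 90%: still constrained, 10s after the alert
    (70, 950, 1000),  # 95%: still constrained, 60s after the alert
    (80, 500, 1000),  # 50%: recovers, re-arms
    (90, 990, 1000),  # 99%: crosses again, alert
]

if __name__ == "__main__":
    for line in run_samples(ThresholdAlert("sessions", 80, repeat_interval=60), SESSION_SAMPLES):
        print(line)
```

Without a repeat interval the same series produces two alerts (t=10 and t=90); with a 60-second rate it produces a third at t=70, and the recovery at t=80 is what allows the t=90 crossing to log at all.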

Log the port block allocation logs, subscriber logs and resource constraint logs to a Kafka cluster

CGNAT will be enhanced so that the logging infrastructure has the option to send the logs off-box to management devices in a Kafka cluster.

There are two categories of logging information. "Persistent" information should not be lost: if it is waiting to be sent off-box, it is stored on disk, subject to a maximum size. "Non-persistent" information (such as session logging) is produced in such volume that it is not stored on disk; it is buffered in memory with a smaller maximum size. Note that non-persistent information will likely be dropped if it cannot be sent out for a short period, or if the channels to the Kafka cluster become overloaded.
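To make the two categories concrete, here is an added example (not DANOS code) that models a disk-spooled "persistent" queue with a size cap beside a memory-only "non-persistent" buffer with a smaller cap, and simulates an outage during which nothing can be shipped to Kafka. The record formats, the size caps, the spool file name and the policies on overflow (persistent rejects and signals back-pressure; non-persistent discards the oldest record and counts the drop) are assumptions of this illustration.

```python
"""Added example (not DANOS code): persistent versus non-persistent log
buffering while the off-box (Kafka) sender is stalled."""
import os
import tempfile
from collections import deque


class PersistentSpool:
    """Records are appended to a spool file and never dropped silently.
    When the cap would be exceeded, offer() returns False so the producer
    knows it must apply back-pressure (assumed policy for 'should not be lost')."""

    def __init__(self, directory, max_bytes):
        self.path = os.path.join(directory, "cgnat-persistent.spool")  # assumed name
        self.max_bytes = max_bytes
        self.size = 0
        self.rejected = 0
        open(self.path, "wb").close()

    def offer(self, record):
        line = record + b"\n"
        if self.size + len(line) > self.max_bytes:
            self.rejected += 1
            return False
        with open(self.path, "ab") as fh:
            fh.write(line)
        self.size += len(line)
        return True

    def drain(self):
        """Read back everything queued (what would be shipped once the link returns)."""
        with open(self.path, "rb") as fh:
            return fh.read().splitlines()


class VolatileBuffer:
    """Memory-only buffer for high-volume session logs. On overflow the
    oldest records are discarded and counted, as the release notes warn."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.queue = deque()
        self.size = 0
        self.dropped = 0

    def offer(self, record):
        self.queue.append(record)
        self.size += len(record)
        while self.size > self.max_bytes:
            oldest = self.queue.popleft()
            self.size -= len(oldest)
            self.dropped += 1

    def drain(self):
        return list(self.queue)


def block_allocation_record(i):
    # Constructed port-block allocation log line.
    return f"PBA subscriber=100.64.0.{i % 250} pool=POOL1 ports={1024 + i * 512}-{1535 + i * 512}".encode()


def session_record(i):
    # Constructed per-session log line.
    return f"SESS proto=tcp src=100.64.0.{i % 250}:{10000 + i} dst=203.0.113.{i % 200}:443".encode()


def simulate_outage(n_block_logs, n_session_logs, persistent_cap, volatile_cap):
    """Queue logs of both kinds while nothing can be sent; report what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        persistent = PersistentSpool(tmp, persistent_cap)
        volatile = VolatileBuffer(volatile_cap)
        for i in range(n_block_logs):
            persistent.offer(block_allocation_record(i))
        for i in range(n_session_logs):
            volatile.offer(session_record(i))
        return {
            "persistent_kept": len(persistent.drain()),
            "persistent_rejected": persistent.rejected,
            "session_kept": len(volatile.drain()),
            "session_dropped": volatile.dropped,
        }


if __name__ == "__main__":
    print(simulate_outage(50, 5000, persistent_cap=64_000, volatile_cap=8_000))
```

The operational point is that the two counters tell different stories: a rejected persistent record is a signal that the producer must slow down or the cap must grow, whereas a non-persistent drop is expected under load and should be monitored as a rate rather than treated as a fault.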

Add the NatPolicy name to the port block allocation logs

Include NatPolicy Name along with the port block allocation log entries to allow correlation between the two.

Provide a way to control CGNAT session time out for DNS

This feature allows configuration of session timeout values for individual port numbers. When configured, these take precedence over any other protocol-specific timeout value and over the default value.

Full CGNAT configuration

Allow descriptions to be added to static routes and tables

Add CLI feature to enable rsyslog TLS

Syslog TLS configuration revolves around a server certificate and a client certificate plus client key. These files, together with a remote hostname, are the only mandatory items needed to configure a syslog TLS remote logging connection.

SNMP config obfuscation to redact community strings

The vRouter Yang models currently model the SNMP community strings as a list key. The community string permits SNMP access to a device, so it is considered sensitive information that warrants restricted access.

Allow firewall rule logging on packets which have session state by NAT or FW without significantly affecting throughput

Customers often want connection attempts to or through any interface of the firewall logged in order to create a record of network activity. Vyatta previously offered only per-packet logging, which impacted the forwarding performance of the router. This feature implements per-session logging as an alternative to per-packet logging, greatly reducing the number of messages logged.
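The difference between the two logging modes is easiest to see on a packet trace. This is an added example, not DANOS code: it keys sessions on a direction-independent 5-tuple so that reply packets join the session that created them, logs once per new session, and counts the rest. The constructed trace, the rule name and the log line format are assumptions of this illustration.

```python
"""Added example (not DANOS code): per-packet versus per-session firewall
logging over a constructed packet trace."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport")


def session_key(pkt):
    """Direction-independent key: the forward packet and its reply map to
    the same session. Endpoints are ordered so either direction sorts alike."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def log_per_packet(packets, rule_name="ALLOW-WEB"):
    """Legacy behaviour: one log line for every packet the rule matches."""
    return [f"{p.ts} {rule_name} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets]


def log_per_session(packets, rule_name="ALLOW-WEB"):
    """One log line when a session is first seen; later packets in either
    direction only update the session's counters. Returns (lines, table)."""
    sessions = {}
    lines = []
    for p in packets:
        key = session_key(p)
        entry = sessions.get(key)
        if entry is None:
            sessions[key] = {"first_seen": p.ts, "packets": 1}
            lines.append(f"{p.ts} {rule_name} session-new {p.proto} "
                         f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        else:
            entry["packets"] += 1
    return lines, sessions


# Constructed trace: two HTTPS sessions and one DNS exchange, with replies.
TRACE = [
    Packet(1, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
    Packet(2, "tcp", "203.0.113.10", 443, "10.0.0.5", 40001),   # reply
    Packet(3, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
    Packet(4, "tcp", "10.0.0.6", 40002, "203.0.113.10", 443),
    Packet(5, "tcp", "203.0.113.10", 443, "10.0.0.6", 40002),   # reply
    Packet(6, "udp", "10.0.0.5", 5353, "192.0.2.53", 53),
    Packet(7, "udp", "192.0.2.53", 53, "10.0.0.5", 5353),       # reply
    Packet(8, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
]

if __name__ == "__main__":
    print(len(log_per_packet(TRACE)), "per-packet lines")
    lines, table = log_per_session(TRACE)
    print(len(lines), "per-session lines")
    for line in lines:
        print(line)
```

On this eight-packet trace per-packet logging emits eight lines while per-session logging emits three, and the session table still records that the first HTTPS session carried four packets, so no connection goes unrecorded.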

Ephemeral component support

The goal of this infrastructure is to make the transition to Vyatta components easier and to allow some code reuse with the existing implementations. Some features will benefit from this, but others are written so far outside the recommended mechanism that they will still require significant rework to be ported; in those cases a fully developed component should be considered for performance reasons.

Tracking feature support for VRRP/Route

VRRP currently tracks interfaces. The state of these tracked objects can modify a group's priority or take the group down completely. As part of the CG-NAT project, in addition to tracking level 1 (interface up) and level 2 (ping the other side of the connection), it would be advantageous to also track level 3 (has BGP converged). Rather than explicitly tracking the state of BGP, tracking whether a route exists provides a more generic feature and fulfils the requirements.

For the CG-NAT use case, this feature will be used to check upstream routers. If BGP peering fails, mastership can change to a router that hopefully has an active and relevant route.

IPsec RA VPN server

Make use of Virtual Feature Point (VFP) interfaces to apply firewall/DNAT/SNAT rules on the IPsec RA VPN server terminated tunnel traffic.

Configuration of Neighbor Discovery cache size

Support configuration for the bonding interface to specify the minimum number of links that need to be up before the bonding interface comes up.

Storm control can be applied to bonding interfaces

Miscellaneous QoS configuration changes

Configure system behavior following Non-Maskable Interrupt (NMI) events

Control the configuration of the kernel bootup parameter (requires a reboot to take effect)

Acknowledgements

Special thanks to Niral Networks (https://niralnetworks.com/) for the upgrade of FRR to version 7.3.1, and thanks to the following people who submitted fixes:

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • [DSA-4667-1] linux - security update

  • [DSA-4665-1] qemu - security update

  • [DSA-4613-1] libidn2 - security update

  • [DSA-4616-1] qemu - security update

  • [DSA-4608-1] tiff - security update

  • [DSA-4579-1] nss - security update

  • [DSA-4566-1] qemu - security update

  • [DSA-4564-1] linux - security update

  • [DSA-4602-1] xen - security update (MDSUM/RIDL, MFBDS/RIDL/ZombieLoad, MLPDS/RIDL, MSBDS/Fallout)

  • CVE-2020-1967: [DSA-4661-1] openssl - security update

  • CVE-2020-11501: [DSA-4652-1] gnutls28 - security update

  • CVE-2020-10531: [DSA-4646-1] icu - security update

  • CVE-2020-8597: [DSA-4632-1] ppp - security update

  • CVE-2020-12243: [DSA-4666-1] openldap - security update

  • CVE-2019-18634: [DSA-4614-1] sudo - security update

  • CVE-2018-19052: lighttpd package showing 1.4.45-1 as vulnerable

  • CVE-2019-15795, CVE-2019-15796: [DSA-4609-1] python-apt - security update

  • CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-16544: busybox package showing 1:1.22.0-19 as vulnerable

  • CVE-2020-3810: [DSA-4685-1] apt - security update

  • CVE-2015-8553, CVE-2018-5995, CVE-2018-20836, CVE-2018-20856, CVE-2019-1125, CVE-2019-3882, CVE-2019-3900, CVE-2019-10207, CVE-2019-10638, CVE-2019-10639, CVE-2019-13631, CVE-2019-13648, CVE-2019-14283, CVE-2019-14284: [DSA-4497-1] linux - security update (VRVDR-47897)

  • CVE-2018-20815, CVE-2019-13164, CVE-2019-14378: [DSA-4506-1] qemu - security update (VRVDR-48074)

  • CVE-2019-9511, CVE-2019-9513: [DSA-4511-1] nghttp2 - security update (VRVDR-48132)

  • CVE-2019-13164, CVE-2019-14378: [DSA-4512-1] qemu - security update (VRVDR-48133)

  • CVE-2019-15903: [DSA-4530-1] expat - security update (VRVDR-48389)

  • CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902: [DSA-4531-1] linux - security update (VRVDR-48412)

  • CVE-2019-5094: [DSA-4535-1] e2fsprogs - security update (VRVDR-48446)

  • CVE-2019-1547, CVE-2019-1549, CVE-2019-1563: [DSA-4539-1] openssl - security update (VRVDR-48502)

  • CVE-2019-14287: [DSA-4543-1] sudo - security update (VRVDR-48652)

  • CVE-2019-16866: [DSA-4544-1] unbound - security update (VRVDR-48691)

  • CVE-2018-10103, CVE-2018-10105, CVE-2018-14461, CVE-2018-14462, CVE-2018-14463, CVE-2018-14464, CVE-2018-14465, CVE-2018-14466, CVE-2018-14467, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14879, CVE-2018-14880, CVE-2018-14881, CVE-2018-14882, CVE-2018-16227, CVE-2018-16228, CVE-2018-16229, CVE-2018-16230, CVE-2018-16300, CVE-2018-16451, CVE-2018-16452, CVE-2019-15166: [DSA-4547-1] tcpdump - security update (VRVDR-48691)

  • CVE-2019-18218: [DSA-4550-1] file - security update (VRVDR-48841)

  • CVE-2019-14818: DPDK leaking resources (VRVDR-49058)

  • CVE-2018-5265: Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials (VRVDR-49155)