DANOS 2005 Release Notes
- 1 Overview
- 2 Important changes
- 3 New Features
- 3.1 Zone-based Firewall (ZBF)
- 3.2 VRRP state retrieval via NETCONF
- 3.3 Enhancements to the configuration of QoS Burst Size
- 3.4 Hot Fix Installation
- 3.5 Display uptime/last clear in "show interface dataplane" output
- 3.6 Link Aggregation fast-periodic ("fast rate") support
- 3.7 IPsec Remote Access VPN server: EAP-TLS authentication support
- 3.8 IPsec RA VPN server: DNS configuration attributes
- 3.9 IPsec RA VPN server: Per-profile client ID authentication filtering and matching
- 3.10 Increase TWAMP Server Maximum Control Sessions
- 3.11 Netconf – Confirmed Commit
- 3.12 Yang Identity and Identityref Support
- 3.13 TLS 1.3 Support
- 3.14 Expanded PPPoE features
- 3.15 CGNAT
- 3.15.1 Support for PCP in CG-NAT
- 3.15.2 CGNAT and SNAT, DNAT and/or Stateful Firewall and/or ALGs on same interface
- 3.15.3 CGNAT mechanism to remove selected subscribers from an active system
- 3.15.4 Allow the ability to configure thresholds on resource usages to generate resource constraint alerts on threshold crossings.
- 3.15.5 Log the port block allocation logs, subscriber logs and resource constraint logs to a Kafka cluster
- 3.15.6 Add the NatPolicy name to the port block allocation logs
- 3.15.7 Provide a way to control CGNAT session time out for DNS
- 3.15.8 Full CGNAT configuration
- 3.16 Allow descriptions to be added to static routes and tables
- 3.17 Add CLI feature to enable rsyslog TLS
- 3.18 SNMP config obfuscation to redact community strings
- 3.19 Allow firewall rule logging on packets which have session state by NAT or FW without significantly affecting throughput
- 3.20 Ephemeral component support
- 3.21 Tracking feature support for VRRP/Route
- 3.22 IPsec RA VPN server
- 3.23 Configuration of Neighbor Discovery cache size
- 3.24 minimum-links bonding configuration
- 3.25 Storm control can be applied to bonding interfaces
- 3.26 Miscellaneous QoS configuration changes
- 3.27 Configure system behavior following Non-Maskable Interrupt (NMI) events
- 3.28 Control the configuration of the kernel bootup parameter (requires a reboot to take effect)
- 4 Acknowledgements
- 5 Resolved Security Vulnerabilities
Overview
Welcome to the 2005 (May 2020) version of DANOS.
The DANOS 2005 release is based upon Debian 10, with the 4.19 version of the Linux Kernel, the 18.11 version of DPDK, and the 7.3.1 version of FRR.
Important changes
Default username and password
The default LiveCD and ONIE image username and password have changed from vyatta/vyatta to tmpuser/tmppwd.
As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.
AS5916-54XKS
This release introduces support for Accton/Edgecore Qumran-MX platform AS5916-54XKS 10G/100G Edge Router.
Dataplane Pluggable (vector) architecture
The packet forwarding dataplane now supports a pluggable (vector) architecture to allow the integration of new features dynamically. The following links are a good starting point to learn more.
vyatta-dataplane/include/readme.md at master · danos/vyatta-dataplane
vyatta-dataplane/src/pipeline/nodes/sample/sample.c at master · danos/vyatta-dataplane
Commit archive credentials
To allow commit archive credentials to be kept secret, a new configuration node has been added: "system config-management commit-archive archive <url>". It replaces "system config-management commit-archive location <url>", which is now deprecated. The deprecated form embeds the username and password in the URL itself, so anyone who can list the configuration can read them; the new form holds them in separate leaves that are kept secret from unauthorised users. Users are encouraged to use the new node and to transition existing configurations to it. Example of the deprecated configuration:
system {
    config-management {
        commit-archive {
            location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
        }
    }
}
Example of the new configuration:
system {
    config-management {
        commit-archive {
            archive "scp://192.168.1.1/home/username/archive-location" {
                password freds-password
                username user-fred
            }
        }
    }
}
For users who are not members of the secrets group, the password is masked when the configuration is listed, for example:
system {
    config-management {
        commit-archive {
            archive "scp://192.168.1.1/home/username/archive-location" {
                password "********"
                username user-fred
            }
        }
    }
}
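A practical check for the migration above is to scan a saved configuration for the deprecated "location" form, pull the credentials out of the URL and emit the replacement "archive" node. The script below is an added example, not DANOS project code; the configuration text is constructed, and the node names are the ones shown in the examples above. It also handles the case the simple example does not show: a password containing "@" or ":" must be percent-encoded inside a URL, so the extracted credentials are decoded before being written to their own leaves.

```python
"""Find the deprecated commit-archive form that embeds credentials in the
URL and rewrite it into the new 'archive' node with the credentials split
out, so they can be protected by the secrets group.

Added example, not DANOS project code. The configuration text is
constructed; the 'location'/'archive'/'username'/'password' node names
are the ones shown in the release notes.
"""
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# The deprecated leaf:   location "scp://user:pass@host/path"
LOCATION_RE = re.compile(r'^(\s*)location\s+"([^"]+)"\s*$')


def split_credentials(url):
    """Return (url_without_userinfo, username, password).

    Userinfo may be percent-encoded ('@' or ':' inside a password has to
    be written as %40 / %3A in a URL), so both parts are unquoted.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, unquote(parts.username), unquote(parts.password or "")


def migrate(config_text):
    """Rewrite every 'location' leaf that carries credentials into an
    'archive' node; other lines pass through unchanged.

    Returns (new_text, moved_users): the usernames whose passwords were
    pulled out of a URL. Those are the credentials to rotate if the old
    configuration was ever readable by users outside the secrets group.
    """
    out, moved = [], []
    for line in config_text.splitlines():
        m = LOCATION_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, url = m.groups()
        clean, user, password = split_credentials(url)
        if user is None:                  # no userinfo: nothing to protect
            out.append(line)
            continue
        moved.append(user)
        out.append(f'{indent}archive "{clean}" {{')
        out.append(f'{indent}    password "{password}"')
        out.append(f'{indent}    username "{user}"')
        out.append(f"{indent}}}")
    return "\n".join(out), moved


# Constructed input: the deprecated form quoted in the release notes.
DEPRECATED_CONFIG = """system {
    config-management {
        commit-archive {
            location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
        }
    }
}"""

if __name__ == "__main__":
    text, users = migrate(DEPRECATED_CONFIG)
    print(text)
    print("rotate credentials for:", users)
```

The values are quoted in the emitted block because a password may contain characters the CLI would otherwise interpret; the unquoted form shown in the release notes is equivalent for the simple example.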
New Features
Zone-based Firewall (ZBF)
VRRP state retrieval via NETCONF
This feature allows the state of VRRP to be retrieved via NETCONF, in addition to the existing CLI mechanism (the "show vrrp" commands).
Enhancements to the configuration of QoS Burst Size
This feature allows the burst size of a shaper to be specified in units of milliseconds.
Hot Fix Installation
This feature adds the support for hot-fix Debian package installation.
Display uptime/last clear in "show interface dataplane" output
A small change to add uptime and last-clear output to "show interface dataplane detail foo".
Link Aggregation fast-periodic ("fast rate") support
Link aggregation (IEEE 802.1AX-2014, formerly 802.3ad) supports a shorter timeout for LACPDU packets, and this feature adds support for it. This is often called "fast periodic" or "fast rate".
IPsec Remote Access VPN server: EAP-TLS authentication support
This feature adds support for EAP-TLS (RFC 5216).
IPsec RA VPN server: DNS configuration attributes
This feature introduces support for the configuration payloads INTERNAL_IP4_DNS and INTERNAL_IP6_DNS. These allow the IPsec RA VPN server to communicate to the IPsec RA VPN client which DNS server should be used inside the tunnel, in accordance with RFC 7296.
IPsec RA VPN server: Per-profile client ID authentication filtering and matching
This feature allows per-profile filters to be configured that IKE uses to match and filter remote peers by their client ID.
Increase TWAMP Server Maximum Control Sessions
This feature allows support for up to 4096 concurrent control sessions.
Netconf – Confirmed Commit
Confirmed commit ("commit confirm") is already available on the vRouter CLI. It guards against committing a configuration that cuts off management access to the system being managed, or that causes system instability or crashes: if the commit is not confirmed, the previous configuration is restored automatically. This release makes the same mechanism available over NETCONF.
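The exchange behind this feature, as an added example that is not DANOS code: the two NETCONF RPCs a client sends for a confirmed commit (RFC 6241, section 8.4), plus a small model of the server-side timer that restores the previous running configuration when no confirmation arrives. The configuration strings, timings and the session-loss scenario are constructed; the element names and the 600-second default come from the RFC.

```python
"""Confirmed commit over NETCONF (RFC 6241, section 8.4): the two RPCs a
client sends, and a small model of the server-side timer that restores
the previous running configuration when no confirmation arrives.

Added example, not DANOS code. The configuration strings, timings and
session-loss scenario are constructed; the RPC element names and the
600-second default follow the RFC.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nc", NC)
DEFAULT_TIMEOUT = 600  # seconds; RFC 6241 default for <confirm-timeout>


def _rpc(message_id):
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    return rpc, ET.SubElement(rpc, f"{{{NC}}}commit")


def confirmed_commit_rpc(message_id, timeout=DEFAULT_TIMEOUT, persist=None):
    """<commit> with <confirmed/>; <persist> lets another session confirm it."""
    rpc, commit = _rpc(message_id)
    ET.SubElement(commit, f"{{{NC}}}confirmed")
    ET.SubElement(commit, f"{{{NC}}}confirm-timeout").text = str(timeout)
    if persist is not None:
        ET.SubElement(commit, f"{{{NC}}}persist").text = persist
    return ET.tostring(rpc, encoding="unicode")


def confirming_commit_rpc(message_id, persist_id=None):
    """A plain <commit> (carrying <persist-id> when <persist> was used)
    confirms the pending change and makes it permanent."""
    rpc, commit = _rpc(message_id)
    if persist_id is not None:
        ET.SubElement(commit, f"{{{NC}}}persist-id").text = persist_id
    return ET.tostring(rpc, encoding="unicode")


def commit_params(rpc_xml):
    """Parse an RPC back into {child-name: text}, to check what was sent."""
    commit = ET.fromstring(rpc_xml).find(f"{{{NC}}}commit")
    return {child.tag.split("}")[1]: (child.text or "") for child in commit}


class ConfirmedCommitServer:
    """Running config plus one pending confirmed commit and its deadline."""

    def __init__(self, running):
        self.running = running
        self.pending = None  # (config_to_restore, deadline, persist_token)

    def commit(self, candidate, now, confirmed=False, timeout=DEFAULT_TIMEOUT, persist=None):
        if confirmed:
            # A follow-up confirmed commit only extends the timer; rollback
            # still returns to the config from before the first one.
            restore = self.pending[0] if self.pending else self.running
            self.pending = (restore, now + timeout, persist)
        else:
            # A plain <commit> is a confirming commit (persist-id check
            # omitted on this path; see confirm()).
            self.pending = None
        self.running = candidate
        return self.running

    def confirm(self, now, persist_id=None):
        """Confirming commit. Returns True if the change became permanent."""
        if self.tick(now) or self.pending is None:
            return False
        if self.pending[2] is not None and persist_id != self.pending[2]:
            return False  # wrong or missing persist-id: stays pending
        self.pending = None
        return True

    def tick(self, now):
        """Timer callback: roll back once the deadline has passed."""
        if self.pending and now > self.pending[1]:
            self.running = self.pending[0]
            self.pending = None
            return True
        return False

    def session_closed(self):
        """The committing session dropped (e.g. the change cut it off).
        Without <persist> that is an immediate rollback."""
        if self.pending and self.pending[2] is None:
            self.running = self.pending[0]
            self.pending = None
            return True
        return False


def lost_connection_scenario():
    """An operator commits a rule that drops their own management traffic."""
    srv = ConfirmedCommitServer(running="firewall: allow mgmt")
    srv.commit("firewall: drop all", now=0, confirmed=True, timeout=120)
    srv.tick(now=60)       # within the window: the new config stays active
    srv.tick(now=121)      # nobody confirmed: the old config is restored
    return srv.running
```

The persist token matters for the scenario the text describes: if the change severs the very session that committed it, a confirmed commit without <persist> rolls back as soon as the session is lost, while one with <persist> stays in force until the timeout so that a second session can confirm it.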
Yang Identity and Identityref Support
This feature completes support for identities and identityref types in the YANG compiler, as specified in RFC 6020.
TLS 1.3 Support
TLS 1.3 support has been added for the following features:
vyatta-zerotouch / Phone Home Client
vyatta-restclient-perl
add system image ...
clone image ...
vyatta-openvpn / resource service-users ldap
strongswan / ext-fetcher
Expanded PPPoE features
PPPoE interfaces now support tcp-mss, policy route pbr, firewall in, firewall out and firewall local.
CGNAT
Support for PCP in CG-NAT
Port Control Protocol (PCP) support in a Carrier-Grade NAT system gives individual subscribers a way to open a public port, for example so that inbound connections can be made to them.
CGNAT and SNAT, DNAT and/or Stateful Firewall and/or ALGs on same interface
Support independent SNAT, DNAT and ALG flows alongside CGNAT on the same interface. Packets are translated once.
CGNAT mechanism to remove selected subscribers from an active system
There is a requirement to remove selected subscribers from an active CGNAT policy so that they can be moved to an alternative policy or device.
Allow the ability to configure thresholds on resource usages to generate resource constraint alerts on threshold crossings.
This feature provides the ability to configure thresholds on CGNAT resource usage. Resource constraint alerts are generated when a threshold is crossed.
A threshold can be configured for each of the CGNAT resource constraints listed below. An alert is logged when the resource exceeds its threshold. Each threshold is expressed as a percentage.
Maximum sessions
No available public addresses in a NAT pool
Mapping Table full
Subscriber Table full
For each threshold, it will also be possible to configure an optional rate at which the notification is generated if the resource remains constrained. The warning will not repeat if the rate is omitted; the resource must fall below the threshold before the warning can be logged again.
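The alerting rule described above has two parts a monitoring implementation has to get right: hysteresis (no second alert until the resource has dropped back below the threshold) and the optional repeat interval while it stays constrained. The following is an added example, not DANOS code, that implements exactly those semantics and replays a constructed usage series through them; the resource names and the log line format are assumptions made for the example.

```python
"""Threshold-crossing alerts with the semantics described above: an alert
when a resource's utilisation rises above a configured percentage, an
optional repeat interval while it stays above, and no repeat at all
(until it drops back below) when the interval is omitted.

Added example, not DANOS code. Resource names, the sample usage series
and the log format are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Threshold:
    """One CGNAT resource threshold, expressed as a percentage of capacity."""
    name: str                        # e.g. "sessions", "pool-addresses"
    percent: int                     # alert once usage exceeds this percentage
    interval: Optional[int] = None   # seconds between repeats; None = no repeat
    _above: bool = field(default=False, init=False, repr=False)
    _last_alert: Optional[float] = field(default=None, init=False, repr=False)

    def update(self, used, capacity, now):
        """Feed one usage sample; return an alert line if one is due, else None."""
        pct = 100.0 * used / capacity if capacity else 100.0
        if pct <= self.percent:
            # Back at or below the threshold: re-arm so the next crossing alerts.
            # (Assumption: "exceeds" means strictly greater than the percentage.)
            self._above = False
            self._last_alert = None
            return None
        if not self._above:
            self._above = True
            self._last_alert = now
            return self._line("crossed", pct, now)
        if self.interval is not None and now - self._last_alert >= self.interval:
            self._last_alert = now
            return self._line("still above", pct, now)
        return None

    def _line(self, what, pct, now):
        return (f"t={now} cgnat resource-constraint {self.name}: {what} "
                f"{self.percent}% threshold ({pct:.1f}% in use)")


def replay(threshold, samples):
    """Run (t, used, capacity) samples through a threshold; return the alerts."""
    alerts = []
    for t, used, capacity in samples:
        line = threshold.update(used, capacity, t)
        if line:
            alerts.append(line)
    return alerts


# Constructed usage series for a session table with capacity 1000.
SESSION_SAMPLES = [
    (0, 700, 1000),    # 70%: below an 80% threshold
    (10, 850, 1000),   # 85%: crosses -> alert
    (20, 900, 1000),   # still above; no repeat yet
    (70, 950, 1000),   # 60 s after the alert: repeat only if an interval is set
    (80, 600, 1000),   # fell below: alert re-armed
    (90, 990, 1000),   # crosses again -> alert
]

if __name__ == "__main__":
    for line in replay(Threshold("sessions", 80, interval=60), SESSION_SAMPLES):
        print(line)
```

With no interval the series produces two alerts (t=10 and t=90); with a 60-second interval it produces a third at t=70, and the drop at t=80 is what allows the t=90 crossing to alert again. A pool with zero capacity is treated as fully constrained rather than raising a division error.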
Log the port block allocation logs, subscriber logs and resource constraint logs to a Kafka cluster
CGNAT is enhanced so that the logging infrastructure has the option to send logs off-box to management devices in a Kafka cluster.
There are two categories of logging information. "Persistent" information should not be lost: while it is waiting to be sent off-box it is stored on disk, subject to a maximum size. "Non-persistent" information, such as session logging, is produced in such volume that it is not written to disk; it is buffered in memory with a smaller maximum size. Non-persistent logs will therefore be dropped if they cannot be sent for even a short period, or if the channels to the Kafka cluster are overloaded.
Add the NatPolicy name to the port block allocation logs
Include the NatPolicy name in the port block allocation log entries so that the two can be correlated.
Provide a way to control CGNAT session time out for DNS
This feature allows configuration of session timeout values for individual port numbers. When configured, these take precedence over any other protocol-specific timeout value or the default value.
Full CGNAT configuration
Allow descriptions to be added to static routes and tables
Add CLI feature to enable rsyslog TLS
Syslog TLS config revolves around a "server certificate" and "client certificate" + "client key". These files, plus a remote hostname are the only mandatory requirements needed to configure a Syslog TLS remote logging connection.
SNMP config obfuscation to redact community strings
The vRouter YANG models currently model SNMP community strings as a list key. A community string grants SNMP access to the device, so it is sensitive information that warrants restricted access; this feature redacts it in configuration listings for users who are not entitled to see it.
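Both this feature and the commit-archive password masking in "Important changes" come down to the same operation: redacting secrets from a configuration listing for viewers outside the secrets group. The difference is where the secret sits. A password is a leaf value, so only the value is masked; a community string is the list key, so the node line itself is rewritten and the children stay visible. The script below is an added example, not DANOS code: the "service snmp community <name>" layout, the group name "secrets" and the sample listing are assumptions for the example, while the "********" mask and the "password" leaf follow the release notes.

```python
"""Redacting sensitive values when listing the configuration to a user who
is not in the secrets group. Two cases appear in the release notes: a
leaf whose value is the secret (commit-archive 'password') and a node
whose list key is the secret (an SNMP community string).

Added example, not DANOS code. The 'service snmp community <name>'
layout, the group name 'secrets' and the sample listing are assumptions.
"""
import re

MASK = '"********"'
SECRET_NODES = {"password", "community"}

# Secret as a leaf value ("password freds-password") or as a list key with
# children ("community s3cret-ro {"); the optional trailing brace is what
# distinguishes the two in the listing.
SECRET_RE = re.compile(r'^(\s*)(\S+)\s+("[^"]*"|\S+)(\s*\{)?\s*$')


def redact_config(listing, viewer_groups, secrets_group="secrets"):
    """Return the listing as the viewer should see it."""
    if secrets_group in viewer_groups:
        return listing
    out = []
    for line in listing.splitlines():
        m = SECRET_RE.match(line)
        if m and m.group(2) in SECRET_NODES:
            indent, node, _value, brace = m.groups()
            # For a list key the mask replaces the key itself, so two
            # communities become indistinguishable in the redacted view.
            out.append(f"{indent}{node} {MASK}{brace or ''}")
        else:
            out.append(line)
    return "\n".join(out)


def leaked_secrets(listing, secrets):
    """Check: which known secrets still appear verbatim in a listing."""
    return [s for s in secrets if s in listing]


# Constructed listing: two SNMP communities (list keys) and one
# commit-archive password (leaf value).
SAMPLE_LISTING = """service {
    snmp {
        community s3cret-ro {
            authorization ro
        }
        community s3cret-rw {
            authorization rw
        }
    }
}
system {
    config-management {
        commit-archive {
            archive "scp://192.168.1.1/home/username/archive-location" {
                password freds-password
                username user-fred
            }
        }
    }
}"""

if __name__ == "__main__":
    print(redact_config(SAMPLE_LISTING, ["operators"]))
```

A redacted listing is a view, not a reloadable configuration: with the key masked, the two community nodes could not be loaded back as they are. The leaked_secrets check is the kind of assertion worth running against whatever listing path (CLI, NETCONF, archive) a non-secrets user can reach.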
Allow firewall rule logging on packets which have session state by NAT or FW without significantly affecting throughput
Customers often want connection attempts to or through any interface of the firewall logged, in order to create a record of network activity. Previously the vRouter offered only per-packet logging, which reduced the forwarding performance of the router. This feature implements per-session logging as an alternative: a message is logged per session rather than per packet, which greatly reduces the number of messages logged.
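To make the difference concrete, the added example below (not DANOS code) replays a constructed packet trace through both logging models. The per-session logger keys a flow table on the direction-independent 5-tuple, so reply packets land on the same session as the initiating packet and only the first packet of each flow produces a log line; the trace and log text are constructed for the example.

```python
"""Per-session firewall logging next to per-packet logging, replayed over
a constructed packet trace. The per-packet logger emits one line per
matching packet; the per-session logger keys a flow table on the 5-tuple,
logs once when the session is created and stays silent for the rest.

Added example, not DANOS code. The trace, the log text and the flow-key
normalisation are constructed for the example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport")

# Constructed trace: one TCP session (handshake plus data), a UDP DNS
# query/response, and an unrelated inbound SSH attempt.
TRACE = [
    Packet(1.0, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
    Packet(1.1, "tcp", "203.0.113.10", 443, "10.0.0.5", 40001),
    Packet(1.2, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
    Packet(1.3, "tcp", "10.0.0.5", 40001, "203.0.113.10", 443),
    Packet(2.0, "udp", "10.0.0.5", 53001, "192.0.2.53", 53),
    Packet(2.1, "udp", "192.0.2.53", 53, "10.0.0.5", 53001),
    Packet(3.0, "tcp", "198.51.100.7", 51000, "10.0.0.5", 22),
]


def flow_key(p):
    """Direction-independent key, so replies map onto the same session."""
    forward = (p.proto, p.src, p.sport, p.dst, p.dport)
    reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
    return min(forward, reverse)


def _describe(p):
    return f"{p.ts:.1f} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"


def log_per_packet(trace):
    """One line for every packet the rule matches."""
    return [_describe(p) for p in trace]


def log_per_session(trace):
    """One line per new session. The first packet defines the initiator,
    so the logged direction is always client -> server. Returns the log
    lines and the session table (flow key -> packets seen)."""
    sessions = {}
    lines = []
    for p in trace:
        key = flow_key(p)
        if key in sessions:
            sessions[key] += 1      # existing session: count, do not log
            continue
        sessions[key] = 1
        lines.append(_describe(p) + " new session")
    return lines, sessions


if __name__ == "__main__":
    print("per-packet:", len(log_per_packet(TRACE)), "lines")
    lines, sessions = log_per_session(TRACE)
    print("per-session:", len(lines), "lines")
    for line in lines:
        print(" ", line)
```

Seven packets become three log lines, and the reduction grows with the length of the flows. A real session table also expires entries on a timeout, so a flow that returns after its session has aged out is logged again; the example keeps the table unbounded for clarity.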
Ephemeral component support
The goal of this infrastructure is to make the transition to Vyatta components easier and to allow for some code reuse with the existing implementations. Some features will benefit from this but others are written so far outside of the recommended mechanism that they will still require significant rework to be ported and a fully developed component should be considered in those cases for performance reasons.
Tracking feature support for VRRP/Route
VRRP currently tracks interfaces; the state of a tracked object can reduce a group's priority or take the group down completely. The CG-NAT project needs, in addition to level 1 tracking (interface up) and level 2 (ping the far side of the connection), a level 3 check (has BGP converged). Rather than tracking BGP state explicitly, tracking whether a route exists is a more generic feature and fulfils the requirement.
For the CG-NAT use case, this feature is used to check upstream routers: if BGP peering fails, mastership can move to a router that hopefully has an active and relevant route.
IPsec RA VPN server
Make use of Virtual Feature Point (VFP) interfaces to apply firewall/DNAT/SNAT rules on the IPsec RA VPN server terminated tunnel traffic.
Configuration of Neighbor Discovery cache size
minimum-links bonding configuration
Support configuration for the bonding interface to specify the minimum number of links that need to be up before the bonding interface comes up.
Storm control can be applied to bonding interfaces
Miscellaneous QoS configuration changes
Configure system behavior following Non-Maskable Interrupt (NMI) events
Control the configuration of the kernel bootup parameter (requires a reboot to take effect)
Acknowledgements
Special thanks to Niral Networks (https://niralnetworks.com/) for the upgrade of FRR to version 7.3.1, and thanks to the following people who submitted fixes:
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
[DSA 4667-1] linux security update
[DSA 4665-1] qemu security update
[DSA 4613-1] libidn2 security update
[DSA 4616-1] qemu security update
[DSA 4608-1] tiff security update
[DSA 4579-1] nss security update
[DSA 4566-1] qemu security update
[DSA 4564-1] linux security update
[DSA-4602-1] xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
CVE-2020-1967 [DSA-4661-1] openssl - security update
CVE-2020-11501 [DSA-4652-1] gnutls28 - security update
CVE-2020-10531 [DSA-4646-1] icu - security update
CVE-2020-8597 [DSA-4632-1] ppp - security update
CVE-2020-12243, [DSA-4666-1] openldap - security update
CVE-2019-18634, [DSA-4614-1] sudo - security update
CVE-2018-19052 lighttpd package showing 1.4.45-1 as vulnerable
CVE-2019-15795, CVE-2019-15796, [DSA-4609-1] python-apt - security update
CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-16544 busybox package showing 1:1.22.0-19 vulnerable
CVE-2020-3810, [DSA-4685-1] apt - security update
CVE-2015-8553 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856 CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284: [DSA 4497-1] linux security update (VRVDR-47897)
CVE-2018-20815, CVE-2019-13164, CVE-2019-14378: [DSA-4506-1] : qemu - security update (VRVDR-48074)
CVE-2019-9511 CVE-2019-9513: [DSA 4511-1] nghttp2 security update (VRVDR-48132)
CVE-2019-13164 CVE-2019-14378: [DSA 4512-1] qemu security update (VRVDR-48133)
CVE-2019-15903: [DSA-4530-1] : expat - security update (VRVDR-48389)
CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902: [DSA-4531-1] : linux - security update (VRVDR-48412)
CVE-2019-5094: [DSA-4535-1] : e2fsprogs - security update (VRVDR-48446)
CVE-2019-1547, CVE-2019-1549, CVE-2019-1563: [DSA-4539-1] : openssl - security update (VRVDR-48502)
CVE-2019-14287: [DSA-4543-1] : sudo - security update (VRVDR-48652)
CVE-2019-16866: [DSA 4544-1] unbound security update (VRVDR-48691)
CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166: [DSA-4547-1] : tcpdump - security update (VRVDR-48691)
CVE-2019-18218: [DSA-4550-1] : file - security update (VRVDR-48841)
CVE-2019-14818: DPDK leaking resources (VRVDR-49058)
CVE-2018-5265: Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials (VRVDR-49155)