DANOS 2005 Release Notes

Overview

Welcome to the 2005 (May 2020) version of DANOS.

The DANOS 2005 release is based upon Debian 10, with the 4.19 version of the Linux Kernel, the 18.11 version of DPDK, and the 7.3.1 version of FRR.

Important changes

Default username and password

The default LiveCD and ONIE image username and password have changed from vyatta/vyatta to tmpuser/tmppwd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

AS5916-54XKS

This release introduces support for Accton/Edgecore Qumran-MX platform AS5916-54XKS 10G/100G Edge Router.

Dataplane Pluggable (vector) architecture

The packet forwarding dataplane now supports a pluggable (vector) architecture to allow the integration of new features dynamically. The following links are a good starting point to learn more.

Commit archive credentials

To allow commit archive credentials to be kept secret, a new configuration, "system config-management commit-archive archive <url>", has been added as an alternative to "system config-management commit-archive location <url>", which is now deprecated. Users are encouraged to use the new configuration and to transition existing configurations to it; the new form keeps the archive password hidden from users who are not authorised to see it, whereas the deprecated form embeds the password in the URL where anyone who can view the configuration can read it. Example of the deprecated configuration:

    system {
        config-management {
            commit-archive {
                location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
            }
        }
    }

Example of the new configuration:

    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password freds-password
                    username user-fred
                }
            }
        }
    }

For users who are not members of the secrets group, the password is obfuscated when the configuration is listed, for example:

    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password "********"
                    username user-fred
                }
            }
        }
    }
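The following is an added illustration, not DANOS code: it renders a commit-archive configuration for display, masking the password for any viewer who is not in the secrets group, and it flags the deprecated "location <url>" form whose URL carries a user:password pair. The group name "secrets", the function names and the sample configurations are assumptions constructed for the example.

```python
"""Added example (not DANOS code): secret masking for configuration listings
and a check for credentials embedded in archive URLs."""
import re
from urllib.parse import urlsplit

# Constructed samples in the curly-brace configuration format shown above.
NEW_STYLE = """system {
    config-management {
        commit-archive {
            archive "scp://192.168.1.1/home/username/archive-location" {
                password freds-password
                username user-fred
            }
        }
    }
}
"""

DEPRECATED_STYLE = """system {
    config-management {
        commit-archive {
            location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
        }
    }
}
"""

MASK = '"********"'
SECRETS_GROUP = "secrets"   # assumed name of the group allowed to see secrets


def render_config(config: str, user_groups) -> str:
    """Return the configuration as it should be shown to a user.

    Lines of the form '<indent>password <value>' are replaced with the mask
    unless the viewer belongs to the secrets group. Only the value is
    touched; indentation and the rest of the listing are unchanged."""
    if SECRETS_GROUP in set(user_groups):
        return config
    return re.sub(r'^([ \t]*password[ \t]+)\S.*$',
                  lambda m: m.group(1) + MASK,
                  config, flags=re.MULTILINE)


def find_url_credentials(config: str):
    """Find 'location <url>' statements whose URL carries a user name or
    password in its authority part.

    A line-oriented masker such as render_config() cannot hide these, which
    is why the deprecated form exposes the password to anyone who can view
    the configuration. Returns a list of (url, username, password)."""
    findings = []
    for m in re.finditer(r'^[ \t]*location[ \t]+"?([^"\s]+)"?',
                         config, flags=re.MULTILINE):
        url = m.group(1)
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append((url, parts.username, parts.password))
    return findings


if __name__ == "__main__":
    print(render_config(NEW_STYLE, ["vyattacfg"]))
    for url, user, pw in find_url_credentials(DEPRECATED_STYLE):
        print(f"credential in URL: user={user!r} password present={pw is not None}")
```

Running the module shows the masked listing for a non-secrets user and reports the credential embedded in the deprecated URL; the check in find_url_credentials() is the kind of audit worth running over a configuration before it is archived or shared.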

New Features

Zone-based Firewall (ZBF)

    security zone-policy zone <alpha-numeric>
    security zone-policy zone <alpha-numeric> default-action (accept|drop)
    security zone-policy zone <alpha-numeric> description <text>
    security zone-policy zone <alpha-numeric> interface <text>
    security zone-policy zone <alpha-numeric> local-zone
    security zone-policy zone <alpha-numeric> to <text>
    security zone-policy zone <alpha-numeric> to <text> firewall <text>

VRRP state retrieval via NETCONF

This feature allows the state of VRRP to be retrieved via NETCONF, in addition to the existing CLI mechanism using the "show vrrp" commands.

Enhancements to the configuration of QoS Burst Size

This feature allows the burst size for a shaper to be specified in units of milliseconds.

    policy qos name <name> shaper burst <(1-100ms[ec])>
    policy qos name <name> shaper profile <name> burst <(1-100ms[ec])>
    policy qos profile <name> burst Time duration <(1-100ms[ec])>

Hot Fix Installation

This feature adds support for hot-fix Debian package installation.

    add system image <image name> packages <list of pkgs>
    show system image <image name> package

Display uptime/last clear in "show interface dataplane" output

A small change to add uptime and last-clear output to "show interface dataplane detail foo".

    show interface dataplane detail
    show interface dataplane <if>

Link aggregation (802.1AX-2014, formerly 802.3ad) supports a shorter timeout for LACPDU packets, often called "fast periodic" or "fast rate"; this feature adds support for it.

    interfaces bonding <if> lacp-options periodic-rate (fast|slow)

IPsec Remote Access VPN server: EAP-TLS authentication support

This feature adds support for EAP-TLS (RFC 5126).

    set security vpn ipsec remote-access-vpn-server profile <profile-name> authentication mode eap-tls

IPsec RA VPN server: DNS configuration attributes

This feature introduces support for the configuration payloads INTERNAL_IP4_DNS and INTERNAL_IP6_DNS. These allow the IPsec RA VPN server to communicate to the IPsec RA VPN client which DNS server should be used inside the tunnel, in accordance with RFC 7296.

    set security vpn ipsec remote-access-server pool <pool-name> attributes dns [ <IPv4/IPv6 inner DNS server addr>, ... ]

IPsec RA VPN server: Per-profile client ID authentication filtering and matching

This feature allows filters to be configured which IKE uses to match and filter remote peers.

    set security vpn ipsec remote-access-server profile <profile-name> authentication remote-id <filter>

Increase TWAMP Server Maximum Control Sessions

This feature allows support for up to 4096 concurrent control sessions.

    routing routing-instance <alpha-numeric> service twamp server maximum-connections <1..4096>
    service twamp server maximum-connections <1..4096>

Netconf - Confirmed Commit

Commit confirm is a feature currently available on the vRouter CLI. It helps guard against committing a configuration that causes loss of connectivity to the system being managed, or that causes system instability or crashes. Such scenarios are automatically recovered from if the configuration is not confirmed.
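As an added illustration of the mechanism described above (example code, not the DANOS or NETCONF implementation), the following models a confirmed commit: the candidate is applied at once, the previous running configuration is retained, and if no confirmation arrives before the timeout the old configuration is restored. The class, method names, the default timeout and the sample configurations are assumptions.

```python
"""Added example (not DANOS code): a confirmed-commit safety net.
The operator applies a change; if they lose connectivity (or the box becomes
unstable) and cannot confirm, the previous configuration comes back."""
from typing import List, Optional, Tuple


class ConfirmedCommitStore:
    def __init__(self, running: dict):
        self.running = dict(running)
        self._rollback: Optional[dict] = None    # config to restore on timeout
        self._deadline: Optional[float] = None   # when the rollback fires
        self.events: List[Tuple[str, float]] = []

    def commit_confirmed(self, candidate: dict, now: float,
                         timeout: int = 600) -> None:
        """Apply the candidate immediately and arm the rollback timer.
        A further confirmed commit before confirmation keeps the original
        rollback point, so one confirm() covers the whole series."""
        if self._rollback is None:
            self._rollback = dict(self.running)
        self.running = dict(candidate)
        self._deadline = now + timeout
        self.events.append(("committed", now))

    def confirm(self, now: float) -> bool:
        """The operator still has access and confirms: the change is kept.
        Returns False if there was nothing to confirm or the timer already
        expired (in which case the rollback is performed first)."""
        if self.tick(now) or self._deadline is None:
            return False
        self._rollback = None
        self._deadline = None
        self.events.append(("confirmed", now))
        return True

    def tick(self, now: float) -> bool:
        """Timer check. Restores the saved configuration once the deadline
        has passed without confirmation; returns True when that happens."""
        if self._deadline is not None and now > self._deadline:
            self.running = self._rollback
            self._rollback = None
            self._deadline = None
            self.events.append(("rolled-back", now))
            return True
        return False


if __name__ == "__main__":
    # Constructed scenario: a firewall change that would lock the operator out.
    store = ConfirmedCommitStore({"firewall": "allow-mgmt"})
    store.commit_confirmed({"firewall": "deny-all"}, now=0, timeout=60)
    store.tick(61)                 # no confirm arrived: automatic recovery
    print(store.running, store.events)
```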

Yang Identity and Identityref Support

This feature completes the support of identities in the Yang compiler, as specified in RFC 6020.

TLS 1.3 Support

TLS 1.3 support has been added for the following features:

  • vyatta-zerotouch / Phone Home Client

  • vyatta-restclient-perl

  • add system image ...

  • clone image ...

  • vyatta-openvpn / resource service-users ldap

  • strongswan / ext-fetcher

Expanded PPPoE features

PPPoE support for tcp-mss, policy route pbr, firewall in, firewall out and firewall local:

    interfaces pppoe <if> firewall in <name>
    interfaces pppoe <if> firewall local <name>
    interfaces pppoe <if> firewall out <name>
    interfaces pppoe <if> ip tcp-mss limit <1..65535>
    interfaces pppoe <if> ip tcp-mss mtu
    interfaces pppoe <if> ip tcp-mss mtu-minus <1..65535>
    interfaces pppoe <if> ipv6 tcp-mss limit <1..65535>
    interfaces pppoe <if> ipv6 tcp-mss mtu
    interfaces pppoe <if> ipv6 tcp-mss mtu-minus <1..65535>
    interfaces pppoe <if> policy route pbr <name>

CGNAT

Support for PCP in CG-NAT

Port Control Protocol (PCP) support in a Carrier-Grade NAT system gives individual subscribers a way to open a public port, for example to allow inbound connections to be made.

    service pcp feature-interface <name>
    service pcp feature-interface <name> template <name>
    service pcp feature-interface <name> template <name> internal-prefix <prefix>
    service pcp server <name>
    service pcp server <name> announce multicast
    service pcp server <name> announce unicast <address>
    service pcp server <name> announce unicast <address> port <value>
    service pcp server <name> listener <address>
    service pcp server <name> listener <address> port <value>
    service pcp server <name> log debug
    service pcp server <name> nonce-check <value>
    service pcp server <name> template <name>
    service pcp server <name> template <name> opcodes announce
    service pcp server <name> template <name> opcodes map
    service pcp server <name> template <name> type cgnat
    service pcp server <name> third-party
    service pcp server <name> third-party interface <name>
    routing routing-instance <instance-name> service pcp feature-interface <name>
    routing routing-instance <instance-name> service pcp feature-interface <name> template <name>
    routing routing-instance <instance-name> service pcp feature-interface <name> template <name> internal-prefix <prefix>
    routing routing-instance <instance-name> service pcp server <name>
    routing routing-instance <instance-name> service pcp server <name> announce multicast
    routing routing-instance <instance-name> service pcp server <name> announce unicast <address>
    routing routing-instance <instance-name> service pcp server <name> announce unicast <address> port <value>
    routing routing-instance <instance-name> service pcp server <name> listener <address>
    routing routing-instance <instance-name> service pcp server <name> listener <address> port <value>
    routing routing-instance <instance-name> service pcp server <name> log debug
    routing routing-instance <instance-name> service pcp server <name> nonce-check <value>
    routing routing-instance <instance-name> service pcp server <name> template <name>
    routing routing-instance <instance-name> service pcp server <name> template <name> opcodes announce
    routing routing-instance <instance-name> service pcp server <name> template <name> opcodes map
    routing routing-instance <instance-name> service pcp server <name> template <name> type cgnat
    routing routing-instance <instance-name> service pcp server <name> third-party
    routing routing-instance <instance-name> service pcp server <name> third-party interface <name>

CGNAT and SNAT, DNAT and/or Stateful Firewall and/or ALGs on same interface

Support independent SNAT, DNAT and ALG flows along with CGNAT on the same interface. Packets will be translated once.

CGNAT mechanism to remove selected subscribers from an active system

There is a requirement to remove selected subscribers from an active CGNAT policy so that they may be moved to an alternative policy or device.

Allow the ability to configure thresholds on resource usages to generate resource constraint alerts on threshold crossings.

This feature provides the ability to configure thresholds on CGNAT resource usages. Resource constraint alerts are generated upon threshold crossing.

For each of the CGNAT resource constraints listed below, it will be possible to configure a threshold. An alert will be logged when the resource exceeds the threshold. Each threshold will be expressed as a percentage.

  • Maximum sessions

  • No available public addresses in a NAT pool

  • Mapping Table full

  • Subscriber Table full

For each threshold, it will also be possible to configure an optional rate (interval) at which the notification is repeated while the resource remains constrained. If the rate is omitted the warning is not repeated; the resource must fall below the threshold before the warning can be logged again.
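The alerting behaviour described above, as an added example (not DANOS code): a per-resource monitor with a percentage threshold, an optional repeat interval, and the re-arm rule that no further warning is logged until usage has fallen back below the threshold. The class and function names, the treatment of a sample exactly at the threshold (no state change), and the sample usage figures are assumptions constructed for the example.

```python
"""Added example (not DANOS code): resource-constraint warnings with a
threshold, an optional repeat interval and hysteresis."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ConstraintMonitor:
    """One CGNAT resource (e.g. "session-table") and its warning settings."""
    name: str
    threshold_pct: int                 # 1..99, as in the CLI
    interval: Optional[int] = None     # repeat period in seconds; None = warn once
    above: bool = False                # currently constrained?
    last_warn: Optional[float] = None  # time of the last warning
    alerts: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, used: int, capacity: int, now: float) -> bool:
        """Feed one usage sample; return True if a warning is logged now."""
        pct = 100 * used // capacity
        if pct < self.threshold_pct:
            # Recovered: re-arm so the next crossing warns again.
            self.above = False
            self.last_warn = None
            return False
        if pct == self.threshold_pct:
            return False               # assumption: at the threshold is neither
        if not self.above:
            self.above = True          # first crossing always warns
            return self._warn(now, pct)
        if self.interval is not None and now - self.last_warn >= self.interval:
            return self._warn(now, pct)   # still constrained: repeat at the rate
        return False

    def _warn(self, now: float, pct: int) -> bool:
        self.last_warn = now
        self.alerts.append((now, f"cgnat resource-constraint {self.name}: "
                                 f"{pct}% used, threshold {self.threshold_pct}%"))
        return True


def simulate(threshold_pct: int, interval: Optional[int],
             samples: List[Tuple[float, int]], capacity: int = 1000,
             name: str = "session-table") -> List[float]:
    """Run (time, used) samples through a monitor; return the warning times."""
    mon = ConstraintMonitor(name, threshold_pct, interval)
    return [t for t, used in samples if mon.observe(used, capacity, t)]


if __name__ == "__main__":
    # Constructed sample: 80% threshold, no repeat interval.
    print(simulate(80, None, [(0, 500), (10, 850), (20, 900), (30, 700), (40, 950)]))
    # Same crossing pattern with a 30 s repeat interval.
    print(simulate(80, 30, [(0, 850), (20, 900), (30, 900), (60, 950), (70, 500), (80, 850)]))
```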

Log the port block allocation logs, subscriber logs and resource constraint logs to a Kafka cluster

CGNAT will be enhanced so that the logging infrastructure has the option to send the logs off-box to management devices in a Kafka cluster.

There are two categories of logging information. "Persistent" information should not be lost, so it is stored on disk (subject to a maximum size) while it waits to be sent off-box. "Non-persistent" information, such as session logging, is produced in such volume that it is not stored on disk; it is buffered in memory with a smaller maximum size. Note that non-persistent logs will likely be dropped if they cannot be sent for even a short period, or if the channels to the Kafka cluster are overloaded.

Add the NatPolicy name to the port block allocation logs

Include NatPolicy Name along with the port block allocation log entries to allow correlation between the two.

Provide a way to control CGNAT session time out for DNS

This feature allows configuration of session timeout values for individual port numbers. When configured, these take precedence over any other protocol-specific timeout value or the default value.

    service nat cgnat session-timeout (tcp|udp) ...

Full CGNAT configuration

    service nat cgnat
    service nat cgnat cpu-affinity event session <0..65535>
    service nat cgnat disable-hairpinning
    service nat cgnat export event port-block-allocation using kafka
    service nat cgnat export event port-block-allocation using kafka cluster <text>
    service nat cgnat export event port-block-allocation using kafka with field-delimiter <pattern>
    service nat cgnat export event port-block-allocation using kafka with key-field (cgn-instance|public-ip-address|subscriber-ip-address)
    service nat cgnat export event port-block-allocation using kafka with priority critical
    service nat cgnat export event port-block-allocation using kafka with storage-limit <1..1048576>
    service nat cgnat export event port-block-allocation using kafka with topic <pattern>
    service nat cgnat export event resource-constraint using kafka
    service nat cgnat export event resource-constraint using kafka cluster <text>
    service nat cgnat export event resource-constraint using kafka with field-delimiter <pattern>
    service nat cgnat export event resource-constraint using kafka with key-field cgn-instance
    service nat cgnat export event resource-constraint using kafka with priority critical
    service nat cgnat export event resource-constraint using kafka with storage-limit <1..1048576>
    service nat cgnat export event resource-constraint using kafka with topic <pattern>
    service nat cgnat export event session using kafka
    service nat cgnat export event session using kafka cluster <text>
    service nat cgnat export event session using kafka with field-delimiter <pattern>
    service nat cgnat export event session using kafka with key-field (cgn-instance|destination-ip-address|destination-port|interface|ip-protocol|public-ip-address|public-port|session-id|sub-session-id|subscriber-ip-address|subscriber-port)
    service nat cgnat export event session using kafka with priority critical
    service nat cgnat export event session using kafka with storage-limit <1..1048576>
    service nat cgnat export event session using kafka with topic <pattern>
    service nat cgnat export event subscriber using kafka
    service nat cgnat export event subscriber using kafka cluster <text>
    service nat cgnat export event subscriber using kafka with field-delimiter <pattern>
    service nat cgnat export event subscriber using kafka with key-field (cgn-instance|subscriber-ip-address)
    service nat cgnat export event subscriber using kafka with priority critical
    service nat cgnat export event subscriber using kafka with storage-limit <1..1048576>
    service nat cgnat export event subscriber using kafka with topic <pattern>
    service nat cgnat interface <text>
    service nat cgnat interface <text> policy <text>
    service nat cgnat log event port-block-allocation
    service nat cgnat log event resource-constraint
    service nat cgnat log event session
    service nat cgnat log event subscriber
    service nat cgnat max-dest-per-session <1..64>
    service nat cgnat max-sessions <1..33554432>
    service nat cgnat policy <alpha-numeric>
    service nat cgnat policy <alpha-numeric> log session address-group <text>
    service nat cgnat policy <alpha-numeric> log session all-subscribers
    service nat cgnat policy <alpha-numeric> log session creation
    service nat cgnat policy <alpha-numeric> log session deletion
    service nat cgnat policy <alpha-numeric> log session periodic <300..86400>
    service nat cgnat policy <alpha-numeric> log subscriber
    service nat cgnat policy <alpha-numeric> match source address-group <text>
    service nat cgnat policy <alpha-numeric> priority <1..9999>
    service nat cgnat policy <alpha-numeric> select event session address-group <text>
    service nat cgnat policy <alpha-numeric> select event session all-subscribers
    service nat cgnat policy <alpha-numeric> select event session creation
    service nat cgnat policy <alpha-numeric> select event session deletion
    service nat cgnat policy <alpha-numeric> select event session periodic <300..86400>
    service nat cgnat policy <alpha-numeric> select event subscriber
    service nat cgnat policy <alpha-numeric> translation pool <text>
    service nat cgnat select warning event resource-constraint mapping-table
    service nat cgnat select warning event resource-constraint mapping-table interval <1..4294967295>
    service nat cgnat select warning event resource-constraint mapping-table threshold <1..99>
    service nat cgnat select warning event resource-constraint public-addresses
    service nat cgnat select warning event resource-constraint public-addresses interval <1..4294967295>
    service nat cgnat select warning event resource-constraint public-addresses threshold <1..99>
    service nat cgnat select warning event resource-constraint session-table
    service nat cgnat select warning event resource-constraint session-table interval <1..4294967295>
    service nat cgnat select warning event resource-constraint session-table threshold <1..99>
    service nat cgnat select warning event resource-constraint subscriber-table
    service nat cgnat select warning event resource-constraint subscriber-table interval <1..4294967295>
    service nat cgnat select warning event resource-constraint subscriber-table threshold <1..99>
    service nat cgnat session-timeout other established <30..1800>
    service nat cgnat session-timeout other partially-open <10..240>
    service nat cgnat session-timeout tcp established <30..14400>
    service nat cgnat session-timeout tcp partially-closed <10..240>
    service nat cgnat session-timeout tcp partially-open <10..240>
    service nat cgnat session-timeout tcp port <1..65535>
    service nat cgnat session-timeout tcp port <1..65535> established <10..14400>
    service nat cgnat session-timeout udp established <30..1800>
    service nat cgnat session-timeout udp partially-open <10..240>
    service nat cgnat session-timeout udp port <1..65535>
    service nat cgnat session-timeout udp port <1..65535> established <10..1800>
    service nat cgnat snat-alg-bypass
    service nat pool <alpha-numeric>
    service nat pool <alpha-numeric> address-allocation round-robin
    service nat pool <alpha-numeric> address-pooling paired
    service nat pool <alpha-numeric> blacklist address-group <text>
    service nat pool <alpha-numeric> entry <alpha-numeric>
    service nat pool <alpha-numeric> entry <alpha-numeric> ip-address prefix <x.x.x.x/x>
    service nat pool <alpha-numeric> entry <alpha-numeric> ip-address range
    service nat pool <alpha-numeric> entry <alpha-numeric> ip-address range end <x.x.x.x>
    service nat pool <alpha-numeric> entry <alpha-numeric> ip-address range start <x.x.x.x>
    service nat pool <alpha-numeric> entry <alpha-numeric> ip-address subnet <x.x.x.x/x>
    service nat pool <alpha-numeric> log block-allocation
    service nat pool <alpha-numeric> port allocation (random|sequential)
    service nat pool <alpha-numeric> port dynamic-block-allocation block-size <64..4096>
    service nat pool <alpha-numeric> port dynamic-block-allocation max-blocks-per-subscriber <1..32>
    service nat pool <alpha-numeric> port range end <0..65535>
    service nat pool <alpha-numeric> port range start <0..65535>
    service nat pool <alpha-numeric> select event port-block-allocation
    service nat pool <alpha-numeric> type CGNAT
    system export kafka cluster <pattern>
    system export kafka cluster <pattern> bootstrap ipv4-address <x.x.x.x>
    system export kafka cluster <pattern> bootstrap ipv6-address <h:h:h:h:h:h:h:h>
    system export kafka cluster <pattern> bootstrap routing-instance (<alpha-numeric>|default)

Allow descriptions to be added to static routes and tables

    protocols static interface-route <tagnode> description <value>
    protocols static interface-route6 <tagnode> description <value>
    protocols static route <tagnode> description <value>
    protocols static route6 <tagnode> description <value>
    protocols static table <tagnode> description <value>
    protocols static table <tagnode> interface-route <tagnode> description <value>
    protocols static table <tagnode> interface-route6 <tagnode> description <value>
    protocols static table <tagnode> route <tagnode> description <value>
    protocols static table <tagnode> route6 <tagnode> description <value>
    routing routing-instance <instance-name> protocols static interface-route <tagnode> description <value>
    routing routing-instance <instance-name> protocols static interface-route6 <tagnode> description <value>
    routing routing-instance <instance-name> protocols static route <tagnode> description <value>
    routing routing-instance <instance-name> protocols static route6 <tagnode> description <value>
    routing routing-instance <instance-name> protocols static table <tagnode> description <value>
    routing routing-instance <instance-name> protocols static table <tagnode> interface-route <tagnode> description <value>
    routing routing-instance <instance-name> protocols static table <tagnode> interface-route6 <tagnode> description <value>
    routing routing-instance <instance-name> protocols static table <tagnode> route <tagnode> description <value>
    routing routing-instance <instance-name> protocols static table <tagnode> route6 <tagnode> description <value>

Add CLI feature to enable rsyslog TLS

Syslog TLS configuration revolves around a "server certificate" and a "client certificate" plus "client key". These files, together with a remote hostname, are the only mandatory items needed to configure a Syslog TLS remote logging connection.

    system syslog host <tagnode> protocol tcp
    system syslog host <tagnode> protocol udp
    system syslog host <tagnode> tls
    system syslog host <tagnode> tls authentication mode x509/fingerprint
    system syslog host <tagnode> tls authentication mode x509/name
    system syslog host <tagnode> tls authentication peers <peer>
    system syslog host <tagnode> tls authentication peers <peer> fingerprint <value>
    system syslog host <tagnode> tls certificate-authority <CA>
    system syslog host <tagnode> tls certificate-authority <CA> file <value>
    system syslog host <tagnode> tls cipher-suite <cipher>
    system syslog host <tagnode> tls local-certificate certificate <value>
    system syslog host <tagnode> tls local-certificate key <value>
    routing routing-instance <instance-name> system syslog host <tagnode> protocol tcp
    routing routing-instance <instance-name> system syslog host <tagnode> protocol udp
    routing routing-instance <instance-name> system syslog host <tagnode> tls
    routing routing-instance <instance-name> system syslog host <tagnode> tls authentication mode x509/fingerprint
    routing routing-instance <instance-name> system syslog host <tagnode> tls authentication mode x509/name
    routing routing-instance <instance-name> system syslog host <tagnode> tls authentication peers <peer>
    routing routing-instance <instance-name> system syslog host <tagnode> tls authentication peers <peer> fingerprint <value>
    routing routing-instance <instance-name> system syslog host <tagnode> tls certificate-authority <CA>
    routing routing-instance <instance-name> system syslog host <tagnode> tls certificate-authority <CA> file <value>
    routing routing-instance <instance-name> system syslog host <tagnode> tls cipher-suite <cipher>
    routing routing-instance <instance-name> system syslog host <tagnode> tls local-certificate certificate <value>
    routing routing-instance <instance-name> system syslog host <tagnode> tls local-certificate key <value>

SNMP config obfuscation to redact community strings

The vRouter Yang models currently model SNMP community strings as a list key. A community string grants SNMP access to the device, so it is considered sensitive information that warrants restricted access.

Allow firewall rule logging on packets which have session state by NAT or FW without significantly affecting throughput

Customers often want connection attempts to or through any interface of the firewall logged, in order to create a record of network activity. Previously Vyatta only offered per-packet logging, which impacted the forwarding performance of the router. This feature implements per-session logging as an alternative to per-packet logging, which greatly reduces the number of messages logged.

    system session log creation
    system session log deletion
    system session log periodic <5..86400>

Ephemeral component support

The goal of this infrastructure is to make the transition to Vyatta components easier and to allow for some code reuse with the existing implementations. Some features will benefit from this but others are written so far outside of the recommended mechanism that they will still require significant rework to be ported and a fully developed component should be considered in those cases for performance reasons.

Tracking feature support for VRRP/Route

VRRP currently tracks interfaces. The state of these tracked objects can modify a group's priority or take it down completely. For the CG-NAT project, in addition to tracking level 1 (interface up) and level 2 (ping the other side of the connection), it would be advantageous to also track level 3 (has BGP converged). Rather than explicitly tracking the state of BGP, tracking whether a route exists provides a more generic feature and fulfils the requirements.

For the CG-NAT use case, this feature will be used to check upstream routers. If BGP peering fails, mastership can change to a router that hopefully has an active and relevant route.

    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route>
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type decrement
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type increment
    interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight value <value>
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> track route-to <route>
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type decrement
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type increment
    interfaces bonding <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight value <value>
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route>
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type decrement
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type increment
    interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight value <value>
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> track route-to <route>
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type decrement
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight type increment
    interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> track route-to <route> weight value <value>
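As an added illustration of route tracking (example code, not the DANOS or keepalived implementation), the following computes a VRRP group's effective priority from its "track route-to" entries and then picks the master among candidate routers. The semantics are assumptions modelled on keepalived-style tracking, since the page does not spell them out: a "decrement" track subtracts its weight while the route is absent, an "increment" track adds its weight while the route is present, a track with no weight takes the group down when its route is missing, and the result is clamped to 1..254. Names, the tie-break rule and the sample routes are constructed for the example.

```python
"""Added example (not DANOS code): effective VRRP priority under
'track route-to' and a simple master election between routers."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class RouteTrack:
    route: str                          # prefix, e.g. "0.0.0.0/0"
    weight_type: Optional[str] = None   # "increment", "decrement" or None (no weight)
    weight_value: int = 0


def route_present(rib: Set[str], route: str) -> bool:
    """True if the exact prefix is installed (prefixes are normalised so
    "10.0.0.0/8" and "10.0.0.0/255.0.0.0" compare equal)."""
    want = ipaddress.ip_network(route)
    return any(ipaddress.ip_network(r) == want for r in rib)


def effective_priority(base: int, tracks: Iterable[RouteTrack],
                       rib: Set[str]) -> Tuple[bool, int]:
    """Return (group_up, priority).

    Assumed semantics: an unweighted track whose route is absent puts the
    group into FAULT (down, priority 0); weighted tracks adjust the priority,
    which is clamped to 1..254 (255 is the address owner, 0 means release)."""
    prio = base
    for t in tracks:
        present = route_present(rib, t.route)
        if t.weight_type is None:
            if not present:
                return False, 0
        elif t.weight_type == "decrement" and not present:
            prio -= t.weight_value
        elif t.weight_type == "increment" and present:
            prio += t.weight_value
    return True, max(1, min(254, prio))


def elect_master(candidates: Dict[str, Tuple[bool, int]]) -> Optional[str]:
    """Highest priority among routers that are up wins. Assumption: ties are
    broken by name here for determinism (real VRRP uses the primary IP)."""
    up = [(prio, name) for name, (is_up, prio) in candidates.items() if is_up]
    return max(up)[1] if up else None


if __name__ == "__main__":
    # Constructed CG-NAT scenario: both routers track the upstream default
    # route learned from BGP; router A has lost its BGP peering.
    tracks = [RouteTrack("0.0.0.0/0", "decrement", 30)]
    a = effective_priority(110, tracks, rib=set())
    b = effective_priority(100, tracks, rib={"0.0.0.0/0"})
    print({"A": a, "B": b}, "master:", elect_master({"A": a, "B": b}))
```

In the scenario in the module body, router A would normally win on base priority (110 vs 100), but losing the default route costs it 30 and mastership moves to router B, which still holds an active upstream route; that is the failover behaviour the section describes.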

IPsec RA VPN server

Make use of Virtual Feature Point (VFP) interfaces to apply firewall/DNAT/SNAT rules on the IPsec RA VPN server terminated tunnel traffic.

    security vpn ipsec remote-access-server
    security vpn ipsec remote-access-server pool <text>
    security vpn ipsec remote-access-server pool <text> attributes dns (<h:h:h:h:h:h:h:h>|<x.x.x.x>)
    security vpn ipsec remote-access-server pool <text> description <text>
    security vpn ipsec remote-access-server pool <text> subnet (<h:h:h:h:h:h:h:h/x>|<x.x.x.x/x>)
    security vpn ipsec remote-access-server profile <text>
    security vpn ipsec remote-access-server profile <text> authentication id type (keyid|rfc822)
    security vpn ipsec remote-access-server profile <text> authentication id value <text>
    security vpn ipsec remote-access-server profile <text> authentication mode (eap-tls|x509)
    security vpn ipsec remote-access-server profile <text> authentication reauth-time <60..86400>
    security vpn ipsec remote-access-server profile <text> authentication remote-id <text>
    security vpn ipsec remote-access-server profile <text> authentication x509
    security vpn ipsec remote-access-server profile <text> authentication x509 cert-file <text>
    security vpn ipsec remote-access-server profile <text> authentication x509 key file <text>
    security vpn ipsec remote-access-server profile <text> authentication x509 key password <text>
    security vpn ipsec remote-access-server profile <text> authentication x509 revocation-policy (relaxed|strict)
    security vpn ipsec remote-access-server profile <text> description <text>
    security vpn ipsec remote-access-server profile <text> esp-group <text>
    security vpn ipsec remote-access-server profile <text> force-udp-encap
    security vpn ipsec remote-access-server profile <text> ike-group <text>
    security vpn ipsec remote-access-server profile <text> local-address (<h:h:h:h:h:h:h:h>|<x.x.x.x>|any)
    security vpn ipsec remote-access-server profile <text> pools <text>
    security vpn ipsec remote-access-server profile <text> tunnel <0..4294967295>
    security vpn ipsec remote-access-server profile <text> tunnel <0..4294967295> local network (<h:h:h:h:h:h:h:h/x>|<x.x.x.x/x>)
    security vpn ipsec remote-access-server profile <text> tunnel <0..4294967295> remote network (<h:h:h:h:h:h:h:h/x>|<x.x.x.x/x>)
    security vpn ipsec remote-access-server profile <text> tunnel <0..4294967295> uses <vfpN>

Configuration of Neighbor Discovery cache size

    system ipv6 neighbor resolution-throttling <value>
    system ipv6 neighbor table-size 65536

Support configuration for the bonding interface to specify the minimum number of links that need to be up before the bonding interface comes up.

    interfaces bonding <if> minimum-links <1..255>

Storm control can be applied to bonding interfaces

    interfaces bonding <if> storm-control profile <text>
    interfaces bonding <if> storm-control vlan <1..4094>

Miscellaneous QoS configuration changes

    policy qos name <name> shaper profile <name> map dscp-group <text> to <0..31>
    policy qos platform buffer-threshold <1..100>
    policy qos profile <name> map dscp-group <text> to <0..31>

Configure system behavior following Non-Maskable Interrupt (NMI) events

    system fault-behavior panic-on-io-nmi (false|true)
    system fault-behavior panic-on-oom (false|true)
    system fault-behavior panic-on-oops (false|true)
    system fault-behavior panic-on-unknown-nmi (false|true)
    system fault-behavior panic-on-unrecovered-nmi (false|true)
    system fault-behavior reboot-on-panic (false|true)
    system fault-behavior reboot-wait-after-panic <1..2147483647>

Control the configuration of the kernel bootup parameter (requires a reboot to take effect)

    system iommu passthrough (false|true)

Acknowledgements

Special thanks to Niral Networks (https://niralnetworks.com/) for the upgrade of FRR to version 7.3.1, and thanks to the following people who submitted fixes:

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • [DSA 4667-1] linux security update

  • [DSA 4665-1] qemu security update

  • [DSA 4613-1] libidn2 security update

  • [DSA 4616-1] qemu security update

  • [DSA 4608-1] tiff security update

  • [DSA 4579-1] nss security update

  • [DSA 4566-1] qemu security update

  • [DSA 4564-1] linux security update

  • [DSA-4602-1] xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

  • CVE-2020-1967 [DSA-4661-1] openssl - security update

  • CVE-2020-11501 [DSA-4652-1] gnutls28 - security update

  • CVE-2020-10531 [DSA-4646-1] icu - security update

  • CVE-2020-8597 [DSA-4632-1] ppp - security update

  • CVE-2020-12243, [DSA-4666-1] openldap - security update

  • CVE-2019-18634, [DSA-4614-1] sudo - security update

  • CVE-2018-19052 lighttpd package showing 1.4.45-1 as vulnerable

  • CVE-2019-15795, CVE-2019-15796, [DSA-4609-1] python-apt - security update

  • CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-16544 busybox package showing 1:1.22.0-19 vulnerable

  • CVE-2020-3810, [DSA-4685-1] apt - security update

  • CVE-2015-8553 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856 CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284: [DSA 4497-1] linux security update (VRVDR-47897)

  • CVE-2018-20815, CVE-2019-13164, CVE-2019-14378: [DSA-4506-1] : qemu - security update (VRVDR-48074)

  • CVE-2019-9511 CVE-2019-9513: [DSA 4511-1] nghttp2 security update (VRVDR-48132)

  • CVE-2019-13164 CVE-2019-14378: [DSA 4512-1] qemu security update (VRVDR-48133)

  • CVE-2019-15903: [DSA-4530-1] : expat - security update (VRVDR-48389)

  • CVE-2019-14821, CVE-2019-14835, CVE-2019-15117, CVE-2019-15118, CVE-2019-15902: [DSA-4531-1] : linux - security update (VRVDR-48412)

  • CVE-2019-5094: [DSA-4535-1] : e2fsprogs - security update (VRVDR-48446)

  • CVE-2019-1547, CVE-2019-1549, CVE-2019-1563: [DSA-4539-1] : openssl - security update (VRVDR-48502)

  • CVE-2019-14287: [DSA-4543-1] : sudo - security update (VRVDR-48652)

  • CVE-2019-16866: [DSA 4544-1] unbound security update (VRVDR-48691)

  • CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166: [DSA-4547-1] : tcpdump - security update (VRVDR-48691)

  • CVE-2019-18218: [DSA-4550-1] : file - security update (VRVDR-48841)

  • CVE-2019-14818: DPDK leaking resources (VRVDR-49058)

  • CVE-2018-5265: Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials (VRVDR-49155)