DANOS 2009 Release Notes

Overview

Welcome to the 2009 (September 2020) version of DANOS.

The DANOS 2009 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 19.11 version of DPDK, and the 7.3.1 version of FRR.

show version

user@danos2009:~$ show version
Version:      2009
Description:  DANOS 2009 (DANOS:Shipping:2009:20200923)
Built on:     Mon Oct 12 10:47:04 UTC 2020
System type:  Intel 64bit
Boot via:     image
Hypervisor:   KVM
HW model:     Bochs
HW S/N:       Not Specified
HW UUID:      dba075fa-259e-499d-99b5-83cf71e8b767
Uptime:       13:39:04 up 2 min,  1 user,  load average: 1.64, 0.47, 0.16

Important changes

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Integration of ntop's nDPI engine into the match criteria for firewall rules

Full details about this feature can be found at Deep Packet Inspection

resources group application-group <group-name> description <value>
resources group application-group <group-name> engine ndpi name <name>
resources group application-group <group-name> engine ndpi protocol <protocol>
resources group application-group <group-name> engine ndpi type <type>
security application firewall name <ruleset-name>
security application firewall name <ruleset-name> description <value>
security application firewall name <ruleset-name> no-match-action accept
security application firewall name <ruleset-name> no-match-action drop
security application firewall name <ruleset-name> rule <rule-number>
security application firewall name <ruleset-name> rule <rule-number> action accept
security application firewall name <ruleset-name> rule <rule-number> action drop
security application firewall name <ruleset-name> rule <rule-number> description <value>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
security firewall name <ruleset-name> rule <tagnode> session application firewall <value>
show application engine ndpi name <value>
show application engine ndpi type <value>

User-defined applications

User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.

service application rule <rule-number>
service application rule <rule-number> description <value>
service application rule <rule-number> destination address <value>
service application rule <rule-number> destination mac-address <value>
service application rule <rule-number> destination port <value>
service application rule <rule-number> disable
service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
service application rule <rule-number> dscp-group <value>
service application rule <rule-number> ethertype <value>
service application rule <rule-number> icmp
service application rule <rule-number> icmp group <value>
service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
service application rule <rule-number> icmp name [ required-option-missing | router-advertisement | router-solicitation | source-quench ]
service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
service application rule <rule-number> icmp name [ ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmp type <type-number>
service application rule <rule-number> icmp type <type-number> code <value>
service application rule <rule-number> icmpv6
service application rule <rule-number> icmpv6 group <value>
service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
service application rule <rule-number> icmpv6 type <type-number>
service application rule <rule-number> icmpv6 type <type-number> code <value>
service application rule <rule-number> ipv6-route
service application rule <rule-number> ipv6-route type <value>
service application rule <rule-number> log
service application rule <rule-number> pcp <value>
service application rule <rule-number> protocol <value>
service application rule <rule-number> protocol-group <value>
service application rule <rule-number> source address <value>
service application rule <rule-number> source mac-address <value>
service application rule <rule-number> source port <value>
service application rule <rule-number> tcp
service application rule <rule-number> tcp flags <value>
service application rule <rule-number> then name <value>
service application rule <rule-number> then protocol <value>
service application rule <rule-number> then type <type-value>
security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
security application firewall name <ruleset-name> rule <rule-number> engine user
security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
security application firewall name <ruleset-name> rule <rule-number> engine user type <value>
resources group application-group <group-name> engine user name <name>
resources group application-group <group-name> engine user protocol <protocol>
resources group application-group <group-name> engine user type <type>

Intermediate System to Intermediate System (IS-IS) routing protocol

Operational commands are in this hierarchy:

Originate firewall

The "originate" firewall allows filtering of all router-originated traffic, i.e. packets generated by the router itself rather than forwarded through it.

Enhanced observability into the behaviour of the stateless/stateful firewall, zone-based firewall, local firewall, NAT and NAT64

Logging Enhancements

This feature provides the ability to filter 'show log' output based on time, clear stored system logs, and to configure the amount of storage used for the system logs.

Protocol Dependent Mappings for SNAT

SNAT maps from an internal source address and ID (where ID can be a port number) to an external address and ID, by allocating these from a given pool. This feature adds support for three separate pools (rather than a single pool shared by all protocols). One pool is used for assigning TCP ports, another for assigning UDP ports, and the third for ICMP and other protocols.
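To show what the split into per-protocol pools changes in practice, here is an added example (not DANOS dataplane code) that models SNAT ID allocation with a deliberately tiny 4-ID range. The pool ranges, addresses and flow IDs are constructed for the example. With a single shared pool, four TCP flows exhaust the range and the next UDP or ICMP flow cannot be translated; with per-protocol pools the same external ID is handed out independently for TCP, UDP and ICMP, because the protocol already disambiguates the mapping.

```python
from collections import deque


class IdPool:
    """Hands out external IDs (ports or ICMP identifiers) from a fixed range
    and remembers the mapping for each internal flow (constructed model)."""

    def __init__(self, lo, hi):
        self.free = deque(range(lo, hi + 1))
        self.mapping = {}  # (protocol, src_ip, src_id) -> external id

    def allocate(self, key):
        if key in self.mapping:          # an existing flow keeps its mapping
            return self.mapping[key]
        if not self.free:                # pool exhausted: translation fails
            return None
        ext = self.free.popleft()
        self.mapping[key] = ext
        return ext

    def release(self, key):
        ext = self.mapping.pop(key, None)
        if ext is not None:
            self.free.append(ext)


def pool_name(protocol):
    """TCP and UDP get their own pools; ICMP and every other protocol share the third."""
    return protocol if protocol in ("tcp", "udp") else "other"


class Snat:
    """SNAT translator using either three per-protocol pools or one shared pool."""

    def __init__(self, lo, hi, per_protocol=True):
        if per_protocol:
            self.pools = {n: IdPool(lo, hi) for n in ("tcp", "udp", "other")}
        else:
            shared = IdPool(lo, hi)
            self.pools = {n: shared for n in ("tcp", "udp", "other")}

    def translate(self, protocol, src_ip, src_id):
        """Return the external ID for the flow, or None if none is available."""
        return self.pools[pool_name(protocol)].allocate((protocol, src_ip, src_id))


def exhaustion_demo(per_protocol):
    """Fill the range with TCP flows, then try one more TCP, one UDP and one ICMP flow."""
    snat = Snat(1024, 1027, per_protocol)            # 4 IDs only (constructed)
    tcp = [snat.translate("tcp", "10.0.0.1", 40000 + i) for i in range(4)]
    extra_tcp = snat.translate("tcp", "10.0.0.1", 40099)
    udp = snat.translate("udp", "10.0.0.2", 5353)
    icmp = snat.translate("icmp", "10.0.0.3", 7)     # ICMP echo identifier
    return tcp, extra_tcp, udp, icmp


if __name__ == "__main__":
    print("per-protocol pools:", exhaustion_demo(True))
    print("shared pool:       ", exhaustion_demo(False))
```

The practical consequence is that exhaustion is now per protocol: a burst of TCP connections no longer starves DNS over UDP or ICMP, and the effective capacity of a given port range triples. The flip side is that an external port number on its own no longer identifies a flow, so any logging or forensic correlation across the NAT must record the protocol together with the external address and port.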

The following commands split out the TCP and UDP ports used.

Address-group detail

The show command displays the contents of dataplane address-group lists.

The "optimal" option allows the user to determine the smallest set of subnets that represents the same addresses as an address-group.
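The computation behind an "optimal" view is prefix aggregation: merge adjacent prefixes into their parent, drop entries already contained in another entry, and never widen the match. The following is an added example (not the DANOS dataplane implementation) that performs this with Python's ipaddress module. The address-group entry formats it accepts (a host address, a prefix, or a "start-end" range) and all sample entries are constructed for the example.

```python
import ipaddress
from itertools import groupby


def parse_entry(entry):
    """Yield one or more ip_network objects for a single address-group entry
    (constructed formats: host address, prefix, or 'start-end' range)."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(s.strip()) for s in entry.split("-", 1))
        yield from ipaddress.summarize_address_range(start, end)
    else:
        # strict=True: a prefix with host bits set (e.g. 10.0.1.1/24) is rejected
        # instead of being silently widened, so a typo cannot enlarge the group.
        yield ipaddress.ip_network(entry, strict=True)


def optimal_subnets(entries):
    """Return the minimal list of prefixes (as strings) covering exactly the same
    addresses as the entries. IPv4 and IPv6 are collapsed separately."""
    nets = [n for e in entries for n in parse_entry(e)]
    result = []
    by_version = sorted(nets, key=lambda n: n.version)
    for _, group in groupby(by_version, key=lambda n: n.version):
        # collapse_addresses merges adjacent prefixes and removes contained ones;
        # it never adds an address that was not in the input.
        result.extend(str(n) for n in ipaddress.collapse_addresses(list(group)))
    return result


def contains(subnets, address):
    """True if the address falls inside any of the given prefixes (strings)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(s) for s in subnets)


if __name__ == "__main__":
    group = [                      # constructed address-group contents
        "10.0.0.0/25", "10.0.0.128/25",   # two halves of a /24
        "10.0.1.0/24",                    # adjacent /24 -> together a /23
        "10.0.0.5",                       # host already covered above
        "192.0.2.0-192.0.2.3",            # range expressible as one /30
        "2001:db8::/33", "2001:db8:8000::/33",
    ]
    optimal = optimal_subnets(group)
    print(optimal)
    for probe in ("10.0.0.5", "10.0.1.200", "10.0.2.1", "192.0.2.4"):
        print(probe, "matches" if contains(optimal, probe) else "does not match")
```

When reviewing a large address-group, compare membership of a few boundary addresses (the first and last address of each original entry, plus the addresses just outside them) against both the original entries and the optimal set; the two must agree for every probe, otherwise the entries were mis-specified.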

NETCONF - Rollback support

Rollback is a feature that is currently available on the configuration CLI. The "rollback" command allows reverting the configuration to a previously committed configuration, perhaps to return to a known good configuration, or undo experimental configuration changes. This feature adds new NETCONF RPCs that make the rollback operation available to NETCONF clients.

Configure tech-support archive to exclude command-line history

There may be cases where the customer does not want to include the shell command history in the tech-support archive, as this might contain sensitive information (for example, credentials typed as command-line arguments).

copy file improvements

Expanded options for file copy.

policy route route-map

Following the issue identified in https://danosproject.atlassian.net/browse/DAN-121 the following changes were made:

Reset vpn commands removed

New show commands for bonding members

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-8619, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624: Debian DSA-4752-1 : bind9 security update

  • CVE-2018-20346, CVE-2018-20506, CVE-2018-8740, CVE-2019-16168, CVE-2019-20218, CVE-2019-5827, CVE-2019-9936, CVE-2019-9937, CVE-2020-11655, CVE-2020-13434, CVE-2020-13630, CVE-2020-13632, CVE-2020-13871: Debian DLA-2340-1 : sqlite3 security update

  • CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package

  • Debian DSA-4746-1 : net-snmp security update

  • CVE-2020-16135: Debian DLA-2303-1 : libssh security update

  • CVE-2020-12762: Debian DLA-2301-1 : json-c security update

  • CVE-2019-5188: Debian DLA-2290-1 : e2fsprogs security update

  • CVE-2020-8177: Debian DLA-2295-1 : curl security update

  • CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707: Debian DSA-4735-1 : grub2 security update

  • Debian DSA-4733-1 : qemu security update

  • CVE-2019-18348, CVE-2020-8492, CVE-2020-14422: Debian DLA-2280-1 : python3.7 security update

  • Debian DSA-4728-1 : qemu security update

  • Debian DSA-4723-1 : xen security update

  • CVE-2018-19044, CVE-2018-19045, CVE-2018-19046: insecure temporary file usage in keepalived

  • CVE-2020-3810: Debian DSA-4685-1 : apt security update