DANOS 2012 Release Notes

Overview

Welcome to the 2012 (December 2020) version of DANOS.

The DANOS 2012 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 1911 version of DPDK, and the 7.4 version of FRR.

show version

user@danos2012:~$ show version Version: 2012 Description: DANOS 2012 (DANOS:Shipping:2012:20210114) Built on: Thu Jan 14 12:43:42 UTC 2021

Important changes

User Isolation

By default from DANOS 2012, users of "operator" and "admin" levels are logged into a restricted, isolated environment. This environment ensures these users may only interact with the underlying system via the DANOS operational and configuration infrastructure, by using separate IPC, network, mount, PID, and UTS namespaces.

For example, the "ip" utility is not installed in the restricted environment. Even if it were, the separate namespaces would prevent access to, or manipulation of, state of the underlying host system.

Users of the "superuser" level are not placed in an isolated environment. These users should observe no behaviour changes compared to earlier DANOS releases.

We strongly recommend keeping user isolation enabled to improve system security. However, it may be disabled via the configuration:

system login user-isolation disable

BGP behaviour changes

RFC 8212

By default, DANOS 2012 will no longer advertise routes to, or import routes from, eBGP peers unless import and export policies are configured. This default behaviour change is inherited from FRR 7.4 and defined by RFC 8212.

The value "(Policy)" in the output of the BGP summary show command(s) indicates that route import and/or export has been blocked due to a missing policy. For example:

$ show protocols bgp all summary IPv4 Unicast Summary: BGP router identifier 192.168.252.179, local AS number 65000 vrf-id 0 BGP table version 3 RIB entries 5, using 960 bytes of memory Peers 1, using 21 KiB of memory Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt 10.10.2.2 4 65001 8 10 0 0 0 00:04:17 (Policy) (Policy) Total number of neighbors 1

Import/export policies can be applied on a neighbor or peer-group basis under the corresponding address-family configuration:

Alternatively, the RFC 8212 behaviour can be reverted (to that of previous DANOS/FRR releases) by setting "ebgp-requires-policy" to "disabled":

Network Advertisement

By default, DANOS 2012 will no longer advertise routes which are not present in the RIB. This default behaviour change is inherited from FRR 7.4.

This behaviour can be reverted by setting "import-check" to "disabled":

Reminder about the default username and password

The default LiveCD and ONIE image username and password change in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to enter a username and password manually. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Enhancements to RSTP and spanning tree

The following configuration options have been added

which do the following:

L3 ingress and egress stateless ACLs

L3 ingress and egress stateless ACLs operate at the start and end of the packet path. They are different from the current stateless firewall rules because:

  1. The firewall is always stateful, even when only stateless rules exist.

    1. The firewall always reassembles fragments, which entails maintaining state.

    2. The firewall always attempts to match a packet against state entries, before it consults the ruleset.

  2. Reassembly can be triggered by the presence of a firewall, NAT, or PBR.

  3. By default, the presence of NAT state impacts firewall behaviour (firewall always attempts state lookup). This behaviour can be modified with the stateful firewall override functionality defined below.

  4. The firewall can never block router originated packets (which is desired for these L3 ACLs).

The filter action is only to affect L3 packets which are L3 processed. i.e. an L3 packet which is L2 forwarded between links in a VLAN will not be affected by this feature.

The L3 ingress/egress counters can be cleared and accessed using the following command hierarchies. See below for the full set of options.

So why use L3 ingress/egress ACLs?

  • Ingress ACLs are processed very early in the packet path, so the performance of drop actions will be superior compared to stateless firewall rules.

  • Egress ACLs can block router originated traffic.

  • Ingress and Egress ACLs can be expressed in named groups, making the construction and documentation of complex rules simpler.

BGP enhancements

Some default BGP behaviours have changed in DANOS 2012 (inherited from FRR 7.4). These changes can be reversed by applying the configuration. Please see the "Important Changes" section at the top of the document for further details.

IS-IS enhancements

Additional IS-IS functionality has been exposed in the DANOS configuration. Thanks to Niral Networks for their contributions here.

IPv6 Support

Topologies

Switch VIF Support

Traffic Engineering

Stateful firewall override

This feature allows SNAT/DNAT rules to be configured to not automatically install a pinhole for return traffic matching the NAT sessions.  This means a user can have a firewall configuration that affects traffic matching a NAT session.

User isolation in a restricted environment

Please see the "Important Changes" section at the top of this document for an overview of the user isolation functionality.

User isolation may be disabled using the below command.

With user-isolation enabled the underlying system's directories aren't accessible to operator and admin-level users. This causes a problem for the admin-level users that may need to retain files across system reboots and upgrades.

The shared-storage configuration can define virtual storage mounted on directories accessible to the isolated operator and admin-level users. At the time of configuration, these directories must be empty. Users should log out from all of their login sessions for these configurations to take effect.

These shared directories are created as a virtual filesystem backed up by a file in the underlying file system. The filename is derived from the shared directory name.

Allow isolated users read-only access to directories via the "copy file" and "show file" operational mode commands.

Storage block device configuration

Scheduler

I/O schedulers attempt to improve throughput by reordering request access into a linear order based on the logical addresses of the data and trying to group these together. While this may increase overall throughput, it may lead to some I/O requests waiting for too long, causing latency issues. I/O schedulers attempt to balance the need for high throughput while sharing I/O requests amongst processes fairly.

Configuration is now provided to allow particular schedulers to be used for the block devices attached to the system.

To view scheduler information for the block devices attached to the system, use the following new operational mode command:

Periodic TRIM

fstrim is used on a mounted filesystem to discard (or "trim") blocks which are not in use by the filesystem. This is useful for solid-state drives (SSDs) and thinly-provisioned storage. By default, fstrim will discard all unused blocks in the filesystem.

The configuration is now provided to enable periodic trimming of the filesystem.

A TRIM operation can also be run on-demand, using the following new operational mode command:

TACACS+

Command Accounting Start Records

When enabled, a TACACS+ command accounting record is issued, with a start_time attribute, before a modelled NOS command being executed.

In addition, command accounting stop records now also include the corresponding start_time attribute. This happens regardless of whether "command-start-records" has been enabled.

Debug Logs

TACACS+ debugging logs are no longer emitted by default in DANOS 2012. Use the below configuration to re-enable the logs.

Offline Timer

Use this command to define the minimum period during which the system will not perform any TACACS+ transactions following failure.

The offline period is triggered following a failure to connect to all TACACS+ servers. This can be due to either failed connection attempts, or because all configured servers have an active hold-down timer while attempting to connect to a server, or a combination.

When the running offline timer expires, the system will once again attempt to perform TACACS+ transactions. In most cases, the TACACS+ login provider will request a connection check immediately after the timer expires. If this succeeds the local fallback user login is once again locked (if TACACS+ login is enforced via the auth-chain configuration). Otherwise, a failure will cause the offline timer to be restarted, and the TACACS+ component will enter offline mode again.

The global offline timer, and all per-server hold down timers, maybe reset with the below operational mode command:

Disable Server

Use this command to prevent the use of a given TACACS+ server for any TACACS+ transaction.

A server which has been disabled will not appear in the output of the "show system tacplus status" operational mode command.

Global Server Parameters

Use this command to define the TCP port used for communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> port <port>" configuration.

Use this command to define the secret key used to obfuscate communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> secret <key>" configuration.

Use this command to define the timeout to be used for communications with all configured TACACS+ servers.

The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> timeout <timeout>" configuration.

Long timeouts should generally not be used, to avoid sluggish system response for users.

If long timeouts are used, it is strongly recommended to use hold-down timers and/or the offline-timer.

Obsolete features

VRRP translation scripts

Support of custom VRRP transition scripts has been removed from this release.  Transition scripts are a security issue and have been replaced with notify and DBus signals. 

Operational command changes

Dataplane sessions

These commands complement the existing show session table commands, and in the future may replace them.

It is now possible to clear sessions based on the source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).

The show commands allow sorting of the output using the "ascending" and "descending" options. Filtering of the output can be done by source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).

Note that CGNAT does not use "dataplane" sessions. The separate clear cgnat session and show cgnat session commands should be used.

L3 ingress and egress stateless ACLs

The following commands allow the viewing and clearing of the L3 ingress/egress stateless ACLs.

VRRP

The "group" keyword has been removed from the "show vrrp sync-group" command.

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • CVE-2020-27670, CVE-2020-27671, CVE-2020-27672, CVE-2020-27674, CVE-2020-28368: Debian DSA 4804-1: xen security update

  • CVE-2020-28196: Debian DSA-4795-1 : krb5 security update

  • CVE-2020-25709, CVE-2020-25710: Debian DSA-4792-1 : openldap security update

  • CVE-2020-25692: Debian DSA-4782-1 : openldap security update

  • CVE-2020-15180: Debian DSA-4776-1: mariadb-10.3 security update

  • CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604: Debian DSA-4769-1: xen security update

  • CVE-2019-3874, CVE-2019-19448, CVE-2019-19813, CVE-2019-19816, CVE-2020-10781, CVE-2020-12888, CVE-2020-14314, CVE-2020-14331, CVE-2020-14356, CVE-2020-14385, CVE-2020-14386, CVE-2020-14390, CVE-2020-16166, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-26088: Debian DLA-2385-1: linux-4.19 LTS security update

  • CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package