Virtual SD Edge 2005
Release Notes
August 14, 2020
© 2020 IP Infusion Inc. All Rights Reserved.
This documentation is subject to change without notice. The software described in this document and this documentation are furnished under a license agreement or nondisclosure agreement. The software and documentation may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of IP Infusion Inc.
IP Infusion Inc.
3965 Freedom Circle, Suite 200
Santa Clara, CA 95054
+1 408-400-1900
http://www.ipinfusion.com/
For support, questions, or comments via E-mail, contact:
support@ipinfusion.com
Trademarks:
IP Infusion, OcNOS, VirNOS, ZebM, and ZebOS-XP are trademarks or registered trademarks of IP Infusion. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Use of certain software included in this equipment is subject to the IP Infusion, Inc. End User License Agreement at http://www.ipinfusion.com/license. By using the equipment, you accept the terms of the End User License Agreement.
- 1 Release Notes
- 2 About this Release
- 2.1 Supported Solutions
- 2.2 Hardware/Platform Compatibility List
- 2.2.1 UFI Space
- 2.2.2 Virtual Machine
- 2.2.3 Azure Market Place
- 2.3 Optics and Accessories
- 3 New Features
- 3.1 Hardware BFD Support
- 3.2 Link Aggregation (LAG) Support
- 3.3 PM25 interface speed configuring auditing
- 3.4 Packet Snooping in Hardware
- 3.5 Route Variance Tracking
- 3.6 Q-AX DRAM Reclamation
- 3.7 IEEE-1588 (PTP) support for the G.8275.2 telecom profiles
- 3.8 Monitoring "No-buffer" (memory exhaustion) drops
- 3.9 Per-vlan support for L2 PCP and L3 DSCP
- 3.10 QoS queue map based on ingress port
- 3.11 VRRP configuration on switch virtual interfaces
- 3.12 Provide a way to control cgnat session time out for DNS
- 3.13 Linux Update
- 3.14 Path Monitor Enhancements
- 3.15 OSPF Stub Router Advertisement
- 3.16 VRRP state retrieval via netconf
- 3.17 Enhancements to configuration of QoS Burst Size
- 3.18 BGP Graceful Restart
- 3.19 Hot Fix Installation
- 3.20 Display uptime/last clear in "show interface dataplane" output
- 3.21 Link Aggregation fast-periodic ("fast rate") support
- 3.22 IPsec Remote Access VPN server: EAP-TLS authentication support
- 3.23 IPsec RA VPN server: DNS configuration attributes
- 3.24 IPsec RA VPN server: Per-profile client ID authentication filtering and matching
- 3.25 Increase TWAMP Server Maximum Control Sessions
- 3.26 eiBGP Multipath
- 3.27 Netconf – Confirmed Commit
- 3.28 Yang Identity and Identityref Support
- 3.29 TLS 1.3 Support
- 4 Defects
- 5 Known issues
- 6 Limitations, Restrictions or Behavior Changes
- 7 MIBs
- 8 RFCs and Standards
- 9 Licenses
- 9.1 MSTP/RSA
About this Release
These release notes document changes made for DANOS-Vyatta edition (DVE) 2005a.
Supported Solutions
DANOS-Vyatta edition supports the following two solutions with the 2005a release.
Cell-Site Router: Current and future mobile backhaul services, including 5G with high bandwidth and low latency. The cell site router solution can be deployed on the qualified hardware platforms shown in the table below.
Virtual SD Edge: Virtual Router to build and manage enterprise-class networking services and VPN technologies for the public and private cloud or data center. The supported hypervisors and cloud platforms are listed below.
Hardware/Platform Compatibility List
DANOS-Vyatta edition 2005a supports the platforms as shown in the following table.
Note: See the feature matrix for a complete list of features supported on each platform.
UFI Space
Model | Switching ASIC | Port configuration | Hardware Revision | DVE Solution |
---|---|---|---|---|
9500-30XS | Broadcom BCM88470_B0 | 20 port 10G, 8 port 25G and 2 ports 100G | Label Revision: 2 | Layer-3 |
Virtual Machine
Vendor | Platform | Version | DVE Solution |
---|---|---|---|
LINUX | KVM | 1.5.3 | Virtual SD Edge |
VMWare | ESXI | 6.7 | Virtual SD Edge |
Azure | VHD | Cloud Marketplace | Virtual SD Edge |
Azure Market Place
Optics and Accessories
The DANOS-Vyatta edition NOS supports the following SFP and SFP+ transceivers:
Brocade/E1MG-SX-OM-1000BASE-SX
Brocade/E1MG-LX-OM-1000BASE-LX
Brocade/E1MG-LHA-OM-1000BASE-EX
Brocade/10G-SFPP-SR-10GBASE-SR
Brocade/10G-SFPP-LR-10GBASE-LR
Brocade/10G-SFPP-ER-10GBASE-ER
1GE-Copper: FCLF8522P2BTL
1GE (SFP): FTLF8519P3BNL
1GE LX (SFP): FTLF1318P3BTL
1GE (SFP): FTLF1518P1BTL
10GE SR (SFP+): FTLX8574D3BCL
10GE LR (SFP+): FTLX1475D3BCL
10GE ER (SFP+): FTLX1672D3BCL
1GE-Copper: FCLF8522P2BTL
1GE LX (SFP): FTLF1318P3BTL
1GE EX (SFP): FTLF1421P1BTL-RN
1GE ZX (SFP): FTLF1518P1BTL
10GE LR (SFP+): FTLX1475D3BTL
10GE ER (SFP+): FTLX1672D3BTL
25GE LR (SFP28): FTLF8536W4BTL
100GE LR4 (QSFP28): FTLC1154RDPL4
New Features
For a complete feature list, please refer to the Feature Matrix.
Hardware BFD Support
This feature will program BFD sessions into hardware on the Qumran-AX via a FAL API. The sessions will start in software, then move to hardware when transitioning to UP state.
Link Aggregation (LAG) Support
Link Aggregation (LAG) is a mechanism by which a network operator can group multiple interfaces together for L2 forwarding, for purposes such as resiliency or increased throughput. LAG is currently supported in the software forwarding path, but not for hardware switched/forwarded interfaces. This feature adds support for LAG on devices using Broadcom Q-AX.
PM25 interface speed configuring auditing
This adds an enhancement that restricts the available options for configuring link speed for certain platform interface modules, such that incompatible NIF speeds cannot be configured on the same PM25 (ports 20-27 on the Ufi Whitebox).
Packet Snooping in Hardware
This adds an ad-hoc diagnostic tool that can be used to "peek" at the frames traversing a particular hardware interface. It is not intended as a comprehensive packet mirroring (SPAN, RSPAN, ERSPAN) feature.
Route Variance Tracking
'show ip route variance' tracks deltas between the kernel, RIB, and software dataplane. This feature extends this to include PD L3 programming.
Q-AX DRAM Reclamation
This feature allows the reclamation of external DRAM used by Q-AX which has been marked as errored. It additionally provides data which can be used in detecting faulty DRAM within the device.
IEEE-1588 (PTP) support for the G.8275.2 telecom profiles
Adds support for G.8275.2 telecom profiles with or without assisted partial timing (APTS) support.
Monitoring "No-buffer" (memory exhaustion) drops
This feature allows the user to configure a packet buffer monitoring threshold. Traps are generated when the threshold is exceeded.
Per-vlan support for L2 PCP and L3 DSCP
This feature adds support for adding PCP and DSCP classification at a per port or per vlan level of granularity.
QoS queue map based on ingress port
This feature adds support for setting ingress port affinity to egress QoS queue. This enables DSCP untrusted devices to be classified based on configuration. The expression of the ingress port is configurable at the port and port+vlan levels.
VRRP configuration on switch virtual interfaces
This feature adds support for configuring Virtual Router Redundancy Protocol (VRRP) on DANOS-Vyatta edition vif switch interfaces.
Provide a way to control cgnat session time out for DNS
This feature allows configuration of session timeout values for individual port numbers. When configured, these take precedence over any other protocol specific timeout value or the default value.
Linux Update
The base Linux OS is updated to Debian 10.
Path Monitor Enhancements
Various functions are added to the core Path Monitor feature:
Configurable packet count for twping (TWAMP) monitors
Configurable inter-packet delay for ping and twping (TWAMP) monitors
Configurable source address for ping monitors
Configurable randomised delay support for twping (TWAMP) monitors (in certain modes)
OSPF Stub Router Advertisement
Adds support for RFC-6987 for OSPFv2 and OSPFv3. This involves advertising the cost of transit links as MaxLinkMetric (65535) so that the router is still reachable but will not be used to forward traffic.
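To make the stub router behaviour concrete, here is an added example (not code from the release or the DANOS-Vyatta project) that runs a shortest-path-first calculation over a small constructed topology. The link-state database is simplified to a directed map of "router -> {neighbour: cost this router advertises for the link}", which mirrors the fact that a router-LSA carries the advertising router's own outbound costs. When router R is put into stub mode, only R's advertised transit costs become MaxLinkMetric (65535); other routers' costs towards R are unchanged, so R stays reachable while no longer being chosen as a transit hop. Node names and costs are constructed for the illustration.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# RFC 6987: a stub router advertises this metric on its transit links.
MAX_LINK_METRIC = 65535

# Simplified LSDB: router -> {neighbour: cost advertised BY that router for the link}.
# Costs are directional, as in OSPF router-LSAs.
Lsdb = Dict[str, Dict[str, int]]

# Constructed example topology: A reaches B via R (cost 20) or via C (cost 30).
TOPOLOGY: Lsdb = {
    "A": {"R": 10, "C": 15},
    "R": {"A": 10, "B": 10},
    "C": {"A": 15, "B": 15},
    "B": {"R": 10, "C": 15},
}


def spf(lsdb: Lsdb, root: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra from `root`; returns (distance per router, predecessor per router)."""
    dist = {root: 0}
    prev: Dict[str, str] = {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path(prev: Dict[str, str], root: str, dst: str) -> List[str]:
    """Rebuild the router sequence from root to dst using the predecessor map."""
    if dst != root and dst not in prev:
        return []
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def stub_router(lsdb: Lsdb, router: str) -> Lsdb:
    """Copy of the LSDB in which `router` advertises MaxLinkMetric on all of its transit links."""
    new = {r: dict(links) for r, links in lsdb.items()}
    new[router] = {nbr: MAX_LINK_METRIC for nbr in lsdb[router]}
    return new


def best_path(lsdb: Lsdb, src: str, dst: str) -> Tuple[Optional[int], List[str]]:
    dist, prev = spf(lsdb, src)
    return dist.get(dst), path(prev, src, dst)


if __name__ == "__main__":
    print("normal:", best_path(TOPOLOGY, "A", "B"))
    stub = stub_router(TOPOLOGY, "R")
    print("R stub, A->B:", best_path(stub, "A", "B"))
    print("R stub, A->R:", best_path(stub, "A", "R"))
```

Running it shows A reaching B through R at cost 20 normally; after R becomes a stub router, A goes via C at cost 30 but still reaches R itself at cost 10, which is exactly the "reachable but not used for transit" property the feature provides.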
VRRP state retrieval via netconf
This feature allows the retrieval of VRRP state via netconf, in addition to the existing mechanism of the CLI "show vrrp" commands.
Enhancements to configuration of QoS Burst Size
This feature will allow for the burst size for a shaper to be specified in units of milliseconds.
BGP Graceful Restart
BGP Graceful Restart (RFC 4724) functionality currently exists in DANOS-Vyatta edition, where bgpd process restart is also supported. This feature adds support for the BGP Notification Messages for Graceful Restart (RFC 8538) which was not provided previously.
Hot Fix Installation
This feature adds support for hot-fix package installation.
Display uptime/last clear in "show interface dataplane" output
A small change to add uptime and last-clear output to "show interface dataplane foo".
Link Aggregation fast-periodic ("fast rate") support
Link aggregation, 802.1AX-2014 (formerly 802.3ad), supports a shorter timeout for LACPDU packets and this feature adds such support. This is often called "fast periodic" or "fast rate".
IPsec Remote Access VPN server: EAP-TLS authentication support
This feature adds support for EAP-TLS (RFC 5126).
IPsec RA VPN server: DNS configuration attributes
This feature introduces support for the configuration payloads INTERNAL_IP4_DNS and INTERNAL_IP6_DNS. These allow the IPsec RA VPN server to communicate to the IPsec RA VPN client which DNS server should be used inside the tunnel, in accordance with RFC 7296.
IPsec RA VPN server: Per-profile client ID authentication filtering and matching
This feature allows filters to be configured which IKE uses to match and filter remote peers.
Increase TWAMP Server Maximum Control Sessions
This feature allows support for up to 4096 concurrent control sessions.
eiBGP Multipath
Provides eiBGP multipath functionality where both external and internal bgp routes are considered for multipath selection.
Netconf – Confirmed Commit
Commit confirm is a feature which is currently available on the vRouter CLI. It helps guard against committing configurations which can cause loss of connection to the system being managed, or which cause system instability or crashes. Such scenarios are automatically recovered from if the configuration is not confirmed.
Yang Identity and Identityref Support
This feature will complete the support of identities in the Yang compiler, as specified in RFC 6020.
TLS 1.3 Support
TLS 1.3 support has been added for the following features:
vyatta-zerotouch / Phone Home Client
vyatta-restclient-perl
add system image ...
clone image ...
vyatta-openvpn / resource service-users ldap
strongswan / ext-fetcher
vyatta-diamond / Cirrus
Defects
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
[DSA 4667-1] linux security update
[DSA 4665-1] qemu security update
[DSA 4613-1] libidn2 security update
[DSA 4616-1] qemu security update
[DSA 4608-1] tiff security update
[DSA 4579-1] nss security update
[DSA 4566-1] qemu security update
[DSA 4564-1] linux security update
[DSA-4602-1] xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
[CVE-2020-1967, Debian DSA-4661-1] openssl - security update
[CVE-2020-11501, Debian DSA-4652-1] gnutls28 - security update
[CVE-2020-10531, Debian DSA-4646-1] icu - security update
[CVE-2020-8597, Debian DSA-4632-1] ppp - security update
[CVE-2020-12243, DSA-4666-1] openldap - security update
[CVE-2019-18634, DSA-4614-1] sudo - security update
[CVE-2018-19052] lighttpd package showing 1.4.45-1 as vulnerable
[CVE-2019-15795, CVE-2019-15796, DSA-4609-1] python-apt - security update
[CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-16544] busybox package showing 1:1.22.0-19 vulnerable
[CVE-2020-3810, DSA-4685-1] apt - security update
[CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659]: Debian DSA 4728-1: qemu security update
[CVE-2019-17006, CVE-2019-17023, CVE-2020-12399, CVE-2020-12402]: Debian DSA 4726-1: nss security update
[CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567]: Debian DSA 4723-1: xen security update
[CVE-2020-10663, CVE-2020-10933]: Debian DSA-4721-1 : ruby2.5 - security update
[CVE-2018-19044, CVE-2018-19045, CVE-2018-19046]: Insecure temporary file usage in keepalived
[CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143]: Debian DSA-4699-1 : linux - security update
[CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143]: Debian DSA-4698-1: linux - security update
[CVE-2020-13777]: Debian DSA-4697-1 : gnutls28 - security update
[CVE-2019-6477, CVE-2020-8616, CVE-2020-8617]: Debian DSA-4689-1 : bind9 - security update
[CVE-2020-3810]: Debian DSA-4685-1 : apt - security update
[CVE-2020-10722, CVE-2020-10723, CVE-2020-10724]: Debian DSA-4688-1 : dpdk - security update
[CVE-2020-0556]: Debian DSA-4647-1 : bluez - security update
Privilege escalation in "reset ipv6 neighbors" / "reset ip arp" commands
ssh-known-hosts exposes hostname or IP addresses of remote-peers in plaintext / should be hashed
opd doesn't escape input properly when completing commands
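The resolved-vulnerability list above mixes several entry shapes ("[DSA 4667-1] linux security update", "[CVE-..., Debian DSA-4661-1] openssl - security update", "[CVE-...]: Debian DSA 4728-1: qemu security update", and free-text items). A practitioner checking whether a CVE from a scanner report is covered by this release wants those entries as structured data. The following is an added example, not tooling from IP Infusion or the DANOS-Vyatta project: it parses lines in the formats used on this page into CVE ids, DSA ids and the affected Debian package, and answers "is this CVE addressed by the release?". The sample input is copied from entries in this list; the regular expressions and the fallback for "package showing ... vulnerable" wording are this example's own assumptions about the list format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Accepts both "DSA 4728-1" and "DSA-4661-1" spellings.
DSA_RE = re.compile(r"DSA[ -](\d{4}-\d+)")
# Some entries repeat "Debian DSA-4721-1 :" after the bracket; strip it from the description.
DSA_PREFIX_RE = re.compile(r"^Debian\s+DSA[ -]\d{4}-\d+\s*:?\s*")
# "openssl - security update", "linux security update", "ruby2.5 - security update"
SECURITY_UPDATE_RE = re.compile(r"^([A-Za-z0-9.+-]+)\s*(?:-\s*)?security update", re.I)
# "lighttpd package showing 1.4.45-1 as vulnerable"
PACKAGE_SHOWING_RE = re.compile(r"^([A-Za-z0-9.+-]+)\s+package\b")

# Sample lines copied from this release note's resolved-vulnerability list.
SAMPLE = """\
[DSA 4667-1] linux security update
[DSA-4602-1] xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
[CVE-2020-1967, Debian DSA-4661-1] openssl - security update
[CVE-2020-3810, DSA-4685-1]apt - security update
[CVE-2020-10663, CVE-2020-10933]: Debian DSA-4721-1 : ruby2.5 - security update
[CVE-2018-19052] lighttpd package showing 1.4.45-1 as vulnerable
[CVE-2018-19044, CVE-2018-19045, CVE-2018-19046]: Insecure temporary file usage in keepalived
"""


@dataclass
class Advisory:
    cves: List[str] = field(default_factory=list)
    dsas: List[str] = field(default_factory=list)
    package: Optional[str] = None   # None when the entry names no Debian package
    description: str = ""


def parse_entry(line: str) -> Advisory:
    """Parse one resolved-vulnerability line into identifiers, package and description."""
    line = line.strip()
    cves = CVE_RE.findall(line)
    dsas = ["DSA-" + num for num in DSA_RE.findall(line)]
    # Text after the closing bracket is the human-readable part.
    desc = line.split("]", 1)[1] if "]" in line else line
    desc = DSA_PREFIX_RE.sub("", desc.lstrip(" :"))
    package = None
    for pattern in (SECURITY_UPDATE_RE, PACKAGE_SHOWING_RE):
        m = pattern.match(desc)
        if m:
            package = m.group(1)
            break
    return Advisory(cves, dsas, package, desc)


def parse_entries(text: str) -> List[Advisory]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def cve_index(advisories: List[Advisory]) -> Dict[str, Optional[str]]:
    """Map every CVE the release claims to fix to the package it was fixed in."""
    index: Dict[str, Optional[str]] = {}
    for adv in advisories:
        for cve in adv.cves:
            index.setdefault(cve, adv.package)
    return index


def is_covered(advisories: List[Advisory], cve: str) -> bool:
    """True if `cve` appears anywhere in the release's resolved list."""
    return cve in cve_index(advisories)


if __name__ == "__main__":
    advisories = parse_entries(SAMPLE)
    for adv in advisories:
        print(adv.package, adv.dsas, adv.cves)
    print("CVE-2020-1967 covered:", is_covered(advisories, "CVE-2020-1967"))
```

Because the index is keyed on CVE ids, a scanner's finding list can be checked against it directly; entries with no CVE id (the DSA-only lines) still retain their DSA id and package name, which is what you need to look the CVE list up on the Debian security tracker.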
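The ssh-known-hosts item above is the disclosure concern that OpenSSH's hashed known_hosts format addresses: a hashed entry lets the client still verify a host key while an attacker who reads the file learns nothing about which hosts were contacted. The following is an added example (not code from the release or the project) of that format as OpenSSH defines it: a host field of the form "|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>", with a 20-byte random salt, which is what "ssh-keygen -H" writes. The sample known_hosts content is constructed, and the key material in it is a placeholder, not a real key.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed host field (HMAC-SHA1, 20-byte salt)

# Constructed sample; the key strings are placeholders, not real public keys.
PLAINTEXT_KNOWN_HOSTS = """\
# constructed sample known_hosts
router1.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYROUTER1
router2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYROUTER2
"""


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_hostname(host: str, salt: Optional[bytes] = None) -> str:
    """Build the '|1|salt|mac' host field; a fixed salt is only for reproducible tests."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + _b64(salt) + "|" + _b64(mac)


def host_field_matches(field: str, host: str) -> bool:
    """Match a host against either a hashed field or a plaintext, comma-separated field."""
    if field.startswith(HASH_MAGIC):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def find_host_key(known_hosts: str, host: str) -> Optional[Tuple[str, str]]:
    """Return (keytype, key) for the first entry matching `host`, or None."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        field, keytype, rest = parts
        if host_field_matches(field, host):
            return keytype, rest.split()[0]   # drop any trailing comment
    return None


def hash_known_hosts(known_hosts: str, salt: Optional[bytes] = None) -> str:
    """Rewrite plaintext host fields as hashed ones, one line per alias (as ssh-keygen -H does)."""
    out: List[str] = []
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(HASH_MAGIC):
            out.append(line)
            continue
        parts = stripped.split(None, 1)
        if len(parts) < 2:
            out.append(line)
            continue
        field, rest = parts
        for alias in field.split(","):
            out.append(hash_hostname(alias, salt) + " " + rest)
    return "\n".join(out)


if __name__ == "__main__":
    hashed = hash_known_hosts(PLAINTEXT_KNOWN_HOSTS)
    print(hashed)
    print(find_host_key(hashed, "router1.example.net"))
```

After hashing, the file no longer contains "router1.example.net" or "192.0.2.10", yet lookups for either name still return the same key, because each alias gets its own salted line. Note that hashing only hides the identities from someone who reads the file; an attacker who already guesses a hostname can confirm it by recomputing the HMAC, so it is a disclosure mitigation, not a secret.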
Known issues
The following table lists the known issues in this release.
Component | Key | Summary |
---|---|---|
BGP | VRVDR-52451 | bgpd process crashed when performing snmpwalk |
OSPFv3 | VRVDR-52395 | Ospf6d crashed with 70k/128k routes when ospfv3 process reset |
Dataplane, BFD | VRVDR-52489 | Dataplane crashes after reset bgp session with SEGV signal for bfd-plugin thread |
OSPFv3 | VRVDR-51846 | RIB table doesn't get updated correctly for ospfv3 routes after primary to secondary path switchover with same area routes. |
DHCPv6 | VRVDR-51749 | DHCPv6 address not getting renewed automatically on client node after DHCP server rebooted |
Bonding | VRVDR-52097 | Shutdown bond interface or disable from its member port dropping for the other bond interface too |
Bonding | VRVDR-52349 | vyatta-snmp-vrf process crashed when run snmpwalk for the first time over bonding interface |
OSPFv3 | VRVDR-51587 | Ospf6d is crashing with 70k routes in switchover scenario |
OSPFv2, OSPFv3 | VRVDR-51189 | Interop: DR/BDR election doesn't happen as per protocol standard between DVE & Cisco |
BGP | VRVDR-51188 | BGP-3 provisioning/session Failed when existing bgp neighbour config modified with peer-group |
OSPFv3 | VRVDR-51032 | OSPFv3 session DOWN after configuring area type stub between UFI and NOKIA/CISCO |
OSPFv3 | VRVDR-50951 | Ospfv3 logs are not generated for any ospfv3 session reset or updates |
DHCPv4 | VRVDR-51452 | DHCPv4 IP Address is not received after soft reboot and works fine once system is hard rebooted |
RIB | VRVDR-50972 | Route withdrawal and installation occur in RIB table when any one ECMP NH path is deleted/added |
Limitations, Restrictions or Behavior Changes
IPsec RA VPN server Virtual-Feature-Point interfaces are only supported in a default routing-instance
Deprecation of TACACS+ local-user-name authorization argument. The local-user-name authorization argument allows TACACS+ to log in as an already configured local user. Alternatively, DANOS-Vyatta edition also supports on-the-fly creation of a local user during the login process for TACACS+ users. This is done when local-user-name is not present in the session authorization reply. Support for this feature will be removed in the next DANOS-Vyatta edition release, at which time the presence of the local-user-name argument in authorization replies will cause an authorization failure.
While the OS does support IKEv1, IP Infusion strongly recommends using IKEv2 to avoid security vulnerabilities associated with IKEv1, such as reflection and amplification DoS attacks.
In AWS, legacy Xen instance types will not work. The feature adds support for the modern Nitro (KVM) instance types only; please use those.
L3 configuration is not allowed directly on a dataplane interface. An SVI interface must be created to use a dataplane interface for L3 configuration.
MIBs
No new MIBs have been introduced in this release.
No MIBs have been modified in this release.
There are no deprecated MIBs in this release.
RFCs and Standards
The following standards have been added, or additional parts of them have been implemented, in this release:
RFC 7296, IKEv2 - chapter 3.15
RFC 5126, EAP TLS
RFC 968, eiBGP Multi-path
RFC 6020, YANG
RFC 6987, OSPF Stub Router Advertisement
RFC 8538, BGP Notification Message support for Graceful Restart
Licenses
MSTP/RSA
/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software. */