Virtual SD Edge 2005

Release Notes

August 14, 2020
© 2020 IP Infusion Inc. All Rights Reserved.
This documentation is subject to change without notice. The software described in this document and this documentation are furnished under a license agreement or nondisclosure agreement. The software and documentation may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of IP Infusion Inc.


IP Infusion Inc.
3965 Freedom Circle, Suite 200
Santa Clara, CA 95054
+1 408-400-1900
http://www.ipinfusion.com/


For support, questions, or comments via E-mail, contact:
support@ipinfusion.com

Trademarks:
IP Infusion, OcNOS, VirNOS, ZebM, and ZebOS-XP are trademarks or registered trademarks of IP Infusion. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Use of certain software included in this equipment is subject to the IP Infusion, Inc. End User License Agreement at http://www.ipinfusion.com/license. By using the equipment, you accept the terms of the End User License Agreement.


About this Release

These release notes document changes made for DANOS-Vyatta edition (DVE) 2005a.

Supported Solutions

DANOS-Vyatta edition supports the following two solutions with the 2005a release.

  • Cell-Site Router: Current and future mobile backhaul services including 5G with high bandwidth and low latencies. The cell site router solution can be deployed on the qualified hardware platforms shown in the table below.

  • Virtual SD Edge: Virtual Router to build and manage enterprise-class networking services and VPN technologies for the public and private cloud or data center. The supported hypervisors and cloud platforms are listed below.

Hardware/Platform Compatibility List

DANOS-Vyatta edition 2005a supports the platforms as shown in the following table.
Note: See the feature matrix for a complete list of features supported on each platform.

UFI Space

Model     | Switching ASIC       | Port configuration                        | Hardware Revision                        | DVE Solution
9500-30XS | Broadcom BCM88470_B0 | 20 port 10G, 8 port 25G and 2 ports 100G | Label Revision: 2; CPU CPLD version: 20 | Layer-3 Cell-Site Router

Virtual Machine

Vendor | Platform | Version           | DVE Solution
LINUX  | KVM      | 1.5.3             | Virtual SD Edge
VMWare | ESXI     | 6.7               | Virtual SD Edge
Azure  | VHD      | Cloud Marketplace | Virtual SD Edge

Azure Market Place: https://azuremarketplace.microsoft.com/en-/marketplace/apps/ipinfusion1590066770520.virtual-sd-edge-1-0?tab=Overview

Optics and Accessories

The DANOS-Vyatta edition NOS supports the following SFP and SFP+ transceivers:

  • Brocade/E1MG-SX-OM-1000BASE-SX

  • Brocade/E1MG-LX-OM-1000BASE-LX

  • Brocade/E1MG-LHA-OM-1000BASE-EX

  • Brocade/10G-SFPP-SR-10GBASE-SR

  • Brocade/10G-SFPP-LR-10GBASE-LR

  • Brocade/10G-SFPP-ER-10GBASE-ER



  • 1GE-Copper: FCLF8522P2BTL

  • 1GE (SFP): FTLF8519P3BNL

  • 1GE LX (SFP): FTLF1318P3BTL

  • 1GE (SFP): FTLF1518P1BTL

  • 10GE SR (SFP+): FTLX8574D3BCL

  • 10GE LR (SFP+): FTLX1475D3BCL

  • 10GE ER (SFP+): FTLX1672D3BCL

  • 1GE-Copper: FCLF8522P2BTL



  • 1GE LX (SFP): FTLF1318P3BTL

  • 1GE EX (SFP): FTLF1421P1BTL-RN

  • 1GE ZX (SFP): FTLF1518P1BTL

  • 10GE LR (SFP+): FTLX1475D3BTL

  • 10GE ER (SFP+): FTLX1672D3BTL

  • 25GE LR (SFP28): FTLF8536W4BTL

  • 100GE LR4 (QSFP28): FTLC1154RDPL4



New Features

For a complete feature list, please refer to the Feature Matrix.

Hardware BFD Support

This feature will program BFD sessions into hardware on the Qumran-AX via a FAL API. The sessions will start in software, then move to hardware when transitioning to UP state.

Hardware LAG Support on Q-AX

Link Aggregation (LAG) is a mechanism by which a network operator can group multiple interfaces together for the purposes of L2 forwarding, for example for resiliency or increased throughput. LAG is currently supported in the software forwarding path, but isn't supported for hardware switched/forwarded interfaces. This feature adds support for LAG on devices using Broadcom Q-AX.

PM25 interface speed configuring auditing

This adds an enhancement that restricts the available options for configuring link speed for certain platform interface modules, such that incompatible NIF speeds cannot be configured on the same PM25 (ports 20-27 on the Ufi Whitebox).

Packet Snooping in Hardware

This adds an ad-hoc diagnostic tool that can be used to "peek" at the frames traversing a particular hardware interface. It is not intended as a comprehensive packet mirroring (SPAN, RSPAN, ERSPAN) feature.

Route Variance Tracking

'show ip route variance' tracks deltas between the kernel, RIB, and software dataplane. This feature extends this to include PD L3 programming.

Q-AX DRAM Reclamation

This feature allows the reclamation of external DRAM used by Q-AX which has been marked as errored. It additionally provides data which can be used in detecting faulty DRAM within the device.

IEEE-1588 (PTP) support for the G.8275.2 telecom profiles

Adds support for G.8275.2 telecom profiles with or without assisted partial timing (APTS) support.

Monitoring "No-buffer" (memory exhaustion) drops

This feature allows a packet buffer monitoring threshold value to be configured by the user. Traps are generated when the threshold is exceeded.

Per-vlan support for L2 PCP and L3 DSCP

This feature adds support for adding PCP and DSCP classification at a per port or per vlan level of granularity.

QoS queue map based on ingress port

This feature adds support for setting ingress port affinity to egress QoS queue. This enables DSCP untrusted devices to be classified based on configuration. The expression of the ingress port is configurable at the port and port+vlan levels.

VRRP configuration on switch virtual interfaces

This feature adds support for configuring Virtual Router Redundancy Protocol (VRRP) on DANOS-Vyatta edition vif switch interfaces.

Provide a way to control cgnat session time out for DNS

This feature allows configuration of session timeout values for individual port numbers. When configured, these take precedence over any other protocol specific timeout value or the default value.

Linux Update

The base Linux OS is updated to Debian 10.

Path Monitor Enhancements

Various functions are added to the core Path Monitor feature:

  • Configurable packet count for twping (TWAMP) monitors

  • Configurable inter-packet delay for ping and twping (TWAMP) monitors

  • Configurable source address for ping monitors

  • Configurable randomised delay support for twping (TWAMP) monitors (in certain modes)

OSPF Stub Router Advertisement

Adds support for RFC-6987 for OSPFv2 and OSPFv3. This involves advertising the cost of transit links as MaxLinkMetric (65535) so that the router is still reachable but will not be used to forward traffic.
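The stub-router mechanism described above can be seen in a small SPF computation. The following is an added example, not code from the release notes or from DANOS-Vyatta edition: a minimal Dijkstra run over a constructed four-router topology (router names, link costs and the choice of S as the stub router are all constructed for the demo). When S advertises its transit links with MaxLinkMetric (65535), the other routers still reach S, but the shortest path between them no longer goes through S.

```python
"""Added example (not from the release notes): RFC 6987 stub-router behaviour
shown with a small Dijkstra SPF over a constructed OSPF-like topology."""
import heapq

MAX_LINK_METRIC = 0xFFFF  # RFC 6987 MaxLinkMetric (65535)

# Constructed topology: (advertising router, neighbour, cost) for each
# directed link as it would appear in the advertising router's Router-LSA.
# A-S-B is the cheap path (10 + 10); A-C-B is the expensive backup (30 + 30).
BASE_LINKS = [
    ("A", "S", 10), ("S", "A", 10),
    ("S", "B", 10), ("B", "S", 10),
    ("A", "C", 30), ("C", "A", 30),
    ("C", "B", 30), ("B", "C", 30),
]


def build_lsdb(links, stub_router=None):
    """Return {router: {neighbour: cost}}.

    If stub_router is given, every link *it* advertises is re-costed to
    MaxLinkMetric, which is what RFC 6987 does for a router's transit links.
    Links advertised by other routers towards it are untouched, so the stub
    router itself stays reachable at its normal cost.
    """
    adj = {}
    for src, dst, cost in links:
        if src == stub_router:
            cost = MAX_LINK_METRIC
        adj.setdefault(src, {})[dst] = cost
        adj.setdefault(dst, {})
    return adj


def spf(adj, root):
    """Dijkstra from root; returns {dest: (cost, [root, ..., dest])}."""
    dist = {root: (0, [root])}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u][0]:
            continue  # stale heap entry
        for v, c in adj[u].items():
            nd = d + c
            if v not in dist or nd < dist[v][0]:
                dist[v] = (nd, dist[u][1] + [v])
                heapq.heappush(heap, (nd, v))
    return dist


def transit_routers(tree):
    """Routers that appear as an intermediate hop on any shortest path."""
    transit = set()
    for _cost, path in tree.values():
        transit.update(path[1:-1])
    return transit


def compare_stub_router(root="A", stub="S"):
    """SPF from `root` before and after `stub` advertises MaxLinkMetric."""
    normal = spf(build_lsdb(BASE_LINKS), root)
    stubbed = spf(build_lsdb(BASE_LINKS, stub_router=stub), root)
    return {
        "normal_path_to_B": normal["B"][1],          # ['A', 'S', 'B']
        "stub_path_to_B": stubbed["B"][1],           # ['A', 'C', 'B']
        "stub_reachable": stub in stubbed,           # True: S still in the tree
        "stub_cost": stubbed[stub][0],               # 10: A's own link cost
        "stub_is_transit_before": stub in transit_routers(normal),   # True
        "stub_is_transit_after": stub in transit_routers(stubbed),   # False
    }


if __name__ == "__main__":
    for key, value in compare_stub_router().items():
        print(f"{key}: {value}")
```

The model deliberately treats every link S advertises as a transit link; a real implementation leaves the router's stub links (its own prefixes) at their normal cost, which is why the RFC describes the router as still reachable while being avoided for transit.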

VRRP state retrieval via netconf

This feature allows the retrieval of VRRP state via NETCONF, in addition to the existing mechanism of the CLI using the show vrrp commands.

Enhancements to configuration of QoS Burst Size

This feature will allow for the burst size for a shaper to be specified in units of milliseconds.

BGP Graceful Restart

BGP Graceful Restart (RFC 4724) functionality currently exists in DANOS-Vyatta edition, where bgpd process restart is also supported. This feature adds support for the BGP Notification Messages for Graceful Restart (RFC 8538) which was not provided previously.

Hot Fix Installation

This feature adds support for hot-fix package installation.

Display uptime/last clear in "show interface dataplane" output

A small change to add uptime and last-clear output to "show interface dataplane foo".

LACP Fast Rate

Link aggregation, 802.1AX-2014 (formerly 802.3ad), supports a shorter timeout for LACPDU packets, and this feature adds such support. This is often called "fast periodic" or "fast rate".

IPsec Remote Access VPN server: EAP-TLS authentication support

This feature adds support for EAP-TLS (RFC 5126).

IPsec RA VPN server: DNS configuration attributes

This feature introduces support for the configuration payloads INTERNAL_IP4_DNS and INTERNAL_IP6_DNS. These allow the IPsec RA VPN server to communicate to the IPsec RA VPN client which DNS server should be used inside the tunnel, in accordance with RFC 7296.

IPsec RA VPN server: Per-profile client ID authentication filtering and matching

This feature allows filters to be configured which IKE uses to match and filter remote peers.

Increase TWAMP Server Maximum Control Sessions

This feature allows support for up to 4096 concurrent control sessions.

eiBGP Multipath

Provides eiBGP multipath functionality, where both external and internal BGP routes are considered for multipath selection.

Netconf – Confirmed Commit

Commit confirm is a feature which is currently available on the vRouter CLI. It helps guard against committing configurations which can cause loss of connection to the system being managed, or which cause system instability or crashes. Such scenarios are automatically recovered from if the configuration is not confirmed.

Yang Identity and Identityref Support

This feature will complete the support of identities in the Yang compiler, as specified in RFC 6020.

TLS 1.3 Support

TLS 1.3 support has been added for the following features:

  • vyatta-zerotouch / Phone Home Client

  • vyatta-restclient-perl

  • add system image ...

  • clone image ...

  • vyatta-openvpn / resource service-users ldap

  • strongswan / ext-fetcher

  • vyatta-diamond / Cirrus

Defects

Resolved Security Vulnerabilities

The following security issues are resolved in this release:

  • [DSA 4667-1] linux security update

  • [DSA 4665-1] qemu security update

  • [DSA 4613-1] libidn2 security update

  • [DSA 4616-1] qemu security update

  • [DSA 4608-1] tiff security update

  • [DSA 4579-1] nss security update

  • [DSA 4566-1] qemu security update

  • [DSA 4564-1] linux security update

  • [DSA-4602-1] xen - security update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

  • [CVE-2020-1967, Debian DSA-4661-1] openssl - security update

  • [CVE-2020-11501, Debian DSA-4652-1] gnutls28 - security update

  • [CVE-2020-10531, Debian DSA-4646-1] icu - security update

  • [CVE-2020-8597, Debian DSA-4632-1] ppp - security update

  • [CVE-2020-12243, DSA-4666-1] openldap - security update

  • [CVE-2019-18634, DSA-4614-1] sudo - security update

  • [CVE-2018-19052] lighttpd package showing 1.4.45-1 as vulnerable

  • [CVE-2019-15795, CVE-2019-15796, DSA-4609-1] python-apt - security update

  • [CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-16544] busybox package showing 1:1.22.0-19 vulnerable

  • [CVE-2020-3810, DSA-4685-1] apt - security update

  • [CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659]: Debian DSA 4728-1: qemu security update

  • [CVE-2019-17006, CVE-2019-17023, CVE-2020-12399, CVE-2020-12402]: Debian DSA 4726-1: nss security update

  • [CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564, CVE-2020-15565, CVE-2020-15566, CVE-2020-15567]: Debian DSA 4723-1: xen security update

  • [CVE-2020-10663, CVE-2020-10933]: Debian DSA-4721-1 : ruby2.5 - security update

  • [CVE-2018-19044, CVE-2018-19045, CVE-2018-19046]: Insecure temporary file usage in keepalived

  • [CVE-2019-19462, CVE-2019-3016, CVE-2020-0543, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-12114, CVE-2020-12464, CVE-2020-12768, CVE-2020-12770, CVE-2020-13143]: Debian DSA-4699-1 : linux - security update

  • [CVE-2019-2182, CVE-2019-5108, CVE-2019-19319, CVE-2019-19462, CVE-2019-19768, CVE-2019-20806, CVE-2019-20811, CVE-2020-0543, CVE-2020-2732, CVE-2020-8428, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, CVE-2020-9383, CVE-2020-10711, CVE-2020-10732, CVE-2020-10751, CVE-2020-10757, CVE-2020-10942, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-12114, CVE-2020-12464, CVE-2020-12652, CVE-2020-12653, CVE-2020-12654, CVE-2020-12770, CVE-2020-13143]: Debian DSA-4698-1: linux - security update

  • [CVE-2020-13777]: Debian DSA-4697-1 : gnutls28 - security update

  • [CVE-2019-6477, CVE-2020-8616, CVE-2020-8617]: Debian DSA-4689-1 : bind9 - security update

  • [CVE-2020-3810]: Debian DSA-4685-1 : apt - security update

  • [CVE-2020-10722, CVE-2020-10723, CVE-2020-10724]: Debian DSA-4688-1 : dpdk - security update

  • [CVE-2020-0556]: Debian DSA-4647-1 : bluez - security update

  • Privilege escalation in "reset ipv6 neighbors" / "reset ip arp" commands

  • ssh-known-hosts exposes hostname or IP addresses of remote-peers in plaintext / should be hashed

  • opd doesn't escape input properly when completing commands



Known issues

The following table lists the known issues in this release.

Component      | Key         | Summary
BGP            | VRVDR-52451 | bgpd process crashed when performing snmpwalk
OSPFv3         | VRVDR-52395 | Ospf6d crashed with 70k/128k routes when ospfv3 process reset
Dataplane, BFD | VRVDR-52489 | Dataplane crashes after reset bgp session with SEGV signal for bfd-plugin thread
OSPFv3         | VRVDR-51846 | RIB table doesn't get updated correctly for ospfv3 routes after primary to secondary path switchover with same area routes
DHCPv6         | VRVDR-51749 | DHCPv6 address not getting renewed automatically on client node after DHCP server rebooted
Bonding        | VRVDR-52097 | Shutting down a bond interface, or disabling one of its member ports, also causes drops on the other bond interface
Bonding        | VRVDR-52349 | vyatta-snmp-vrf process crashed when running snmpwalk for the first time over bonding interface
OSPFv3         | VRVDR-51587 | Ospf6d is crashing with 70k routes in switchover scenario
OSPFv2, OSPFv3 | VRVDR-51189 | Interop: DR/BDR election doesn't happen as per protocol standard between DVE & Cisco
BGP            | VRVDR-51188 | BGP-3 provisioning/session failed when existing bgp neighbour config modified with peer-group
OSPFv3         | VRVDR-51032 | OSPFv3 session DOWN after configuring area type stub between UFI and NOKIA/CISCO
OSPFv3         | VRVDR-50951 | Ospfv3 logs are not generated for any ospfv3 session reset or updates
DHCPv4         | VRVDR-51452 | DHCPv4 IP address is not received after soft reboot and works fine once system is hard rebooted
RIB            | VRVDR-50972 | Route withdrawal and installation occur in RIB table when any one ecmp NH path deleted/added



Limitations, Restrictions or Behavior Changes

IPsec RA VPN server Virtual-Feature-Point interfaces are only supported in a default routing-instance
Deprecation of TACACS+ local-user-name authorization argument. The local-user-name authorization argument allows TACACS+ to login as an already configured local user. Alternatively, DANOS-Vyatta edition also supports on-the-fly creation of a local user during the login process for TACACS+ users. This is done when local-user-name is not present in the session authorization reply. Support for this feature will be removed in the next DANOS-Vyatta edition release, at which time the presence of the local-user-name argument in authorization replies will cause an authorization failure.
While the OS does support IKEv1, IP Infusion strongly recommends using IKEv2 to avoid security vulnerabilities associated with IKEv1, such as reflector and amplifier DoS attacks.
In AWS, legacy Xen instance types will not work. The feature adds support for the modern Nitro (KVM) instance types only; please use those.
L3 configuration on dataplane interface not allowed directly. SVI interface must be created to use dataplane interface for L3 configuration.

MIBs

No new MIBs have been introduced in this release.
No MIBs have been modified in this release.
There are no deprecated MIBs in this release.

RFCs and Standards

The following standards have been added or additional parts have been implemented in this release:

  • RFC 7296, IKEv2 - chapter 3.15

  • RFC 5126, EAP TLS

  • RFC 968, eiBGP Multi-path

  • RFC 6020, YANG

  • RFC 6987, OSPF Stub Router Advertisement

  • RFC 8538, BGP Notification Message support for Graceful Restart

Licenses

MSTP/RSA

/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software. */