Batfish 2020-04-23

@dhalperi dhalperi released this 23 Apr 21:18
a1e76e1

Release notes

Announcements

We are excited to announce a free trial of Batfish Enterprise for AWS. To learn more, read our blog post or check out the video demos on YouTube. Sign up at https://www.intentionet.com/trial.

Noteworthy new features and improvements in this release include:

  • For this release, we have overhauled and dramatically extended Batfish support for Amazon Web Services (AWS) configurations. This includes support for new constructs such as Load Balancers, NAT Gateways, and Transit Gateways, as well as improved modeling and visibility for standard constructs like VPCs, Subnets, Security Groups, Network ACLs, Internet Gateways, etc. You can try Batfish Enterprise on your AWS deployment by visiting https://www.intentionet.com/trial.

  • Batfish ISP Modeling includes many new features. Networks can now peer with their ISPs over unnumbered BGP sessions (#5641), you can customize the prefixes an ISP will advertise to the Internet (#5585), and you can control how an ISP will filter traffic between your network and the Internet (#5666). In addition, the links Batfish creates now use link-local addresses to provide a simpler network (#5640).

  • pybatfish is now distributed on PyPI! (#5610)

  • For this release, we have started a new parser specifically for Arista devices. The new parser is dramatically more selective (only accepting configs that are valid on Arista) and more performant. This resolves at least one parsing-related crash (#5582), adds support for many more interface and BGP directives, and will continue to improve in ongoing releases.

  • Palo Alto Networks: Batfish now supports aggregate-ethernet interfaces and computes their bandwidths correctly based on interface liveness (#5682). Thanks @oneryalcin!

  • FRR/Cumulus: our collaborators at Amazon have contributed numerous improvements to interface definitions (#5668), BGP community-list matching (#5578), and the local-as / no-prepend BGP directives (#5684). Thanks, @raveranj and @kylehoferamzn!

  • NX-OS: new support for the route-map match route-type directive (#5590), plus other minor parsing improvements (#5589; @agember contributed #5626 and #5646, thanks!)

  • IOS-XR: route policy evaluation no longer crashes (#5636, thanks @oneryalcin!)

  • Thanks also to @Miyoshi-Ryota for contributing improvements to Batfish documentation!

Bug fixes

  • Juniper: On some chassis, a firewall filter will not include a line matching on IP Protocol (e.g., TCP) when it is implied by another rule (such as matching on TCP Flags). For these devices, fixed behavior that could lead to nonsense packets being permitted by the filter (#5574).

  • bfq.traceroute: fixed a case where a device accepting a packet would record the wrong interface owning the destination IP in the InboundStep. (#5614)

  • bfq.testFilters: fixed a crash when run in differential mode on a filter that only existed in one snapshot. (#5619)

Behavioral changes

  • Questions like bfq.reachability or bfq.testFilters that return one flow from a space of matching packets will now choose "better" representatives. For example, public IPs like 8.8.8.8 or 1.1.1.1 are preferred over bogon or reserved IPs like 0.0.0.0; TCP and UDP flows will be biased towards known or ephemeral ports (e.g., TCP destination port 443 instead of 0); and other similar improvements.
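
The preference order described above, sketched as an added example. This is not Batfish's code or its actual algorithm: the function names, the ranking, and every list entry beyond 8.8.8.8, 1.1.1.1 and port 443 are assumptions made for illustration.

```python
import ipaddress

# Assumed preference lists; the release notes name only 8.8.8.8, 1.1.1.1 and port 443.
PREFERRED_IPS = [ipaddress.ip_address(a) for a in ("8.8.8.8", "1.1.1.1")]
KNOWN_PORTS = [443, 80, 22, 53]
EPHEMERAL = (49152, 65535)  # IANA dynamic/private port range


def ip_rank(ip):
    """Lower is better: preferred public, other public, private, bogon/reserved."""
    if ip in PREFERRED_IPS:
        return 0
    if ip.is_global:
        return 1
    if ip.is_reserved or ip.is_unspecified or ip.is_multicast or ip.is_loopback:
        return 3
    return 2


def pick_ip(prefixes):
    """Choose a representative address from a packet space given as CIDR strings."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # Candidates: preferred addresses inside the space, plus the first host of each prefix.
    candidates = [ip for ip in PREFERRED_IPS if any(ip in n for n in nets)]
    candidates += [next(iter(n.hosts()), n.network_address) for n in nets]
    return str(min(candidates, key=ip_rank))  # ties keep input order


def pick_port(ranges):
    """Choose a representative port from inclusive (low, high) ranges."""
    def contains(port):
        return any(lo <= port <= hi for lo, hi in ranges)

    for port in KNOWN_PORTS:
        if contains(port):
            return port
    # Otherwise the lowest ephemeral port the space allows.
    overlaps = [max(lo, EPHEMERAL[0]) for lo, hi in ranges if hi >= EPHEMERAL[0]]
    if overlaps:
        return min(overlaps)
    # Last resort: the lowest nonzero port, or 0 if nothing else matches.
    lows = [max(lo, 1) for lo, hi in ranges if hi >= 1]
    return min(lows) if lows else 0
```

When reviewing a filter audit, a representative such as 8.8.8.8 to port 443 is easier to recognize as realistic permitted traffic than 0.0.0.0 to port 0, even though both lie in the same matching space.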

Installation

To upgrade your local Docker image, run docker pull batfish/allinone, then follow the standard instructions to get started.