
Batfish 2020-08-11

@dhalperi released this 11 Aug 08:28 (commit 8dea0bd)

Release notes

This release brings important security improvements. All users are encouraged to update.

  • (#5740, #5718, #5792) When using the file-based storage system (the default for open-source Batfish), authorized users could supply arbitrary strings that were used to build file paths, allowing them to read or write files with the privileges of the Batfish process. We have completely rewritten the storage layer so that no path read or written contains a user-provided string.
  • Several of our Java dependencies had known security issues. We have upgraded the affected dependencies (#5736, #5742, #5918). To ensure we upgrade promptly in the future, we have added nightly scans with the OWASP dependency-check scanner (#5738).
  • (#6022) We have hardened the service against potential regular-expression denial of service (ReDoS) by switching to the re2j regular expression library, a Java port of RE2 whose matching time is linear in the length of the input.

We continue to recommend running Batfish in a containerized environment with custom access controls, or upgrading to Batfish Enterprise.
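
As an added illustration of the storage issue above (example code written for this page in Go, not Batfish's Java implementation), the block below contrasts the naive construction, in which a caller-chosen snapshot name becomes a path component, with an id-based layout in the spirit of the rewrite: names are mapped to opaque identifiers and only identifiers ever reach the filesystem. The storage root, the IDStore type and its in-memory name index are assumptions of the example, and the attacker-chosen name is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// naivePath builds a storage path directly from a caller-supplied name, the
// pattern the advisory describes. filepath.Join cleans ".." segments, so a
// name such as "../../../../etc/passwd" resolves outside root.
func naivePath(root, name string) string {
	return filepath.Join(root, name)
}

// isWithin reports whether p is root itself or lies beneath it, judged
// lexically after cleaning. Use it as a detection check, not as the only
// defence: it does not see through symlinks that live inside root.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// idPattern is the only shape a storage identifier may take: 32 lowercase
// hex digits. Anything else is refused before it reaches the filesystem.
var idPattern = regexp.MustCompile(`^[0-9a-f]{32}$`)

// IDStore maps user-chosen names to opaque identifiers and builds paths
// from the identifiers only, so no user-provided byte ever becomes part of
// a path. The in-memory map stands in for the index a real service would
// persist (an assumption of this example, not Batfish's implementation).
type IDStore struct {
	root  string
	names map[string]string // user-chosen name -> opaque id
}

// NewIDStore returns a store rooted at the given directory.
func NewIDStore(root string) *IDStore {
	return &IDStore{root: filepath.Clean(root), names: map[string]string{}}
}

// Create registers name and returns the random id assigned to it; a name
// that already exists keeps its id. The name is only ever a map key.
func (s *IDStore) Create(name string) (string, error) {
	if id, ok := s.names[name]; ok {
		return id, nil
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b[:])
	s.names[name] = id
	return id, nil
}

// Lookup returns the id registered for name, if any.
func (s *IDStore) Lookup(name string) (string, bool) {
	id, ok := s.names[name]
	return id, ok
}

// PathFor builds the on-disk location for an id. The format check is a
// second line of defence: an id that arrived by any other route still
// cannot carry separators or dot segments, and the containment check
// re-asserts the invariant before the path is used.
func (s *IDStore) PathFor(id string) (string, error) {
	if !idPattern.MatchString(id) {
		return "", errors.New("malformed storage id")
	}
	p := filepath.Join(s.root, id)
	if !isWithin(s.root, p) {
		return "", errors.New("path escapes storage root")
	}
	return p, nil
}

func main() {
	root := "/var/lib/batfish/storage" // assumed storage root
	evil := "../../../../etc/passwd"   // constructed attacker-chosen snapshot name

	naive := naivePath(root, evil)
	fmt.Printf("naive:    %s (within root: %v)\n", naive, isWithin(root, naive))

	store := NewIDStore(root)
	id, err := store.Create(evil)
	if err != nil {
		panic(err)
	}
	safe, _ := store.PathFor(id)
	fmt.Printf("id-based: %s (within root: %v)\n", safe, isWithin(root, safe))

	if _, err := store.PathFor(evil); err != nil {
		fmt.Println("using the raw name as an id is refused:", err)
	}
}
```

The containment check alone is weaker than it looks: it compares cleaned strings and knows nothing about symlinks or the filesystem's case handling, which is why the release's approach of keeping user strings out of paths entirely is the one to copy; the check then only guards an invariant that the id format already enforces.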
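
An added example of the ReDoS point, not Batfish code: Go's regexp package implements RE2, as re2j does for Java, so it serves here as a stand-in for the engine Batfish switched to. The block times a nested-quantifier pattern against growing crafted inputs and lists Perl constructs the RE2 family refuses to compile, which is the migration caveat to check for in a codebase moving off java.util.regex. The pattern and the inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// pathological is a textbook catastrophic-backtracking pattern: nested
// quantifiers followed by an anchor. On a backtracking engine such as
// java.util.regex, a run of "a"s followed by one character that can never
// match forces it to try exponentially many ways of splitting the run.
const pathological = `^(a+)+$`

// matchTimed compiles pattern, matches it against input and reports the
// result together with the wall time spent matching. Go's regexp package
// implements RE2 semantics, the same guarantee re2j brings to Java: matching
// time is linear in len(input) for every pattern the engine accepts.
func matchTimed(pattern, input string) (bool, time.Duration, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, 0, err
	}
	start := time.Now()
	matched := re.MatchString(input)
	return matched, time.Since(start), nil
}

// unsupported lists constructs RE2-family engines reject at compile time.
// The price of the linear-time guarantee is that backreferences and
// lookaround are gone; code migrated from java.util.regex needs each such
// pattern rewritten, and Compile makes the breakage loud rather than silent.
var unsupported = []string{
	`(a)\1`,      // backreference
	`foo(?=bar)`, // positive lookahead
	`(?<!x)y`,    // negative lookbehind
}

// rejected returns the patterns from the list that fail to compile.
func rejected(patterns []string) []string {
	var out []string
	for _, p := range patterns {
		if _, err := regexp.Compile(p); err != nil {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	for _, n := range []int{10, 1_000, 100_000} {
		// constructed input: a crafted value that almost matches but cannot
		input := strings.Repeat("a", n) + "!"
		matched, took, err := matchTimed(pathological, input)
		if err != nil {
			panic(err)
		}
		fmt.Printf("n=%-7d matched=%-5v took=%v\n", n, matched, took)
	}
	fmt.Println("refused at compile time:", rejected(unsupported))
}
```

Running the same pattern and the 100,000-character input through a backtracking engine is the way to confirm the vulnerability in a lab, but do it with a timeout: the point of the RE2 family is that there is no input length at which matching stops being affordable, whereas the backtracking engine's runtime doubles with each extra character once it has to fail.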

Noteworthy new features and improvements in this release include:

  • This release brings dozens of improvements to Amazon Web Services (AWS) modeling. We focused on improved support for Transit Gateways, VPC Peering, and many more features, with a special focus on asymmetric and cross-account connectivity. Try out the Batfish Enterprise trial for your AWS account today at https://www.intentionet.com/trial!

  • Our collaborators at Amazon have contributed several features to this release (thanks, @kylehoferamzn and @raveranj!), including:

    • (#5698, #5839) FRR support for configuring attributes of static routes.
    • (#5857) BGP Routes now provides information about ClusterList and OriginatorId.
    • (#5800) FRR: Add support for "force"/"all" with next-hop-self.
    • (#5856) FRR: BGP cluster-id support.
    • (#6033) FRR: Support for setting weight in a route-map.
  • We have added support for building an entire Palo Alto Networks (PAN) deployment directly from a Panorama configuration dump.

    To try it out, use the utilities from the pan-python library:

    1. Download the entire Panorama config backup as XML:

      panxapi.py -t <panorama_name> -sxr > active_config.xml
      

      Here, panorama_name is the tag of a device entry defined in your .panrc.

    2. Convert the XML file to a “set”-command file:

      panconf.py --config active_config.xml --set > active_config.set
      

      Then upload active_config.set to Batfish and it will generate all the devices. This functionality is brand new and may still have some kinks to work out. If you do try it out, let us know (@sfraint) on Slack or GitHub!

    We have also improved NAT support for destination port translation (#5989).

  • (#5827, #5828) Parts of the code that choose arbitrary flows (e.g., traceroute and reachability) now choose more human-friendly flows. For example, a well-known application such as DNS is preferred over an arbitrary UDP port when finding flows that match given criteria, and common TCP flag combinations such as SYN or SYN+ACK are preferred over others.

  • We have continued improving the Arista-focused parser with better reference tracking, a more complete and precise grammar, and other new additions. These include:

    • (#5940) Added support for BGP peer-filters.
    • (#6058) Fix handling of router bgp stanzas with dotted AS numbers. Thanks, @dannypetrov!

Bug fixes:

  • (#5723, #5726) F5: Fix structure tracking and BGP inheritance. Thanks, @brucedewald!
  • (#5747) Traceroute now correctly includes a denied-in step when dropping a packet due to policy-based routing.
  • (#5810) IOS: track ACL references in snmp-server group v3.
  • (#5830) IOS: implement bgp confederations. Thanks @oneryalcin!
  • (#5833) IOS: added parsing for multiple VTY lines. Thanks @rickdonato!
  • (#5851) IOS: fix a crash in malformed ISAKMP profiles. Thanks @rickdonato!
  • (#5837) IOS: correct support for interface encapsulation vlan. Thanks @rickdonato!
  • (#5843) Dataplane: Fix a next-hop IP computation in uncommon cases for BGP dynamic (passive) sessions.
  • (#5860) Juniper: improve ethernet switching parsing. Thanks @rickdonato!
  • (#5956) Juniper: add support for more characters in GroupWildcard. Thanks @SivaKesava1!
  • (#5887) ASA: support service-object ip. Thanks @rickdonato!
  • (#6006) IOS-XR: fix a crash when using ACL udf statements. Thanks @SivaKesava1!
  • (#6008) IOS-XR: fix a crash when using as-path-set passes-through. Thanks @SivaKesava1!
  • (#6016) IOS-XR: update interface names. Thanks, @dgarros for contributing!
  • (#6019) IOS-XR: added support for bundle interfaces. Thanks @dgarros!
  • (#6051) JunOS: fix a crash when an interface is referenced but not defined. Thanks, Mohammed Reehan on Slack!
  • (#6043) ASA: track ACLs used in crypto map match address. Thanks @dannypetrov!

Breaking changes:

  • During our security work, we deleted a number of deprecated APIs. Anyone using the latest pybatfish release should have no issues.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone, then follow the standard instructions to get started.