
Batfish 2020-10-08

@progwriter progwriter released this 08 Oct 20:46
d0cbef2

Release notes

This release brings security improvements, new analysis capabilities, major performance optimizations,
and as always a variety of miscellaneous vendor-specific improvements.

Security

This release has important security fixes, and everyone is recommended to upgrade.

  • We have fixed a potential vulnerability when ingesting (maliciously constructed) AWS data (#6094).
  • We have changed the defaults in Java so that only the coordinator listens for incoming connections. This change only affects developers: when running the batfish/batfish or batfish/allinone Docker containers as recommended, the other services were not exposed.

We are phasing out the old and unmaintained security-related APIs from Batfish. Users are advised to provide their own security layer, to run the service in local-only mode, or to upgrade to Batfish Enterprise. In this release, we have removed the overly-permissive Cross-Origin-Resource-Sharing (CORS) headers from the service (#6172). Note that pybatfish is unaffected.
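A post-upgrade check that a coordinator no longer answers cross-origin requests with the permissive headers described above. This is an added example, not Batfish or pybatfish code; the header sets are constructed for illustration, and the default port 9996 and the probe origin are assumptions.

```python
"""Check a Batfish coordinator's CORS behaviour after upgrading.

The findings logic is a pure function over response headers so it can be run
offline; the live probe (OPTIONS preflight) is only issued from __main__.
"""
import urllib.error
import urllib.request

WILDCARD = "*"

def cors_findings(headers, origin):
    """Return a list of findings for a response's CORS headers.

    `headers` is a mapping of response headers (any case); `origin` is the
    Origin the request was sent with, so a reflected origin can be detected.
    An empty list means the response exposes nothing cross-origin.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    methods = h.get("access-control-allow-methods", "").upper()
    findings = []
    if acao == WILDCARD:
        findings.append("wildcard Access-Control-Allow-Origin: any site may read responses")
    elif acao and acao == origin:
        findings.append("Access-Control-Allow-Origin reflects the request Origin")
    if creds and acao in (WILDCARD, origin):
        findings.append("Allow-Credentials is true together with a non-fixed origin")
    if acao and any(m in methods for m in ("PUT", "DELETE")):
        findings.append("state-changing methods are allowed cross-origin")
    return findings

# Constructed header sets (not captured from a real Batfish service).
PERMISSIVE_EXAMPLE = {"Access-Control-Allow-Origin": "*",
                      "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE"}
FIXED_EXAMPLE = {"Content-Type": "application/json"}

def probe(url, origin="https://not-batfish.example"):
    """Send a preflight to `url` and evaluate the headers it answers with."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": "POST"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return cors_findings(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry headers
        return cors_findings(dict(e.headers.items()), origin)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9996/"  # assumed port
    print(probe(target) or "no permissive CORS headers found")
```

Run it against the coordinator URL after pulling the new image; an empty result is the expected outcome for this release.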

Performance optimizations

In this release, we focused on a number of improvements to the dataplane and traceroute engines. Both now use less CPU and RAM during computation.

  • The traceroute engine now handles much higher degrees of ECMP while using a fraction of the memory (#6175).
  • BGP neighbor computation is significantly faster for large networks (#6093).
  • BGP route propagation has also been improved to handle larger networks (#6251, #6226, #6123, ...).

We've also made some general memory efficiency improvements across the stack (#6249, #6253, #6245).

New features and noteworthy improvements

  • The new bfq.searchRoutePolicies question (#6224, #6180, #6168, ...) allows users to search for BGP route advertisements that would be permitted or denied by a given routing policy. This allows for exhaustive validation of routing policies and will find concrete violations of policy intent. We encourage you to try this feature out yourself! Follow this example notebook for a walkthrough on how to use searchRoutePolicies.
  • FRR support, all thanks to @kylehoferamzn
    • BGP to OSPF redistribution (#6087)
    • OSPF to BGP Redistribution with route maps (#6052)
    • Route-map support for max-med administrative metric (#6086)
  • Better filter tracing of security rules in Palo Alto firewalls: more detailed results are displayed in testFilters for Palo Alto devices (#6213, #6208, #6141)
  • NX-OS: support route-map match as-number (#6231, #6232)
  • OSPF: improvements to inter-area route propagation (#6156)
  • BGP: better reflect semantics, do not merge routes with unreachable next hops (#6274)
  • Arista, NX-OS: improved parsing for SNMP constructs (#6227, #6220, #6219, #6205, #6204)
  • Arista: support for route-map set distance (#6126)
  • Arista: more complete support for logging servers (#6090)

Bug fixes

  • FRR: fix a bug in BGP best-path selection (#6057) and add support for the interface shutdown command (#6169). Thanks, @kylehoferamzn!
  • Cisco IOS: parsing improvements for EIGRP (#6276, #6275, #6271, #6269). Thanks, @AlexLardschneider!
  • Cisco IOS: fix redistribution of non-classful networks (#6192). Thanks, @brotobia!
  • Cisco IOS: fix some interface names during parsing (#6199, #6198, #6104)
  • Arista, Cisco: fix handling of large (32-bit) local-preference values (#6089). Thanks, @brotobia!
  • Arista: fix a crash when using source NAT on an interface with no IP address (#6107) and with NAT pools where the broadcast IP is the only pool address (#6108). Thanks, @dannypetrov!
  • AWS: handle route table entries pointing at NAT gateways (#6263)
  • Juniper: process sub-interface Vlan config (#6184) Thanks, Sharon Saadon on Slack!
  • Batfish: Better error message when a snapshot has no files (#6139)

Breaking changes

During our optimization work we removed an experimental feature called Prefix Tracer. It was not widely used but contributed a lot of overhead. Developers can re-enable this feature by changing the PrefixSet to be traced in PrefixTracer.java.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone, then follow the standard instructions to get started.