Batfish 2020-10-08
Release notes
This release brings security improvements, new analysis capabilities, major performance optimizations, and, as always, a variety of miscellaneous vendor-specific improvements.
Security
This release has important security fixes, and all users are recommended to upgrade.
- We have fixed a potential vulnerability when ingesting (maliciously constructed) AWS data (#6094).
- We have changed the defaults in Java so that only the coordinator listens for incoming connections. This change only affects developers: when running the `batfish/batfish` or `batfish/allinone` Docker containers as recommended, the other services were not exposed.
We are phasing out the old and unmaintained security-related APIs from Batfish. Users are advised to provide their own security layer, to run the service in local-only mode, or to upgrade to Batfish Enterprise. In this release, we have removed the overly permissive Cross-Origin Resource Sharing (CORS) headers from the service (#6172). Note that pybatfish is unaffected.
Performance optimizations
In this release, we focused on a number of improvements to the dataplane and traceroute engines. They both use less CPU and RAM during computation.
- The traceroute engine is now able to handle much higher degrees of ECMP, while using a fraction of the memory (#6175).
- BGP neighbor computation is significantly faster for large networks (#6093).
- BGP route propagation has also been improved to handle larger networks (#6251, #6226, #6123, ...).
We've also made some general memory efficiency improvements across the stack (#6249, #6253, #6245).
New features and noteworthy improvements
- The new `bfq.searchRoutePolicies` question (#6224, #6180, #6168, ...) allows users to search for BGP route advertisements that would be permitted or denied by a given routing policy. This allows for exhaustive validation of routing policies and will find concrete violations of policy intent. We encourage you to try this feature out yourself! Follow this example notebook for a walkthrough on how to use `searchRoutePolicies`.
- FRR support, all thanks to @kylehoferamzn
- Better filter tracing of security rules in Palo Alto firewalls. More detailed results are displayed in `testFilters` for Palo Alto devices (#6213, #6208, #6141).
- NX-OS: support route-map match as-number (#6231, #6232)
- OSPF: improvements to inter-area route propagation (#6156)
- BGP: better reflect semantics, do not merge routes with unreachable next hops (#6274)
- Arista, NX-OS: improved parsing for SNMP constructs (#6227, #6220, #6219, #6205, #6204)
- Arista: support for route-map `set distance` (#6126)
- Arista: more complete support for logging servers (#6090)
Bug fixes
- FRR: fix a bug in BGP best-path selection (#6057), add support for the interface shutdown command (#6169). Thanks, @kylehoferamzn!
- Cisco IOS: parsing improvements for EIGRP (#6276, #6275, #6271, #6269) Thanks, @AlexLardschneider!
- Cisco IOS: fix redistribution of non-classful networks (#6192) Thanks, @brotobia!
- Cisco IOS: fix some interface names during parsing (#6199, #6198, #6104)
- Arista, Cisco: Fix handling of large (32-bit) local-preference values (#6089) Thanks, @brotobia!
- Arista: Fix a crash when using source NAT on an interface with no IP address (#6107) and with NAT pools where the broadcast IP is the only pool address (#6108). Thanks, @dannypetrov!
- AWS: handle route table entries pointing at NAT gateways (#6263)
- Juniper: process sub-interface VLAN config (#6184). Thanks, Sharon Saadon on Slack!
- Batfish: Better error message when a snapshot has no files (#6139)
Breaking changes
During our optimization work we removed an experimental feature called Prefix Tracer. It was not widely used but contributed a lot of overhead. Developers can re-enable this feature by changing the `PrefixSet` to be traced in `PrefixTracer.java`.
Installation
To upgrade your local Docker image, run `docker pull batfish/allinone`, then follow the standard instructions to get started.