Batfish 2020-04-23

Release notes

Announcements

We are excited to announce a free trial of Batfish Enterprise for AWS. To learn more, read our blog post or check out the video demos on Youtube. Sign up at https://www.intentionet.com/trial.

Noteworthy new features and improvements in this release include

• For this release, we have overhauled and dramatically extended Batfish support for Amazon Web Services (AWS) configurations. This includes support for new constructs such as Load Balancers, NAT Gateways, and Transit Gateways, as well as improved modeling and visibility for standard constructs like VPCs, Subnets, Security Groups, Network ACLs, Internet Gateways, etc. You can try Batfish Enterprise on your AWS deployment by visiting https://www.intentionet.com/trial.

• Batfish ISP Modeling includes many new features. Networks can now peer with their ISPs over unnumbered BGP sessions (#5641), you can customize the prefixes an ISP will advertise to the Internet (#5585), and you can control how an ISP will filter traffic between your network and the Internet (#5666). In addition, the links Batfish creates now use link-local addresses to provide a simpler network (#5640).

• pybatfish is now distributed on pypi! (#5610)

• For this release, we have started a new parser specifically for Arista devices. The new parser is dramatically more selective (only accepting configs that are valid on Arista) and more performant. This resolves at least one parsing-related crash (#5582), adds support for many more interface and BGP directives, and will continue to improve in ongoing releases.

• Palo Alto Networks: Batfish now supports aggregate-ethernet interfaces and computes their bandwidths correctly based on interface liveness (#5682). Thanks @oneryalcin!

• FRR/Cumulus: our collaborators at Amazon have contributed numerous improvements to interface definitions (#5668), BGP community-list matching (#5578), and the local-as / no-prepend BGP directives (#5684). Thanks, @raveranj and @kylehoferamzn!

• NX-OS: new support for the route-map match route-type directive (#5590), plus minor other parsing improvements (#5589, and @agember contributed #5626 and #5646; thanks!)

• IOS-XR: no longer crash during route policy evaluation (#5636, thanks @oneryalcin!)

• Thanks also to @Miyoshi-Ryota for contributing improvements to Batfish documentation!

Bug fixes

• Juniper: On some chassis, a firewall filter will not include a line matching on IP Protocol (e.g., TCP) when it is implied by another rule (such as matching on TCP Flags). For these devices, fixed behavior that could lead to nonsense packets being permitted by the filter (#5574).

• bfq.traceroute: fixed a case where a device accepting a packet would record the wrong interface owning the destination IP in the InboundStep. (#5614)

• bfq.testFilters: fixed a crash when run in differential mode on a filter that only existed in one snapshot. (#5619)

Behavorial changes

• Questions like bfq.reachability or bfq.testFilters that return one flow from a space of matching packets will now choose "better" representatives. For example, public IPs like 8.8.8.8 or 1.1.1.1 are preferred over bogon or reserved IPs like 0.0.0.0; TCP and UDP flows will be biased towards known or ephemeral ports (e.g., TCP destination port 443 instead of 0); and other similar improvements.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2020-02-19

Release notes

Noteworthy new features and improvements in this release include:

• FRR: improved support for community lists and set comm-list delete (#5517, #5549, contributed by @raveranj!)
• Cisco ASA: redundant interface support (#5542, thanks Chris A. Evans on Slack!)
• Cisco NX-OS: support for overriding OSPF admin distance (#5515)
• Test Filters: improve performance on networks with tens of thousands of filters (#5543)
• Palo Alto Networks: Batfish now ignores show config lines that may be accidentally left in the configuration in hierarchical nested formats (#5529)

Bug fixes:

• Reachability and related questions: fix a bug where the engine could miss flows that should be DENIED_OUT. This issue manifested on SRX firewalls not also running NAT. (#5573, thanks @jsimonetti on Slack!)
• Search Filters: Fix a bug preventing displaying the answer returned in differential mode (#5545, thanks @ishan on Slack!)

Breaking changes:

• None known.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2020-02-03

Release notes

Noteworthy new features and improvements in this release include:

• Batfish now produces detailed filter traces for TestFilters and SearchFilters questions. Most improvements can be seen in filter on Juniper SRX, Amazon Web Services (AWS), Cisco ASA and Palo Alto Networks devices.
  See the Analyzing public and hybrid cloud networks notebook for an example. When tracing an AWS instance's security groups, the following trace is produced:
  • Matched security group launch-wizard-1
    • Matched rule with description Connectivity test
      • Matched protocol TCP
      • Matched destination port 3306
      • Matched source address CIDR IP 0.0.0.0/0
• SearchFilters: more comprehensive search of flows on firewalls (#5406)
• Cumulus FRR: better support for labs from Dinesh Dutt (@ddutt) (#5397, #5443, #5454)
• Cumulus FRR: better support for set community additive (#5327) and set metric (#5441) (Thanks, @raveranj!)
• BGP: better support no-export community in all vendors (#5408)

Bug fixes:

• Arista BGP: fix two small bugs introduced in the last release (#5434, #5463)
• Juniper: fix BGP router-id inference when not explicitly configured (#5503)
• NXOS: parsing enhancements for BGP template-peer (#5511)

Breaking changes:

• None known.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2020-01-10

Release notes

Noteworthy new features and improvements in this release include:

Cumulus

This release brings major improvements to Cumulus based on user feedback, new reference configs from Pete Crocker (@petercrocker), and the labs from Dinesh Dutt's (@ddutt) new book on Cloud Native Data Center Networking. The changes focus on BGP, OSPF, and VXLAN/EVPN. We would like to thank users @kaminek and @raveranj, as well as Pete and Dinesh.

• support BGP "set community additive". (#5327, contributed by @raveranj!)
• better support for VXLAN and EVPN. (#5262,#5293)
• parsing gaps in Pete Crocker's configs. (#5347)
• many improvements for OSPF. (#5295,#5297)
• various improvements to parsing properties of interface, BGP configuration, and routes. (#5167, #5186, #5184, and many more)

Arista

This release includes a rewritten BGP parser for Arista devices. The new parser is more accurate, supports the new Arista syntax in versions 4.23+, and brings specific improvements to VXLAN/EVPN integration.

• new Arista-specific BGP parser. Users can try the old parser by supplying the noaristabgp debug flag during snapshot creation (Pybatfish: extra_args={"debugflags": "noaristabgp"}). (#5172, #5174, #5376 and more)
• improve support for VXLAN/EVPN. (#5178, #5180, #5268, #5365, #5366, #5367)

VXLAN/EVPN

Batfish now better models L2 and L3 VNIs separately, with support in Cumulus and Arista. Configuration properties can be examined with vxlanVniProperties (L2 VNIs) and evpnL3VniProperties (L3 VNIs). (#5256 and more)

AWS

We've made major improvements to AWS including new support for VPC peering and transit gateways, more features in security-groups, ISP modeling, and more. (#5173, #5168, #5171, and many more)

And more

We have improved the output or semantics to many questions:

• bgpSessionCompatibility and bgpSessionStatus questions now both report the negotiated address families for each session. (#5213,#5214)
• Questions that produce the trace of a flow through the network, such as traceroute and reachability, now include much more information about the steps of the forwarding pipeline. For example, MatchSessionStep now reports the conditions for matching the session in a return flow and the packet transformations applied on the reverse path. (#5229, #5237, #5240, and more)
• differentialReachability now only considers flows starting at locations present and active in both snapshots. (#5236)

As always, our open source users have contributed reports that have led to many small distributed improvements:

• Cisco IOS: add prefixes for some less common interfaces. (#5264, thanks @ancker on Slack!)
• Ruckus ICX: though not supported, these files are now recognized and skipped. (#5257, thanks @ancker!)
• Cisco ASA: support for firewall sessions and examining reverse traffic. (#5331, thanks @eidorb!)
• Cisco ASA: prevent a crash when parsing built-in service objects. (#5225, thanks @eidorb!)
• Palo Alto Networks: interpret application any with service application-default as match all. (#5310, thanks @3kn on Slack!)
• Palo Alto Networks: handle multiline tokens better during flattening. (#5292, thanks @3kn!)
• Palo Alto Networks: Support quoted values containing quotes. (#5273, thanks @3kn!)
• Batfish host modeling: interfaces can now be specified in a list instead of a map to eliminate inconsistent data. (#5291, thanks @raveranj!)

And we have improved ISP modeling:

• Batfish ISPs: users can now supply custom names for each ISP instead of the default isp_<ASN>. (#5280)

Breaking changes:

• We have dropped the HeaderConstraint parameter flowStates (firewallClassifications in Pybatfish). This functionality was not used and has been subsumed by the firewall sessions used in bidirectional path questions such as bidirectionalTraceroute.
• Now that Python 2.x is officially end-of-life, Pybatfish no longer works in Python 2.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-11-20

Release notes

Noteworthy new features and improvements in this release include:

• This Batfish release accompanies the AnsibleFest 2019 demo network and Ansible playbooks showing how to build network CI pipelines with Batfish. See the code and data and the video: Building network CI pipelines with Batfish
  
• (#5139) Improved support for Amazon Web Services (AWS) networks.
• (#5148) NX-OS: improved parsing and handling for EVPN (thanks, Slack user)

Bug fixes:

• (#5141) JunOS: Improvements to handling for aggregate routes.
• (#5136) IOS-XR: fix community mutation for BGP routes with mixed standard and extended communities
• (#5151) ASA: fix a parsing crash in some failover configuration (thanks @eidorb on Slack!)

Breaking changes:

• None known.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-11-05

Release notes

Noteworthy new features and improvements in this release include:

• (#5000) ospfEdges: Better filtering on the reported edges. (Thanks, @pfeiffermj and @kokasha!)
• (#5020, #5042, #5055) Core support for OSPF NBMA in Batfish plus support across a range of vendors.
• (#5086) Data-plane: Support redistribution into IS-IS.
• (#4994, many more) Palo Alto: Improved support for BGP including redistribution and confederations.
• (#5009, #5040, many more) Palo Alto: Support for NAT including both source and destination NAT.
• (#5001, ) F5: Improved support for BGP.

Bug fixes:

• (#5110) Fix a regression in v2019.10.14 where JunOS community was ignoring the invert-match directive.
• (#5033) Fix a regression in NX-OS, F5, and Cumulus where prefix-lists declared without a lower or upper bound were interpreted incorrectly.
• (#4999) JunOS: support another way of configuring interface vlan IDs. (Thanks, @minitriga!)
• (#5008, various) Batfish: general confederation improvement fixes and improvements.
• (#5021) OSPF sessions properly configured when interface has multiple addresses.
• (various) minor improvements to OSPF and IS-IS route attributes (networks, loopback handling, default costs on various vendors).
• (#5124) IOS-XR: fix a crash when parsing certain BGP stanzas with multiple complex neighbors. Thanks, batfish-diagnostics user!

Breaking changes:

• None known.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-10-14

Release notes

Noteworthy new features and improvements in this release include:

• (#4813, #4961, #4960, #4956, #4990) Batfish now has initial support for BGP confederations on many vendors, including Cumulus, F5, and Juniper.
• (#4812, #4819, #4824) F5: added support for OSPF and BGP routing.
• (#4821, #4827, #4831) Cumulus/FRR: added support for OSPF.
• (#4854, #4868, #4880, #4884, and more) Palo Alto: added support for BGP and OSPF routing protocols
• (#4951 and more) Palo Alto: added support for dynamic address-groups
• (#4806, #4835, #4883) We have completely overhauled BGP Community support in Batfish. This resolves issues such as #4190 (thanks @Volcanon-!) across all vendors.
• (#4895, #4906, #4889) Cumulus/FRR: improved support for route-maps and AS-Path matching.
• (#4803) routes now shows next-hop interface changes when asked in differential mode

Bug fixes:

• (#4809, #4811) Ensure hostnames are lowercase canonically everywhere throughout Batfish
• (#4832) IOS: fix inference of OSPF network-type
• (#4842) Palo Alto: support subinterfaces of interfaces in no virtual-router. Before, the subinterfaces were deactivated, preventing them from routing
• (#4844, #4858) Fix properties of OSPF loopback routes
• (#4900) JunOS: improved handling of family ethernet-switching interface-mode. Thanks, @vanyasvl!
• (#4851) Overhaul parsing of banner in Cisco-like languages. Thanks, @eidorb!

Breaking changes:

• The ability to use the old NX-OS parser (see release v2019.09.20) has been removed.
• Pybatfish no longer supports Python 2.x.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-09-20

Release notes

Noteworthy new features and improvements in this release include:

• (#4718 and many more) New NX-OS parser!

  We have completely rewritten the parser for Cisco NX-OS. The new parser is faster and more accurate, supports many no commands, and adds new features like VXLAN and EVPN.

  There may be some minor regressions that we have not yet detected. Please file issues here on GitHub or chat about them on the Batfish Slack channel. To temporarily revert to the old parser, supply the oldnxos debug flag during snapshot initialization:

  bf_init_snapshot('/path/to/snapshot', name='name', extra_args={'debugflags': 'oldnxos'})

  The old parser will be removed once any regressions have been resolved.

• (#4760,#4762) Cumulus: Improved support for BGP.

• (#4802) Added comparison of next-hop interface to routes in differential mode.

• (#4692,#4694) Rewrote ospfSessionCompatibility. It now reports both correctly configured and mismatched OSPF sessions.

• (#4722) NX-OS: Added support for BGP next-hop-unchanged.

Bug fixes:

• (#4763) Resolved a crash with BGP unnumbered peers when next-hop interface was configured incorrectly in distributed routes.

• (#4790) Improved reference tracking of interfaces in Cumulus.

Breaking changes:

• None known.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-08-29

Release notes

Noteworthy new features and improvements in this release include:

• (#4431, #4452, #4553, and many more) Added support for Cumulus FRR! See documentation for how to package configs here.
• (#4656) Support for EVPN type 5 routes.
• (#4404, #4434, #4549) Improved EIGRP filtering and metric computation.
• (#4430, #4481, and more) More accurate OSPF representation.
• (#4659) Additional information in ospfInterfaceConfiguration question.

Bug fixes:

• (#4421) Cisco IOS: Fix parsing bug caused by EIGRP hello/hold timers (thanks @Tachashi!).

Breaking changes:

• (#4418) viModel question: Removed edges field. Edge information should be procured using the edges question.
• (#4655) interfaceProperties question: Removed OSPF interface settings. This information should be procured using the ospfInterfaceConfiguration question.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.

Batfish 2019-07-31

Release notes

Noteworthy new features and improvements in this release include:

• (#4296, #4322, and more) Support EIGRP running atop overlay links.
• (#4368) Support for EIGRP distribute lists (thanks @Tachashi!).
• (#4192, #4201, #4256, and more) Cumulus: Improved interface parsing.
• (#4185, #4193) BGP: Support for extended communities and per address family route reflector settings.
• (#4229) IOS-XR: Correctly identify configurations extracted using RANCID.
• (#4265) New WILL_NOT_COMMIT status for invalid configurations.
• (#4186, #4371, #4375) Cisco: Improved interface parsing.
• (#4277, #4280, #4282) Cisco: Enhanced support for GRE tunnels.
• (#4286, #4287) Cisco IOS: Extended support for ISAKMP keys.
• (#4274, #4278) Cisco ASA: Improved parsing for service object destination ports and network object ranges.
• (#4197, #4279, #4289) Juniper: Support for integer OSPF area IDs (thanks @kokasha!), range-address in address books, and named ports in applications.
• (#4349) AWS: Improved interface parsing.
• (#4378) Palo Alto Networks: Better support for application-matching rules (thanks @jotong!).

Bug fixes:

• (#4237) IOS-XR: Reference tracking for routing policies referenced with apply (thanks @supertylerc!).

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.