batfish v2023.12.16 releases: network configuration analysis tool
What is Batfish?
Batfish is a network validation tool that provides correctness guarantees for security, reliability, and compliance by analyzing the configuration of network devices. It builds complete models of network behavior from device configurations and finds violations of network policies (built-in, user-defined, and best practices).
A primary use case for Batfish is to validate configuration changes before deployment (though it can be used to validate deployed configurations as well). Pre-deployment validation is a critical gap in existing network automation workflows. By including Batfish in automation workflows, network engineers can close this gap and ensure that only correct changes are deployed.
Batfish does NOT require direct access to network devices. The core analysis requires only the configuration of network devices. This analysis may be enhanced using additional information from the network such as:
- BGP routes received from external peers
- Topology information represented by LLDP/CDP
What kinds of correctness checks does Batfish support?
Configuration Compliance
- Flag undefined-but-referenced or defined-but-unreferenced structures (e.g., ACLs, route maps)
- Configuration settings for MTUs, AAA, NTP, logging, etc. match templates
- Devices can only be accessed using SSHv2 and the password is not null
Reliability
- End-to-end reachability is not impacted for any flow after any single-link or single-device failure
- Certain services (e.g., DNS) are globally reachable
Security
- Sensitive services can be reached only from specific subnets or devices
- Paths between endpoints are as expected (e.g., traverse a firewall, have at least 2 way ECMP, etc…)
Change Analysis
- End-to-end reachability is identical across the current and a planned configuration
- Planned ACL or firewall changes are provably correct and cause no collateral damage for other traffic
- Two configurations, potentially from different vendors, are functionally equivalent
Supported Network Device and Operating System List
Batfish supports configurations for a large and growing set of (physical and virtual) devices, including:
- A10 Networks
- Arista
- AWS (VPCs, Network ACLs, VPN GW, NAT GW, Internet GW, Security Groups, etc…)
- Cisco (All Cisco NX-OS, IOS, IOS-XE, IOS-XR, and ASA devices)
- Check Point
- Cumulus
- F5 BIG-IP
- Fortinet
- Free-Range Routing (FRR)
- iptables (on hosts)
- Juniper (All JunOS platforms: MX, EX, QFX, SRX, T-series, PTX)
- Palo Alto Networks
- SONiC
Batfish has limited support for the following platforms:
- Aruba
- Dell Force10
- Foundry
Changelog v2023.12.16
As usual, this release includes many performance improvements and dependency upgrades for security. It also includes support for several new and noteworthy features:
- Symbolic routing policy analysis via bf.q.searchRoutePolicies supports many new route attributes, including next-hop changes, and is much faster and more scalable. It also accepts input via named community-lists, adds new constraints on AS path, and produces improved output such as sensible default values.
- A new question, bf.q.snmpCommunityClients, checks whether an SNMP community permits specified client IPs.
- Routing policy can match on the cluster-list length or the number of communities in a BGP advertisement.
- Track statements can now check for routes in the BGP RIB in addition to the Main RIB.
- BGP, IBGP, confederation, and route reflection have been substantially improved for advanced use cases.
- OSPF supports vendors like FRR that can apply filtering specific to LSA type.
- OSPF area has been expanded from a signed 32-bit number to a signed 64-bit number to support areas >= 2^31.
- Administrative distance expanded from 8-bit (0-255) to 32-bit.
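Two of the checks named on this page, the compliance check that flags undefined-but-referenced or defined-but-unreferenced ACLs and the new snmpCommunityClients question, are illustrated below with a small self-contained script. This is an added example, not Batfish code and not a model of how Batfish parses configurations: it handles only a constructed IOS-style snippet with standard ACLs, "ip access-group" interface references and "snmp-server community" lines, and it assumes (as this example's own simplification) that a community with no ACL, or with an ACL that is not defined, admits any client.

```python
"""Toy static checks in the spirit of two Batfish questions (added example, not
Batfish code): (1) ACLs referenced but undefined / defined but unreferenced,
(2) which candidate client IPs an SNMP community admits."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed IOS-style sample configuration; not taken from any real device.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any
ip access-list standard UNUSED-ACL
 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
snmp-server community s3cr3t RO MGMT-HOSTS
snmp-server community public RO
"""

# An ACL entry is (action, network, wildcard) with addresses as ints; "any" is (0, 0xFFFFFFFF).
AclEntry = Tuple[str, int, int]

ACL_HEADER = re.compile(r"^ip access-list standard (\S+)$")
ACL_ENTRY = re.compile(r"^\s+(permit|deny)\s+(any|\S+(?:\s+\S+)?)$")
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+) (?:in|out)$")
SNMP_COMMUNITY = re.compile(r"^snmp-server community (\S+) (?:RO|RW)(?: (\S+))?$")


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_config(text: str):
    """Return (acls, references, communities).

    acls: ACL name -> ordered entries; references: ACL name -> places it is used;
    communities: community string -> ACL name, or None when no ACL is attached.
    """
    acls: Dict[str, List[AclEntry]] = {}
    references: Dict[str, List[str]] = {}
    communities: Dict[str, Optional[str]] = {}
    current: Optional[str] = None  # ACL whose indented entries we are reading
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is not None and line.startswith(" "):
            if m := ACL_ENTRY.match(line):
                action, target = m.group(1), m.group(2).split()
                if target == ["any"]:
                    acls[current].append((action, 0, 0xFFFFFFFF))
                else:
                    # A single address with no wildcard is a host entry (wildcard 0).
                    wild = _to_int(target[1]) if len(target) > 1 else 0
                    acls[current].append((action, _to_int(target[0]), wild))
            continue  # remarks or other lines inside the ACL block are ignored
        current = None  # any other top-level line ends the ACL block
        if m := ACCESS_GROUP.match(line):
            references.setdefault(m.group(1), []).append("interface access-group")
        elif m := SNMP_COMMUNITY.match(line):
            name, acl = m.group(1), m.group(2)
            communities[name] = acl
            if acl:
                references.setdefault(acl, []).append(f"snmp-server community {name}")
    return acls, references, communities


def reference_check(acls, references) -> Tuple[Set[str], Set[str]]:
    """Undefined-but-referenced and defined-but-unreferenced ACL names."""
    return set(references) - set(acls), set(acls) - set(references)


def acl_permits(entries: List[AclEntry], ip: str) -> bool:
    """First matching entry wins; an IOS standard ACL ends with an implicit deny."""
    addr = _to_int(ip)
    for action, net, wild in entries:
        if (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False


def snmp_community_clients(acls, communities, client_ips: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each community, which candidate client IPs may use it.

    Assumption of this example: no ACL, or an ACL that is not defined, means
    the community is reachable from any client.
    """
    result: Dict[str, Dict[str, bool]] = {}
    for community, acl_name in communities.items():
        entries = acls.get(acl_name) if acl_name else None
        result[community] = {ip: True if entries is None else acl_permits(entries, ip) for ip in client_ips}
    return result


if __name__ == "__main__":
    acls, refs, comms = parse_config(SAMPLE_CONFIG)
    undefined, unreferenced = reference_check(acls, refs)
    print("undefined but referenced:", sorted(undefined))
    print("defined but unreferenced:", sorted(unreferenced))
    for community, verdicts in snmp_community_clients(acls, comms, ["10.0.0.7", "203.0.113.9"]).items():
        print(community, verdicts)
```

On the constructed snippet the script reports EDGE-IN as referenced but never defined and UNUSED-ACL as defined but never referenced, and it shows that the community with no ACL admits every candidate client while the ACL-bound community admits only the 10.0.0.0/24 host. Batfish answers the same kinds of questions across vendors from a full device model; this script only makes the shape of those checks concrete.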
This release contains many bug fixes to many vendors, including:
- Arista: improved robustness to invalid configurations.
- Junos: syntax improvements, especially relating to names, apply-groups, and hierarchical configuration; improved support for conditional filtering; and small new features such as per-BGP-neighbor preference.
- Cisco IOS: syntax for HSRP and interfaces, plus EIGRP improvements by @NobutakaNiiya.
- FRR: miscellaneous BGP improvements, especially regarding non-standard network statement and route-map behavior prior to FRR 7.1.
- Palo Alto Networks: App-ID support.
- SONiC: YAML parsing better tolerates extra unused whitespace.