batfish v2022.09.08 releases: network configuration analysis tool
What is Batfish?
Batfish is a network validation tool that provides correctness guarantees for security, reliability, and compliance by analyzing the configuration of network devices. It builds complete models of network behavior from device configurations and finds violations of network policies (built-in, user-defined, and best practices).
A primary use case for Batfish is to validate configuration changes before deployment (though it can be used to validate deployed configurations as well). Pre-deployment validation is a critical gap in existing network automation workflows. By including Batfish in automation workflows, network engineers can close this gap and ensure that only correct changes are deployed.
Batfish does NOT require direct access to network devices. The core analysis requires only the configuration of network devices. This analysis may be enhanced using additional information from the network such as:
- BGP routes received from external peers
- Topology information represented by LLDP/CDP
What kinds of correctness checks does Batfish support?
Configuration Compliance
- Flag undefined-but-referenced or defined-but-unreferenced structures (e.g., ACLs, route maps)
- Configuration settings for MTUs, AAA, NTP, logging, etc. match templates
- Devices can only be accessed using SSHv2 and the password is not null
Reliability
- End-to-end reachability is not impacted for any flow after any single-link or single-device failure
- Certain services (e.g., DNS) are globally reachable
Security
- Sensitive services can be reached only from specific subnets or devices
- Paths between endpoints are as expected (e.g., traverse a firewall, have at least 2-way ECMP, etc.)
Change Analysis
- End-to-end reachability is identical across the current and a planned configuration
- Planned ACL or firewall changes are provably correct and cause no collateral damage for other traffic
- Two configurations, potentially from different vendors, are functionally equivalent
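The "Security" check above (a sensitive service reachable only from specific subnets) is the kind of policy Batfish's reachability question answers. The script below is an added example, not Batfish's own code; it assumes a Batfish service on localhost, a snapshot directory ./snapshots/candidate, and the constructed subnets shown, and defers the pybatfish import so the pure-Python evaluation runs on its own.

```python
"""Added example (not from the Batfish project): verify that SSH into a management
subnet is reachable only from an allowed jump-host subnet.  Assumes a Batfish service
on localhost and a snapshot at ./snapshots/candidate (both hypothetical)."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed policy values for the example.
MGMT_SUBNET = "10.10.0.0/24"          # hosts running the sensitive service
ALLOWED_SOURCES = ["10.1.1.0/24"]     # jump-host subnet that may reach them
SERVICE = "SSH"                       # Batfish application name

def offending_flows(flows: Iterable[Dict[str, str]],
                    allowed_sources: List[str]) -> List[Dict[str, str]]:
    """Return flows whose source lies outside every allowed prefix.
    Each flow is a dict with 'src', 'dst' and 'node' keys (see rows_from_answer)."""
    allowed = [ipaddress.ip_network(p) for p in allowed_sources]
    bad = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in allowed):
            bad.append(f)
    return bad

def rows_from_answer(frame) -> List[Dict[str, str]]:
    """Flatten a reachability answer frame into plain dicts, one per example flow."""
    rows = []
    for _, row in frame.iterrows():
        flow = row["Flow"]
        rows.append({"src": flow.srcIp, "dst": flow.dstIp, "node": flow.ingressNode})
    return rows

def check_snapshot(snapshot_dir: str, host: str = "localhost") -> List[Dict[str, str]]:
    """Ask Batfish for SERVICE flows that SUCCEED into MGMT_SUBNET from any source
    except ALLOWED_SOURCES ('\\' is set difference in Batfish's IP specifier grammar,
    as assumed here).  Every flow Batfish returns is therefore a policy violation."""
    from pybatfish.client.session import Session
    from pybatfish.datamodel.flow import HeaderConstraints

    bf = Session(host=host)
    bf.set_network("mgmt-access-check")
    bf.init_snapshot(snapshot_dir, name="candidate", overwrite=True)
    outside = "0.0.0.0/0 \\ " + ", ".join(ALLOWED_SOURCES)
    frame = bf.q.reachability(
        headers=HeaderConstraints(srcIps=outside, dstIps=MGMT_SUBNET, applications=[SERVICE]),
        actions="SUCCESS",
    ).answer().frame()
    # Re-filter locally so the report only ever lists sources outside the allowlist.
    return offending_flows(rows_from_answer(frame), ALLOWED_SOURCES)

if __name__ == "__main__":
    for v in check_snapshot("./snapshots/candidate"):
        print(f"VIOLATION: {SERVICE} from {v['src']} (via {v['node']}) reaches {v['dst']}")
```

An empty list from check_snapshot means the candidate snapshot satisfies the policy; run it against both the current and the planned snapshot to turn this into the change-analysis check listed above.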
Supported Network Device and Operating System List
Batfish supports configurations for a large and growing set of (physical and virtual) devices, including:
- A10 Networks
- Arista
- AWS (VPCs, Network ACLs, VPN GW, NAT GW, Internet GW, Security Groups, etc…)
- Cisco (All Cisco NX-OS, IOS, IOS-XE, IOS-XR, and ASA devices)
- Check Point
- Cumulus
- F5 BIG-IP
- Fortinet
- Free-Range Routing (FRR)
- iptables (on hosts)
- Juniper (All JunOS platforms: MX, EX, QFX, SRX, T-series, PTX)
- Palo Alto Networks
- SONiC
Batfish has limited support for the following platforms:
- Aruba
- Dell Force10
- Foundry
Changelog v2022.09.08
- Batfish now has support for BGP additional-paths, focusing on simple configurations in Cisco IOS and Juniper. bf.q.bgpRib will show Received_Path_Id for such routes. (#8369, #8370, #8397, #8424, and many more)
- bf.q.bgpRib and bf.q.evpnRib have improved output when comparing two different snapshots (#8348, #8419)
- When Batfish ISP Modeling fails to generate an ISP or its connection into the snapshot, Batfish will now log helpful error messages about the problem(s) (#8303). ISP Modeling also works in more configuration scenarios (#8307).
- BGP: we are very early in the process of adding support for extended tunnel encapsulation attributes. As of this release, some attributes can be applied in Juniper import policies and they will be reflected in the output of bf.q.bgpRib (#8352, #8359)
- Cisco NX-OS: support for redistributing EIGRP into EIGRP (#8364, contributed by @Katsuya414!)
- PAN: added support for template variables (#8361)
We continue to focus on validating incremental changes to configurations:
- Arista: support deleting BGP neighbors (#8260)
- Arista: support deleting BGP peer groups (#8257)
- Arista: support deleting individual prefix-list seqs (#8259)
- Cisco NX-OS: support removing BGP aggregate-address (#8280)
- Cisco IOS: support for interfaces defined in incremental changes after router OSPF (#8414)
- Cisco IOS-XR: support removing BGP aggregate-address (#8269)
Other noteworthy enhancements include:
- universal: better warning for the use of ttl in ACLs (#8324, thanks @jhammond-git!)
- Arista: fix a crash when using an undefined ACL in dynamic source NAT (#8310)
- Arista: better MLAG parsing for the peer-address heartbeat VRF (#8426)
- Cisco IOS: a variety of parser fixes and reference tracking improvements (#8293 and more, thanks @network-dave!)
- Cisco NX-OS: handle permitting or denying all ICMP traffic in an ACL (#8267, thanks @Katsuya414 and @leopoul!)
- FRR/SONiC: improvements to BGP parsing and inheritance (#8301, #8320)
- JunOS: fixed handling of static routes with qualified-next-hops (#8323, thanks @pawelhaj!)
- JunOS: fix a crash when using OSPF area interface all (#8325)
- JunOS: improve parser support for dotted BGP ASNs (#8227)
- JunOS: support for filtering source interfaces in firewall filters (#8282)
- JunOS: @jeffkala has continued his work on VXLAN and EVPN support (#8283, others)
- PAN: improved reference tracking for addresses used in NAT (#8367)
- This release also brings many miscellaneous performance fixes and we have upgraded dependencies to the latest secure releases.