====== Version 8.0 Brugge ====== {{indexmenu_n>9}} Changes in version 8.0 Brugge((Brugge is the most picturesque city in Belgium, the country with the highest deployment of IPv6 (75%) in the world. Brugge as well as our St. Petersburg is called "Northern Venice", so we recommend to feel the unique atmosphere of the city by watching the movie "In Bruges (2008)")) - [[dpi:dpi_components:platform:dpi_ipv6|IPv6 support]] is added to the Subscriber Management : traffic policing and services control item - Zello protocol recognition and its metadata export are added - Output of control commands is added [[dpi:dpi_components:platform:subscriber_management:subsman_json|using the JSON format]] is added - The feature to set the policing options using the JSON format is added - Service 12 intended to record subscriber traffic using the PCAP format is added Changes in patch 8.0.5\\ - Further IPv6 support improvements - Bug fixes and improvements in the CGNAT and NAT 1:1 - Compatibility with different equipment in PPPoE termination mode (L2 BRAS) is improved - Stability of the operation within the multicluster mode is increased - Asynchronous tasks prioritizing feature is added. This has led to improvement in BRAS and SORM puller interaction Changes in patch 8.0.6\\ - Counting of links to user profiles is fixed, so it allows to delete unused profiles - NAT assignment to a subscriber with multiple addresses (including the white ones) is fixed :!: Before upgrading please make sure that the ''udr=1'' configuration option is set in the /etc/dpi/fastdpi.conf configuration file Changes in 8.1.1 version\\ - Full IPv6 support in L3 and L2 BRAS is added along with integration with DHCP/Radius/Billing and IPv6 prefixes delegation on the CPEs (Customer Premises Equipment) - WhatsApp, Viber, OpenVPN protocols detection is added - Service 13 - [[dpi:dpi_options:opt_firewall|mini Firewall]] is added in order to protect subscribers who use public network addresses - UDP traffic blocking according to the black lists is added - IPFIX/Netflow export of the 1)RTT(round—trip time) and 2)the number of retransmissions QoE metrics is added - Cipher Suite export for SSL/HTTPS within SORM (Russian lawful interception system) metadata is added - Authorization by ARP request is added - Billing data export using IPFIX protocol is added - Further improvements of Radius Accounting sessions compatibility with various billing systems - Improvements of NAT ports reusing - Issue with --bind request is fixed - The '=' sign is deleted in ip and login json tags Changes in 8.1.2 version\\ :!: fastradius upgrade to 8.1.2 version is needed in response to changing of protocol version\\ - Maximux login(user-name) size is increased up to 96 bytes - Fixed bug in mini Firewall (Service 13) - Fixed bug in setting Session-Timeout when getting the CoA: if it is not specified, then corresponding value will be taken from the configutation parameter Changes in 8.1.4 version\\ :!: If you haven't already installed 8.1.3 VAS Experts DPI and you are using BRAS+NAT, then you have to upgrade\\ - Fixed bug in defining of autonomous system when IPv6 addresses are used - ascheckip utility is added - New ''enable_auth_ipv6=0'' configuration option is added. It allows to disable authorization for IPv6 addresses when the RADIUS server of billing system doesn't support it - Fixed the procedure for calling subscriber authorization Changes in 8.1.5 version\\ :!: fastradius upgrade to 8.1.5 version is needed in response to changing of protocol version\\ - Fixed HTTP redirect in case of PPPoE termination - Escaping (quoting) for a number of characters to be used in json and fdpi_ctrl (in login profile names) is added Changes in 8.2 version\\ :!: fastradius upgrade to 8.2 version is needed in response to changing of protocol version\\ - Fixed issues in CG-NAT : session reusing is improved, transit of fragmented ICMP is added - Fixes in L2 BRAS as a result of implementation - Fixed transmission of 32 bits AS in IPFIX - Added [[dpi:dpi_options:opt_statistics:statistics_troubleshooting#flow_sending_is_configured_today_but_an_issue_emerges_-_not_all_the_information_are_transmitted_how_to_fix_the_problem|statistics output for IPFIX/Netflow]] - Added [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa#accounting_session_request_using_coa|command for checking session using CoA]] - Improved support for the VAS Experts DPI-200 - Alerts log output when starting/shutting down dpi using CLI is added (it can be disabled by the following command: ''touch /etc/dpi/nocolor'' ) Changes in 8.3.1 version\\ :!: Due to the change in the protocol version, it is required to update fastradius along with fastpcrf and fdpi_ctrl installed on individual servers up to 8.3.1 version\\ - [[dpi:bras_bng:replication|UDR database replication]] is added in order to be used in dpi/pcrf redundancy schemes - Support for [[dpi:bras_bng:cli|CLI interface]] is added - The following protocol signatures: Telegram, Viber, WhatsApp, VyprVPN with Chameleon technology (included in OpenVPN) are added - Recovery/backup of internal UDR database [[dpi:dpi_components:platform:dpi_admin:admin_db|to the fdpi_ctrl command format]] is added - Commands [[dpi:opt_cgnat:сgnat_info|to view statistics on the usage of NAT pool addresses and external subscriber's addresses]] are added - A new feature allowing to specify or add comma-separated subnets when setting the NAT profile is added: example of format to use '1.2.3.0/24,5.6.7.0/24' - A new feature allowing to consider only IPv4 CIDR-specified host addresses and when setting CIDR parameters: example of format to use '1.2.3.0/30~' - Added to BRAS auth: ability to specify within the RADIUS response that this response should be ignored silently. Attribute value ''VasExperts-Restrict-User=255'' indicates that [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:radius_auth_access_reject|the RADIUS response should be ignored]]; - Fixed in BRAS L3 auth: if a subscriber has already been associated with a policing profile, and the policing was not specified in the authorization response, than the existing profile was not untied from the subsciber, which did not allow to delete the subscriber's policing through authorization; - Fixed in BRAS DHCP: identification of obsolete BOOTP protocol. BRAS doesn't handle BOOTP, but sending BOOTP-packet by some CPEs caused to the situation when the further DHCP packets from given subscriber are not identified as as a consequence aren't intercepted; - Added to BRAS DHCP: unqualified DHCP packets are now stored in the pcap having ''ajb_save_invlen'' parameter enabled; - Improved in BRAS DHCP: when [[dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy:bras_l2_vlan_dhcp_proxy_secondary_keys|secondary keys control]] mode is enabled and when subscriber's key (Opt82 или QinQ) is changed, its DHCP Request is sent to the RADIUS instead of applying cached response; - Changed in BRAS DHCPv6: the subscriber’s unique key is now the subscriber’s MAC address instead of the Client DUID. This is associated with the fact that some home routers quite freely use DUIDs and can change it at any time despite that Client DUID is an immutable option according to RFC; - Added to BRAS DHCPv6: periodic sending of ICMPv6 RA with a DHCPv6 response; - Added to BRAS DHCPv6: periodic sending of Unsolicited RA; - Added tp BRAS DHCPv6: fastdpi.conf parameter, ''bras_dhcp6_nak_lifetime'' - lifetime of RADIUS Reject response - Fixed in BRAS PPPoE: rarely manifested, but critical error leading to system malfunction and associated with incomplete control of the packet length specified in the PPPoE/PPP headers and the actual length of the received packet (broken or specially incorrectly formed packet); - Fixed in BRAS PPPoE: when starting fastDPI and restoring PPPoE sessions, accounting did not start; - Added to BRAS PPPoE: the ability to prohibit the recovery of PPPoE sessions when restarting the VAS Experts DPI, see [[dpi:bras_bng:bras_pppoe#Restoring of PPPoE sessions when restarting the VAS Experts DPI]] - Added to BRAS PPPoE: control of the issued IP address overlapping when creating a session. If an active PPPoE session of another subscriber with that IP address already exists, the session will be closed. - Fixed in BRAS ARP: in the [[dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_as|term by AS]] mode BRAS passes ARP Reply for non-term AS (previously it abides by the rule: requests are passed but responses aren't); - Fixed in BRAS ARP: checking for session expiration should not apply to [[dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_arp_proxy:bras_l2_vlan_arp_auth|ARP authorization]], otherwise, after the time has elapsed, all packets coming from inet will be dropped, which will cause the ARP subscriber inability to reauthorize since essentially without an external circumstances, the subscriber does not need to send the ARP to his gateway; - Improved in BRAS CoA: CoA-Request changes the authorization status only when it is explicitly specified that the subscriber is unauthorized (if the attribute '' VasExperts-Restrict-User=1 '' is present). CoA-Request itself does not cause the subscriber's authorization status to become ''authorized'' (previously, the subscriber erroneously became authorized); - Changed in BRAS CoA: behaviour of [[dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa#accounting_session_request_using_coa|command to check the acct-session]] has been changed for the case "one fastPCRF -> multiple fastDPI" due to implementation of multisession; - Improved in BRAS Accounting: BRAS accounting has been significantly improved due to support of [[dpi:bras_bng:radius_integration:radius_accounting:multisession|multisession]], so the NAS attributes have become more significant: if previously they actually identified a fastpcrf server, now they identifies multiple fastDPI servers; it makes sense when the "one fastPCRF -> multiple fastDPI" scheme is used; - Added to BRAS Accounting: the ability to exclude some classes from radius accounting by using ''acct_disable_traffic_class'' and ''acct_include_traffic_class'' fastpcrf.conf parameters, see details [[dpi:bras_bng:radius_integration:radius_accounting:radius_attr|here]] - Added to BRAS Accounting: ''acct_swap_dir'' parameter which is responsible for [[dpi:bras_bng:radius_integration:radius_accounting|swaping the traffic direction]] - Added to BRAS Accounting: ''Event-Timestamp'' attribute is added to Radius Acct-Request; - Improved in BRAS Accounting: now when fastDPI starts/stops it sends a special message to fastPCRF which causes all active accounting sessions from this fastDPI to be closed (Accounting Stop); - Added to fastpcrf: improved support for the case when multiple fastdpi communicate with one fastpcrf server: now fastpcrf can communicate with fastdpi servers located on different interfaces, [[dpi:bras_bng:radius_integration:radius_auth_fastpcrf_setup|added parameter]] ''fdpi_server'' instead of the former ''fdpi_server_list'', parameter ''auth_server_dev'' declared obsolete: instead of using ''fdpi_server_list'' and ''auth_server_dev'' fastdpi servers now should be specified by ''fdpi_server'' parameters; - Changed in fastpcrf: principle of forming Radius attributes ''NAS-IP-Address'' and ''NAS-Identifier'': now these attributes are taken from the [[dpi:bras_bng:radius_integration:radius_auth_fastpcrf_setup|fdpi_server]] option, that is, they actually identify the fastDPI server from which the authorization request was received. ''radius_attr_nas_ip_address'' and ''radius_attr_nas_id'' parameters are now obsolete and are used only in "one fastdpi - one fastpcrf" configurations. If your fastpcrf server communicates with multiple fastDPI, we recommend you to adjust your fastpcrf.conf and billing settings properly; - Changed in fastpcrf: due to implementation of [[dpi:bras_bng:radius_integration:radius_auth_fastpcrf_setup:persistent_queue|persistent queues]] the fastpcrf <-> fastdpi internal exchange protocol has been completely revised to provide scalability while maintaining backward compatibility, since the queue may contain data from previous versions; - Changed in fastpcrf: ''CUI'' attribute takes into account in CoA Request only if fastpcrf.conf contains ''radius_attr_cui=1'' (standardizing of Access-Request and CoA); - Added support for up to 5 nested MPLS tags in blocking, notification, and other services - The outgoing connection buffer is increased, this will smooth out the peaks and reduce the likelihood of packet loss when delivering ipfix/netflow - Other beta fixes Changes in 8.3.2 version - Fixed removal of service 4 (blacklist) with profile You can check the current installed version using the following command yum info fastdpi Downgrade to 8.2 version: yum downgrade fastdpi-8.2 fastpcrf-8.2 Service restart is required after upgrading or downgrading: service fastdpi restart :!: Do not upgrade the Linux kernel. In newer versions of the kernel binary compatibility with Kernel ABI may be broken and the network driver will not boot after the update. If you did update, then temporarily (during solving the problem) configure the grub boot loader to load the previous kernel version (in the /etc/grub.conf file please set the following option: ''default = 1''). To check what's new in the [[dpi:update:previous:ver_7_0|previous version]].