VAS Experts documentation VAS Experts documentation-mobile
in

Settings

  • Show pagesource
  • Old revisions
  • Add to book
  • Export to PDF
  • ODT export
  • Backlinks
  • Show pagesource
  • Old revisions
  • Add to book
  • Export to PDF
  • ODT export
  • Backlinks
    • Stingray Service Gateway by VAS ExpertsSSG changelog and updateList of versionsVersion 14.0 Shooting Stars

    Table of Contents

    Book Creator
     Add this page to your book
    Book Creator
     Remove this page from your book  

     Manage book(0 page(s))
     Help

    Version 14.0 Shooting Stars

    Changes in version 14.0

    1. [BRAS] DHCP-Dual support. Description
    2. [BRAS] Support for L2TP termination. Description
    3. [DPI] Migration to DPDK 24.11, support for new NICs (Intel E830 200G, Intel E610, Napatech SmartNIC). Description
    4. [CLI] Added support for subs_id in commands: dhcp show, dhcp reauth, dhcp6 show, dhcp6 reauth, and dhcp disconnect. Description
    5. [DPI] New protocols added: AGORA_STREAMS(49314), AZAR_CALL(49315), WECHAT_CALL(49316), TEAMS_CALL(49317). List of protocols
    6. [DPI] Improved support for LINE_CALL, VYKE_CALL protocols. List of protocols
    7. [DPI] Fixed smartdrop behavior
    8. [DPI] Added validation for complex protocols. List of protocols
    9. [DPDK] Increased the maximum number of dispatchers to 32. Description
    10. [IPFIX/Netflow] Added the ability to change IPFIX/Netflow parameters without restarting fastDPI using the ipfix_reserved parameter. Description
    11. [FastRadius] It is now possible to set both bind_ipv6_address and bind_ipv6_subnet. If the Framed-IPv6-Prefix has a /128 mask, it is not checked against the bind_ipv6_subnet restriction. Description
    12. CLI command dev info now includes the name of the LAG that the port belongs to. Description
    13. [PCRF][PPP][Framed-pool] Added: DHCP option Client-Id now includes tunnel-IP as part of the subscriber ID. For more details, see sections IPv4 Pools Support and IPv6 pools support
    14. [IPFIX] Message aggregation added for IPFIX streams: FullFlow/DNS/META/NAT
    15. [IPFIX] Added parameter ipfix_mtu_limit to restrict maximum message size for IPFIX UDP packets. Description: ClickStream export Setup, Configuring Full NetFlow Export in IPFIX Format
    16. [IPFIX DNS] New elements added to IPFIX DNS: 224 (ipTotalLength) and 43823:3206 (DNS transaction id). Description
    17. [VRRP] Fixed proper handling of the vrrp_enable option change
    18. [BRAS][PPP] PPP session key is now compound: l2subs_id + tunnel-IP. For PPPoE sessions, tunnel IP = 0. CLI commands that use subs_id as a key (subs prop show, l2tp show session, l2tp term, etc.) may now return multiple entries with the same l2subs_id. Description
    19. [DPI] Added cloud protocols with identifiers 55296..58367
    20. [IPFIX] Fixed IPFIX exporter reinitialization bugs
    21. [BRAS][subs_grooming] Fixed potential crash due to race condition during fastDPI shutdown
    22. [CLI] Added commands to display mempool properties and statistics
          hal mempool props
    hal mempool stat

      DPDK must be built with statistics collection enabled to display mempool stats

    23. [BRAS][DHCP] Fixed crash when parsing Framed-Pool Renew response if it contains no DHCP options
    24. [PCRF][Acct] Fixed: Interim-Update sending is now disabled when Acct-Interim-Interval = 0 is explicitly set in the RADIUS response. For more details, see sections acct-interim-interval, PPPoE Radius Access-Request
    25. [VASE_CLI] Created a unified CLI for managing DPI, BRAS, DHCP (KEA), ROUTER (BIRD) with support for authorization and command logging via TACACS (VEOS 8.x required). Description
    26. [SNMP] Created a module for monitoring system components via SNMP
    27. [DPI] Added DOQ 49318 protocol (DNS-over-QUIC)
    28. [Router] Announcing subscriber white addresses for 1:1 NAT individually and after authentication. Description
    29. [PCRF] Added support for service 19 "DNS spoofing", profile required. Description
    30. [DPDK] Added dpdk_engine=6 (mqrx-bridge) — number of RSS dispatchers per bridge. Description
    31. [DPDK] Removed dedicated mempools. The fastdpi.conf option dpdk_emit_mempool_size is deprecated and no longer used.
    32. [VLAN-Rule] Moved vlan group data from UDR to SDR. Global rules for vlan drop/pass/hide/permit set by the previous CLI command vlan group were converted and moved from UDR to SDR, with removal from UDR. Description
    33. Up to version 14, only one built-in database UDR (User Data Repository) is used, intended for permanent storage of data about services, policings, and other FastDPI settings.
      Starting from Version 14, UDR is split into UDR and SDR. The split occurs automatically during version update.
      SDR (System Data Repository) is intended for storing FastDPI settings not related to subscribers. It can be considered that SDR is an extension of fastdpi.conf. No special activation of SDR is required — the necessary .mdb files are created automatically when the corresponding mode is enabled in fastdpi.conf.
    34. [VLAN] VLAN rules — added CLI commands. Description
    35. [IPv6] Added direction detection in combined traffic (IN+OUT on one port) based on the local flag for IP addresses. Enabled via combined_io_direction_mode option
    36. [BRAS] Fixed compatibility with the old format of service 18, where there were fewer protocols and both fields in the profile needed to be filled
    37. [DPI] Lowered detection priority for telegram_tls
    38. [DPI] Improved detection of WECHAT and WECHAT_CALL
    39. [BRAS][Framed-Route] Fixed: possible crash when freeing memory
    40. [BRAS] Refactored PCRF connectivity: in the new implementation, all connections are equal; an error on any triggers reconnection of all connections and a switch to another PCRF. Added CLI commands:
      1. pcrf connect show — show current status and accumulated statistics for PCRF connections.
      2. Force connection to the specified PCRF pcrf connect switch [<pcrf_index>], where <pcrf_indxed> is the index of the connection line in the auth_server parameter. If <pcrf_indxed> is not specified — defaults to 0.
        Description
    41. [IPFIX DNS] Added the ability to send DNS MX responses via IPFIX. Enabled by setting bit 3 (4) of the ajb_save_dns parameter. Description
    42. [DPI] Added FakeTLS protocol (49319) with validation
    43. [BRAS][DHCP] Changed: sliding window algorithm for rate limit
    44. [BRAS] Fixed: time comparison error when loading ip_prop from UDR
    45. [VLAN-Rule] Added support for 'any' instead of '*' when describing VLAN range. Description
    46. [DPI][LOG] Messages about insufficient SSL parsers are written to the slave log not for every event, but at a frequency of 1/50000.
    47. [DPI] Added protocols ZALO_CALL(49320) and VK_CALL(49321)
    48. [DPI] Fixed blocking in hard mode for SSL
    49. [Acct] Added attribute VASExperts-Service-Type. Radius acct start/interim/stop sends the authorization type in the VASExperts-Service-Type attribute. Description
    50. [CLI] Added: stat flow ip6 command to display IPv6 flow statistics. Description
    51. [CLI] Added: stat flow ip4 command to display IPv4 flow statistics. Analogous to the output in fastdpi_stat.log. Description
    52. [IPFIX] Fixed ExportTime formation error in IPFIX Fullflow
    53. [CLI] Added stat netflow command. Displays general statistics for Netflow/IPFIX (same as in fastdpi_stat.log under the "Statistics on NFLW_export" section). Description
    54. [DNS] Added support for substitution/blocking/dropping of DNS requests A, AAAA, MX, HTTPS. Description
    55. [CLI] Added stat firewall command. Description
    56. [DPI] Added BIGO_CDN protocol (49324)
    57. [DPI] Added UDP support for BIGOTV
    58. [PCRF][L2TP] Fixed: NAS attributes for L2TP during authorization
    59. [BRAS][L2TP] Fixed: data race when closing sessions
    60. [DPDK] Removed deprecated rx channels settings and related checks
    61. [IPFIX] Added configurable sending of drop octets/packets counters when generating IPFIX fullflow. Description
    62. [PCAP] Added capability to save traffic of a specified vlan using the ajb_save_vlan parameter. Description
    63. [DPIUTILS] Updated checknat utility. Description
    64. [DPIUTILS] Updated dns2dic utility with domain blocking support. Description
    65. [BRAS][L2TP] Fixed: data race during tunnel creation
    66. [Router] Fixed: interception and diversion of IPv6 packets to tap interfaces. Link-local addresses were not diverted to tap, even if explicitly specified in the router.subnet6 settings.
    67. [BRAS][L2TP] Fixed: length field in L2TP header for data packets. According to RFC, the len field in L2TP header is optional for data packets. Some L2TP client implementations do not understand data packets with the len field in the L2TP header. This fix adjusts FastDPI's behavior: if data packets from the subscriber arrive without the len field, then SSG will also send data packets without this field. If data packets from the subscriber contain the len field, SSG will include it as well.
    68. [BRAS] Fixed: sending commands from the pending_queue. In some cases (e.g., during state transitions of the pcrf monitor initial → connected), sending commands from the pending_queue was not triggered, which caused commands to "hang" in the queue indefinitely (until reconnection due to a socket error).
    69. Fixed a recently introduced error (affecting betas 4.6 and 4.7) in the session lifecycle that leads to resource exhaustion over time; an operational update from these versions (or rollback) is recommended.

    Changes in version 14.1

    DPI

    1. [DPI][ajb_save_vlan] Fixed an error when the engine operates in read-only mode
    2. [DPDK][tap_device] Fixed: setting the tx queue length using the dpdk_tx_queue_size option. Previously, the tx queue length of the TAP device was always set to 256, which caused errors on the VMware VMXNET3 Ethernet Controller: ETHDEV: Invalid value for nb_tx_desc(=256), should be: <= 4096, >= 512, and a product of 1
    3. [LAG] Fixed: added load balancing for pass packets
    4. [DPI][ip_node stg] Added statistics on bucket occupancy. The new CLI command stat storage ip4 detail outputs statistics on bucket filling in the IPv4 node storage
    5. [DPI] Added validation for the MULTIPROXY_STRONG protocol
    6. [DPI] Improved scalability on 128-core systems
    7. [DPI][log] Improved the logging subsystem in cases of log file overflow
    8. [DPI][tethering] Added tethering detection. The parameter tethering_ttl_allowed = 128:64 [hot] defines the list of allowed TTL values for subscriber traffic that are not considered tethering. Values are separated by ':'. The number of values is up to 256 (0–255). Description

    BNG

    1. [BNG][framed-route] Fixed: Framed-Route delivery when a subscriber login is changed. Previously, when the login was changed, Framed-Route subnets remained attached to the old login, and all services and policing for Framed-Route subnets were taken from the old login.
    2. [BNG] Added the bras_disable_l3_auth option — an explicit prohibition of L3 auth in L2 BNG mode for all subscribers. For example, only DHCP authorization will work for subscribers with the AS local meta. Default value: off (L3 auth allowed) bras_disable_l3_auth=off. This option is meaningful only if enable_auth=1. The option is incompatible with the bras_dhcp_auth_mix=0 mode: if bras_dhcp_auth_mix=0 is set, bras_disable_l3_auth is forced to off (L3 auth allowed) and a warning is logged to the alert log.
    3. [BNG] Added a new subscriber flag — prohibition of L3 auth for a specific subscriber. This flag can be set or cleared only via CLI: a new parameter disable_l3_auth=[1:0] has been added to the subs prop set command (1 — disable L3 auth, 0 — enable). By default, L3 auth is enabled.
    4. [BNG][srcIP spoofing] Added filtering by source AS flags on the subs→inet path before packet processing to block operator-originated DDoS attacks with IP address spoofing.
      Added a new fastdpi.conf option ip_filter_source_as_flags (hot)[hot] — filtering subs traffic by AS. Bit mask of AS (autonomous system) flags for the source IP on the subs side.
      Only packets whose source IP AS contains at least one of the specified flags are allowed for processing. Otherwise, the packet is dropped. AS flag values (bit mask):
      • 0 — filtering disabled (default) — ip_filter_source_as_flags=0x0
      • 0x0100 — pass
      • 0x0200 — local
      • 0x0400 — peer
      • 0x0800 — term
      • 0x1000 — mark1
      • 0x2000 — mark2
      • 0x4000 — mark3
    5. [BNG][PPP] Added database session utilization statistics to the ppp show stat command
    6. [BNG][PCEF][Policing] Added configuration of common policing from parameters passed in the VasExperts-Policing-Profile attribute with the BR## prefix
    7. [BNG][PCEF][Services] Added configuration of a personal (noname) user profile for services from parameters passed in the VasExperts-Service-Profile attribute with the BP## prefix
    8. [BNG][PCEF][rating-group] New options (cold, fastDPI restart required):
      • rating_group_count — number of rating groups, 0 — RG disabled. Default value: 0
      • rating_group_max_subs — maximum number of subscribers with RG. Default value: 0 (RG disabled)
        RG storage is initialized only if billing statistics are enabled. Memory calculation for RG statistics: counter size per RG = 32 bytes. Total required memory:
        32 * rating_group_count * rating_group_max_subs * num_thread

        For example, for 10k subscribers, 256 RGs, and 8 processing threads, 625M of memory is required: 

        rating_group_count = 256
rating_group_max_subs  = 10000
num_thread = 8
memory_required = 32 * 256 * 10000 * 8 = 625M
    9. [BNG][PCEF][rating-group][RADIUS Accounting] Output of RG statistics in RADIUS Accounting. RG statistics are transmitted in separate Interim-Update packets. Only non-zero RG data are sent. Due to the 4096-byte RADIUS packet size limit, RG data may be split across multiple Interim-Update packets.
      To distinguish Interim-Updates containing RG data, a new VSA VasExperts-Acct-Type (id=28, vendor 43823, integer type) is used with the following values:
      • 0 — standard Interim Update Accounting
      • 1 — RG data
        Each rating group and its counters are transmitted in *one* VSA containing the following attributes:
      • VasExperts-Acct-Rating-Group (new attribute of type short, 16-bit integer) — RG number;
      • VasExperts-Acct-Input-Octets-64
      • VasExperts-Acct-Output-Octets-64
      • VasExperts-Acct-Input-Packets-64
      • VasExperts-Acct-Output-Packets-64
        Packet/byte counters by direction are output according to the acct_swap_dir option (as in Accounting).
        RG transmission specifics:
      • RGs are optional data and may be absent for a subscriber; accordingly, no RG accounting data will be transmitted for such a subscriber;
      • if receipt of an RG packet by the RADIUS server is not confirmed, it is not retransmitted — fresh data will be sent in the subscriber’s next Interim-Update;
      • if a subscriber has RG statistics, current RG data are sent in Interim-Update packets before sending Acct-Stop at session termination.
    10. [BNG][PCEF][rating-group][CLI] Added the subs traffic stat CLI command. The command outputs billing statistics and rating group statistics for the specified subscriber, if enabled.
    11. [BNG][PCEF][rating-group][RADIUS Accept] Added configuration of the RG service during authorization. RG statistics accumulation can be enabled only if service 9 (bill stat) is enabled for the subscriber. RG is assigned at the subscriber level during authorization by specifying a special service 9 profile named 'RG': 
      VasExperts-Service-Profile :="9:RG"

      When service 9 is disabled, RG accumulation is also disabled.
      Examples of configuring service 9 and RG: 

      # service 9 enabled, RG disabled. Standard RADIUS Accounting is sent.
VasExperts-Enable-Service :="9:on"
      # service 9 enabled, RG enabled. RG data are sent in RADIUS Accounting.
VasExperts-Service-Profile :="9:RG"
      # service 9 disabled, RG disabled. Standard RADIUS Accounting and RG are not sent.
VasExperts-Enable-Service :="9:off"
    12. [BNG][SHCV][hot] Added activity monitoring for static IP L2 subscribers (subscribers for whom RADIUS returned the VasExperts-L2-User=1 flag during L3 authorization).
      New options (all hot):
      • bras_subs_shcv_interval — inactivity interval, seconds; 0 — SHCV disabled
      • bras_subs_shcv_retry_timeout — ARP request response wait time, seconds; default = 3
      • bras_subs_shcv_retry_count — number of ARP requests; default = 3
      • bras_shcv_trace — SHCV tracing; default = off

        If no traffic is received from the subscriber for bras_subs_shcv_interval seconds, fastDPI starts pinging the subscriber by sending unicast ARP requests on behalf of the subscriber gateway. The ARP response wait time is bras_subs_shcv_retry_timeout seconds. If no response is received to bras_subs_shcv_retry_count consecutive ARP requests, or the ARP response contains a different MAC address, the subscriber is considered inactive, its authorization status is reset, and the accounting session is stopped.
    13. [BNG][DHCP][hot] New values 2 and 4 are available for the bras_dhcp_check_secondary_keys option. Full option description:

      bras_dhcp_check_secondary_keys — control of secondary unique keys (opt82/QinQ) [hot]
      In DHCP, the primary keys are ClientId (opt61) or, if ClientId is not specified, the client MAC address. In secondary key control mode, if another DHCP session is found by at least one secondary key, it will be closed (Acct Stop is sent).
      • 0 (default) — do not control secondary keys
      • 1 — control all secondary keys — QinQ and opt82
      • 2 — control only opt82
      • 4 — control only QinQ
    14. [BNG][L2TP] Fixed: crash when receiving a duplicate out-of-order ctl packet
    15. [BNG][dhcp-relay] Added the ability to preserve the siaddr field value.
      New flag in the bras_dhcp_server option: keep_siaddr=1 — preserve the DHCP packet siaddr field. Example:
      bras_dhcp_server=188.227.73.42%eth0;arp_proxy=1;reply_port=67;keep_siaddr=1

      By default, the siaddr field may be modified to hide the real DHCP server address.

    16. [BNG][CLI] Added the `subs db stat` command to display L2 BNG database statistics
    17. [BNG][DHCP6] Fixed: crash when processing DHCPv6 with an invalid UDP header length

    NAT

    1. [CG-NAT] Added rx_dispatcher=3 — a method with uniform load balancing across an arbitrary number of threads with support for NAT 1:1 and the requirement to assign specific addresses
    2. [CG-NAT] Accounting of translation lifetime in the fdpi_ctrl list status --service 11 --login UserName (--ip IP) command. Additional fields were added to the command output: active_sess_tcp — number of active NAT translations for TCP and active_sess_udp — number of active NAT translations for UDP.
      Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options.
    3. [CG-NAT][CLI] Accounting of translation lifetime in the nat show <internal_ip> [<lifetime>] command. Displays a list of all NAT translations for the specified gray IP. A translation record looks as follows:
      • nat_type — NAT type (0 — CGNAT, 1 — NAT 1:1)
      • protocol — L4 protocol (0 — TCP, 1 — UDP)
      • internal_ip — gray IP
      • internal_port — gray port
      • dest_ip — destination IP
      • dest_port — destination port
      • external_ip — white IP
      • external_port — white port
      • active — translation activity flag (true if active)
        Translation activity is determined by the time of its last use and the lifetime parameter configured in the cluster options. If <lifetime> (in seconds) is specified, its value is used as the translation lifetime.

    CLI

    1. [CLI] Added the subs bind show command to view the list of IP addresses bound to the login <login>:
      subs bind show <login> [memory|udr]

      Two modes:

      • memory (default) displays IP-to-login bindings as currently configured in fastDPI
      • udr — displays IP-to-login bindings from UDR
        The output of these two modes may differ: not all IP↔login bindings are stored in UDR; for example, for Framed-Route subnets, the login binding is created only in memory, while the framed-route subnets themselves are stored in UDR in a separate table; see the cli framed route ? CLI command group
    2. [CLI] Added the stat http CLI command. This command outputs internal statistics similar to those in fastdpi_stat.log:
      • Detailed statistics on HTTP
      • Detailed statistics on SSL_SAVEBL
      • Detailed statistics on QUIC_IETF_SAVEBL
      • Detailed statistics on BitTorrent
    3. [CLI] Fixed the list status --service 11 (NAT) and nat show commands

    IPFIX

    1. [IPFIX] Storage of TTL information from the IP packet header. Description
      TTL statistics added to Full NetFlow in IPFIX format:
      • Packet TTL, id 192. The field is used for both directions: subs2inet and inet2subs
      • Rating group, id 2020
    2. [IPFIX] Fixed an error in time conversion to unix format
    3. [IPFIX] New 64-bit fields added to Full NetFlow IPFIX. Description
      service_flags — information about the tags assigned to the flow in DPI. Detected tethering is reported via IPFIX in bit 1 of the service_flags field. 63 bits are available for further use.
      detection_flags — reserved for detection methods.
      action_flags — reserved for transmitting actions applied to the flow.
    4. [IPFIX] Fixed TTL transmission in Full NetFlow IPFIX in a single field with identifier 192 depending on direction. Description

    Utilities

    1. [utils] Added the name2custom utility to view the list of protocols loaded from the cloud (as opposed to built-in ones)

    RADIUS

    1. [FastRADIUS] Added support for logging to syslog. New parameter syslog_level in fdpi_radius.conf — the level of logging messages from the alert log to syslog. 0 — syslog logging disabled (default).
    2. [FastRADIUS] Added extraction of the 3GPP User Location Info RADIUS attribute and its export to IPFIX

    Was this information helpful?