Version 8.0 Brugge

Changes in version 8.0 Brugge1)

  1. IPv6 support is added to the Subscriber Management : traffic policing and services control item
  2. Zello protocol recognition and its metadata export are added
  3. Output of control commands is added using the JSON format is added
  4. The feature to set the policing options using the JSON format is added
  5. Service 12 intended to record subscriber traffic using the PCAP format is added

Changes in patch 8.0.5

  1. Further IPv6 support improvements
  2. Bug fixes and improvements in the CGNAT and NAT 1:1
  3. Compatibility with different equipment in PPPoE termination mode (L2 BRAS) is improved
  4. Stability of the operation within the multicluster mode is increased
  5. Asynchronous tasks prioritizing feature is added. This has led to improvement in BRAS and SORM puller interaction

Changes in patch 8.0.6

  1. Counting of links to user profiles is fixed, so it allows to delete unused profiles
  2. NAT assignment to a subscriber with multiple addresses (including the white ones) is fixed

:!: Before upgrading please make sure that the udr=1 configuration option is set in the /etc/dpi/fastdpi.conf configuration file

Changes in 8.1.1 version

  1. Full IPv6 support in L3 and L2 BRAS is added along with integration with DHCP/Radius/Billing and IPv6 prefixes delegation on the CPEs (Customer Premises Equipment)
  2. WhatsApp, Viber, OpenVPN protocols detection is added
  3. Service 13 - mini Firewall is added in order to protect subscribers who use public network addresses
  4. UDP traffic blocking according to the black lists is added
  5. IPFIX/Netflow export of the 1)RTT(round—trip time) and 2)the number of retransmissions QoE metrics is added
  6. Cipher Suite export for SSL/HTTPS within SORM (Russian lawful interception system) metadata is added
  7. Authorization by ARP request is added
  8. Billing data export using IPFIX protocol is added
  9. Further improvements of Radius Accounting sessions compatibility with various billing systems
  10. Improvements of NAT ports reusing
  11. Issue with --bind request is fixed
  12. The '=' sign is deleted in ip and login json tags

Changes in 8.1.2 version
:!: fastradius upgrade to 8.1.2 version is needed in response to changing of protocol version

  1. Maximux login(user-name) size is increased up to 96 bytes
  2. Fixed bug in mini Firewall (Service 13)
  3. Fixed bug in setting Session-Timeout when getting the CoA: if it is not specified, then corresponding value will be taken from the configutation parameter

Changes in 8.1.4 version
:!: If you haven't already installed 8.1.3 VAS Experts DPI and you are using BRAS+NAT, then you have to upgrade

  1. Fixed bug in defining of autonomous system when IPv6 addresses are used
  2. ascheckip utility is added
  3. New enable_auth_ipv6=0 configuration option is added. It allows to disable authorization for IPv6 addresses when the RADIUS server of billing system doesn't support it
  4. Fixed the procedure for calling subscriber authorization

Changes in 8.1.5 version
:!: fastradius upgrade to 8.1.5 version is needed in response to changing of protocol version

  1. Fixed HTTP redirect in case of PPPoE termination
  2. Escaping (quoting) for a number of characters to be used in json and fdpi_ctrl (in login profile names) is added

Changes in 8.2 version
:!: fastradius upgrade to 8.2 version is needed in response to changing of protocol version

  1. Fixed issues in CG-NAT : session reusing is improved, transit of fragmented ICMP is added
  2. Fixes in L2 BRAS as a result of implementation
  3. Fixed transmission of 32 bits AS in IPFIX
  4. Added statistics output for IPFIX/Netflow
  5. Added command for checking session using CoA
  6. Improved support for the VAS Experts DPI-200
  7. Alerts log output when starting/shutting down dpi using CLI is added (it can be disabled by the following command: touch /etc/dpi/nocolor )

Changes in 8.3.1 version
:!: Due to the change in the protocol version, it is required to update fastradius along with fastpcrf and fdpi_ctrl installed on individual servers up to 8.3.1 version

  1. UDR database replication is added in order to be used in dpi/pcrf redundancy schemes
  2. Support for CLI interface is added
  3. The following protocol signatures: Telegram, Viber, WhatsApp, VyprVPN with Chameleon technology (included in OpenVPN) are added
  4. Recovery/backup of internal UDR database to the fdpi_ctrl command format is added
  5. Commands to view statistics on the usage of NAT pool addresses and external subscriber's addresses are added
  6. A new feature allowing to specify or add comma-separated subnets when setting the NAT profile is added: example of format to use '1.2.3.0/24,5.6.7.0/24'
  7. A new feature allowing to consider only IPv4 CIDR-specified host addresses and when setting CIDR parameters: example of format to use '1.2.3.0/30~'
  8. Added to BRAS auth: ability to specify within the RADIUS response that this response should be ignored silently. Attribute value VasExperts-Restrict-User=255 indicates that the RADIUS response should be ignored;
  9. Fixed in BRAS L3 auth: if a subscriber has already been associated with a policing profile, and the policing was not specified in the authorization response, than the existing profile was not untied from the subsciber, which did not allow to delete the subscriber's policing through authorization;
  10. Fixed in BRAS DHCP: identification of obsolete BOOTP protocol. BRAS doesn't handle BOOTP, but sending BOOTP-packet by some CPEs caused to the situation when the further DHCP packets from given subscriber are not identified as as a consequence aren't intercepted;
  11. Added to BRAS DHCP: unqualified DHCP packets are now stored in the pcap having ajb_save_invlen parameter enabled;
  12. Improved in BRAS DHCP: when secondary keys control mode is enabled and when subscriber's key (Opt82 или QinQ) is changed, its DHCP Request is sent to the RADIUS instead of applying cached response;
  13. Changed in BRAS DHCPv6: the subscriber’s unique key is now the subscriber’s MAC address instead of the Client DUID. This is associated with the fact that some home routers quite freely use DUIDs and can change it at any time despite that Client DUID is an immutable option according to RFC;
  14. Added to BRAS DHCPv6: periodic sending of ICMPv6 RA with a DHCPv6 response;
  15. Added to BRAS DHCPv6: periodic sending of Unsolicited RA;
  16. Added tp BRAS DHCPv6: fastdpi.conf parameter, bras_dhcp6_nak_lifetime - lifetime of RADIUS Reject response
  17. Fixed in BRAS PPPoE: rarely manifested, but critical error leading to system malfunction and associated with incomplete control of the packet length specified in the PPPoE/PPP headers and the actual length of the received packet (broken or specially incorrectly formed packet);
  18. Fixed in BRAS PPPoE: when starting fastDPI and restoring PPPoE sessions, accounting did not start;
  19. Added to BRAS PPPoE: the ability to prohibit the recovery of PPPoE sessions when restarting the VAS Experts DPI, see Restoring of PPPoE sessions when restarting the VAS Experts DPI
  20. Added to BRAS PPPoE: control of the issued IP address overlapping when creating a session. If an active PPPoE session of another subscriber with that IP address already exists, the session will be closed.
  21. Fixed in BRAS ARP: in the term by AS mode BRAS passes ARP Reply for non-term AS (previously it abides by the rule: requests are passed but responses aren't);
  22. Fixed in BRAS ARP: checking for session expiration should not apply to ARP authorization, otherwise, after the time has elapsed, all packets coming from inet will be dropped, which will cause the ARP subscriber inability to reauthorize since essentially without an external circumstances, the subscriber does not need to send the ARP to his gateway;
  23. Improved in BRAS CoA: CoA-Request changes the authorization status only when it is explicitly specified that the subscriber is unauthorized (if the attribute VasExperts-Restrict-User=1 is present). CoA-Request itself does not cause the subscriber's authorization status to become authorized (previously, the subscriber erroneously became authorized);
  24. Changed in BRAS CoA: behaviour of command to check the acct-session has been changed for the case "one fastPCRF → multiple fastDPI" due to implementation of multisession;
  25. Improved in BRAS Accounting: BRAS accounting has been significantly improved due to support of multisession, so the NAS attributes have become more significant: if previously they actually identified a fastpcrf server, now they identifies multiple fastDPI servers; it makes sense when the "one fastPCRF → multiple fastDPI" scheme is used;
  26. Added to BRAS Accounting: the ability to exclude some classes from radius accounting by using acct_disable_traffic_class and acct_include_traffic_class fastpcrf.conf parameters, see details here
  27. Added to BRAS Accounting: acct_swap_dir parameter which is responsible for swaping the traffic direction
  28. Added to BRAS Accounting: Event-Timestamp attribute is added to Radius Acct-Request;
  29. Improved in BRAS Accounting: now when fastDPI starts/stops it sends a special message to fastPCRF which causes all active accounting sessions from this fastDPI to be closed (Accounting Stop);
  30. Added to fastpcrf: improved support for the case when multiple fastdpi communicate with one fastpcrf server: now fastpcrf can communicate with fastdpi servers located on different interfaces, added parameter fdpi_server instead of the former fdpi_server_list, parameter auth_server_dev declared obsolete: instead of using fdpi_server_list and auth_server_dev fastdpi servers now should be specified by fdpi_server parameters;
  31. Changed in fastpcrf: principle of forming Radius attributes NAS-IP-Address and NAS-Identifier: now these attributes are taken from the fdpi_server option, that is, they actually identify the fastDPI server from which the authorization request was received. radius_attr_nas_ip_address and radius_attr_nas_id parameters are now obsolete and are used only in "one fastdpi - one fastpcrf" configurations. If your fastpcrf server communicates with multiple fastDPI, we recommend you to adjust your fastpcrf.conf and billing settings properly;
  32. Changed in fastpcrf: due to implementation of persistent queues the fastpcrf ↔ fastdpi internal exchange protocol has been completely revised to provide scalability while maintaining backward compatibility, since the queue may contain data from previous versions;
  33. Changed in fastpcrf: CUI attribute takes into account in CoA Request only if fastpcrf.conf contains radius_attr_cui=1 (standardizing of Access-Request and CoA);
  34. Added support for up to 5 nested MPLS tags in blocking, notification, and other services
  35. The outgoing connection buffer is increased, this will smooth out the peaks and reduce the likelihood of packet loss when delivering ipfix/netflow
  36. Other beta fixes

Changes in 8.3.2 version

  1. Fixed removal of service 4 (blacklist) with profile

You can check the current installed version using the following command 

yum info fastdpi

Downgrade to 8.2 version: 

yum downgrade fastdpi-8.2 fastpcrf-8.2

Service restart is required after upgrading or downgrading: 

service fastdpi restart

:!: Do not upgrade the Linux kernel. In newer versions of the kernel binary compatibility with Kernel ABI may be broken and the network driver will not boot after the update. If you did update, then temporarily (during solving the problem) configure the grub boot loader to load the previous kernel version (in the /etc/grub.conf file please set the following option: default = 1).

To check what's new in the previous version.

1)
Brugge is the most picturesque city in Belgium, the country with the highest deployment of IPv6 (75%) in the world. Brugge as well as our St. Petersburg is called "Northern Venice", so we recommend to feel the unique atmosphere of the city by watching the movie "In Bruges (2008)"