==================================
SD-WAN 6.5 release notes
==================================

We are pleased to announce the release of SD-WAN 6.5. This release
introduces a new private WAN design along with several new features for network configuration.

Major Features
--------------

- New private WAN design, introducing two new modes of private WAN that allow direct integration with aggregators, removing the need for private WAN routers.

- Aggregators now have configurable networking similar to bonders.

- Bonders and aggregators can now have dynamic routing configured
  through the management interface.

- Bonders and aggregators can now create VXLAN interfaces.

- Aggregators can associate interfaces with private WAN spaces.

- Replify WAN optimization can be enabled to improve the performance of certain applications through caching, compression and various other optimizations.

- Nodes now support both Debian 9 Stretch and Debian 10 Buster.

Errata
------

.. warning::

    The primary address and gateway of an aggregator must still be manually configured in the node's */etc/network/interfaces* file
    and added to the aggregator node configuration, as described in `changing a host IP address <../administration/changing-host-ip-address.html>`__.

    **Do not** also add this address as an interface address on the aggregator or it will conflict with the primary IP and
    **prevent the aggregator from coming back online after bonding is restarted**.


.. warning::

    IPv6 private WAN is not compatible between 6.4 bonders and 6.5 aggregators.
    To maintain IPv6 private WAN connectivity between a bonder and an aggregator when upgrading to 6.5, both nodes must be upgraded.

    IPv4 private WAN is fully compatible between versions.


.. note::

    Aggregators must have their kernel upgraded as part of the upgrade to 6.5.
    This will require a reboot of the aggregator server.


.. note::

    The `bgpenable` script is no longer supported and has been removed from version 6.5.


Deprecations
------------

- TCP proxy support for bonds running bonding 2015.4 or earlier will be removed in a future version.

Bondingadmin
------------

.. note::
    Bondingadmin now runs on Debian 10 Buster.

.. note::
    The `/api/v4/settings/` and `/api/v3/settings` APIs have had some fields removed and
    others added, since most aggregator failover settings are now managed per-aggregator.

.. note::
    Source address verification is now disabled by default on new bonds. Existing
    bonds will remain the same.

.. note::
    Only the Administrator default user group is created on new bondingadmin servers.
    Existing bondingadmin servers are unaffected by this change.

.. warning::
    Bonders in a private WAN space running in one of the new private WAN modes
    must be on an aggregator running version 6.5, or they will be isolated from the WAN.

Additions:

- New private WAN system bypassing the need for private WAN routers.

  - Private WAN spaces now have **managed mesh** and **unmanaged** modes that do not require private WAN routers and allow many custom routing scenarios that were previously impossible or difficult.

  - Private WAN spaces can also continue to work as before in the 'With private WAN routers' mode.

- The aggregator page now has a networking configuration section and addresses can be statically
  configured to interfaces.

- Aggregators and bonders can be configured to use VXLAN interfaces.

- Aggregators and bonders can be configured to use dynamic routing protocols and filters.
  Each node page now has *protocols* and *filters* panels added to
  their networking configuration interfaces for configuring dynamic routing.

- Aggregator interfaces can be associated with private WAN spaces to ensure routing isolation.

- A new method of defining per-space VLAN interfaces and protocols has been
  added, allowing automatic configuration of aggregators hosting bonds in a given
  space. This is similar to existing private WAN router integrations, but more
  customizable.

- Aggregators and private WAN routers only receive configuration related to
  spaces containing a bond or gateway necessary for communication. In private
  WAN setups that contain many spaces, this can greatly reduce resource usage on
  aggregators and private WAN routers.

  .. note::
      This change does not require a bonding upgrade on private WAN routers or
      aggregators, but does require that the bonding service be restarted on
      those nodes.

- Spaces can be nested arbitrarily deep (formerly, nesting was limited to 5 levels).

- Aggregator failover settings are now managed on aggregators directly,
  allowing certain aggregators to have more or less tolerance to issues than
  others.

- SSH keys can now be added to users, automatically adding or removing the keys from nodes
  according to the user's permissions.

- Each bond has a tunings list page at `/bonds/<ID>/tunings/`, listing all bond and leg tunings,
  and each tuning has a details page showing all logs, errors, and results for that tuning.

- Aggregators now support edit-multiple functionality similar to bonds.

- Significantly sped up retrieval of node configuration updates in the management interface.

- The default minimum path MTU for legs is now 1383
  (the IPv6 minimum MTU of 1280 bytes plus the worst case tunnel overhead of 103 bytes).

- Leg speed tests keep track of the leg's configuration at run time for later auditing.

- All options are now displayed by default on the bond and aggregator pages.

- IPv4 and IPv6 private WAN routing protocols are consolidated, significantly reducing overhead for running spaces.

  .. note::
      If you have any private WAN that uses IPv6 before 6.5, upgrading any
      related node will cause an outage for the IPv6 private WAN until all
      relevant nodes are upgraded to 6.5.

- Certificates for encryption are now signed with SHA256.

- Salt states are applied to new nodes faster.

- Replify WAN optimization can be enabled on bonds.

Fixes:

- Fixed configuration updates being generated for offline nodes.

- Fixed an issue causing superfluous queries to `/bonds/X/config_updates/`.

- Fixed disabled legs sometimes reporting as flapping.

- Fixed an issue with packet loss counts being reset to zero every time a leg flapped.

- Fixed a bug where it was sometimes possible to define a DHCPv6-NA service with a prefix
  pool outside of the associated connected IP network.

- Fixed the management web server not being properly reloaded after renewing a Let's Encrypt certificate.

- Fixed several issues allowing the speed test queue to occasionally get stuck.

- Fixed tunnel bypass configuration not being applied after starting.

- Fixed display of `API URIs
  <../extending-bonded-internet/api/uris/index.html>`__.

Bonding Node
------------

.. note::
   Bonding now supports Debian 9 Stretch and Debian 10 Buster. A new ISO is
   available which provisions bonding on Debian 10. This new ISO is faster and
   more reliable than the previous ISO as it has bonding and its dependencies
   preinstalled. The previous ISO is still available for legacy purposes.

.. warning::
   Debian 8 Jessie will lose :abbr:`LTS (Long Term Support)` support as of June
   30, 2020. After this point, there will be no future security updates for the
   operating system, but bonding will continue to run after this date. We
   recommend that all new nodes are provisioned with Debian 10.

.. warning::
   Due to the migration to predictable interface names (e.g., enp1s0 over
   eth0), we strongly suggest **not** upgrading the Debian distribution on
   remote nodes. If a remote distribution upgrade is required, we recommend
   that an alternative access method (i.e., serial or IPMI) be utilized instead
   of relying on remote networking for access. Without such access, there is an
   extremely high chance that the remote node will be orphaned after the
   distribution upgrade and reboot. See :ref:`upgrading-to-debian-9-and-above` for
   more details.

Additions:

- Debian 9 and 10 support.

- Kernel upgraded to 5.4.15.

- Various updates to consume new configuration.

- Nodeconfig timeout is now configurable, and the default is longer (1 minute).

Removals:

- Debian 7 is no longer supported in this release. Bonding version 6.4 is the
  latest version to support that operating system.

Fixes:

- Fixed a bug where tunnel bypass and CPE NAT IPs could conflict.

- Fixed a bug allowing large config updates to bog down the config update queue.

- Fixed aggregators not working behind NAT (this worked in 6.3).

- Fixed rate-limits not working after a bond is moved to a different aggregator.

- Fixed an issue with DHCP addressing hooks running before the address is actually applied to the interface.

- Fixed the INTERFACE variable not being properly set for connected IP hooks.

- Fixed an issue causing slow failover times on bonds with encryption enabled.
