Release Notes

version 2.9.0 (2024-11-28)

  • default preferences (see docs), of which there are four at this time, can now be stored in a Secret named DiscrimiNAT_<deployment_id> (case-sensitive) in Secret Manager:
    • wildcard_exposure: control whether * is accepted in FQDNs at all and, if accepted, whether the prohibit-public-suffix safeguard is applied. Please familiarise yourself with the operation and caveats of wildcard rules before using them.
    • flow_log_verbosity: control whether all logs are emitted, just disallowed or none at all
    • see_thru: set non-blocking, monitoring see-thru mode as a default (useful with new deployments so traffic is not blocked upon deployment)
    • x509_crls: whether to automatically allow CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted. This was a feature introduced in v2.7.0
  • list of FQDNs for allowlisting, in JSON format, can now be read in from a Secret
    • format is {"addrs": ["fqdn1.com", "*.github.com", ...]}
    • a symbolic reference of the Secret, using its full path, will need to be added to the Firewall Rules' description field instead of comma-separated FQDNs. For example, discriminat:tls:projects/000000000000/secrets/service-foo-allowed-fqdns
    • DiscrimiNAT's Service Account will need Secret Manager Secret Accessor Role for the Secret paths referred (see docs)
    • previous method of storing comma-separated FQDNs in Firewall Rules' description fields is preserved and will continue to work
  • version of bundled Public Suffix List: 931546b
  • improvement in startup time with a large allowlist (>500 FQDNs)
  • new config log reason: rejected. This is emitted when a wildcard FQDN is specified but the wildcard_exposure preference value does not allow its inclusion. For example, {addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}
  • raw packet captures (PCAP) for ~10 seconds may be included in telemetry data if Automated System Health Reporting is not opted out of
  • fixed a bug where wildcard matched FQDNs would not be allowed, until the cache for them was warmed up, in spite of see-thru mode being set
  • fixed occasional "spoofing detected" flow logs disallowing connections to Cloudinary and Azure Cloud CDN FQDNs
  • TLS and SSH connectivity improvements to some hosts that would not acknowledge trailing zeroes in padding bytes of a handshake
  • absence of leading zeroes in month and date components of a see-thru date now works. For example, previously, 2024-9-1 would not have worked, however, 2024-09-01 would have. Both work now.
  • wildcard matched connections are now timed out on first attempt, instead of connection reset, until the cache has warmed up for them. This reduces the number of attempts made by an app/client when accessing a wildcarded FQDN for the first time.

Breaking Changes

  • plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted are no longer allowed automatically. Set the preference x509_crls to auto_allow to restore previous behaviour. If you did not know about this, you are likely not affected. We have proactively informed the customers we definitely knew were relying on this.

Terraform Updates

  • preferences' defaults in JSON format are deployed automatically from v2.9.0 of our Terraform module, in a Secret named DiscrimiNAT_<deployment_id>, to serve as a starting point. They can be overridden via the new preferences variable.
  • option to disable automatic updates to the Instance Template when a new DiscrimiNAT image version is available with the image_auto_update boolean variable
  • full diff between previous version and this can be found here for the -ilb module, and here for the -ntag module

version 2.8.0 (2024-08-20)

  • wildcard support is now in preview:
    • they are supported for the TLS protocol only
    • the character ? (or _) may be used to substitute one wild character in an FQDN to be allowed
    • the set of wild characters is from a to z, 0 to 9 and the - (hyphen or minus) only; the . (period, dot or fullstop) character is not included
    • you may use any number of wildcards in a single FQDN address (in the allowlist)
    • see our dedicated page on using wildcards with examples and the caveats expected in this preview; ensure you've read the Operation section as well
    • further improvements are expected in the next version of DiscrimiNAT; please write to us with your experience on using this feature
  • suppressed repetitive warning log messages no ip addresses resolved about CRL endpoint crl.comodo.net
  • improved compatibility with proprietary SSH server-side implementations, such as GoAnywhere, that send a larger than normal list of ciphers during the initial handshake
  • Terraform module source includes a script rmig-update-maxUnavailable-1.sh that can be run in Cloud Shell or as part of your CI/CD pipeline to update DiscrimiNAT instances separately from a version update of the instance template for their Managed Instance Group. This has the added advantage of staying within the number of allocated External IPs during a rolling update
    • the script will need setting of GOOGLE_CLOUD_PROJECT, MIG_NAME, MIG_EXPECTED_SIZE and MIG_REGION environment variables. Examples are provided within the script
    • variable mig_update_policy_type should be set to OPPORTUNISTIC for this to be useful
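The following is an added illustration, not DiscrimiNAT's own code, of the wildcard semantics in the v2.8.0 notes above (? or _ stands for one character from a-z, 0-9 and -, never .) together with the {"addrs": [...]} Secret format and the public-suffix safeguard behind the "rejected" config log reason from v2.9.0. The public suffix subset and the sample Secret value are constructed, and the assumption that only a leading "*." label is compared against the list is mine.

```python
import json
import re

# Constructed subset of the Public Suffix List, standing in for the bundled
# list the release notes mention; a real check would load the full list.
PUBLIC_SUFFIXES = {"com", "io", "github.io", "co.uk"}

# v2.8.0 rule: '?' or '_' stands for exactly one character from a-z, 0-9
# and '-'; the '.' character is never covered by a wildcard.
WILD_CHAR = "[a-z0-9-]"


def wildcard_regex(pattern: str) -> re.Pattern:
    """Compile a ?/_ wildcard FQDN into an anchored, case-insensitive regex.
    A '*' is kept literal here, as its match semantics are not in the notes."""
    body = "".join(WILD_CHAR if ch in "?_" else re.escape(ch) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def matches(pattern: str, hostname: str) -> bool:
    """True when the hostname (trailing dot tolerated) satisfies the pattern."""
    return wildcard_regex(pattern).match(hostname.rstrip(".")) is not None


def star_wildcard_outcome(addr: str):
    """Apply the v2.9.0 public-suffix safeguard to a '*.<suffix>' entry and
    return the outcome text in the form of the page's example, or None when
    the entry is acceptable. Assumption (not stated on the page): only a
    leading '*.' label is compared against the list."""
    if not addr.startswith("*."):
        return None
    rest = addr[2:].lower().rstrip(".")
    if rest in PUBLIC_SUFFIXES:
        return f"publicsuffix[.]org list matched with `{rest}`"
    return None


def validate_secret_payload(payload: str) -> list:
    """Parse the {"addrs": [...]} Secret format and return one config-log
    style record per entry the safeguard would reject; [] means all pass."""
    rejected = []
    for addr in json.loads(payload)["addrs"]:
        outcome = star_wildcard_outcome(addr)
        if outcome is not None:
            rejected.append({"addr": addr, "cat": "addr",
                             "reason": "rejected", "outcome": outcome})
    return rejected


# Constructed sample Secret value in the v2.9.0 format.
SAMPLE_SECRET = ('{"addrs": ["fqdn1.com", "*.github.com", "*.github.io", '
                 '"api-?.example.com"]}')
```

Running validate_secret_payload on a candidate Secret value before storing it lets you catch entries the firewall would log as rejected, instead of discovering them in the -config log after deployment.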

version 2.7.1 (2024-02-12)

  • warning type messages in -config logs now do not repeat before 10 minutes. This will reduce the frequency of no ip addresses resolved, etc. log messages significantly.
  • disabling Automated System Health Reporting can now be done by setting variable ashr to false from Terraform module v2.7.1 onwards. The earlier method will continue to work.
  • automated system health reporting, if left enabled, now runs at shutdown too.
  • automatically allowed CRL Endpoints of x509 SSL certificates now emit the name of the otherwise allowed FQDN and the issuing CA in the certificate chain, from which the CRL Endpoint was determined, in the reason field of the -config log. For example, crl endpoint from issuer GTS Root R1 in certificate chain of trends.google.com.
  • syslog is no longer sent from DiscrimiNAT VMs to StackDriver (Logs Explorer). This will reduce the level of logging from the operating system.
  • resolved an issue where large Microsoft updates over plaintext HTTP, while in see-thru mode, could cause DiscrimiNAT to drop packets after a few weeks of passing such traffic through – needing a restart.

version 2.7.0 (2024-01-03)

  • HTTP -flow Logs: additional log fields of http_method, http_user_agent and http_path will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message insecure protocol, use https, though.

  • CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods HEAD and GET are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.

  • Alias IP Ranges assigned to VM Instances now get recognised and functionally work the same way as a VM's primary IP address. Firewall Rules get applied to the ranges as well, just as they do to the primary IP address of a VM, based on Network Tags.

  • no ip addresses resolved warning message in -config log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.

  • Terraform module v2.7.0 update: user_data_base64 supersedes startup_script_base64. See diff here.

  • Automated System Health Reporting: 10 minutes after boot and then at around 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.

    Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.

    We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path /etc/chaser/disable_automated-system-health-reporting should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

    user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="

    The base64 value above decodes to:

    #cloud-config
    write_files:
    - path: /etc/chaser/disable_automated-system-health-reporting

    This is the cloud-init way of creating that file on the instance.

version 2.6.1 (2023-10-10)

  • operating system kernel tuning parameters tweaked (to match with the AWS build) resulting in improved performance of the see-thru mode
  • health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
  • fixed a bug where a certain configuration of a Firewall Rule would have DiscrimiNAT drop all rules
  • two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
    • for example test for TLS on 203.0.113.5:80 failed – port 80 was not listening with TLS
    • and for example timed out testing connection to 203.0.113.6:443 – port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)
  • minor update to Terraform modules increasing the health check initial delay from 120 seconds to 360 seconds

version 2.6.0 (2023-07-11)

  • the TLS notation for allowlisting now supports IPv4 addresses besides FQDNs (i.e. without SNI), for example discriminat:tls:203.0.113.9
  • the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Firewall Rules. Previously, it had required IP addresses to be set to 0.0.0.0/0 and Ports & Protocols to be set to all.
  • two new -flow log reason messages when a network packet is disallowed have been introduced:
    • cache not ready: this message is logged when a new address is added to the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP).
    • spoofing detected: logged when the TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI).
  • enabled Finite Field Diffie–Hellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
  • enabled ciphers without Forward Secrecy for TLS 1.2

Breaking Changes

  • the -config log has its fqdn field name changed to addr. Field names have not changed in the -flow log.
  • in the -config log, association of a public IP for egress from the firewall had its category (cat field) set to static-ip. This is now set to egress-ip.

version 2.5.3 (2023-05-22)

  • increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

version 2.5.2 (2023-03-16)

  • change of base OS from Ubuntu 18.04 to Ubuntu 20.04
    The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the 4 unmet checks.

version 2.5.1 (2023-01-29)

  • External IPs can now be pinned to specific deployments. If the value of a DiscrimiNAT instance VM label discriminat matches the label-key & value of an External IP, that External IP will be preferred for self-attaching. Fallback behaviour remains to self-attaching any allocated but unassociated External IPs with the label-key discriminat set to any value.
  • Terraform module updated to support custom deployment IDs (see variable custom_deployment_id), to optionally override the randomly generated ones. This allows fine-grained control over naming and can also be used for matching allocated External IPs to a specific fleet of DiscrimiNAT instances.
  • replaced google-fluentd with ops-agent. Ops Agent requires the Monitoring Metric Writer predefined role to be added to the service account. See our Service Account page for more details.

version 2.4.2 (2022-10-05)

  • added support for Network Tags in Cloud Composer v2 GKE Clusters
  • improved audit (config) logging for subnets
  • improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

version 2.4.1 (2022-05-05)

  • fixed an excessive retries issue with automatic config building where the service account's role allowed querying of Service Projects but the Host Project did not have shared VPC setup enabled
  • fixed a sporadic connection reset issue, that emitted unexpected response in the logs, and which only occurred in the see-thru monitoring mode while connecting to a destination at very high latency

version 2.4.0 (2022-03-13)

  • new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
  • serverless support introduced; VPC connectors from Cloud Functions etc. will have their outbound traffic filtered
  • added support for self-attaching an allocated External IP
  • change of one of the default scopes, when the service account is not overridden, from compute-ro to compute-rw; this is to support self-assignment of labelled external IPs
  • discrimiNAT's own instance ID added to every log line under the key instance, indicating which instance the log line was emitted from
  • updated TLS ECH draft extension identifiers

version 2.3.0 (2021-11-02)

  • added support for shared VPC; now Service Projects can use a discrimiNAT instance deployed in their Host Project

version 2.2.0 (2021-08-31)

  • see-thru mode introduced; build allowlists super-quick by putting a Firewall Rule in monitor mode first
  • improved handling for a large number of FQDNs in the allowlists
  • full bypass hook added; please reach out to support for instructions on this
  • updated TLS ECH draft extension identifiers

version 2.0.5 (2021-05-03)

  • restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in

version 2.0.4 (2021-04-03)

version 2.0.3 (2020-11-05)

  • v2 launch
  • completely new architecture addressing the potential for a mismatch between IP addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
  • rewritten in Rust

version 20200529 (2020-05-29)

available on request; v1 is now deprecated; please upgrade to v2

version 20200524 (2020-05-24)

available on request; v1 is now deprecated; please upgrade to v2

version 20200516 (2020-05-16)

available on request; v1 is now deprecated; please upgrade to v2

version 20191207 (2019-12-07)

available on request; v1 is now deprecated; please upgrade to v2

version 20191107 (2019-11-07)

  • v1 launch