===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/70.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -c -r1.38 -r1.39
*** www/70.html	2021/10/02 14:25:54	1.38
--- www/70.html	2021/10/02 14:38:53	1.39
***************
*** 386,403 ****
  	<li>Fully implemented RFC 6286 by checking for BGP ID collisions.
  	<li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error
  		behaviour from prefix witdraw to attribute discard.
! 	<li>In bgpctl(8) print out both the sent "Neighbor capabilities" and the
  		"Negotiated capabilities" for a session. 
  	<li>Print timestamps both as a formatted and a pure time in seconds
  		filed in various JSON objects.
! 	<li>Fixed a bug, where during bgpd(8) config reloads prefixes of the
  		wrong address family could leak to peers resulting in session resets.
  	<li>Added support for RFC 7313 - Enhanced Route Refresh
  		Disabled by default, to enable use 'announce enhanced refresh yes'.
  	<li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
  		adding the prefix to the RIB. This improves `bgpctl show rib out`
  		output.
! 	<li>Added command line option to both bgpd(8) and bgpctl(8) to show the version
  	<li>Added support for RFC 9072 - Extended Optional Parameters Lenght for
  		BGP OPEN Message
  	<li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
--- 386,403 ----
  	<li>Fully implemented RFC 6286 by checking for BGP ID collisions.
  	<li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error
  		behaviour from prefix witdraw to attribute discard.
! 	<li>In <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> print out both the sent "Neighbor capabilities" and the
  		"Negotiated capabilities" for a session. 
  	<li>Print timestamps both as a formatted and a pure time in seconds
  		filed in various JSON objects.
! 	<li>Fixed a bug, where during <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> config reloads prefixes of the
  		wrong address family could leak to peers resulting in session resets.
  	<li>Added support for RFC 7313 - Enhanced Route Refresh
  		Disabled by default, to enable use 'announce enhanced refresh yes'.
  	<li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
  		adding the prefix to the RIB. This improves `bgpctl show rib out`
  		output.
! 	<li>Added command line option to both <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> to show the version
  	<li>Added support for RFC 9072 - Extended Optional Parameters Lenght for
  		BGP OPEN Message
  	<li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
***************
*** 408,422 ****
  		mitigate BGP route decision making based on outdated RPKI data.
  		OpenBGPD's companion rpki-client(8) produces roa-sets with the
  		new 'expires' property
- 
- 	<!-- check against and use rpki-client release notes instead? -->
- 	<li>Fixed a memory leak in <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
- 	<li>Set the <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> x509 validation depth limit to 12 or double the current depth.
- 	<li>Limited <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> to 300 deltas to sync an RRDP repository rather than fetching a snapshot.
- 	<li>Added http_proxy support to <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> http handler.
- 	<li>Defaulted to attempting RRDP first in <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> -r.
- 	<li>Added an 'expires' column to CSV & JSON output of <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
- 	<li>Added keep-alive support to the <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> HTTP module.
      </ul>
  
      <li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:
--- 408,413 ----
***************
*** 434,444 ****
  	<li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
  	<li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
  	<li>Increased <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
- 	<li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput.
  	<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows are added if a single address is configured in the config address instead of a pool.
  	<li>Fixed a problem in <a href="https://man.openbsd.org/iked.8">iked(8)</a> where no flows are loaded when a single config address without pool is configured.
  	<li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519.
! 	<li>Fixed <a href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>.
      </ul>
  
      <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
--- 425,435 ----
  	<li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
  	<li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
  	<li>Increased <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
  	<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows are added if a single address is configured in the config address instead of a pool.
  	<li>Fixed a problem in <a href="https://man.openbsd.org/iked.8">iked(8)</a> where no flows are loaded when a single config address without pool is configured.
  	<li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519.
! 	<li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput.
! 	<li>Fixed <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>.
      </ul>
  
      <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
***************
*** 450,456 ****
  	href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
  	received the following new features and bugfixes:
      <ul>
! 	<li>...
      </ul>
  
      <li><span style="color:red;">add blurp about awesome traceroute changes!</span>
--- 441,480 ----
  	href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
  	received the following new features and bugfixes:
      <ul>
! 	<li>Added keep-alive support to the HTTP client code for RRDP.
! 	<li>Reference-count and delete unused files synced via RRDP, as far as
! 	   possible.
! 	<li>In the JSON output, changed the AS Number from a string ("AS123") to
! 	   an integer ("123") to make processing of the output easier,
! 	<li>Added an 'expires' column to CSV & JSON output, based on certificate
! 	   and CRL validity times. The 'expires' value can be used to avoid route
! 	   selection based on stale data when generating VRP sets, when faced
! 	   with loss of communication between consumer and valdiator, or
! 	   validator and CA repository,
! 	<li>Made the runtime timeout (-s option) also trigger in
! 	   child proecesses.
! 	<li>Improved RRDP support and make RRDP as default protocol for
! 	   syncronizing the RPKI repository data, with <a
!         href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> used as secondary.
! 	<li>At startup, warn if the filesystem containing the cache directory
! 	   is probably too small.
! 	<li>Handle running out of disk space more gracefully, including cleanup
! 	   of temporary and old files before exiting.
! 	<li>Improved the HTTP/1.1 request headers being sent.
! 	<li>Improved validation checks for ROA and MFT objects.
! 	<li>Improved the HTTP client code (status code handling, http proxy
! 	   support, keep-alive).
! 	<li>In RRDP, do not access URI with userinfo (@-sign)
! 	<li>Improved RRDP syncing by considering a notification file serial
! 	   jumping backwards as synced repository.
! 	<li>Made -R (rsync only) also apply to the fetching of TA files.
! 	<li>Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
! 	<li>When producing output for <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, make use of the 'roa-set
! 	   expires' attribute to prevent machines from loading outdated roa-sets.
! 	<li>In RRDP, limited the number of deltas to 300 per repo. If more deltas
! 	   exist, downloading a full snapshot is faster.
! 	<li>Limited the validation depth of X509 certificate chains to 12, double
! 	   the current depth seen in RPKI.
      </ul>
  
      <li><span style="color:red;">add blurp about awesome traceroute changes!</span>