===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/70.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -c -r1.38 -r1.39
*** www/70.html 2021/10/02 14:25:54 1.38
--- www/70.html 2021/10/02 14:38:53 1.39
***************
*** 386,403 ****
Fully implemented RFC 6286 by checking for BGP ID collisions.
Adjusted the 4-byte AS number handling to RFC 6793 by changing error
behaviour from prefix witdraw to attribute discard.
! In bgpctl(8) print out both the sent "Neighbor capabilities" and the
"Negotiated capabilities" for a session.
Print timestamps both as a formatted and a pure time in seconds
filed in various JSON objects.
! Fixed a bug, where during bgpd(8) config reloads prefixes of the
wrong address family could leak to peers resulting in session resets.
Added support for RFC 7313 - Enhanced Route Refresh
Disabled by default, to enable use 'announce enhanced refresh yes'.
Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
adding the prefix to the RIB. This improves `bgpctl show rib out`
output.
! Added command line option to both bgpd(8) and bgpctl(8) to show the version
Added support for RFC 9072 - Extended Optional Parameters Lenght for
BGP OPEN Message
Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
--- 386,403 ----
Fully implemented RFC 6286 by checking for BGP ID collisions.
Adjusted the 4-byte AS number handling to RFC 6793 by changing error
behaviour from prefix witdraw to attribute discard.
! In bgpctl(8) print out both the sent "Neighbor capabilities" and the
"Negotiated capabilities" for a session.
Print timestamps both as a formatted and a pure time in seconds
filed in various JSON objects.
! Fixed a bug, where during bgpd(8) config reloads prefixes of the
wrong address family could leak to peers resulting in session resets.
Added support for RFC 7313 - Enhanced Route Refresh
Disabled by default, to enable use 'announce enhanced refresh yes'.
Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
adding the prefix to the RIB. This improves `bgpctl show rib out`
output.
! Added command line option to both bgpd(8) and bgpctl(8) to show the version
Added support for RFC 9072 - Extended Optional Parameters Lenght for
BGP OPEN Message
Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
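Review bot: the unchanged lines around the edited items still carry three typos that should be fixed while this list is being touched: "witdraw" (withdraw) in the RFC 6793 item, "filed" (presumably "field") in the JSON timestamp item, and "Lenght" (Length) in the RFC 9072 title. The item "Added command line option to both bgpd(8) and bgpctl(8) to show the version" would also be more useful to readers if it named the option.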
***************
*** 408,422 ****
mitigate BGP route decision making based on outdated RPKI data.
OpenBGPD's companion rpki-client(8) produces roa-sets with the
new 'expires' property
-
-
- Fixed a memory leak in rpki-client(8).
- Set the rpki-client(8) x509 validation depth limit to 12 or double the current depth.
- Limited rpki-client(8) to 300 deltas to sync an RRDP repository rather than fetching a snapshot.
- Added http_proxy support to rpki-client(8) http handler.
- Defaulted to attempting RRDP first in rpki-client(8) -r.
- Added an 'expires' column to CSV & JSON output of rpki-client(8).
- Added keep-alive support to the rpki-client(8) HTTP module.
The pf(4) packet filter and its userland utility:
--- 408,413 ----
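Review bot: of the seven rpki-client(8) items removed from this section, "Fixed a memory leak in rpki-client(8)." has no counterpart in the rpki-client(8) list added in the last hunk of this diff, so it drops out of the release notes entirely. Either carry it over into the new list or confirm that the omission is intended.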
***************
*** 434,444 ****
Zeroed out potential passwords when freeing memory or handling parsing errors in iked(8).
Added client-side support for DNS configuration to iked(8).
Increased iked(8) default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
- Fixed races which were slowing ipsec(4) throughput.
Fixed an iked(8) bug where no flows are added if a single address is configured in the config address instead of a pool.
Fixed a problem in iked(8) where no flows are loaded when a single config address without pool is configured.
Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to iked(8) as sntrup761x25519.
! Fixed IPsec(4) NAT-T to work with pipex(4).
The httpd(8) webserver saw numerous improvements:
--- 425,435 ----
Zeroed out potential passwords when freeing memory or handling parsing errors in iked(8).
Added client-side support for DNS configuration to iked(8).
Increased iked(8) default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
Fixed an iked(8) bug where no flows are added if a single address is configured in the config address instead of a pool.
Fixed a problem in iked(8) where no flows are loaded when a single config address without pool is configured.
Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to iked(8) as sntrup761x25519.
! Fixed races which were slowing ipsec(4) throughput.
! Fixed ipsec(4) NAT-T to work with pipex(4).
The httpd(8) webserver saw numerous improvements:
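Review bot: the two unchanged iked(8) items just above the moved ipsec(4) lines appear to describe the same fix twice ("no flows are added if a single address is configured in the config address instead of a pool" and "no flows are loaded when a single config address without pool is configured"). Since this hunk is already tidying the block, drop one of them or reword them so the difference is clear. The "IPsec(4)" to "ipsec(4)" normalisation and the regrouping of the two ipsec(4) items look fine.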
***************
*** 450,456 ****
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)
received the following new features and bugfixes:
add blurp about awesome traceroute changes!
--- 441,480 ----
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)
received the following new features and bugfixes:
! - Added keep-alive support to the HTTP client code for RRDP.
!
- Reference-count and delete unused files synced via RRDP, as far as
! possible.
!
- In the JSON output, changed the AS Number from a string ("AS123") to
! an integer ("123") to make processing of the output easier,
!
- Added an 'expires' column to CSV & JSON output, based on certificate
! and CRL validity times. The 'expires' value can be used to avoid route
! selection based on stale data when generating VRP sets, when faced
! with loss of communication between consumer and valdiator, or
! validator and CA repository,
!
- Made the runtime timeout (-s option) also trigger in
! child proecesses.
!
- Improved RRDP support and make RRDP as default protocol for
! syncronizing the RPKI repository data, with openrsync(1) used as secondary.
!
- At startup, warn if the filesystem containing the cache directory
! is probably too small.
!
- Handle running out of disk space more gracefully, including cleanup
! of temporary and old files before exiting.
!
- Improved the HTTP/1.1 request headers being sent.
!
- Improved validation checks for ROA and MFT objects.
!
- Improved the HTTP client code (status code handling, http proxy
! support, keep-alive).
!
- In RRDP, do not access URI with userinfo (@-sign)
!
- Improved RRDP syncing by considering a notification file serial
! jumping backwards as synced repository.
!
- Made -R (rsync only) also apply to the fetching of TA files.
!
- Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
!
- When producing output for bgpd(8), make use of the 'roa-set
! expires' attribute to prevent machines from loading outdated roa-sets.
!
- In RRDP, limited the number of deltas to 300 per repo. If more deltas
! exist, downloading a full snapshot is faster.
!
- Limited the validation depth of X509 certificate chains to 12, double
! the current depth seen in RPKI.
add blurp about awesome traceroute changes!
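Review bot: the JSON output item describes the AS number as changing to "an integer" but gives the example as ("123") in quotes, which reads as a string; since consumers parsing this output need to know the new type, write the example unquoted. The added lines also contain typos ("valdiator", "proecesses", "syncronizing"), two items end in a comma instead of a period ("easier," and "CA repository,"), and keep-alive support is listed twice, once as its own first item and again inside "Improved the HTTP client code (status code handling, http proxy support, keep-alive)". The placeholder "add blurp about awesome traceroute changes!" is still present in the new revision and should be replaced or removed before release.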