| version 1.38, 2021/10/02 14:25:54 |
version 1.39, 2021/10/02 14:38:53 |
|
|
| <li>Fully implemented RFC 6286 by checking for BGP ID collisions. |
<li>Fully implemented RFC 6286 by checking for BGP ID collisions. |
| <li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error |
<li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error |
| behaviour from prefix witdraw to attribute discard. |
behaviour from prefix witdraw to attribute discard. |
| <li>In bgpctl(8) print out both the sent "Neighbor capabilities" and the |
<li>In <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> print out both the sent "Neighbor capabilities" and the |
| "Negotiated capabilities" for a session. |
"Negotiated capabilities" for a session. |
| <li>Print timestamps both as a formatted and a pure time in seconds |
<li>Print timestamps both as a formatted and a pure time in seconds |
| filed in various JSON objects. |
filed in various JSON objects. |
| <li>Fixed a bug, where during bgpd(8) config reloads prefixes of the |
<li>Fixed a bug, where during <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> config reloads prefixes of the |
| wrong address family could leak to peers resulting in session resets. |
wrong address family could leak to peers resulting in session resets. |
| <li>Added support for RFC 7313 - Enhanced Route Refresh |
<li>Added support for RFC 7313 - Enhanced Route Refresh |
| Disabled by default, to enable use 'announce enhanced refresh yes'. |
Disabled by default, to enable use 'announce enhanced refresh yes'. |
| <li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before |
<li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before |
| adding the prefix to the RIB. This improves `bgpctl show rib out` |
adding the prefix to the RIB. This improves `bgpctl show rib out` |
| output. |
output. |
| <li>Added command line option to both bgpd(8) and bgpctl(8) to show the version |
<li>Added command line option to both <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> to show the version |
| <li>Added support for RFC 9072 - Extended Optional Parameters Lenght for |
<li>Added support for RFC 9072 - Extended Optional Parameters Lenght for |
| BGP OPEN Message |
BGP OPEN Message |
| <li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions |
<li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions |
|
|
| mitigate BGP route decision making based on outdated RPKI data. |
mitigate BGP route decision making based on outdated RPKI data. |
| OpenBGPD's companion rpki-client(8) produces roa-sets with the |
OpenBGPD's companion rpki-client(8) produces roa-sets with the |
| new 'expires' property |
new 'expires' property |
| |
|
| <!-- check against and use rpki-client release notes instead? --> |
|
| <li>Fixed a memory leak in <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>. |
|
| <li>Set the <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> x509 validation depth limit to 12 or double the current depth. |
|
| <li>Limited <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> to 300 deltas to sync an RRDP repository rather than fetching a snapshot. |
|
| <li>Added http_proxy support to <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> http handler. |
|
| <li>Defaulted to attempting RRDP first in <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> -r. |
|
| <li>Added an 'expires' column to CSV & JSON output of <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>. |
|
| <li>Added keep-alive support to the <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> HTTP module. |
|
| </ul> |
</ul> |
| |
|
| <li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility: |
<li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility: |
|
|
| <li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>. |
<li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>. |
| <li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>. |
<li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>. |
| <li>Increased <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups. |
<li>Increased <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups. |
| <li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput. |
|
| <li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows are added if a single address is configured in the config address instead of a pool. |
<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows are added if a single address is configured in the config address instead of a pool. |
| <li>Fixed a problem in <a href="https://man.openbsd.org/iked.8">iked(8)</a> where no flows are loaded when a single config address without pool is configured. |
<li>Fixed a problem in <a href="https://man.openbsd.org/iked.8">iked(8)</a> where no flows are loaded when a single config address without pool is configured. |
| <li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519. |
<li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519. |
| <li>Fixed <a href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>. |
<li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput. |
| |
<li>Fixed <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>. |
| </ul> |
</ul> |
| |
|
| <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements: |
<li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements: |
|
|
| href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> |
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> |
| received the following new features and bugfixes: |
received the following new features and bugfixes: |
| <ul> |
<ul> |
| <li>... |
<li>Added keep-alive support to the HTTP client code for RRDP. |
| |
<li>Reference-count and delete unused files synced via RRDP, as far as |
| |
possible. |
| |
<li>In the JSON output, changed the AS Number from a string ("AS123") to |
| |
an integer ("123") to make processing of the output easier, |
| |
<li>Added an 'expires' column to CSV & JSON output, based on certificate |
| |
and CRL validity times. The 'expires' value can be used to avoid route |
| |
selection based on stale data when generating VRP sets, when faced |
| |
with loss of communication between consumer and valdiator, or |
| |
validator and CA repository, |
| |
<li>Made the runtime timeout (-s option) also trigger in |
| |
child proecesses. |
| |
<li>Improved RRDP support and make RRDP as default protocol for |
| |
syncronizing the RPKI repository data, with <a |
| |
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> used as secondary. |
| |
<li>At startup, warn if the filesystem containing the cache directory |
| |
is probably too small. |
| |
<li>Handle running out of disk space more gracefully, including cleanup |
| |
of temporary and old files before exiting. |
| |
<li>Improved the HTTP/1.1 request headers being sent. |
| |
<li>Improved validation checks for ROA and MFT objects. |
| |
<li>Improved the HTTP client code (status code handling, http proxy |
| |
support, keep-alive). |
| |
<li>In RRDP, do not access URI with userinfo (@-sign) |
| |
<li>Improved RRDP syncing by considering a notification file serial |
| |
jumping backwards as synced repository. |
| |
<li>Made -R (rsync only) also apply to the fetching of TA files. |
| |
<li>Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others. |
| |
<li>When producing output for <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, make use of the 'roa-set |
| |
expires' attribute to prevent machines from loading outdated roa-sets. |
| |
<li>In RRDP, limited the number of deltas to 300 per repo. If more deltas |
| |
exist, downloading a full snapshot is faster. |
| |
<li>Limited the validation depth of X509 certificate chains to 12, double |
| |
the current depth seen in RPKI. |
| </ul> |
</ul> |
| |
|
| <li><span style="color:red;">add blurp about awesome traceroute changes!</span> |
<li><span style="color:red;">add blurp about awesome traceroute changes!</span> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 70.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www