version 1.38, 2021/10/02 14:25:54
version 1.39, 2021/10/02 14:38:53

<li>Fully implemented RFC 6286 by checking for BGP ID collisions.
<li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error
behaviour from prefix withdraw to attribute discard.
<li>In <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> print out both the sent "Neighbor capabilities" and the
"Negotiated capabilities" for a session.
<li>Print timestamps both as a formatted string and as a plain time-in-seconds
field in various JSON objects.
<li>Fixed a bug where during <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> config reloads prefixes of the
wrong address family could leak to peers, resulting in session resets.
<li>Added support for RFC 7313 - Enhanced Route Refresh.
Disabled by default; to enable it use 'announce enhanced refresh yes'.
<li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
adding the prefix to the RIB. This improves `bgpctl show rib out`
output.
<li>Added a command line option to both <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> to show the version.
<li>Added support for RFC 9072 - Extended Optional Parameters Length for
BGP OPEN Message.
<li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions.

mitigate BGP route decision making based on outdated RPKI data.
OpenBGPD's companion <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> produces roa-sets with the
new 'expires' property.

<li>Fixed a memory leak in <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
</ul>
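<p>The RFC 9072 and RFC 6793 items above both change how an OPEN message is parsed. The following is an added Python example, not OpenBGPD code (which is C): it builds and parses an OPEN body in both the classic encoding and the RFC 9072 extended optional-parameters encoding (a 255 length byte followed by a 255 type byte, then a 2-octet length and 2-octet parameter lengths), and recovers the 4-octet AS number from the RFC 6793 capability when the 2-octet "My AS" field carries AS_TRANS. Every function name, the ASN 4200000000, the identifier 192.0.2.1 and the bounds checks that raise <code>BgpOpenError</code> are constructed for this example.</p>

```python
"""Build and parse the body of a BGP OPEN message (RFC 4271 section 4.2).

Added example, not code from OpenBGPD. It illustrates the RFC 9072
extended optional-parameters encoding and the RFC 6793 4-octet AS
capability. All ASNs and identifiers below are made-up test data.
"""
import struct

AS_TRANS = 23456              # RFC 6793: placeholder for the 2-octet "My AS" field
OPT_PARAM_CAPABILITIES = 2    # RFC 5492 optional parameter type
CAP_AS4 = 65                  # RFC 6793 "Support for 4-octet AS number" capability
EXT_OPT_PARAM_MARK = 255      # RFC 9072: Opt Parm Len == 255 and first byte == 255


class BgpOpenError(ValueError):
    """A malformed OPEN; a real speaker would answer with a NOTIFICATION."""


def parse_capabilities(value):
    """Split one Capabilities optional parameter (RFC 5492) into {code: value}."""
    caps = {}
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise BgpOpenError("truncated capability header")
        code, clen = value[pos], value[pos + 1]
        cval = value[pos + 2:pos + 2 + clen]
        if len(cval) != clen:
            raise BgpOpenError("capability length exceeds parameter")
        caps[code] = cval
        pos += 2 + clen
    return caps


def parse_open_body(body):
    """Parse an OPEN body (everything after the 19-octet BGP header)."""
    if len(body) < 10:
        raise BgpOpenError("OPEN body shorter than its fixed part")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise BgpOpenError("unsupported BGP version %d" % version)
    if hold_time in (1, 2):
        raise BgpOpenError("hold time must be 0 or at least 3 seconds")
    if bgp_id == 0:
        raise BgpOpenError("BGP Identifier must be nonzero (RFC 6286)")

    params = body[10:]
    # RFC 9072: length byte 255 followed by type byte 255 announces a 2-octet
    # Extended Optional Parameters Length and 2-octet per-parameter lengths.
    if opt_len == EXT_OPT_PARAM_MARK and params[:1] == bytes([EXT_OPT_PARAM_MARK]):
        if len(params) < 3:
            raise BgpOpenError("truncated extended optional parameters length")
        (ext_len,) = struct.unpack("!H", params[1:3])
        params = params[3:]
        declared, length_size, extended = ext_len, 2, True
    else:
        declared, length_size, extended = opt_len, 1, False
    if len(params) != declared:
        raise BgpOpenError("optional parameters length mismatch")

    caps = {}
    pos = 0
    while pos < len(params):
        if pos + 1 + length_size > len(params):
            raise BgpOpenError("truncated optional parameter header")
        ptype = params[pos]
        if length_size == 1:
            plen = params[pos + 1]
        else:
            (plen,) = struct.unpack("!H", params[pos + 1:pos + 3])
        start = pos + 1 + length_size
        pvalue = params[start:start + plen]
        if len(pvalue) != plen:
            raise BgpOpenError("optional parameter length exceeds message")
        if ptype == OPT_PARAM_CAPABILITIES:
            caps.update(parse_capabilities(pvalue))
        pos = start + plen

    asn = my_as
    if CAP_AS4 in caps:
        if len(caps[CAP_AS4]) != 4:
            raise BgpOpenError("AS4 capability must carry exactly 4 octets")
        (asn,) = struct.unpack("!I", caps[CAP_AS4])
        # RFC 6793: "My AS" is the real ASN when it fits in 2 octets, else AS_TRANS.
        if my_as not in (AS_TRANS, asn):
            raise BgpOpenError("My AS %d disagrees with AS4 capability %d" % (my_as, asn))
    return {"version": version, "my_as": my_as, "asn": asn, "hold_time": hold_time,
            "bgp_id": bgp_id, "extended_params": extended, "capabilities": caps}


def build_open_body(asn, hold_time, bgp_id, capabilities, extended=False):
    """Build an OPEN body advertising `capabilities` ({code: value}) plus the
    AS4 capability. extended=True selects the RFC 9072 encoding, which is
    required once the optional parameters no longer fit in 255 octets."""
    caps = dict(capabilities)
    caps[CAP_AS4] = struct.pack("!I", asn)
    cap_bytes = b"".join(bytes([code, len(v)]) + v for code, v in caps.items())
    my_as = asn if asn <= 0xFFFF else AS_TRANS
    if extended:
        param = bytes([OPT_PARAM_CAPABILITIES]) + struct.pack("!H", len(cap_bytes)) + cap_bytes
        opt = bytes([EXT_OPT_PARAM_MARK, EXT_OPT_PARAM_MARK]) + struct.pack("!H", len(param)) + param
    else:
        param = bytes([OPT_PARAM_CAPABILITIES, len(cap_bytes)]) + cap_bytes
        if len(param) > 255:
            raise BgpOpenError("parameters need the RFC 9072 extended encoding")
        opt = bytes([len(param)]) + param
    return struct.pack("!BHHI", 4, my_as, hold_time, bgp_id) + opt


if __name__ == "__main__":
    mp_ipv4 = {1: b"\x00\x01\x00\x01"}   # multiprotocol capability AFI 1 / SAFI 1
    for ext in (False, True):
        body = build_open_body(4200000000, 90, 0xC0000201, mp_ipv4, extended=ext)
        print(body.hex(), parse_open_body(body))
```

<p>Note that the same capabilities parse identically from either encoding; the only visible difference is the <code>extended_params</code> flag, which is what a speaker that does not implement RFC 9072 would misread as a 255-octet classic parameter block.</p>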

<li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:

<li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Increased the <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows were loaded when a single config address was configured instead of a pool.
<li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519.
<li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput.
<li>Fixed <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>.
</ul>

<li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:

href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
received the following new features and bugfixes:
<ul>
<li>Added keep-alive support to the HTTP client code for RRDP.
<li>Reference-count and delete unused files synced via RRDP, as far as
possible.
<li>In the JSON output, changed the AS number from a string ("AS123") to
an integer (123) to make processing of the output easier.
<li>Added an 'expires' column to CSV & JSON output, based on certificate
and CRL validity times. The 'expires' value can be used to avoid route
selection based on stale data when generating VRP sets, when faced
with loss of communication between consumer and validator, or between
validator and CA repository.
<li>Made the runtime timeout (-s option) also trigger in
child processes.
<li>Improved RRDP support and made RRDP the default protocol for
synchronizing the RPKI repository data, with <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> used as secondary.
<li>At startup, warn if the filesystem containing the cache directory
is probably too small.
<li>Handle running out of disk space more gracefully, including cleanup
of temporary and old files before exiting.
<li>Improved the HTTP/1.1 request headers being sent.
<li>Improved validation checks for ROA and MFT objects.
<li>Improved the HTTP client code (status code handling, http proxy
support, keep-alive).
<li>In RRDP, do not access URIs containing userinfo (an @-sign).
<li>Improved RRDP syncing by treating a notification file whose serial
number jumps backwards as an already synced repository.
<li>Made -R (rsync only) also apply to the fetching of TA files.
<li>Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
<li>When producing output for <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, make use of the 'roa-set
expires' attribute to prevent machines from loading outdated roa-sets.
<li>In RRDP, limited the number of deltas to 300 per repo. If more deltas
exist, downloading a full snapshot is faster.
<li>Limited the validation depth of X509 certificate chains to 12, double
the current depth seen in RPKI.
</ul>
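<p>The 'expires' column and the 'roa-set expires' attribute described above exist so that a validator outage does not leave a router validating against VRPs whose backing certificate or CRL has long since lapsed. The following is an added Python example, not code from rpki-client or OpenBGPD: it reads rpki-client style JSON, rejects malformed VRPs, drops entries that have already expired at a given point in time, and renders the rest as a bgpd roa-set that still carries the per-VRP expiry so bgpd can keep enforcing it. Assumed, beyond what the notes state: the exact JSON layout (a <code>roas</code> array with <code>asn</code>, <code>prefix</code>, <code>maxLength</code>, <code>ta</code> and <code>expires</code> keys) and the bgpd.conf roa-set entry syntax <code>prefix maxlen N source-as AS expires T</code>; the JSON sample and all timestamps are constructed.</p>

```python
"""Turn rpki-client(8)-style JSON into a bgpd(8) roa-set, honouring the
per-VRP 'expires' timestamp.

Added example, not code from rpki-client or OpenBGPD. The JSON layout and
the roa-set entry grammar are assumptions stated in the text above;
SAMPLE_JSON is constructed test data.
"""
import ipaddress
import json
import time

# Constructed sample in the assumed rpki-client JSON layout: one IPv4 VRP that
# is still valid, one that has expired, and one IPv6 VRP that is still valid
# relative to NOW_FOR_DEMO (2021-10-02T16:00:00Z).
SAMPLE_JSON = """
{
  "metadata": {"buildtime": "2021-10-02T14:38:53Z"},
  "roas": [
    {"asn": 64496, "prefix": "192.0.2.0/24", "maxLength": 24,
     "ta": "example-ta", "expires": 1633276800},
    {"asn": 64497, "prefix": "198.51.100.0/24", "maxLength": 26,
     "ta": "example-ta", "expires": 1633104000},
    {"asn": 4200000000, "prefix": "2001:db8::/32", "maxLength": 48,
     "ta": "example-ta", "expires": 1640995200}
  ]
}
"""
NOW_FOR_DEMO = 1633190400


class VrpError(ValueError):
    """A VRP that must not be passed on to the router."""


def load_vrps(text):
    """Parse and validate the JSON; every field is checked before use."""
    doc = json.loads(text)
    vrps = []
    for entry in doc["roas"]:
        # strict=True rejects host bits set in the prefix (e.g. 192.0.2.1/24).
        prefix = ipaddress.ip_network(entry["prefix"], strict=True)
        asn = entry["asn"]
        if not isinstance(asn, int) or isinstance(asn, bool) or not 0 <= asn <= 0xFFFFFFFF:
            raise VrpError("bad asn %r for %s" % (asn, prefix))
        maxlen = entry["maxLength"]
        if not isinstance(maxlen, int) or not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise VrpError("bad maxLength %r for %s" % (maxlen, prefix))
        expires = entry["expires"]
        if not isinstance(expires, int) or expires <= 0:
            raise VrpError("missing or bad expires for %s" % prefix)
        vrps.append({"prefix": prefix, "asn": asn, "maxlen": maxlen,
                     "expires": expires, "ta": entry.get("ta")})
    return vrps


def partition_by_expiry(vrps, now):
    """Split VRPs into (fresh, stale); stale ones are already past 'expires'."""
    fresh, stale = [], []
    for vrp in vrps:
        (stale if vrp["expires"] <= now else fresh).append(vrp)
    return fresh, stale


def render_roa_set(vrps):
    """Render a bgpd.conf roa-set block (assumed entry grammar, see above).
    The expires value is kept so bgpd can drop the VRP on its own later."""
    lines = ["roa-set {"]
    # Sort by address family first so IPv4 and IPv6 networks are never compared.
    for vrp in sorted(vrps, key=lambda v: (v["prefix"].version, v["prefix"], v["asn"])):
        lines.append("\t%s maxlen %d source-as %d expires %d"
                     % (vrp["prefix"], vrp["maxlen"], vrp["asn"], vrp["expires"]))
    lines.append("}")
    return "\n".join(lines) + "\n"


def roa_set_from_json(text, now):
    """Full pipeline: returns (roa-set text, number of VRPs dropped as stale)."""
    fresh, stale = partition_by_expiry(load_vrps(text), now)
    return render_roa_set(fresh), len(stale)


if __name__ == "__main__":
    output, dropped = roa_set_from_json(SAMPLE_JSON, int(time.time()))
    print(output, end="")
    print("# dropped %d expired VRP(s)" % dropped)
```

<p>The pre-filter matters for the failure mode the notes describe: if this script is the last thing that ran before the validator link broke, the router is handed only VRPs that were valid at generation time, and the retained <code>expires</code> values bound how long each one survives after that.</p>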

<li><span style="color:red;">add blurb about awesome traceroute changes!</span>