===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/70.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- www/70.html 2021/10/02 14:25:54 1.38
+++ www/70.html 2021/10/02 14:38:53 1.39
@@ -386,18 +386,18 @@
Fully implemented RFC 6286 by checking for BGP ID collisions.
Adjusted the 4-byte AS number handling to RFC 6793 by changing error
behaviour from prefix witdraw to attribute discard.
- In bgpctl(8) print out both the sent "Neighbor capabilities" and the
+ In bgpctl(8) print out both the sent "Neighbor capabilities" and the
"Negotiated capabilities" for a session.
Print timestamps both as a formatted and a pure time in seconds
filed in various JSON objects.
- Fixed a bug, where during bgpd(8) config reloads prefixes of the
+ Fixed a bug, where during bgpd(8) config reloads prefixes of the
wrong address family could leak to peers resulting in session resets.
Added support for RFC 7313 - Enhanced Route Refresh
Disabled by default, to enable use 'announce enhanced refresh yes'.
Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
adding the prefix to the RIB. This improves `bgpctl show rib out`
output.
- Added command line option to both bgpd(8) and bgpctl(8) to show the version
+ Added command line option to both bgpd(8) and bgpctl(8) to show the version
Added support for RFC 9072 - Extended Optional Parameters Lenght for
BGP OPEN Message
Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
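Review bot: the three changed pairs in this hunk (the bgpctl(8) "Neighbor capabilities" line, the config-reload leak line and the version command line option line) read identically on both sides, so the edit appears to be whitespace or markup only; while these lines are being touched, the surrounding context still carries typos that could be fixed in the same commit: "prefix witdraw" should be "prefix withdraw", "a pure time in seconds filed" should be "field", and "Extended Optional Parameters Lenght" should be "Length".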
@@ -408,15 +408,6 @@
mitigate BGP route decision making based on outdated RPKI data.
OpenBGPD's companion rpki-client(8) produces roa-sets with the
new 'expires' property
-
-
- Fixed a memory leak in rpki-client(8).
- Set the rpki-client(8) x509 validation depth limit to 12 or double the current depth.
- Limited rpki-client(8) to 300 deltas to sync an RRDP repository rather than fetching a snapshot.
- Added http_proxy support to rpki-client(8) http handler.
- Defaulted to attempting RRDP first in rpki-client(8) -r.
- Added an 'expires' column to CSV & JSON output of rpki-client(8).
- Added keep-alive support to the rpki-client(8) HTTP module.
The pf(4) packet filter and its userland utility:
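Review bot: of the nine rpki-client(8) items removed here, "Fixed a memory leak in rpki-client(8)." has no counterpart in the rpki-client(8) list added further down in this diff, so that fix silently disappears from the release notes; either keep it here or carry it into the new section. The other removed items (validation depth 12, 300-delta limit, http_proxy support, RRDP-first default, 'expires' column, keep-alive) all reappear there. The retained sentence ending "produces roa-sets with the new 'expires' property" is also left without a terminating period after the removal.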
@@ -434,11 +425,11 @@
Zeroed out potential passwords when freeing memory or handling parsing errors in iked(8).
Added client-side support for DNS configuration to iked(8).
Increased iked(8) default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
- Fixed races which were slowing ipsec(4) throughput.
Fixed an iked(8) bug where no flows are added if a single address is configured in the config address instead of a pool.
Fixed a problem in iked(8) where no flows are loaded when a single config address without pool is configured.
Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to iked(8) as sntrup761x25519.
- Fixed IPsec(4) NAT-T to work with pipex(4).
+ Fixed races which were slowing ipsec(4) throughput.
+ Fixed ipsec(4) NAT-T to work with pipex(4).
The httpd(8) webserver saw numerous improvements:
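Review bot: the two context lines "Fixed an iked(8) bug where no flows are added if a single address is configured in the config address instead of a pool." and "Fixed a problem in iked(8) where no flows are loaded when a single config address without pool is configured." describe the same fix twice; one of them should be dropped while these items are being reordered. The reorder itself is fine: moving the throughput races and NAT-T entries after the sntrup761x25519 item groups the ipsec(4) fixes together, and lowercasing "IPsec(4)" to "ipsec(4)" matches the manual page name.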
@@ -450,7 +441,40 @@
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)
received the following new features and bugfixes:
- - ...
+
- Added keep-alive support to the HTTP client code for RRDP.
+
- Reference-count and delete unused files synced via RRDP, as far as
+ possible.
+
- In the JSON output, changed the AS Number from a string ("AS123") to
+ an integer ("123") to make processing of the output easier,
+
- Added an 'expires' column to CSV & JSON output, based on certificate
+ and CRL validity times. The 'expires' value can be used to avoid route
+ selection based on stale data when generating VRP sets, when faced
+ with loss of communication between consumer and valdiator, or
+ validator and CA repository,
+
- Made the runtime timeout (-s option) also trigger in
+ child proecesses.
+
- Improved RRDP support and make RRDP as default protocol for
+ syncronizing the RPKI repository data, with openrsync(1) used as secondary.
+
- At startup, warn if the filesystem containing the cache directory
+ is probably too small.
+
- Handle running out of disk space more gracefully, including cleanup
+ of temporary and old files before exiting.
+
- Improved the HTTP/1.1 request headers being sent.
+
- Improved validation checks for ROA and MFT objects.
+
- Improved the HTTP client code (status code handling, http proxy
+ support, keep-alive).
+
- In RRDP, do not access URI with userinfo (@-sign)
+
- Improved RRDP syncing by considering a notification file serial
+ jumping backwards as synced repository.
+
- Made -R (rsync only) also apply to the fetching of TA files.
+
- Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
+
- When producing output for bgpd(8), make use of the 'roa-set
+ expires' attribute to prevent machines from loading outdated roa-sets.
+
- In RRDP, limited the number of deltas to 300 per repo. If more deltas
+ exist, downloading a full snapshot is faster.
+
- Limited the validation depth of X509 certificate chains to 12, double
+ the current depth seen in RPKI.
add blurp about awesome traceroute changes!
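Review bot: several of the new rpki-client(8) list items contain typos and inconsistent punctuation: "valdiator" should be "validator", "child proecesses" should be "child processes", "syncronizing" should be "synchronizing", and "Improved RRDP support and make RRDP as default protocol" should read "made RRDP the default protocol" to match the past tense of the other items. The items ending "to make processing of the output easier," and "or validator and CA repository," end with commas where the rest end with periods, and "In RRDP, do not access URI with userinfo (@-sign)" has no terminating punctuation. The trailing context "add blurp about awesome traceroute changes!" shows the traceroute section is still a placeholder, so it needs to be written before this page is published.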