rpki-client stricter aging policy for Trust Anchor certificates committed to -current
Today Job Snijders (job@) committed code to rpki-client(8) to implement a gradual phase-in of a stricter policy on TA certificate lifetimes. The commit message reads:
Subject: CVS: cvs.openbsd.org: src
From: Job Snijders <job () cvs ! openbsd ! org>
Date: 2024-12-18 16:38:40
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/12/18 09:38:40
Modified files:
usr.sbin/rpki-client: cert.c
Log message:
Schedule future rejection of ultra long-lived TA certificates
The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.
FRAME sockets added to OpenBSD
Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:
CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2024/12/15 04:00:05
Modified files:
sys/conf : files
sys/kern : uipc_domain.c uipc_socket.c
sys/net : if_ethersubr.c
sys/sys : socket.h
Added files:
sys/net : af_frame.c frame.h
Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.
this allows userland to use sockets to send and receive Ethernet
frames. as per the upcoming frame.4 man page:
frame protocol family sockets are designed as an alternative to bpf(4)
for handling low data and packet rate communication protocols. Rather
than filtering every frame entering the system before the network stack
like bpf(4), the frame protocol family processing avoids this overhead by
running after the built in protocol handlers in the kernel. For this
reason, it is not possible to handle IPv4 or IPv6 packets with frame
protocol sockets because the kernel network stack consumes them before
the receive handling for frame sockets is run.
if you've used udp sockets then these should feel much the same.
my main motivation is to implement an lldp agent in userland, but
without having to have bpf look at every packet when lldp happens
every minute or two.
the only feedback i had was positive, so i'm putting it in
ok claudio@
There's been a related change to aggr(4).
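The socket domain itself is OpenBSD-specific, so this added example (not code from OpenBSD or from the commit above) shows only the userland side that follows recvfrom(2) on such a socket: a bounds-checked parser for the LLDP frames a frame socket would deliver to an agent like the one dlg@ describes, run over a constructed sample frame. The LLDP multicast address, ethertype and TLV layout are taken from IEEE 802.1AB; the source MAC and the port name "em0" are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETHERTYPE_LLDP 0x88cc   /* IEEE 802.1AB ethertype */
struct lldp_info {              /* what an agent keeps from one LLDPDU */
    uint8_t  src[6];            /* neighbour MAC from the Ethernet header */
    uint16_t ttl;               /* seconds the neighbour entry stays valid */
    size_t   chassis_len;       /* payload length of the Chassis ID TLV */
    size_t   port_len;          /* payload length of the Port ID TLV */
    unsigned seen;              /* bitmask of TLV types 1..3 encountered */
};
/* Walk the TLVs of a frame as handed over by recvfrom(2); every length is checked
 * against the buffer since the bytes come off the wire. Returns 0 for a
 * well-formed LLDPDU, -1 for a malformed or non-LLDP frame. */
int parse_lldp_frame(const uint8_t *buf, size_t len, struct lldp_info *out)
{
    size_t off = 14;                            /* dst(6) + src(6) + ethertype(2) */
    if (len < 14 || ((buf[12] << 8) | buf[13]) != ETHERTYPE_LLDP)
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out->src, buf + 6, sizeof(out->src));
    for (;;) {
        if (len - off < 2)
            return -1;                          /* no room for a TLV header */
        uint16_t hdr  = (buf[off] << 8) | buf[off + 1];
        uint8_t  type = hdr >> 9;               /* 7-bit type */
        size_t   tlen = hdr & 0x1ff;            /* 9-bit length */
        off += 2;
        if (tlen > len - off)
            return -1;                          /* TLV runs past the frame */
        if (type == 0)                          /* End of LLDPDU */
            return (out->seen & 0x0e) == 0x0e ? 0 : -1;
        if (type == 1) out->chassis_len = tlen;
        if (type == 2) out->port_len = tlen;
        if (type == 3) {
            if (tlen != 2) return -1;           /* TTL is always 2 bytes */
            out->ttl = (buf[off] << 8) | buf[off + 1];
        }
        if (type <= 3) out->seen |= 1u << type;
        off += tlen;
    }
}
/* Constructed sample: LLDP multicast dst, made-up src 02:00:00:00:00:01,
 * Chassis ID (MAC subtype 4), Port ID (ifname subtype 5, "em0"), TTL 120. */
static const uint8_t sample_frame[] = {
    0x01,0x80,0xc2,0x00,0x00,0x0e, 0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0xcc,
    0x02,0x07, 0x04, 0x02,0x00,0x00,0x00,0x00,0x01,  /* type 1, len 7 */
    0x04,0x04, 0x05, 'e','m','0',                   /* type 2, len 4 */
    0x06,0x02, 0x00,0x78,                           /* type 3, len 2 */
    0x00,0x00                                       /* type 0: end */
};
```

The three mandatory TLVs (Chassis ID, Port ID, TTL) must all appear before the End TLV, and a frame whose TLV lengths exceed what the socket actually delivered is rejected rather than read past the buffer.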
Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:
We have released OpenBGPD 8.7, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.
This release includes the following changes to the previous release:
* Cache the Adj-RIB-Out for sessions that have not been down for
more than 1h. This significantly improves synchronisation time
of peers that flap.
* Implement RFC 8538: Notification Message Support for
BGP Graceful Restart.
* Add support for RFC 8654, extended messages.
* In bgplgd add additional endpoints to query the Adj-RIB-In and
Adj-RIB-Out.
* Bump internal message size limit to 128k and handle up to 10 000
ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.
* Various improvements to the ibuf API including a new reader API
which is used to make all message parsing in bgpd memory safe.
* Added support for IPsec and TCP MD5 to RTR sessions.
OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the
Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE,
and Ubuntu. It is our hope that packagers take interest and help adapt
OpenBGPD-portable to more distributions.
We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.