Recent Releases
8.7 17 Dec 2024 21:58
major feature:
Cache the Adj-RIB-Out for sessions that have not been down for more than 1h. This significantly improves synchronisation time of peers that flap. Implement RFC 8538: Notification Message Support for BGP Graceful Restart. Add support for RFC 8654, extended messages. In bgplgd add additional endpoints to query the Adj-RIB-In and Adj-RIB-Out. Bump internal message size limit to 128k and handle up to 10 000 ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile. Various improvements to the ibuf API including a new reader API which is used to make all message parsing in bgpd memory safe. Added support for IPsec and TCP MD5 to RTR sessions.
8.6 22 Sep 2024 20:55
major bugfix:
Filtered prefixes are now included in the Local-RIB if the config option 'rde rib Loc-RIB include filtered' is set. Add 'bgpctl show rib filtered' to show filtered prefixes. Add 'min-version' RTR config option and default to RTR version 1. Set min-version to 2 to enable draft-ietf-sidrops-8210bis-14 and ASPA support or better define the ASPA table in the config. Adjust RTR ASPA pdu parser to follow draft-ietf-sidrops-8210bis-14. Check the max_prefix and max_out_prefix limits on config reload. Fix race condition between TCP-MD5 key removal and session closure to ensure all messages are sent with the proper TCP-MD5 signature. Fix 'nexthop qualify via bgp' by re-evaluating the nexthops when a BGP route is added to the FIB. Handle the CLUSTER_LIST attribute according to RFC7606. Fix some undefined or non-portable behaviour when handling NULL / 0-sized objects.
8.5 27 Jun 2024 22:53
major bugfix:
Include OpenBSD 7.5 errata 004: Repair a withdraw desynchronization problem in bgpd(8). Affected are OpenBGPD 8.2, 8.3 and 8.4. Fix Linux TCP MD5 autoconf detection and improve the code to work in all cases. Double peer description length to 64 characters. Improve handling of bgpd AFI IPv4 sessions over IPv6 only links. Sessions over IPv6 link-local addresses are now always considered to be connected. Allow operators to enforce the presence of certain capabilities. Improve capability negotiation and remove 'announce capabilities'. The 'announce capabilities (yes|no)' neighbor config option needs to be removed from configuration files. Instead individual capabilities need to be disabled. Improve negotiation of the multi-protocol capability and the fallback to IPv4 only mode. Mark RTR and IPv6 BGP packets with DSCP CS6 (network control). Increase RTR PDU limit to 48k and limit number of SPAS to 10'000. Convert the remaining session engine parsers to the new ibuf API. Various changes to autoconf and portable headers for NetBSD support.
8.4 08 Mar 2024 20:47
minor feature:
Rewrite the internal message passing mechanism to use a new memory-safe API. Rewrite most protocol parsers to use the new memory-safe API. Convert the UPDATE parser, all of RTR, as well as both the MRT dump code in bgpd and the parser in bgpctl. Improve RTR logging, error handling and version negotiation. Switch to autoconf 2.71 to generate the supplied configure scripts.
8.3 15 Oct 2023 21:36
major bugfix:
bgpd 8.1 and 8.2 could send a bad COMMUNITY attribute when non-transitive ext-communities are present. A workaround is to add a filter rule to clear non-transitive ext-communities: "match to ebgp set ext-community delete ovs *". Fix a possible fatal error in the RDE when "announce add-path send all" is used. The error is triggered by an ineligible path which is wrongly distributed. Fix selection of the local nexthop for the alternate address family. This is used by 'announce IPv6 unicast' over an IPv4 session or vice-versa.
8.2 03 Oct 2023 16:31
major bugfix:
Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16 and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup tables AFI-agnostic. Fix a fatal error in the Linux netlink parser which was triggered because of a mismatched netlink message size. Rework UPDATE message generation to use the new ibuf API instead of the previous hand-rolled solution. Improve error message in bgpctl for features not supported by the portable version of OpenBGPD. Adjusted example GRACEFUL_SHUTDOWN filter rule in the example config to only match on ebgp sessions.
8.1 12 Jul 2023 18:41
major bugfix:
Include OpenBSD 7.3 errata 002: Avoid fatal errors in bgpd(8) due to incorrect refcounting and mishandling of ASPA objects. Fix bgpctl(8) 'show rib in' by renaming 'invalid' into 'disqualified'. Include OpenBSD 7.3 errata 006: Incorrect length handling of path attributes in bgpd(8) can lead to a session reset. Include OpenBSD 7.3 errata 009: When tracking nexthops over IPv6 multipath routes, or when receiving a NOTIFICATION while reaching an internal limit, bgpd(8) could crash. Add configure options to adjust WWW_USER and wwwrunstatedir. Fix 'ext-community * *' matching which also affects filters removing all ext-communities. Limit the socket buffer size to 64k for all sessions. Limiting the buffer size to a reasonable size ensures that not too many updates end up queued in the TCP stack.
8.0 04 May 2023 22:43
minor feature:
Include OpenBSD 7.3 errata 001: A new ASPA object appeared in the RPKI ecosystem and exposed bugs in bgpd(8) and rpki-client(8). Introduce a semaphore to protect intermittent RTR session data from being published to the RDE. Add first version of flowspec support. Right now only announcement of flowspec rules is possible. Improve and extend the bgpctl parser to handle commands like 'bgpctl show rib 192.0.2.0/24 detail'. Also add various flowspec specific commands.
7.9 23 Mar 2023 13:27
security:
Include OpenBSD 7.2 errata 023: Incorrect length checks allow an out-of-bounds read in bgpd(8).
7.8 18 Mar 2023 00:06
major feature:
Improved performance by optimising the output filters. Add Autonomous System Provider Authorization (ASPA) validation based on draft-ietf-sidrops-aspa-verification-12. Introduce avs (ASPA validation state) filter and bgpctl filter argument. Add ASPA support for the RTR protocol based on draft-ietf-sidrops-8210bis-10. Improve open policy (RFC 9234) support and enable the capability automatically if a role is specified for the peer. Introduce a per neighbor 'role' configuration option to specify the session role used by ASPA verification and the open policy capability. The 'announce policy' statement was simplified at the same time. Improve startup behaviour by introducing a small delay before opening the connection to a new peer. Support for aspa-set table config which can be provided by rpki-client. Make it possible to filter the RIB by invalid and leaked prefixes in bgpctl and bgplgd. Add OpenMetrics output to bgpctl for various BGP statistics and add /metrics endpoint to bgplgd. Support the pftable attribute set on FreeBSD systems.
7.7 06 Oct 2022 21:29
major feature:
Adjust pathid_assign() to be much faster for the common case. Improve performance for generating updates for sessions using add-path send all. Implement proper routing table sync in the kroute-linux.c code. Enable linux netlink integration by default. Add a --disable-fib-support config option to disable FIB sync on OpenBSD, FreeBSD and Linux systems.
7.6 15 Sep 2022 22:45
major bugfix:
Include OpenBSD 7.1 errata 008: bgpd(8) could fail to invalidate nexthops and incorrectly leave them in the FIB or Adj-RIB-Out. Speed up bgpctl show rib 10/8 or-longer and show rib 10/8 or-shorter. Switch various static hash tables to RB trees improving performance on large systems. Export per neighbor pending update and withdraw statistics. Fix race between a neighbor session reset and its update message backlog. Improve handling of nexthop reachability state changes. Further improve portability of the FIB handling code.
7.5 05 Aug 2022 01:50
minor feature:
Implement RFC 9234 - Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages. Full support for RFC 7911 - Advertisement of Multiple Paths in BGP. Include bgplgd(8) - a fastcgi server providing a REST API of bgpctl. Built by default but can be excluded with --disable-bgplgd. Add FIB and TCP MD5 support for FreeBSD. Disable Linux FIB support by default, add an --enable-netlink configure option to enable it for testing and development. Improve bgpd FIB code, make it more portable and properly handle IPv6 scoped addresses.
7.4 14 Jun 2022 21:09
minor feature:
Implement max-communities filter to limit the number of allowed communities, ext-communities and large-communities. Fix TCP-MD5 support on Linux systems. The TCP-MD5 keys were not correctly loaded on the listening sockets, which allowed unprotected connections in. Fix insertion of additional non-transitive extended communities when sending out prefixes. Relax IP address limitation by allowing prefixes in 240/4.
7.3 13 Apr 2022 20:29
major feature:
Macro expansion in the config file is improved. It is now possible to expand 'set large-community myAS: location: transit'. Add initial FIB support for Linux. Routes can be added and removed. Nexthop tracking and dynamic interface detection are not yet implemented. Major refactoring in the RIB codebase to add multipath support in an upcoming release.
7.2 23 Sep 2021 22:54
major feature:
Support for RFC 9072 - Extended Optional Parameters Length for BGP OPEN Message. Support for RFC 8050 - MRT Format with BGP Additional Path Extensions. Implement receive side of RFC 7911 - Advertisement of Multiple Paths in BGP. OpenBGPD is currently not able to send multiple paths out. Improve checks of VRPs loaded via RTR or from the roa-set table. Allow optionally specifying an expiry time for roa-set entries to mitigate BGP route decision making based on outdated RPKI data. OpenBGPD's companion rpki-client(8) produces roa-sets with the new 'expires' property.
7.1 25 Jun 2021 19:45
minor bugfix:
OpenBSD 6.9 errata 009: During bgpd(8) config reloads prefixes of the wrong address family could leak to peers resulting in session resets. Support for RFC 7313 - Enhanced Route Refresh: Disabled by default, to enable use 'announce enhanced refresh yes'. Improve output of Adj-RIB-Out by updating nexthop and ASPATH before adding the prefix to the RIB. This improves 'bgpctl show rib out' output. Add command line option to show the version.
7.0 05 Jun 2021 11:34
major feature:
Stop processing queued UPDATES when the max-prefix limit was reached. Improve negotiation for route refresh, graceful restart and multi-protocol capabilities. Correctly track 'rde evaluate all' and 'export' settings during reload. Properly withdraw prefixes when 'rde evaluate all' is used. Fix MRT handling on initial startup for message dump types. Fix and use non-blocking connect for RTR sessions. Fully implement RFC 6286 by checking for BGP ID collisions. Adjust the 4-byte AS number handling to RFC 6793 by changing error behaviour from prefix withdraw to attribute discard. In bgpctl print out both the sent "Neighbor capabilities" and the "Negotiated capabilities" for a session. Print timestamps both as a formatted and a pure time in seconds field in various JSON objects.
6.9p0 01 May 2021 11:54
major feature:
Introduced bgpd(8) 'rde evaluate all' to reduce path hiding in IXP route-server environments. Added RTR support to OpenBGPD. Added bgpctl(8) 'show rtr' to display basic information about RTR sessions. Added bgpctl(8) 'show sets' to display information about the roa-set, as-sets and prefix-sets loaded into bgpd(8). Properly implemented 'rde med compare strict' in bgpd(8) and ensured that the order of prefixes is always correct. Introduced the bgpd.conf(5) per neighbor and global config option 'reject as-set yes/no' to allow rejection of received UPDATES with AS_SET segments. These rejected prefixes can be viewed with 'bgpctl show rib in error'. No longer allow configuration of the same neighbor multiple times. Introduced a send hold timer in bgpd(8) to detect stalls on the sending side of a TCP connection, acting as a last resort to detect faulty peers. pf(4) tables now track prefixes correctly even when received by multiple sessions.
6.8p1 05 Nov 2020 23:51
major bugfix:
Include OpenBSD 6.8 errata 001: In bgpd, the roa-set parser could leak memory.
6.8p0 20 Oct 2020 21:35
major feature:
In bgpctl(8), the 'reload' command now takes a 'reason' argument to use as Administrative Shutdown Communication to its neighbors. Added bgpctl(8) support for VPNv6 in the family option of the 'show rib' command. Added bgpctl(8) support for JSON formatted output in various 'show' commands. Added support for building OpenBGPD on Alpine Linux.