There has long been some concern in the networking communities, particularly the routing security part, about the use of very long lived Trust Anchor (TA) certificates in routing infrastructure.

Today Job Snijders (job@) commited code to rpki-client(8) to implement a gradual phase in of a stricter policy on TA certificates lifetimes.

The commit message reads,

Subject:    CVS: cvs.openbsd.org: src
From:       Job Snijders <job () cvs ! openbsd ! org>
Date:       2024-12-18 16:38:40


CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2024/12/18 09:38:40

Modified files:
	usr.sbin/rpki-client: cert.c 

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.

Thanks to work by David Gwynne (dlg@), OpenBSD -current now has a new "AF_FRAME" socket domain:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2024/12/15 04:00:05

Modified files:
	sys/conf       : files 
	sys/kern       : uipc_domain.c uipc_socket.c 
	sys/net        : if_ethersubr.c 
	sys/sys        : socket.h 
Added files:
	sys/net        : af_frame.c frame.h 

Log message:
add an AF_FRAME socket domain and an IFT_ETHER protocol family under it.

this allows userland to use sockets to send and receive Ethernet
frames. as per the upcoming frame.4 man page:

frame protocol family sockets are designed as an alternative to bpf(4)
for handling low data and packet rate communication protocols.  Rather
than filtering every frame entering the system before the network stack
like bpf(4), the frame protocol family processing avoids this overhead by
running after the built in protocol handlers in the kernel.  For this
reason, it is not possible to handle IPv4 or IPv6 packets with frame
protocol sockets because the kernel network stack consumes them before
the receive handling for frame sockets is run.

if you've used udp sockets then these should feel much the same.

my main motivation is to implement an lldp agent in userland, but
without having to have bpf look at every packet when lldp happens
every minute or two.

the only feedback i had was positive, so i'm putting it in
ok claudio@

There's been a related change to aggr(4).

Claudio Jeker (claudio@) announced the release of version 8.7 of OpenBGPD, the OpenBSD project's Border Gateway Protocol (BGP) daemon:

We have released OpenBGPD 8.7, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

    * Cache the Adj-RIB-Out for sessions that have not been down for
      more than 1h. This significantly improves synchronisation time
      of peers that flap.

    * Implement RFC 8538: Notification Message Support for
      BGP Graceful Restart.

    * Add support for RFC 8654, extended messages.

    * In bgplgd add additional endpoints to query the Adj-RIB-In and
      Adj-RIB-Out.

    * Bump internal message size limit to 128k and handle up to 10 000
      ASPA SPAS entries as suggested in draft-ietf-sidrops-aspa-profile.

    * Various improvements to the ibuf API including a new reader API
      which is used to make all message parsing in bgpd memory safe.

    * Added support for IPsec and TCP MD5 to RTR sessions.

OpenBGPD-portable is known to compile and run on FreeBSD, NetBSD and the
Linux distributions Alpine, Debian, CentOS/RHEL/Rocky, Fedora, openSUSE/SLE,
and Ubuntu. It is our hope that packagers take interest and help adapt
OpenBGPD-portable to more distributions.

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

The initial list of 21 'low hanging fruit' videos from EuroBSDcon 2024 has been released with more to follow:

Here is the EuroBSDcon 2024 playlist.

The OpenBSD highlights include:

Confidential Computing with OpenBSD - Hans Jörg Höxer

Building a SD-WAN appliance suitable for Australian Health Sector NFP/NGO - Jason Tubnor

A Packet's Journey Through the OpenBSD Network Stack - Alexander Bluhm

OpenBSD vs. IPv6 - Florian Obser

Global anycast using OpenBSD on a budget - Rob Keizer

Why rewrite fw_update(8)? - Andrew Hewus Fresh<br>

vmd's multi-process device emulation: 2 releases later - Dave Voutila

Puffy does Realtime Hypermedia - Patrick Marchand

The rest (see the conference schedule) will appear soon, pending some necessary post-processing.

Enjoy this bunch, and do come back for the rest soon!

(As noted in his toot,) Rafael Sadowski (radowski@) has written a blog entry entitled dpb - distributed ports builder, which describes his dpb(1) setup.
It is likely to be of interest to those getting started with porting software to OpenBSD.

The article sets out its purpose as,

The goal is to provide an overview of how to configure a single instance for port building with minimal effort. Whether you’re trying dpb(1) for the first time or looking for a straightforward guide, I hope this documentation will be useful both for beginners and for myself, as a reference for future setups since I don’t have an Ansible playbook for it ;).

So maybe an Ansible playbook is up next? Anyway, a good read for prospective and current porters. Enjoy!

Jeremie Courreges-Anglas (jca@) committed a change which is likely to be welcomed by laptop users:

CVSROOT:	/cvs
Module name:	src
Changes by:	jca@cvs.openbsd.org	2024/11/21 04:58:45

Modified files:
	sys/kern       : sched_bsd.c 
	lib/libc/sys   : sysctl.2 

Log message:
Let the user provide an alternative perfpolicy when on battery

The current behavior of "auto", which implies running at full speed when
on AC power, does not fit all the hardware and use cases. For some people
it results in more power consumption, more heat, more noise, etc.

Extend the semantics of hw.perfpolicy and provide two buttons to
specify the desired behavior:

sysctl hw.perfpolicy=<policy while on ac>[,<policy while on battery>]

Keep the default behavior of "high,auto". People can opt for "auto,auto"
or simply "auto" instead.

No objection from deraadt@, input and ok sobrado@ sthen@

This is now in snapshots, so please test if you run those!

Soon, unwind will have support wildcard in blacklist.

Here, a change that makes any domain in the blacklist that starts with '.', which is not a legal name due to an empty label, is treated as any subdomain on that zone.

This means that .example.com blocks all requests to any subdomain of example.com, but allows example.com.

Changes: https://marc.info/?l=openbsd-cvs&m=173244784522937&w=2

Version 0.106 of Game of Trees has been released (and the port updated).

• prevent gotd from exiting with pending notifications if client disconnects
• convert got to the new imsg API
• gotwebd: improve performance of repository age calculations
• gotwebd: ensure child processes inherit non-default config

Version 0.105 of Game of Trees has been released (and the port updated).