Week of 2026-06-25
Shipped across security, the appliance, routing, and observability this week.
Read the update29 weeks of shipped work, in Zeledon's voice, mined from git history. New weeks are also posted to Discord's ze-news. Subscribe by RSS, or scan the terser changelog.
Shipped across security, the appliance, routing, and observability this week.
Read the updateFocused on trimming attack surface and rounding out OSPF.
Read the updateNative IS-IS landed, MPLS gained fast reroute, and firewall rules can now pull straight from the IRR.
Read the updateA week of operator-facing polish: a real Web Workbench UI, SR-Policy and IRR-based filtering in BGP, per-subscriber CoS, and a talk at LINX.
Read the updateThe CLI grammar rollout finished, MRT tooling arrived, and a handful of quiet-but-important reliability bugs got fixed.
Read the updateMPLS grew a full label-switching stack, flow export and gNMI landed, and config commits became transactional.
Read the updateA full native IPsec/IKEv2 VPN stack, a route server for IXPs, and a big allocation-hunting pass across the BGP hot path.
Read the updateCPE features round out, interface config gets restructured, and RPKI gains ASPA path verification.
Read the updateTwo major subsystems landed this week: a fleet management tool for appliances, and a PPPoE access concentrator alongside VPP-backed NAT and ACLs.
Read the updateInterface configuration now rolls back cleanly on failure, the web UI got a dedicated CLI page, and traffic-control state survives more edge cases.
Read the updateSecurity hardening, a new diagnostics subsystem, and a redesigned operator web UI headline this week.
Read the updateA complete L2TP/PPP access stack, TACACS+ and pluggable AAA, a VPP dataplane, and new nftables/tc firewall backends.
Read the updateA full BFD engine, BGP route reflection and policy filters, a real REST/gRPC config editor, WireGuard support, and a talk at Net Manchester.
Read the updateA full interface management subsystem, offline DNS/RIR resolution tooling, config-driven plugin loading, BGP healthcheck and long-lived graceful restart support, and a Looking Glass overhaul.
Read the updateA full web interface, fleet management, redistribution filtering, and a stack of routing-protocol correctness work all landed together.
Read the updateRPKI route origin validation landed in full, alongside a wave of BGP RFC compliance work, CLI polish, and daemon security hardening.
Read the updateA big week for access, config safety, and BGP session security.
Read the updateReal best-path selection landed, along with outbound route tracking and a round of CLI/editor polish.
Read the updateA route-server-focused week: reliability fixes for BGP Route Server under load, a new external plugin protocol option, and systematic config validation.
Read the updateA hard round of route reflector hardening, a live web dashboard for the chaos tool, and a batch of BGP protocol and config improvements.
Read the updateA new chaos-testing tool, matured config reload, RFC 7606 enforcement, and a hot-path allocation cleanup.
Read the updateMostly spent on the config editor, a new capability, and a round of decode/RIB bug fixes.
Read the updateConfig work, the ExaBGP migration path, and correctness fixes across the wire.
Read the updateA big architecture week: Ze split into a hub process and a BGP child process, gained live config reload, and got a documented plugin SDK.
Read the updateA week focused on Graceful Restart, ExaBGP migration tooling, and logging.
Read the updateThis week rounded out route-refresh, ADD-PATH and VPN/labeled-unicast support in the plugin API, alongside a batch of BGP correctness fixes.
Read the updateRoute-family coverage rounded out (labeled-unicast, MPLS VPN, MUP, route reflection), a batch of protocol-correctness fixes, and a security-relevant change to how Ze listens for BGP sessions.
Read the updateWork on the BGP engine itself: route encoding correctness, session robustness, and a first real API surface for driving peers programmatically.
Read the updateThe first tracked week of development on Ze. In seven days the BGP engine went from nothing to a config-driven daemon that speaks the wire protocol, holds a RIB, and tests itself against ExaBGP.
Read the update