Week of 2026-06-25
Shipped across security, the appliance, routing, and observability this week.
Control-plane survival
A big push to keep the control plane alive under attack:
- GTSM / TTL-security (RFC 5082) for BGP
- CoPP policing on TCP/179
- Egress CS6 scheduling
- On-demand flowspec route origination with a tag registry
- Automatic DDoS detection and auto-mitigation, with a Flowtriq reporter, attack-target prefixes pulled from live traffic stats, and attack characterization feeding a surgical responder
Feature gates
Ze can now compile subsystems out at build time: gNMI, MCP, REST/gRPC APIs, the Prometheus exporter, and each of ISIS / LDP / OSPF / RSVP-TE. Smaller images, less attack surface.
Appliance & installer
The installer's old busybox shell initrd is gone, replaced by a single pure-Go PID-1 binary that boots the same way over PXE or off USB/ISO media. Along with it: boot-NIC pinning, DHCP recovery, MAC-pinned recovery, a gated rescue shell, SSH enabled on the appliance, and consolidated build outputs with faster incremental kernel builds.
Routing & access
- Per-family import/export filtering with an egress gate
- Fixed an AS_PATH rewrite panic
- L2TP dead-peer detection and route withdrawal on teardown
- PPP now keeps IPv4 up when IPv6CP is declined
- Leaner ISIS/OSPF hot paths
Observability
- New GeoDNS per-source-IP server plugin
- Lazy traffic-stat aggregation and a multi-subscriber observation feed
Under the hood
Storage now self-heals a corrupt blob store on open, the internal module layout got tidied up, and there's a unified dev bootstrap.
Coming up
Design work started on AS112 anycast DNS and kernel lockdown / hardening.