Feature

RFC Implementation Status

This page is the public standards ledger for Ze. It lists RFCs that Ze implements, partially implements, intentionally does not implement, or has deferred. It is a product-support view, not a formal IETF compliance certificate: Supported means the behavior is implemented and tied to current source anchors; Experimental means implemented but still needs deployment evidence or hardening before production claims; Partial means a named subset is missing, intentionally skipped, or not proven; Unsupported means Ze explicitly does not implement it; Future means tracked but not shipped.

Reference summaries under rfc/short/ are not implementation claims by themselves. A row belongs here only when current docs, source code, tests, or learned closure notes tie the RFC to a Ze feature.

BGP base protocol, capabilities, and session safety

RFC Area Status Implemented coverage Remaining if not complete
RFC 4271 BGP-4 base protocol Supported FSM, OPEN, UPDATE, NOTIFICATION, KEEPALIVE, core path attributes, session events. βœ•
RFC 5492 BGP capability advertisement Supported Capability TLV parser, encoder, unknown-capability ignore behavior, negotiated session view. βœ•
RFC 4760 Multiprotocol BGP Supported AFI/SAFI capability negotiation, MP_REACH_NLRI, MP_UNREACH_NLRI, family-specific UPDATE handling. RFC 7606 MP attribute ordering tradeoff is tracked under RFC 7606.
RFC 6793 4-byte AS numbers Supported ASN4 capability, AS4_PATH, AS4_AGGREGATOR, AS_TRANS handling. βœ•
RFC 2918 Route Refresh Supported Route Refresh capability and ROUTE-REFRESH message handling. βœ•
RFC 7313 Enhanced Route Refresh Supported BoRR and EoRR support, capability checks, bounded route resend. βœ•
RFC 7911 ADD-PATH Supported Per-family send and receive modes, Path ID packing, NLRI path IDs where negotiated. βœ•
RFC 8654 BGP Extended Message Supported Extended message capability and 65535-byte message limit when negotiated. βœ•
RFC 8950 Extended Next Hop Supported IPv6 next-hop for IPv4 NLRI and negotiated extended next-hop lookup. βœ•
RFC 5549 Legacy extended next-hop encoding Supported Backward-compatible parser for the older format superseded by RFC 8950. Main public claim uses RFC 8950.
RFC 4724 Graceful Restart Supported GR capability, End-of-RIB markers, receiving-speaker stale handling, restart marker integration. βœ•
RFC 9494 Long-Lived Graceful Restart Supported LLGR capability state, LLGR_STALE community, route depreference during long-lived stale retention. βœ•
RFC 9234 BGP Role and OTC Supported Role capability negotiation, role mismatch NOTIFICATION, OTC egress stamping, OTC ingress leak detection and treat-as-withdraw, unicast-only (AFI 1/2, SAFI 1) OTC scoping. βœ•
RFC 8516 FQDN capability Supported Hostname capability code 73, decode support, per-peer hostname and domain advertisement. Some older plugin comments still reference the draft name.
RFC 2545 IPv6 next-hop handling Supported IPv6 MP_REACH next-hop parsing, including global plus link-local next-hop form. Capability code 77 is draft-based; RFC 2545 covers the next-hop wire behavior.
RFC 4486 BGP Cease subcodes and prefix maximum Supported Cease subcode catalog, max-prefix teardown, backoff, and operator reset paths. βœ•
RFC 7607 Prefix-limit enforcement context Supported Prefix-limit enforcement is called before route admission and documented with RFC 4486. βœ•
RFC 9687 Send Hold Timer Supported Send Hold Timer, auto duration max(8min, 2x hold-time), NOTIFICATION code 8 on expiry. βœ•
RFC 7606 Revised UPDATE error handling ∿ Structural UPDATE validation, treat-as-withdraw decisions, attribute-discard decisions, tests. Ze intentionally emits MP_UNREACH first and MP_REACH last, which is not fully compliant with Section 5.1 ordering guidance.
RFC 8203 Administrative Shutdown Communication Supported UTF-8 shutdown message for Cease/Admin Shutdown and Cease/Admin Reset. Sender keeps the conservative 128-byte RFC 8203 limit.
RFC 9003 Administrative Shutdown Communication update Supported Receiver accepts the updated UTF-8 format and 255-byte length field; invalid UTF-8 is stripped on send. Sender remains conservative at 128 bytes for interoperability.
RFC 8538 Notification GR Unsupported Cease Hard Reset subcode (9) name is known. The GR N-bit is decoded but not acted upon; routes are dropped on any NOTIFICATION, so RFC 8538 route retention is not implemented.
RFC 5065 BGP confederations Unsupported None claimed. Explicitly unsupported.
RFC 2385 TCP MD5 Supported on supported kernels Per-peer MD5 password plumbing and OS-specific socket hooks. Platform availability depends on kernel support.
RFC 5082 GTSM and TTL security Supported on Linux TTL security settings and BFD/BGP TTL gates where supported. Platform availability depends on kernel support.
RFC 5925 TCP-AO Unsupported None claimed. Not implemented.

BGP attributes, families, policy, and NLRI

RFC Area Status Implemented coverage Remaining if not complete
RFC 1997 Standard communities Supported COMMUNITY attribute parsing, encoding, JSON, and well-known names. βœ•
RFC 3765 NOPEER community Supported NOPEER well-known community parsing and text output. βœ•
RFC 4360 Extended communities Supported Extended community attribute parsing, encoding, JSON, and policy use. βœ•
RFC 5701 IPv6 extended communities Supported IPv6 extended community attribute support. βœ•
RFC 8092 Large communities Supported LARGE_COMMUNITY parsing, validation, duplicate removal, JSON, and RFC 7606 length checks. βœ•
RFC 4456 Route Reflection Supported ORIGINATOR_ID, CLUSTER_LIST, route-reflector plugin behavior, cluster checks. βœ•
RFC 7311 AIGP attribute ∿ AIGP wire encoding, decoding, JSON, and set/increment/decrement filters. AIGP is not consumed by best-path selection.
RFC 4364 BGP/MPLS IP VPNs Supported VPNv4 NLRI, RD, labels, route config, encode, and decode. βœ•
RFC 4659 VPNv6 Supported VPNv6 NLRI and next-hop behavior through VPN family support. βœ•
RFC 8277 BGP Labeled Unicast Supported IPv4 and IPv6 labeled unicast NLRI, label stack handling, route config, and dataplane handoff. βœ•
RFC 3032 MPLS label stack encoding Supported as dependency 20-bit label stack encoding and validation used by labeled unicast and VPN NLRI. βœ•
RFC 4761 VPLS NLRI Supported L2VPN VPLS family registration, encode, decode, and route config. βœ•
RFC 4762 VPLS architecture Supported at feature scope VPLS feature inventory and NLRI support tie the RFC to current behavior. βœ•
RFC 7432 EVPN Supported EVPN NLRI family, common header, route-type parsing, encode, and decode. Routes are announced via the update text API command; config-file route declaration is not implemented for EVPN.
RFC 9136 EVPN IP Prefix extensions Supported in EVPN scope EVPN implementation tracks the extension alongside RFC 7432. βœ•
RFC 8955 IPv4 FlowSpec Supported IPv4 FlowSpec and FlowSpec VPN NLRI encoding, decoding, route config, filters, and action communities. βœ•
RFC 8956 IPv6 FlowSpec Supported IPv6 FlowSpec and FlowSpec VPN family support. βœ•
RFC 5575 Earlier FlowSpec reference Supported as legacy reference Legacy FlowSpec action community behavior remains documented. Main public claim uses RFC 8955 and RFC 8956.
RFC 7752 BGP-LS ∿ BGP-LS and BGP-LS VPN NLRI decode, including many TLVs. Encode and route config are not implemented; BGP_LS path attribute remains marked not implemented.
RFC 9085 BGP-LS Segment Routing extensions ∿ Decoded as part of BGP-LS TLV coverage. Same BGP-LS encode and route-config gaps.
RFC 9514 BGP-LS SRv6 extensions ∿ Decoded as part of BGP-LS SRv6 TLV coverage. Same BGP-LS encode and route-config gaps.
RFC 4684 Route Target Constraint ∿ RTC NLRI decode. βœ•
RFC 6514 MVPN and PMSI Tunnel ∿ MVPN NLRI decode, MVPN NLRI encode primitives, and config route parser for source-active, shared-tree join, and source-tree join routes. PMSI_TUNNEL path attribute remains marked not implemented; not all MVPN route types have config builders.
RFC 9012 Tunnel Encapsulation attribute ∿ On-demand parsing of selected Tunnel Encapsulation sub-TLVs. Not exposed as a full feature claim.
RFC 8669 BGP Prefix-SID attribute ∿ SRv6 Prefix-SID validation and filtering are recorded in learned notes. Architecture attribute table still says BGP_PREFIX_SID is not implemented; docs need reconciliation before a Supported claim.
RFC 9252 BGP SRv6 Service TLV ∿ SRv6 Prefix-SID service TLV validation and RFC 7606 error handling are implemented in the learned closure. Shares the RFC 8669 documentation conflict.
RFC 9830 BGP SR Policy Supported IPv4 and IPv6 SR Policy NLRI encode, decode, and route config. βœ•

BGP operations, telemetry, RPKI, and BFD-adjacent standards

RFC Area Status Implemented coverage Remaining if not complete
RFC 7854 BMP v3 ∿ BMP receiver and sender, peer lifecycle, route monitoring messages, CLI and config. Loc-RIB route monitoring is deferred under RFC 9069.
RFC 8671 BMP Adj-RIB-Out Supported within BMP sender scope Adj-RIB-Out direction flag handling and sent-route monitoring. βœ•
RFC 9069 BMP Loc-RIB monitoring Future Tracked by BMP learned notes. Requires reconstructing wire UPDATEs from structured best-change batches.
RFC 6811 RPKI origin validation Supported Origin validation states, ROA/VRP lookup, default reject for invalid routes, fail-open guard. βœ•
RFC 8210 RPKI RTR Supported RTR cache sessions, VRP download, multi-cache merge, v1 fallback for ASPA path. βœ•
RFC 6810 Earlier RPKI RTR Supported as compatibility reference Comparison docs group RFC 6810 and RFC 8210 for RTR support. Main guide and registration use RFC 8210.
RFC 9582 RPKI RTR v2 ASPA records Supported ASPA PDU cache, full replacement semantics, RTR v2 negotiation. βœ•
RFC 5880 BFD base ∿ BFD FSM, timers, jitter, echo advertisement, authentication, metrics, show commands. Feature remains Partial; demand mode is intentionally skipped and IPv6 transport coverage is not complete.
RFC 5881 BFD single-hop ∿ Single-hop UDP 3784 sessions, TTL/GTSM gate, interface binding. IPv6 dual-bind and wider deployment proof remain tracked with BFD.
RFC 5882 BFD generic application ∿ BFD integration model used by BGP and static next-hop tracking. Same BFD partial status.
RFC 5883 BFD multi-hop ∿ Multi-hop UDP 4784 sessions and min-TTL floor. Same BFD partial status.
RFC 9384 BFD-triggered BGP Cease Supported within BFD BGP peer opt-in sends Cease subcode 10 when BFD reports forwarding path loss. βœ•

IS-IS, OSPF, MPLS, and traffic engineering

RFC Area Status Implemented coverage Remaining if not complete
RFC 1195 Integrated IS-IS for IPv4 Experimental Native IS-IS over Layer 2, L1/L2, broadcast and point-to-point circuits, TLV 132. Feature remains Experimental pending production hardening and deployment evidence.
RFC 5301 IS-IS dynamic hostname Experimental Dynamic hostname TLV support. Same IS-IS experimental status.
RFC 5303 IS-IS point-to-point three-way Experimental Point-to-point adjacency behavior. Same IS-IS experimental status.
RFC 5304 IS-IS HMAC-MD5 authentication Experimental Interface and level key-chain authentication. Same IS-IS experimental status.
RFC 5310 IS-IS generic crypto authentication Experimental HMAC-SHA authentication path. Same IS-IS experimental status.
RFC 5305 IS-IS wide metrics and TE TLVs Experimental Extended IS reachability and IPv4 reachability TLVs. Same IS-IS experimental status.
RFC 2966 IS-IS up/down bit Experimental Up/down bit retention and redistribution behavior. Same IS-IS experimental status.
RFC 5308 IS-IS IPv6 Experimental IPv6 reachability over the same IS-IS instance. Same IS-IS experimental status.
RFC 5120 IS-IS multi-topology Unsupported None; IS-IS runs single-topology dual-stack only. Non-congruent IPv4/IPv6 topologies are out of scope; multi-topology TLVs are not implemented.
RFC 2328 OSPFv2 Experimental Native OSPFv2 engine, raw protocol 89, LSDB, SPF, flooding, virtual links. Feature remains Experimental pending production hardening and deployment evidence.
RFC 3101 OSPF NSSA Experimental NSSA Type 7 origination, translator election, Type 7 to Type 5 translation, preference rules. Same OSPF experimental status.
RFC 5709 OSPFv2 HMAC-SHA authentication Experimental OSPFv2 cryptographic authentication path. Same OSPF experimental status.
RFC 7474 OSPFv2 manual-key security extension Experimental Cryptographic authentication with per-packet-type replay protection (RFC 7474 defines no OSPFv2 authentication trailer; that construct is OSPFv3/RFC 7166). Same OSPF experimental status.
RFC 5340 OSPFv3 Experimental OSPFv3 IPv6 family, packet format, instance IDs, IPv6 LSAs. Same OSPF experimental status.
RFC 5838 OSPFv3 multiple address families Experimental Multi-AF OSPFv3 behavior. Same OSPF experimental status.
RFC 7166 OSPFv3 authentication trailer Experimental OSPFv3 Authentication Trailer support. Same OSPF experimental status.
RFC 4552 OSPFv3 IPsec authentication Experimental Manual AH/ESP IPsec config for OSPFv3 IPv6 interfaces, XFRM readiness check, SA and policy lifecycle. Manual keying only; feature remains under OSPF experimental status.
RFC 5250 OSPFv2 opaque LSAs Experimental Opaque LSA framework and retention. Same OSPF experimental status.
RFC 3630 OSPFv2 Traffic Engineering LSA Experimental TE LSA body and sub-TLV support. Same OSPF experimental status.
RFC 5392 OSPF inter-AS TE extensions Experimental Inter-AS TE sub-TLV support. Same OSPF experimental status.
RFC 7770 OSPF Router Information LSA Experimental Router Information LSA body and multi-instance ordering. Same OSPF experimental status.
RFC 7684 OSPF Extended Prefix and Link LSAs Experimental Extended Prefix and Extended Link LSA bodies and malformed TLV handling. Same OSPF experimental status.
RFC 3623 OSPFv2 Graceful Restart Experimental Restarter and helper behavior. Same OSPF experimental status.
RFC 5187 OSPFv3 Graceful Restart Experimental Restarter and helper behavior for OSPFv3. Same OSPF experimental status.
RFC 8665 OSPF Segment Routing extensions Experimental Segment Routing TLV encoding shared by OSPFv2 and OSPFv3 paths. Same OSPF experimental status.
RFC 8666 OSPFv3 Segment Routing Experimental OSPFv3 Segment Routing (SR-MPLS) over RFC 8362 Extended LSAs: SRGB/SRLB, index-to-label arithmetic, Prefix-SID and Adjacency-SID. Same OSPF experimental status.
RFC 8362 OSPFv3 Extended LSAs Experimental Extended LSA framework used by OSPFv3 extensions. Same OSPF experimental status.
RFC 5286 Loop-Free Alternate FRR Experimental LFA and TI-LFA fast reroute: per-neighbor SPFs, loop-free / node-protecting / downstream backup selection, SR repair lists, multi-area suppression. Same OSPF experimental status.
RFC 5036 LDP Experimental UDP discovery, TCP session FSM, label information base, kernel MPLS integration. Feature remains Experimental, despite learned notes showing interop progress.
RFC 3209 RSVP-TE Experimental PATH and RESV signaling, ERO routing, bandwidth admission, soft-state refresh, teardown. Cross-vendor RSVP-TE interop remains constrained by available open daemons.
RFC 2205 RSVP base protocol Experimental RSVP base message handling used by RSVP-TE. Same RSVP-TE experimental status.
RFC 4090 RSVP-TE Fast Reroute Experimental Facility backup behavior. One-to-one detour backup was explicitly split to later work.

Access, AAA, PPP, and subscriber services

RFC Area Status Implemented coverage Remaining if not complete
RFC 2661 L2TPv2 ∿ LNS/LAC tunnel lifecycle (answerer and initiator: ze dials SCCRQ, verifies SCCRP, sends SCCCN), AVP codec, hidden AVPs, challenge/response, reliable control channel, HELLO, StopCCN, data sessions, LNS-side outgoing call (OCRQ/OCRP/OCCN) via request l2tp outgoing-call, dial-target config, LAC PPPoEβ†’L2TP relay (control plane). Feature remains Partial; see L2TP guide for operational limits. Initiator tunnel interop proven vs xl2tpd (test/l2tp-interop/scenarios/03). LAC data-plane bridge (A-4) is QEMU/CAP_NET_ADMIN-gated.
RFC 1661 PPP LCP ∿ PPP LCP FSM, negotiation, echo keepalive, common NCP structure used by L2TP and PPPoE. Carries the L2TP and PPPoE Partial status.
RFC 1334 PAP ∿ PAP authentication option through PPP auth handling. Carries the L2TP and PPPoE Partial status.
RFC 1994 CHAP ∿ CHAP-MD5 authentication for PPP and tunnel auth contexts. Carries the L2TP and PPPoE Partial status.
RFC 2759 MS-CHAPv2 Supported within PPP and IPsec EAP Mutual authentication in both the PPP and IPsec EAP paths; MPPE/MSK key derivation in the IPsec EAP path only. βœ•
RFC 1332 IPCP ∿ IPv4 address negotiation and pool integration. Carries the L2TP and PPPoE Partial status.
RFC 1877 IPCP DNS options ∿ Primary and secondary DNS option parsing and negotiation. Carries the L2TP and PPPoE Partial status.
RFC 5072 IPv6CP ∿ Interface identifier negotiation and independent IPv6 NCP handling. IPv6 address assignment is outside IPv6CP and handled separately.
RFC 2516 PPPoE ∿ Access concentrator discovery state machine, AC-Cookie, session tables, AF_PPPOX kernel sessions, shared PPP driver. Feature remains Partial.
RFC 2865 RADIUS authentication Supported for subscriber access Access-Accept profile extraction, Filter-Id, Session-Timeout, Idle-Timeout, VSAs, pool selection. Operator/admin login RADIUS (PAP) is a separate backend under system/authentication/radius; the profile attributes above are subscriber-access only.
RFC 2866 RADIUS accounting Supported for subscriber access Start, Stop, and Interim-Update accounting records. Admin/operator RADIUS accounting is not wired; the admin backend is authentication-only.
RFC 2869 RADIUS extensions Supported for subscriber access Gigaword counters and selected accounting extensions. Scoped to subscriber access.
RFC 5176 RADIUS CoA and Disconnect Message Supported for subscriber access CoA/DM listener for RADIUS-initiated changes and disconnects. Scoped to subscriber access.
RFC 8907 TACACS+ ∿ SSH login PAP auth, ordered failover, MD5 pseudo-pad encryption, command accounting, optional authorization, single-connect mode. Feature inventory still marks TACACS+ Partial while learned notes record several closed gaps.

IPsec, IKE, EAP, and kernel security associations

RFC Area Status Implemented coverage Remaining if not complete
RFC 7296 IKEv2 Supported Wire codec, cryptographic primitives, initiator and responder FSM, IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL, rekey, DPD. βœ•
RFC 4301 IPsec architecture Supported SAD/SPD model projected through XFRM policies and route-based IPsec interfaces. βœ•
RFC 4302 Authentication Header Supported in OSPFv3 manual IPsec path AH algorithm planning and RFC 4552 OSPFv3 use. Scoped to configured manual IPsec support.
RFC 4303 ESP Supported ESP SA parameter model, protocol 50, tunnel and transport modes, XFRM installation, OSPFv3 manual ESP. βœ•
RFC 3948 UDP encapsulation of ESP Supported NAT-T non-ESP marker, UDP 4500 encapsulation, NAT keepalive, XFRM UDP encap attributes. βœ•
RFC 4555 MOBIKE Unsupported None; the IKE engine does not define the MOBIKE notify types (16396/16400) and does not handle UPDATE_SA_ADDRESSES. Responder role (announce MOBIKE_SUPPORTED, accept UPDATE_SA_ADDRESSES, migrate XFRM endpoints) is not implemented.
RFC 3748 EAP Supported in IPsec EAP framework inside IKEv2 IKE_AUTH, Success and Failure handling. βœ•
RFC 5216 EAP-TLS Supported in IPsec TLS handshake in EAP, fragmentation, MSK derivation feeding IKEv2 AUTH. βœ•
RFC 5282 IKEv2 AEAD algorithms Supported AES-GCM IKEv2 AEAD encryption and decryption framing. βœ•

DNS, provisioning, MRT, and flow telemetry

RFC Area Status Implemented coverage Remaining if not complete
RFC 1035 DNS message behavior Supported DNS cache TTL handling, authoritative GeoDNS and AS112 response shaping. βœ•
RFC 7871 EDNS0 Client Subnet Supported GeoDNS client IP selection from EDNS0 client-subnet or packet source. βœ•
RFC 7534 AS112 operations Supported Authoritative sink for misdirected RFC 1918 and link-local reverse DNS. βœ•
RFC 7535 EMPTY.AS112.ARPA Supported EMPTY.AS112.ARPA DNAME-redirection zone. βœ•
RFC 2131 DHCPv4 Supported DHCP server with DORA, leases, static mappings, PXE support. βœ•
RFC 2132 DHCP options Supported DHCP options used by DHCP server and PXE support. βœ•
RFC 4578 DHCP PXE options Supported PXE boot option injection for BIOS and UEFI bootfile selection. βœ•
RFC 1350 TFTP Supported Read-only TFTP server for PXE bootloader delivery. βœ•
RFC 2347 TFTP option negotiation Supported Option negotiation for TFTP provisioning paths. βœ•
RFC 6396 MRT Supported Daemon-side MRT recording, TABLE_DUMP_V2 snapshots, BGP4MP messages, analysis tools. βœ•
RFC 3954 NetFlow v9 Experimental Flow export templates and records over UDP. Flow export feature remains Experimental.
RFC 7011 IPFIX Experimental IPFIX export templates and records over UDP. Flow export feature remains Experimental.

Drafts and non-RFC standards tracked near RFC work

These are not RFCs, but they sit next to RFC implementation status and are useful when reading the tables above.

Standard Area Status Note
draft-abraitis-idr-addpath-paths-limit BGP PATHS-LIMIT Supported Per-family path-count limit capability for ADD-PATH.
draft-ietf-sidrops-aspa-verification ASPA path verification Supported ASPA validation algorithm, policy actions, and RPKI event output.
draft-ietf-idr-linklocal-capability Link-local next-hop capability code 77 Supported Capability declaration around RFC 2545 next-hop behavior.
draft-ietf-idr-software-version BGP Software Version capability code 75 Supported Software version advertisement plugin.
ISO/IEC 10589 IS-IS base protocol Experimental Base IS-IS protocol reference, paired with the IS-IS RFC rows above.
sFlow v5 sFlow export Experimental Flow export protocol alongside NetFlow v9 and IPFIX.