Every feature Ze ships.

46 features plus a spec'd roadmap, color-coded by category.

Each card's color is its category: how the feature fits into the system. Solid cards are shipped; dashed cards are experimental; blueprint cards at the bottom are specs, not code. Everything shipped runs in both daemon and appliance modes unless a card says otherwise.

Built for demanding operators.

Ze owns its BGP engine, configuration model, plugin system, and operator surfaces, all designed together.

Operate

SSH CLI

Autocomplete History
  • commit and commit confirmed
  • rollback and diff
  • Command mode
Operate

YANG Configuration

YANG ExaBGP
  • Schema-driven validation
  • One model for everything
  • Plugin defined
Operate

Output Formatting

Shell-like pipes Offline
  • table, json, yaml, ndjson
  • match, count, first/last
  • Offline via ze format
Operate

Web Workbench

HTMX SSE
  • No SPA, server-rendered
  • Config editor, admin panel
  • Live updates via SSE
Operate

Looking Glass

Routes Topology Birdwatcher
  • Peer and route viewer
  • Topology graph
  • SSE streaming for live state
Operate

System Readiness

ze doctor ze explain
  • Offline pre-start checks: config, TLS certs, kernel modules, listeners, disk space, clock skew
  • Platform-aware: gokrazy, systemd, container, plain-Linux detection
  • --json output with stable diagnostic codes and ze explain <code> remediation
Routing

Native BGP Engine

BGP IPv4/IPv6 FlowSpec
  • Full implementation in Go
  • Lazy parsing, buffer-first encoding
  • Negotiated capabilities
Routing

Static Routes

ECMP BFD PBR
  • Named tables, policy routing
  • BFD-tracked failover
  • Multi-path ECMP groups
Routing

BFD

RFC 5880 Auth
  • Single-hop and multi-hop
  • GTSM, jitter, BGP integration
  • SHA1/MD5 auth, echo mode
Routing

MRT Recording

RFC 6396 Analysis
  • Updates, messages, RIB snapshots
  • Strftime file rotation
  • Show, inject, replay, filter
Services

DNS Resolver

Cache Pipes
  • Built-in cached resolver
  • | resolve and | origin pipe operators
  • No external daemon needed
Automate

Plugin System

ExaBGP RPKI Policy
  • Route-server, graceful restart
  • Persistence, NLRI families
  • Independent, composable
Automate

Programmable

REST gRPC gNMI
  • REST API, gRPC, gNMI
  • External process plugins
  • Automate from any language
Automate

AI-First Design

Self-describing Skills
  • Self-describing command catalog generated from the live binary, never hand-written
  • Structured diagnostics: ze explain <code> and machine-parseable repair plans
  • Version-matched skills served by the binary for agent workflows
Automate

MCP Integration

MCP OAuth 2.1
  • Streamable HTTP transport, OAuth 2.1 resource server
  • Server-initiated elicitation, task-augmented tool calls
  • MCP Apps UI with embedded panels
Automate

ExaBGP Compatibility

Migration Bridge
  • Automatic config migration
  • Plugin bridge for existing workflows
  • Smooth transition path
Observe

Evidence Over Claims

Fuzz Interop Docker
  • Unit, functional, fuzz, chaos
  • Performance benchmarks
  • Interop vs FRR, BIRD, GoBGP
Observe

Development Activity

Heatmap Live data
  • A year of commits and added lines, at a glance
  • Regenerated from git history, not curated
  • Top commit and line days, ranked
Observe

Prometheus Telemetry

Netdata Prometheus
  • 138 metrics from /proc and /sys
  • Netdata naming, drop-in replacement
  • Existing Grafana dashboards keep working
Observe

Health Registry

HTTP 503
  • /health HTTP endpoint
  • Per-component status checks
  • BGP, FIB, IPsec, L2TP, VPP
Observe

Host Inventory

CPU NIC SMART
  • CPU, NIC, DMI, memory, thermal
  • SMART disk health and self-tests
  • JSON output for pipelines
Observe

Crash Capture

Panic Syslog
  • Automatic panic stack traces
  • Ring buffer context (last 64 entries)
  • show crashes CLI command
Observe

Tech-Support Bundle

Offline JSON
  • 20 modules, pure Go, no shell-outs
  • Structured JSON per module
  • Privacy-by-default, gokrazy-safe
Observe

Production Diagnostics

CLI MCP
  • 11 built-in tools replacing ss, dmesg, lsof
  • tcpdump, traceroute, ping, mtr
  • All exposed via MCP for AI debugging
Secure

Secure by Default

SSH RBAC RPKI ASPA
  • SSH access to the CLI
  • RPKI route origin validation
  • No other daemons needed
Secure

TACACS+ AAA

RFC 8907 Accounting
  • SSH login via TACACS+
  • Command accounting START/STOP
  • Server failover, local fallback
Secure

Audit Trail

Commits Auth
  • Config commit, discard, reload
  • Failed auth across all surfaces
  • Filter by action, actor, time
Secure

PKI Store

X.509 TLS
  • YANG-modeled certificate management
  • Chain validation, expiry checks
  • Shared by IPsec, TLS, mutual auth
Platform

Two Targets

Appliance Server
  • Lean bootable appliance
  • Linux server with systemd
  • Single static binary
  • Ideal for virtual networking
Platform

Runs Itself

Update Systemd
  • Binary self-update
  • Built-in readiness checks
  • No orchestrator needed
Platform

Docker Support

Daemon only Scratch Compose
  • Static binary on scratch base
  • Compose support included
  • Optional build tags

Experimental and growing.

Implemented and tested, not yet production-proven.

These still need deployment evidence or hardening before production claims. Configuration may change.

Services Experimental

IPsec VPN

IKEv2 X.509 EAP
  • Full IKEv2 engine, rekeying, DPD
  • NAT-T, keepalive, XFRM interfaces
  • EAP-MSCHAPv2, EAP-TLS, road warrior
Services Experimental

L2TPv2 BNG

PPP RADIUS CQM
  • RFC 2661 LNS with PPP negotiation
  • RADIUS auth, accounting, CoA
  • CQM monitoring, shaping, web UI
Services Experimental

PPPoE Access

RFC 2516 PPP
  • Access concentrator with discovery FSM
  • Shared PPP driver with L2TP
  • HMAC-SHA256 cookie, rate limiting
Services Experimental

Interface Management

Netlink DHCP
  • Ethernet, VLAN, bridge, WireGuard
  • 8 tunnel kinds, DHCP client
  • NTP sync, offload tuning, mirroring
Services Experimental

Firewall

nftables NAT
  • 15 match types, 19 actions
  • SNAT, DNAT, masquerade
  • FlowSpec-to-firewall bridge
Services Experimental

Policy Routing

nftables PBR
  • L3/L4 match criteria
  • Table steering, next-hop actions
  • TCP-MSS clamping, interface wildcards
Services Experimental

VPP Data Plane

DPDK GoVPP
  • FIB programming via GoVPP
  • MPLS label operations
  • Per-interface Prometheus metrics
Routing Experimental

MPLS / LDP / RSVP-TE

Labels Signaling
  • Kernel MPLS FIB, push/swap/pop
  • LDP discovery and sessions
  • RSVP-TE ERO, bandwidth admission
Routing Experimental

OSPF

RFC 3101 ECMP
  • OSPFv2 and OSPFv3, one config root
  • Stub, totally-stubby, NSSA areas
  • Redistributes with BGP both ways
Routing Experimental

IS-IS

ISO 10589 Dual-stack
  • L1/L2 link-state IGP over Layer 2
  • RFC 5304/5310 authentication, key chains
  • Dual-stack IPv6, redistributes with BGP
Observe Experimental

Flow Export

sFlow NetFlow IPFIX
  • sFlow v5, NetFlow v9, IPFIX
  • Packet sampling, conntrack flows
  • BGP next-hop enrichment
Platform Experimental

Install and Provision

PXE ISO
  • PXE bare-metal provisioning
  • Bootable ISO builder
  • systemd install, uninstall
Platform Experimental

Kernel Tunables

Sysctl Profiles
  • Three-layer precedence
  • Named profiles (DSR, router, hardened)
  • Originals restored on stop
Services Experimental

AS112 Anycast DNS

AS112 Anycast
  • Authoritative sink zones on four fixed anycast addresses (RFC 7534/7535)
  • Conditional BGP origination via healthcheck-gated watchdog
  • Anycast IPs bound on lo automatically, never operator-typed
Routing Experimental

Segment Routing

SAFI 73 SRv6
  • SR-Policy NLRI (RFC 9830), SAFI 73
  • MPLS and SRv6 binding SID, tunnel encap
  • ExaBGP bridge for SR-Policy migration

Spec'd, not built.

Aspirations with written, reviewed specs. Nothing here is usable today.

Every card links to a pending spec in the main repo's plan/ directory, where captured intent moves from skeleton to design to ready to in-progress, and a spec is deleted only when the work ships.

Routing Spec'd

OSPFv2

OSPF IGP
  • Full link-state IGP: SPF, areas, flooding
  • 16 extension specs: TE, SR, TI-LFA
  • Graceful restart, BFD, multi-AF
Routing Spec'd

VRF

VRF L3VPN
  • VRF as a first-class concept
  • Per-VRF BGP stacks, YANG config
  • Kernel VRF devices, table binding
Automate Spec'd

Fleet Management

Registry Rollout
  • Device registry, config templates
  • Staged rollout, config freeze
  • Fleet audit trail, inventory health
Secure Spec'd

IRR Route Filtering

IRR as-set
  • Prefix-lists from IRR data
  • bgpq4-style, live in the engine
  • Automatic from the peer's remote ASN
Secure Spec'd

Kernel Lockdown

Lockdown Integrity
  • Kernel lockdown integrity mode
  • Blocks unsigned modules, kexec, /dev/mem
  • Design reviewed, not yet scheduled
Platform Spec'd

Cloud-Init Provisioning

Cloud-init User-data
  • Appliance identity from cloud metadata
  • SSH keys and config via user-data
  • No pre-baked seed image needed