The road so far.
22 milestones, oldest first. The landmarks that mark Ze's path from a bare BGP speaker to a full network operating system. Each entry is the first time a whole capability arrived; the week-by-week detail lives in the Changes log and the blog. Oldest first, color-coded by category.
Each node's color is its category. This is the coarse view: the Changes log has every week, and Features lists what ships today. Click a category to filter, click again to show everything.
Q4 2025
-
BGP engine
routingThe foundational BGP speaker lands: wire-format codec, every message type, capability negotiation, path attributes, a RIB, and the finite state machine, tested against ExaBGP from day one.
Read the week → -
Config model and CLI editor
operateA schema-driven configuration parser with ExaBGP-compatible syntax, wired straight to the reactor, plus an interactive CLI editor with autocomplete.
Read the week →
Q1 2026
-
ExaBGP migration path
automate
Read the week →exabgp migrateconverts ExaBGP configs to Ze's format, and a bridge runs existing ExaBGP process plugins under Ze, translating JSON and commands both ways. -
Hub architecture and Plugin SDK
platformZe splits into a hub orchestrator that forks BGP as a child process, gains live config reload over SIGHUP, and ships a documented SDK for writing plugins outside the core tree.
Read the week → -
BGP Route Server
routingA forward-all Route Server (RFC 7947) for IXPs: targeted per-peer replay on reconnect, backpressure-safe forwarding, and plugin dependency resolution.
Read the week → -
Best-path selection
routingOn-demand best-path selection in the RIB, covering LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP/iBGP preference, and the full tiebreak chain (RFC 4271 section 9.1.2).
Read the week → -
SSH CLI, TCP-MD5, and RBAC
secureAn SSH server becomes the primary way to reach the CLI, alongside TCP-MD5 session authentication (RFC 2385) and end-to-end RBAC authorization.
Read the week → -
RPKI origin validation
secureA full RPKI pipeline: an RTR-speaking plugin maintains a ROA cache and validates route origins as routes arrive on the adjacency RIB-in path, not after the fact.
Read the week → -
Web interface
operateA browser-based config editor with YANG-driven rendering, per-user drafts, inline diffs, live SSE updates, and a light/dark theme, started with
Read the week →ze start --web. -
MCP server for AI operations
automateAn MCP server exposing tools for AI-assisted BGP operations: announce, withdraw, peer status, peer control, and command execution.
Read the week → -
Interfaces and kernel FIB
platformA JunOS-style interface management subsystem (netlink monitoring, DHCP, SLAAC) and a FIB pipeline that installs best-path routes into the kernel via netlink.
Read the week →
Q2 2026
-
BFD liveness detection
routingA complete BFD implementation (RFC 5880/5881/5883): single- and multi-hop, authentication, echo mode, BGP session opt-in, and operator visibility.
Read the week → -
gokrazy appliance build
platformThe first gokrazy VM appliance build for x86_64: the start of Ze shipping as a self-contained appliance image, not just a daemon.
Read the week → -
L2TP/PPP broadband access
servicesA full L2TPv2 stack for broadband access: tunnel and session FSMs, a reliable delivery engine, and PPP authentication (PAP, CHAP-MD5, MS-CHAPv2).
Read the week → -
VPP dataplane
platformA VPP dataplane backend for high-performance forwarding: connection management, DPDK binding, and FIB programming via GoVPP.
Read the week → -
Firewall and traffic control
securenftables and tc-netlink backends sharing one YANG data model, with
Read the week →show firewallandshow traffic-controlcommands. -
Appliance fleet management
platform
Read the week →ze appliancemanages images end to end: encrypted secrets, TLS and SSH provisioning, day-2 operations, remote push, and export/import for disaster recovery. -
IPsec / IKEv2 VPN
secureA native IKEv2 VPN stack built from the wire format up and interop-tested against strongSwan: child SA negotiation, EAP, NAT-T, and route-based VPN via XFRM.
Read the week → -
MPLS label switching
routingLabel switching across three layers, verified in QEMU against FRR: a kernel MPLS dataplane, LDP (RFC 5036), and RSVP-TE.
Read the week → -
Native IS-IS
routingA native IS-IS link-state IGP (ISO/IEC 10589, RFC 1195): full PDU/TLV codec, adjacency FSM, LSDB flooding, DIS election, and SPF with ECMP, interop-tested against FRR's isisd.
Read the week → -
OSPFv2 / OSPFv3
routingA unified OSPFv2/OSPFv3 engine with IPv6 interop coverage and live SSE state views in the web UI.
Read the week → -
DDoS auto-mitigation
secureControl-plane survival under attack: GTSM/TTL-security (RFC 5082), CoPP policing on TCP/179, and automatic DDoS detection with attack-characterized auto-mitigation.
Read the week →