The road so far.

22 milestones, oldest first. The landmarks that mark Ze's path from a bare BGP speaker to a full network operating system. Each entry is the first time a whole capability arrived; the week-by-week detail lives in the Changes log and the blog. Oldest first, color-coded by category.

Each node's color is its category. This is the coarse view: the Changes log has every week, and Features lists what ships today. Click a category to filter, click again to show everything.

Q4 2025

  1. BGP engine

    routing

    The foundational BGP speaker lands: wire-format codec, every message type, capability negotiation, path attributes, a RIB, and the finite state machine, tested against ExaBGP from day one.

    Read the week →
  2. Config model and CLI editor

    operate

    A schema-driven configuration parser with ExaBGP-compatible syntax, wired straight to the reactor, plus an interactive CLI editor with autocomplete.

    Read the week →

Q1 2026

  1. ExaBGP migration path

    automate

    exabgp migrate converts ExaBGP configs to Ze's format, and a bridge runs existing ExaBGP process plugins under Ze, translating JSON and commands both ways.

    Read the week →
  2. Hub architecture and Plugin SDK

    platform

    Ze splits into a hub orchestrator that forks BGP as a child process, gains live config reload over SIGHUP, and ships a documented SDK for writing plugins outside the core tree.

    Read the week →
  3. BGP Route Server

    routing

    A forward-all Route Server (RFC 7947) for IXPs: targeted per-peer replay on reconnect, backpressure-safe forwarding, and plugin dependency resolution.

    Read the week →
  4. Best-path selection

    routing

    On-demand best-path selection in the RIB, covering LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP/iBGP preference, and the full tiebreak chain (RFC 4271 section 9.1.2).

    Read the week →
  5. SSH CLI, TCP-MD5, and RBAC

    secure

    An SSH server becomes the primary way to reach the CLI, alongside TCP-MD5 session authentication (RFC 2385) and end-to-end RBAC authorization.

    Read the week →
  6. RPKI origin validation

    secure

    A full RPKI pipeline: an RTR-speaking plugin maintains a ROA cache and validates route origins as routes arrive on the adjacency RIB-in path, not after the fact.

    Read the week →
  7. Web interface

    operate

    A browser-based config editor with YANG-driven rendering, per-user drafts, inline diffs, live SSE updates, and a light/dark theme, started with ze start --web.

    Read the week →
  8. MCP server for AI operations

    automate

    An MCP server exposing tools for AI-assisted BGP operations: announce, withdraw, peer status, peer control, and command execution.

    Read the week →
  9. Interfaces and kernel FIB

    platform

    A JunOS-style interface management subsystem (netlink monitoring, DHCP, SLAAC) and a FIB pipeline that installs best-path routes into the kernel via netlink.

    Read the week →

Q2 2026

  1. BFD liveness detection

    routing

    A complete BFD implementation (RFC 5880/5881/5883): single- and multi-hop, authentication, echo mode, BGP session opt-in, and operator visibility.

    Read the week →
  2. gokrazy appliance build

    platform

    The first gokrazy VM appliance build for x86_64: the start of Ze shipping as a self-contained appliance image, not just a daemon.

    Read the week →
  3. L2TP/PPP broadband access

    services

    A full L2TPv2 stack for broadband access: tunnel and session FSMs, a reliable delivery engine, and PPP authentication (PAP, CHAP-MD5, MS-CHAPv2).

    Read the week →
  4. VPP dataplane

    platform

    A VPP dataplane backend for high-performance forwarding: connection management, DPDK binding, and FIB programming via GoVPP.

    Read the week →
  5. Firewall and traffic control

    secure

    nftables and tc-netlink backends sharing one YANG data model, with show firewall and show traffic-control commands.

    Read the week →
  6. Appliance fleet management

    platform

    ze appliance manages images end to end: encrypted secrets, TLS and SSH provisioning, day-2 operations, remote push, and export/import for disaster recovery.

    Read the week →
  7. IPsec / IKEv2 VPN

    secure

    A native IKEv2 VPN stack built from the wire format up and interop-tested against strongSwan: child SA negotiation, EAP, NAT-T, and route-based VPN via XFRM.

    Read the week →
  8. MPLS label switching

    routing

    Label switching across three layers, verified in QEMU against FRR: a kernel MPLS dataplane, LDP (RFC 5036), and RSVP-TE.

    Read the week →
  9. Native IS-IS

    routing

    A native IS-IS link-state IGP (ISO/IEC 10589, RFC 1195): full PDU/TLV codec, adjacency FSM, LSDB flooding, DIS election, and SPF with ECMP, interop-tested against FRR's isisd.

    Read the week →
  10. OSPFv2 / OSPFv3

    routing

    A unified OSPFv2/OSPFv3 engine with IPv6 interop coverage and live SSE state views in the web UI.

    Read the week →
  11. DDoS auto-mitigation

    secure

    Control-plane survival under attack: GTSM/TTL-security (RFC 5082), CoPP policing on TCP/179, and automatic DDoS detection with attack-characterized auto-mitigation.

    Read the week →