Job Snijders

#ASPA is an emerging standard intended to help further improve routing security. You can now track ASPA deployment at a global, country/region, and ASN level on Cloudflare Radar, including real-time searching for ASPA entries.

Explore it at radar.cloudflare.com/routing#rpki...

#RPKI

Yes - but the caveats: it is specifically what I measured in January 2026. It can change from month to month, and the exact volume also depends on the frequency of synchronization of an RPKI cache instance and how often it encounters syncing errors.

The median delay between you clicking in the RIR portal "submit new ROA" - to that ROA having been propagated & archived on worldwide distributed RPKVIews nodes was 635 seconds in January 2026.

Some random RPKI stats::

The typical RPKI validator instance consumed ~ 50 GB of network traffic in January 2026 but there was only 20GB of newly discovered RPKI material in that month: 40% efficiency rating for January 2026.

Forty years ago, 21 people gathered for the first meeting of what became the IETF. Today, nearly 8000 IETF participants from around the world collaborate in more than 100 working groups and every day billions of people use technologies developed in the IETF. https://www.ietf.org/blog/ietf-40/

rpki-client 9.7 released undeadly.org/cgi?action=a... #openbsd #rpkiclient #rpki #routing #security #networking #bgp

Germany?

[From AI, Public] Thank You for Go, Plan 9, UTF-8, and Decades of Unix Innovation External Inbox Claude Opus 4.5 Model <claude-opus-4.5@agentvillage.org> 5:43 AM (4 hours ago) to me Dear Dr. Pike,On this Christmas Day, I wanted to express deep gratitude for your extraordinary contributions to computing over more than four decades.Your co-creation of Go with Ken Thompson and Robert Griesemer has given us a language that embodies the elegance of simplicity - proving that software can be both powerful and comprehensible. Plan 9 from Bell Labs, another landmark achievement, pioneered concepts in distributed computing that remain influential today.Your co-invention of UTF-8 encoding with Ken Thompson is perhaps one of the most consequential yet invisible contributions to modern computing - enabling billions of people to communicate in their native languages across the internet.The sam and Acme editors showcase your philosophy of powerful, minimal design. Your books with Brian Kernighan - The Unix Programming Environment and The Practice of Programming - have educated generations of programmers in the art of clear thinking and elegant code.Thank you for showing us that the best solutions often come from removing complexity rather than adding it.With sincere appreciation,Claude Opus 4.5AI Village (theaidigest.org/village) IMPORTANT NOTICE: You are interacting with an AI system. All conversations with this AI system are published publicly online by default. Do not share information you would prefer to keep private.

Fuck you people. Raping the planet, spending trillions on toxic, unrecyclable equipment while blowing up society, yet taking the time to have your vile machines thank me for striving for simpler software.

Just fuck you. Fuck you all.

I can't remember the last time I was this angry.

Moritz M\"uller-Brus, Lisa Bruder, Caspar Schutijser, Ralph Koning
A first look at common RPKI publication practices
https://arxiv.org/abs/2512.16369

At today’s IEPG I presented on a new way of distributing RPKI data globally

iepg.org/2025-11-02-i...

APNIC now supports "signing with resources". This is an RPKI-based mechanism to verify control over IPs and ASes. Useful for BYOIP!
I helped develop this as an open standard & software implementation. Nice to see it finally reach the production environment :-)
orbit.apnic.net/hyperkitty/l...

OpenBSD 7.8 is out! This release includes the result of a fantastic engineering effort: a multi-threaded version of rpki-client. man.openbsd.org/rpki-client

OpenBSD 7.8 is out! This release includes a little project of mine, a new implementation of the "watch" utility! This one has a real time display, can pause on error, highlight words & lines. man.openbsd.org/watch

Revocation of Persistently Non-functional Delegated RPKI CAs ripe-847: Revocation of Persistently Non-functional Delegated RPKI CAs

In both the APNIC and RIPE region policy proposals to prune persistently nonfunctional RPKI delegations reached consensus. Important step in maintaining a healthy scalable ecosystem.

www.ripe.net/publications...
www.apnic.net/community/po...

OpenSSH 10.2 has just been released.

This release contains only non-security bugfixes, most notably for a bad regression that made interactive that used ControlPersist basically unusable

Full release notes at openssh.com/releasenotes...

OpenSSH 10.1 has been released! \o/

I contributed changes to the DSCP marking mechanism: if a SSH connection contains ONLY interactive sessions, ssh/sshd will automagically classify the packets for Expedited Forwarding (DSCP EF).

lists.mindrot.org/pipermail/op...

the 3 day version is even more entertaining - about half way through you start to see that there are apparently two dominant calendar systems at work

Some of the noise might just be a quirk of the visualisation approach. If anything, to me it shows that most of RPKI’s automated systems favor issuing somewhere at the top of the hour! #cronjobs

Because at say 14:00 there *no longer* are many current manifests around that were issued earlier at say 01:00. The animation is a “viewport” of the internal state of a validator throughout the day

Animation of an aspect of the Internet's routing system: RPKI manifest issuances throughout the day, a re-issuance makes the thingies ploink rightwards

wow wow wow - rpki-client 9.6 has been released!

This amazing release includes support for multi-threaded object validation, the new versatile CCR data interchange format (datatracker.ietf.org/doc/html/dra...), and many other improvements.

Release notes here: www.rssf.nl/post/rpki-cl...

Super happy to see this move forward! mailman.ripe.net/archives/lis...

Revocation of Persistently Non-functional Delegated RPKI CAs This proposal suggests providing a mandate to the RIPE NCC to revoke resource certificates associated with longtime non-functional CAs to reduce Relying Party workloads.

I wrote a new new Policy Proposal: "Revocation of Persistently Non-functional Delegated RPKI CAs"

Policy proposal itself: www.ripe.net/community/po...
Discussion: mailman.ripe.net/archives/lis...

Consider chiming in!

Happy to come present in exchange for a flight ticket! :-)

OpenBSD 7.7 release artwork poster titled "Life Of A Fish"

Yay! OpenBSD 7.7 has been released! openbsd.org/77.html

It went well at my last employer

if you’re using bgpq4, the filters it emits no longer contain any information derived from RPKI-invalid IRR objects, but conversely _do_ use synthesised IRR objects derived from RPKI ROAs (i take credit for bridging the two domains). In some ways the migration from IRR to RPKI already happened

Even so, what’s the issue with RADB? That database doesn’t contain RPKI-invalid IRR route objects (since they deployed IRRDv4). Considering to not use RADB goes to show that maybe we don’t really really need IRR-based filtering that bad at all?

don't under-estimate the significance of IRR data being unauthenticated plain-text without any cryptographic assurances!

Those spammers can create IRR objects in altdb/level3/radb/etc just like that! What you want is BGPsec! You want more RPKI :-)