Job Snijders
@jobsnijders.bsky.social
📤 323
📥 76
📝 45
Internet routing system hacker-for-hire, active in OpenBSD & IETF
At today’s IEPG I presented on a new way of distributing RPKI data globally
iepg.org/2025-11-02-i...
loading . . .
http://iepg.org/2025-11-02-ietf124/slides-124-iepg-sessa-rethinking-rpki-data-distribution-a-different-way-to-split-the-bill-00.pdf
25 days ago
0
3
0
APNIC now supports "signing with resources". This is an RPKI-based mechanism to verify control over IPs and ASes. Useful for BYOIP! I helped develop this as an open standard & software implementation. Nice to see it finally reach the production environment :-)
orbit.apnic.net/hyperkitty/l...
loading . . .
RPKI Signed Checklists (RSCs) - APNIC-Services - Orbit
Where the APNIC community connect, discuss and share information
https://orbit.apnic.net/hyperkitty/list/
[email protected]
/thread/AMIULYGZ3IIVSUY3PY6CYYA7NLZD647Z/
about 1 month ago
0
2
0
OpenBSD 7.8 is out! This release includes the result of a fantastic engineering effort: a multi-threaded version of rpki-client.
man.openbsd.org/rpki-client
about 1 month ago
0
4
1
OpenBSD 7.8 is out! This release includes a little project of mine, a new implementation of the "watch" utility! This one has a real time display, can pause on error, highlight words & lines.
man.openbsd.org/watch
loading . . .
about 1 month ago
0
4
0
In both the APNIC and RIPE region policy proposals to prune persistently nonfunctional RPKI delegations reached consensus. Important step in maintaining a healthy scalable ecosystem.
www.ripe.net/publications...
www.apnic.net/community/po...
loading . . .
Revocation of Persistently Non-functional Delegated RPKI CAs
ripe-847: Revocation of Persistently Non-functional Delegated RPKI CAs
https://www.ripe.net/publications/docs/ripe-847/
about 1 month ago
0
2
0
reposted by
Job Snijders
Damien Miller
about 2 months ago
OpenSSH 10.2 has just been released. This release contains only non-security bugfixes, most notably for a bad regression that made interactive that used ControlPersist basically unusable Full release notes at
openssh.com/releasenotes...
loading . . .
OpenSSH: Release Notes
OpenSSH release notes
http://openssh.com/releasenotes.html#10.2
0
14
7
OpenSSH 10.1 has been released! \o/ I contributed changes to the DSCP marking mechanism: if a SSH connection contains ONLY interactive sessions, ssh/sshd will automagically classify the packets for Expedited Forwarding (DSCP EF).
lists.mindrot.org/pipermail/op...
loading . . .
Announce: OpenSSH 10.1 released
https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-October/042178.html
about 2 months ago
0
2
0
Animation of an aspect of the Internet's routing system: RPKI manifest issuances throughout the day, a re-issuance makes the thingies ploink rightwards
loading . . .
2 months ago
1
8
3
wow wow wow - rpki-client 9.6 has been released! This amazing release includes support for multi-threaded object validation, the new versatile CCR data interchange format (
datatracker.ietf.org/doc/html/dra...
), and many other improvements. Release notes here:
www.rssf.nl/post/rpki-cl...
loading . . .
A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR)
This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). CCR is a DER-encoded data interchange format which can be used t...
https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr
2 months ago
0
4
0
Super happy to see this move forward!
mailman.ripe.net/archives/lis...
add a skeleton here at some point
3 months ago
0
2
0
I wrote a new new Policy Proposal: "Revocation of Persistently Non-functional Delegated RPKI CAs" Policy proposal itself:
www.ripe.net/community/po...
Discussion:
mailman.ripe.net/archives/lis...
Consider chiming in!
loading . . .
Revocation of Persistently Non-functional Delegated RPKI CAs
This proposal suggests providing a mandate to the RIPE NCC to revoke resource certificates associated with longtime non-functional CAs to reduce Relying Party workloads.
https://www.ripe.net/community/policies/proposals/2025-02/
6 months ago
0
1
2
Yay! OpenBSD 7.7 has been released!
openbsd.org/77.html
7 months ago
0
4
4
reposted by
Job Snijders
Doug Madory
7 months ago
In this post for
@kentik.bsky.social
,
@jobsnijders.bsky.social
and I dig into the problem of excessively large AS-SETs — out of control route objects which can render IRR-based route filtering useless. Includes data analysis from
@benjojo.bsky.social
founder of
bgp.tools
.
add a skeleton here at some point
1
9
5
reposted by
Job Snijders
OpenBSD España
9 months ago
RPKI Views: The archive of RPKI state PING podcast
@jobsnijders.bsky.social
discusses RPKIViews, his long term project to collect the "views" of RPKI state every day, and maintain an archive of BGP route validation states.
loading . . .
RPKI Views: The archive of RPKI state
How Job Snijders collects and collates the worldwide state of RPKI
https://blubrry.com/ping_podcast/142261879/rpki-views-the-archive-of-rpki-state/
0
3
2
reposted by
Job Snijders
John Kristoff
10 months ago
@job again dropping some knowledge and insight with current
#rpki
operations. Worth a read:
https://mailman.nanog.org/pipermail/nanog/2025-January/227206.html
0
2
3
Spent the last 6 days hiking the gorgeous StauSeeSteig trail
11 months ago
0
7
0
rpki-client 9.4 has been released! This release imposes restrictions on Trust Anchor certificate validity periods, includes ASPA support for BIRD2, protection against AS0 TALs, and various reliability improvements. Read the release notes here:
cdn.openbsd.org/pub/OpenBSD/...
loading . . .
https://cdn.openbsd.org/pub/OpenBSD/rpki-client/rpki-client-9.4.txt
11 months ago
1
3
1
reposted by
Job Snijders
Peter N. M. Hansteen (@
[email protected]
)
11 months ago
rpki-client stricter aging policy for Trust Anchor certificates commited to -current
www.undeadly.org/cgi?action=a...
#openbsd
#rpki-client
#rpki
#routing
#certificates
#trustanchor
#ta
#networking
#bgp
#freesoftware
#libresoftware
loading . . .
rpki-client stricter aging policy for Trust Anchor certificates commited to -current
https://www.undeadly.org/cgi?action=article;sid=20241219163800
0
2
1
reposted by
Job Snijders
Kentik
11 months ago
@eldomador.bsky.social
’s 2024 in review: BGP, RPKI adoption, submarine cable cuts, major outages, and the role of geopolitics in shaping the internet. 🌐 Check out the year’s biggest highlights:
kentik.com/blog/a-year-...
#InternetAnalysis
#BGP
#RPKI
#SubmarineCables
#Kentik
loading . . .
A Year in Analysis: 2024
In this post, Doug Madory reviews the highlights of his wide-ranging internet analysis from the past year, which included covering the state of BGP (leaks and the state of RPKI adoption), submarine ca...
https://kentik.com/blog/a-year-in-analysis-2024/
0
6
2
New (short) RFC: Detecting RPKI Repository Delta Protocol (RRDP) Session Desynchronization
www.rfc-editor.org/rfc/rfc9697....
Rpki-client was the first to implement Ties’s clever concept
loading . . .
RFC 9697: Detecting RPKI Repository Delta Protocol (RRDP) Session Desynchronization
This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties to detect a particular form of RPKI Repository Delta Protocol (RRDP) session desynchronization and how...
https://www.rfc-editor.org/rfc/rfc9697.html
12 months ago
0
3
0
Today marks the day: 1 month nicotine free!
12 months ago
1
9
0
Today my latest RFC was published. It fixes a security issue in the RPKI distribution protocol: in the original RRDP specification it was possible for one repository operator to impose load on another repository operator.
rfc-editor.org/rfc/rfc9674....
loading . . .
RFC 9674: Same-Origin Policy for the RPKI Repository Delta Protocol (RRDP)
This document describes a Same-Origin Policy (SOP) requirement for Resource Public Key Infrastructure (RPKI) Repository Delta Protocol (RRDP) servers and clients. Application of a SOP in RRDP ...
https://rfc-editor.org/rfc/rfc9674.html
12 months ago
0
14
2
insightful thread about SCION
add a skeleton here at some point
about 1 year ago
0
4
2
reposted by
Job Snijders
Doug Madory
about 1 year ago
There are a lot more of these unheralded success stories than people think. Problematic BGP routes are regularly being filtered without human intervention.
add a skeleton here at some point
0
5
1
War story: RPKI, working as intended. On how Fastly’s IP space was BGP hijacked, but nobody noticed
www.fastly.com/blog/war-sto...
loading . . .
War story: RPKI is working as intended
Explore the transformative impact of RPKI on the Internet. Discover how collaboration and perseverance drive fundamental changes in routing reliability and security.
https://www.fastly.com/blog/war-story-rpki-is-working-as-intended
about 1 year ago
0
1
2
Our favorite Internet routing protocol - BGP - just got an update! The mechanism in this RFC should help a bit against zombie routes and other problems
rfc-editor.org/rfc/rfc9687....
hat tip to
@benjojo.bsky.social
and Yingzhen Qu for sticking it out with me
loading . . .
RFC 9687: Border Gateway Protocol 4 (BGP-4) Send Hold Timer
This document defines the SendHoldTimer , along with the SendHoldTimer_Expires event, for the Border Gateway Protocol (BGP) Finite State Machine (FSM). Implementation of the SendHoldTimer h...
https://rfc-editor.org/rfc/rfc9687.html
about 1 year ago
0
2
2
you reached the end!!
feeds!
log in
