Job Snijders
jobsnijders.bsky.social
Internet routing system hacker-for-hire, active in OpenBSD & IETF
At today’s IEPG I presented on a new way of distributing RPKI data globally

iepg.org/2025-11-02-i...
November 3, 2025 at 2:54 AM
APNIC now supports "signing with resources". This is an RPKI-based mechanism to verify control over IPs and ASes. Useful for BYOIP!
I helped develop this as an open standard & software implementation. Nice to see it finally reach the production environment :-)
orbit.apnic.net/hyperkitty/l...
RPKI Signed Checklists (RSCs) - APNIC-Services - Orbit
Where the APNIC community connect, discuss and share information
October 28, 2025 at 3:37 PM
OpenBSD 7.8 is out! This release includes the result of a fantastic engineering effort: a multi-threaded version of rpki-client. man.openbsd.org/rpki-client
October 22, 2025 at 10:12 AM
OpenBSD 7.8 is out! This release includes a little project of mine, a new implementation of the "watch" utility! This one has a real time display, can pause on error, highlight words & lines. man.openbsd.org/watch
October 22, 2025 at 10:07 AM
In both the APNIC and RIPE region policy proposals to prune persistently nonfunctional RPKI delegations reached consensus. Important step in maintaining a healthy scalable ecosystem.

www.ripe.net/publications...
www.apnic.net/community/po...
Revocation of Persistently Non-functional Delegated RPKI CAs
ripe-847: Revocation of Persistently Non-functional Delegated RPKI CAs
October 16, 2025 at 5:26 AM
Reposted by Job Snijders
OpenSSH 10.2 has just been released.

This release contains only non-security bugfixes, most notably for a bad regression that made interactive that used ControlPersist basically unusable

Full release notes at openssh.com/releasenotes...
October 10, 2025 at 9:44 AM
OpenSSH 10.1 has been released! \o/

I contributed changes to the DSCP marking mechanism: if a SSH connection contains ONLY interactive sessions, ssh/sshd will automagically classify the packets for Expedited Forwarding (DSCP EF).

lists.mindrot.org/pipermail/op...
Announce: OpenSSH 10.1 released
October 6, 2025 at 2:44 PM
Animation of an aspect of the Internet's routing system: RPKI manifest issuances throughout the day, a re-issuance makes the thingies ploink rightwards
September 27, 2025 at 10:51 PM
wow wow wow - rpki-client 9.6 has been released!

This amazing release includes support for multi-threaded object validation, the new versatile CCR data interchange format (datatracker.ietf.org/doc/html/dra...), and many other improvements.

Release notes here: www.rssf.nl/post/rpki-cl...
A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR)
This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). CCR is a DER-encoded data interchange format which can be used t...
September 21, 2025 at 9:20 PM
Super happy to see this move forward! mailman.ripe.net/archives/lis...
September 10, 2025 at 9:34 AM
I wrote a new Policy Proposal: "Revocation of Persistently Non-functional Delegated RPKI CAs"

Policy proposal itself: www.ripe.net/community/po...
Discussion: mailman.ripe.net/archives/lis...

Consider chiming in!
Revocation of Persistently Non-functional Delegated RPKI CAs
This proposal suggests providing a mandate to the RIPE NCC to revoke resource certificates associated with longtime non-functional CAs to reduce Relying Party workloads.
June 6, 2025 at 3:08 PM
Yay! OpenBSD 7.7 has been released! openbsd.org/77.html
April 27, 2025 at 6:46 PM
Reposted by Job Snijders
In this post for @kentik.bsky.social, @jobsnijders.bsky.social and I dig into the problem of excessively large AS-SETs — out of control route objects which can render IRR-based route filtering useless.

Includes data analysis from @benjojo.bsky.social founder of bgp.tools.
April 23, 2025 at 10:09 PM
Reposted by Job Snijders
RPKI Views: The archive of RPKI state
PING podcast

@jobsnijders.bsky.social discusses RPKIViews, his long term project to collect the "views" of RPKI state every day, and maintain an archive of BGP route validation states.
How Job Snijders collects and collates the worldwide state of RPKI
blubrry.com
February 19, 2025 at 10:40 PM
Reposted by Job Snijders
@job again dropping some knowledge and insight with current #rpki operations. Worth a read: https://mailman.nanog.org/pipermail/nanog/2025-January/227206.html
January 30, 2025 at 3:01 PM
Spent the last 6 days hiking the gorgeous StauSeeSteig trail
January 15, 2025 at 12:22 PM
rpki-client 9.4 has been released! This release imposes restrictions on Trust Anchor certificate validity periods, includes ASPA support for BIRD2, protection against AS0 TALs, and various reliability improvements. Read the release notes here: cdn.openbsd.org/pub/OpenBSD/...
January 8, 2025 at 8:50 AM
Reposted by Job Snijders
rpki-client stricter aging policy for Trust Anchor certificates committed to -current www.undeadly.org/cgi?action=a... #openbsd #rpki-client #rpki #routing #certificates #trustanchor #ta #networking #bgp #freesoftware #libresoftware
December 19, 2024 at 4:40 PM
Reposted by Job Snijders
@eldomador.bsky.social’s 2024 in review: BGP, RPKI adoption, submarine cable cuts, major outages, and the role of geopolitics in shaping the internet. 🌐

Check out the year’s biggest highlights: kentik.com/blog/a-year-...

#InternetAnalysis #BGP #RPKI #SubmarineCables #Kentik
A Year in Analysis: 2024
In this post, Doug Madory reviews the highlights of his wide-ranging internet analysis from the past year, which included covering the state of BGP (leaks and the state of RPKI adoption), submarine ca...
December 18, 2024 at 7:37 PM
New (short) RFC: Detecting RPKI Repository Delta Protocol (RRDP) Session Desynchronization www.rfc-editor.org/rfc/rfc9697.... Rpki-client was the first to implement Ties’s clever concept
RFC 9697: Detecting RPKI Repository Delta Protocol (RRDP) Session Desynchronization
This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties to detect a particular form of RPKI Repository Delta Protocol (RRDP) session desynchronization and how...
December 14, 2024 at 7:06 PM
Today marks the day: 1 month nicotine free!
December 12, 2024 at 1:10 PM
Today my latest RFC was published. It fixes a security issue in the RPKI distribution protocol: in the original RRDP specification it was possible for one repository operator to impose load on another repository operator. rfc-editor.org/rfc/rfc9674....
RFC 9674: Same-Origin Policy for the RPKI Repository Delta Protocol (RRDP)
This document describes a Same-Origin Policy (SOP) requirement for Resource Public Key Infrastructure (RPKI) Repository Delta Protocol (RRDP) servers and clients. Application of a SOP in RRDP ...
December 5, 2024 at 11:23 AM
insightful thread about SCION
There are some (mostly academics and old fashioned telcos) that say the Internet isn't secure, badly designed, outdated, flawed and unfit for the future. The SCION project says it can do better. At #DENOG16 its presentation showed it does worse pretalx.com/denog16/talk...
November 20, 2024 at 1:29 PM
Reposted by Job Snijders
There are a lot more of these unheralded success stories than people think.

Problematic BGP routes are regularly being filtered without human intervention.
November 15, 2024 at 12:36 PM
War story: RPKI, working as intended. On how Fastly’s IP space was BGP hijacked, but nobody noticed www.fastly.com/blog/war-sto...
War story: RPKI is working as intended
Explore the transformative impact of RPKI on the Internet. Discover how collaboration and perseverance drive fundamental changes in routing reliability and security.
November 8, 2024 at 6:35 PM