Alexei Krylov on Wirez

Asia Data Growth Stalls as Grids Reach Limit

Tue, 28 Apr 2026 17:13:46 +0000

Asia's data center vacancy rate crashed to 10.9% in 2025 as Cushman & Wakefield reports supply failing to match AI demand.

Large firms see AI strain networks now

Tue, 28 Apr 2026 17:13:46 +0000

With 67% of large enterprises reporting altered connectivity needs, AI has instantly transformed business internet from a utility into a critical bottleneck. The era of treating corporate bandwidth as a static commodity is over; generative AI workloads now demand dynamic, low-latency pipelines that legacy architectures simply cannot support without severe degradation.

Route server blind spots break ASSET filtering

Wed, 15 Apr 2026 00:00:00 +0000

A single misconfigured prefix can cascade across multi-terabit exchanges because current Route Server models often fail to verify the origin ASN against authorized lists.

Cloudflare's 500 Tbps capacity stops 31.4 Tbps attacks

Fri, 10 Apr 2026 00:00:00 +0000

Cloudflare now commands 500 Tbps of external capacity across 330+ cities, reserving the surplus explicitly as a DDoS budget. You will examine the sheer physical reality of this global backbone, dissect the packet processing pipeline using eBPF and XDP for line-rate filtering, and explore how Workers and RPKI validate routes at the edge.

CHINOG 2026: Real MPLS Shifts I See

Wed, 01 Apr 2026 00:00:00 +0000

The CHI-NOG 13 submission deadline of April 6, 2026, demands immediate attention from operators navigating a $723.78 billion global market projection. Readers will examine how regional groups drive consensus on Segment Routing and zero-trust architectures, moving these from theoretical concepts to mandatory deployment patterns in large-scale environments. The discussion details the specific mechanical shifts required to support AI workloads, analyzing the transition from general datacenter fabrics to specialized high-performance interconnects demanded by modern compute clusters.

Cloudflare edge shift: Why 2MB cache matters

Mon, 23 Mar 2026 00:00:00 +0000

Cloudflare's new Gen 13 servers cut per-core L3 cache to just 2MB, a sixth of the previous generation's allocation. A tour inside cloudflares latest generation servers This hardware reality forces a fundamental architectural pivot: high-density edge infrastructure can no longer rely on massive caches to mask software inefficiencies. The era of cache-heavy reliance is over, replaced by a core-dense model where performance scales strictly through software optimization and thread isolation.

RPKI validation stops 820k daily IoT attacks by 2026

Mon, 23 Mar 2026 00:00:00 +0000

With over 820,000 daily IoT attacks projected for early 2026, RPKI deployment is the only viable defense against mass routing hijacks. The central thesis is clear: manual configuration is obsolete, and cryptographic validation via Route Origin Authorizations is now the baseline for operational survival.

BGP visibility jumps with 300 vantage points

Thu, 19 Mar 2026 00:00:00 +0000

Collecting data from over 300 vantage points, bgproutes. Io shatters the 2% visibility ceiling of legacy BGP monitoring systems. This platform represents a fundamental shift from passive archiving to active, discrete state processing via the BGP Monitoring Protocol. By using BMP architecture, the system extracts granular transaction logs from individual speakers rather than relying on aggregated route dumps.

SCION routing fixes BGP's 40-year security gap

Tue, 17 Mar 2026 00:00:00 +0000

Over 7,000 route entries remained invalid in March 2020 despite decades of patch attempts. The Border Gateway Protocol fundamentally lacks native mechanisms to verify address ownership, rendering current fixes like RPKI insufficient against sophisticated route hijacks. While extensions such as BGPsec attempt to secure the AS_PATH attribute, they impose heavy computational overhead and fail to address the core architectural rot of a forty-year-old system.

BGP visibility gaps: Why legacy tools miss leaks

Fri, 13 Mar 2026 00:00:00 +0000

Covering less than 2% of Autonomous Systems, legacy collectors like RIPE RIS and RouteViews leave the internet blind to most routing anomalies. RIPE's routing information service ris The bgproutes. Io platform argues that maximizing vantage point diversity through BMP aggregation is the only viable path to true routing security. As global traffic surges toward 602.1 exabytes monthly in 2026, the traditional trade-off between data retention and coverage creates dangerous visibility gaps that attackers exploit.

Routing control stays yours during DDoS outages

Tue, 10 Mar 2026 00:00:00 +0000

When cloud DDoS platforms suffer multi-hour outages, organizations lose independent rerouting capabilities if they cede BGP routing control.

The central thesis is clear: resilient architectures must strictly separate attack mitigation from traffic authority. While the cybersecurity market explodes toward USD 591.84 billion by 2032 per Research and Markets, spending alone cannot buy immunity when a provider's orchestration layer collapses. As Ofir Shaham notes, reality has proven wrong the assumption that providers never fail; when they do, customers relying on static paths face recovery dependent on the very vendor causing the blackout. True durability demands that while a provider absorbs the flood, the customer retains the keys to the gate.

RIPE Navigation Update: What 75 Countries Gain

Fri, 06 Mar 2026 00:00:00 +0000

On March 16, 2026, the RIPE NCC begins deploying a unified interface across six critical tools to replace fragmented access points. Draft ripe ncc charging scheme 2026 This modernization represents a strategic pivot toward operational consistency, ensuring that network operators managing resources for over 75 countries no longer struggle with disjointed application switchers. The organization is fundamentally restructuring how engineers interact with internet number resources by prioritizing findability over legacy technical labeling.

IPv6 data shows DNS issues are gone

Thu, 05 Mar 2026 00:00:00 +0000

Geoff Huston's advertising-based experiments reveal that the negative impact of DNS resolution via IPv6 is now negligible. APNIC's measuring ipv6 This data drives the core thesis: the internet has shifted from asking if IPv6 breaks DNS to confirming it is ready for widespread, normative deployment as a Best Current Practice.

Cloudflare remediation stops SaaS link risks fast

Tue, 03 Mar 2026 00:00:00 +0000

Cloud attacks surged 26% in 2024, proving that visibility without automated remediation is merely a delay tactic. Cloudflare's casb ga The narrative explores how security teams can finally bypass the friction of manual ticketing and external admin consoles by using Remediation actions directly inside the Cloudflare One dashboard. Instead of flagging overshared files in Microsoft 365 or Google Workspace and waiting for IT to respond, administrators can now instantly revoke public links or restrict domain-wide access with a single click. This capability addresses the critical gap where dangerous configurations persist simply because the fix requires too many steps across disjointed interfaces.

Blackhole validation must use active path data now

Sun, 01 Mar 2026 00:00:00 +0000

Strict path verification now overrides legacy IRR checks, as 2026 mandates enforce penalties for invalid blackhole route requests. The industry has decisively shifted from voluntary filtering to rigid enforcement protocols, where regulators and Tier-1 providers penalize operators who fail to validate traffic forwarding paths accurately. Job Snijders confirmed in a March 2026 NANOG discussion that modern blackhole validation must discard reliance on unverified IRR data, noting that such arbitrary lists lack the provenance required for today's compliance environment. Instead, operators must verify if IP traffic is actively forwarded to the requesting entity before honoring any mitigation request.

RTBH validation: Secure blackhole routing fast

Sun, 01 Mar 2026 00:00:00 +0000

Validating RTBH routes requires checking for the BLACKHOLE community within seconds, not relying on stale IRR data. The central thesis is that operators must shift to originAS-only validation specifically for blackhole traffic, enforcing strict community attachment while ignoring maxLength constraints to ensure rapid, secure mitigation.

Validation errors break blackhole routes now

Sun, 01 Mar 2026 00:00:00 +0000

Bryton Herdes warns that relaxing maxLength protections for blackhole routes creates a direct path for BGP hijacks.

The central thesis is that networks must strictly pair originAS-only validation with the mandatory presence of the BLACKHOLE community to prevent security degradation. While the global network security market races toward USD 205.98 billion by 2031, basic BGP hygiene remains fragile without these specific constraints. Herdes, a Principal Network Engineer at Cloudflare, argues that vendors offering shortcut configurations for loose validation directly undermine RFC9319 standards. Cloudflare's rpki 2020 fall update

APNIC IPv6 /32 vs /36: Why I Back the Larger Block

Tue, 24 Feb 2026 00:00:00 +0000

APNIC serves over four billion people, yet debates persist on reducing minimum IPv6 address blocks to a /36. APNIC's ip addresses through 2025

RPKI in 2025: Why Path Validation Matters Now

Fri, 20 Feb 2026 00:00:00 +0000

With Unique ASPA Customer ASIDs surging 539% in 2025 per RPKIViews. Org data, the industry has decisively pivoted from simple origin checks to thorough path validation. Readers will examine how RPKI evolved from a niche preference to a critical infrastructure component, underpinned by a 23% increase in ROA objects reaching over 344,000 entries according to ARIN and RIPE NCC trust anchors. ARIN's implementing rpki its easier than you think We dissect the mechanics of validation performance, noting that despite a 20% growth in total cache size, optimized implementations like rpki-client reduced wall time validation runs by 23% on standard hardware. The analysis further details the strategic imperative for ASPA objects, where all Regional Internet Registries have committed to full service availability by late 2026.

Forwarders Fuel DNS Attacks: The Invisible Risk

Thu, 12 Feb 2026 00:00:00 +0000

With open resolvers plummeting from 25M to 1.4M since 2014, attackers now exploit transparent DNS forwarders to sustain reflection volumes.

IPv4x Extends 32bit Space Without Breaking Routers

Tue, 10 Feb 2026 00:00:00 +0000

With global IPv6 adoption stalled at 45% per Circleid reports, IPv4x offers the pragmatic extension the internet actually needs. The industry's reliance on Carrier-Grade NAT has stretched the original 32-bit scheme far beyond its 1981 design limits, creating a fragile stalemate where enterprise adoption of IPv6 lgers at merely 32%. Instead of waiting for neighbors to deploy incompatible 128-bit infrastructure, IPv4x maintains the Version 4 field while unlocking new address space within existing packets. This approach respects the reality that routers and firmware cannot be replaced overnight, avoiding the massive capital expenditure that currently paralyzes network operators.

RDAP and JSON: Handling 65 Billion Monthly Queries

Tue, 10 Feb 2026 00:00:00 +0000

With 374 gTLDs disabling legacy services by September 2025, the Registration Data Access Protocol is now the mandatory backbone for internet identity. The era of unstructured text lookups has ended, replaced by a rigid, machine-readable architecture designed to handle the deluge of AI-driven infrastructure demands. We dissect the strategic pivot triggered when ICANN removed contractual obligations for WHOIS in January 2025, a move that caused query volumes to plummet 60% within eight months. You will examine the technical transition toward JSContact standards, which resolve long-standing privacy and formatting deficiencies inherent in the previous protocol. The data reveals a stark reality: automation drives this ecosystem, with monthly queries surging from seven billion to 65 billion in less than a year according to ICANN reports. As ARIN maintains steady query rates and bootstrapping services like rdap. Org handle millions of requests, the industry has effectively silenced the noisy, inefficient past. This is not merely a protocol upgrade; it is the essential plumbing required to sustain global connectivity as spending on artificial intelligence approaches $2.5 trillion.

RIPE Arbiters Panel: Who Resolves IP Conflicts in 2026?

Tue, 10 Feb 2026 00:00:00 +0000

The RIPE NCC seeks volunteers by 6 March 2026 to fill its Arbiters Panel for critical internet governance disputes. Ripe 848

Routing communities: Spot real handoff sites

Mon, 02 Feb 2026 00:00:00 +0000

Only 4% of routes are tagged near their origin, breaking direct geolocation assumptions according to Thomas Krenc et al. With manual tracking impossible, operators must shift from opaque speculation to data-driven inference using passive observation.

ARIN Policy 2026: Why 8M Records Demand Your Input Now

Wed, 28 Jan 2026 00:00:00 +0000

ARIN seeks input from its 40,000 served organizations to fix a policy process that often feels disconnected from the engineers actually running the network. ARIN research data This survey represents a critical pivot point for bottom-up governance, attempting to modernize how Internet number resources are managed before external regulatory pressures force a less flexible, state-influenced model upon the region.

RDAP fixes the 10-20% WHOIS match gap

Wed, 28 Jan 2026 00:00:00 +0000

The legacy whois protocol fails to reliably map IP addresses back to organizations, achieving match rates of only 10-20% in pure reverse lookup scenarios. While the industry rushes toward RDAP adoption following its January 2025 mandate for generic TLDs, the immediate utility of daily statistical exports remains vastly underutilized for asset discovery.

ASPATH length traps: When short routes risk security

Thu, 01 Jan 2026 00:00:00 +0000

Shorter AS_PATH lengths win route selection when other BGP criteria tie, per RFC 4271.

In reality, actual reachability depends entirely on external filtering policies and RPKI validation, not just path metrics. As bogdancyber clarified on the NANOG mailing list in January 2026, conflating path brevity with trust creates dangerous blind spots in risk modeling for potential hijacks.

Machine learning misses real BGP security flaws

Thu, 01 Jan 2026 00:00:00 +0000

Tom Beecher rejected the BGP Security Intelligence Platform immediately after reading claims that as_path length dictates routing credibility. This skepticism highlights a critical flaw in current predictive modeling: relying on outdated heuristics rather than verifiable propagation data. The article argues that effective risk assessment demands discarding static path assumptions in favor of dynamic, origin-side vulnerability scoring combined with real-time structural analysis.