Doug Madory (@dougmadory@infosec.exchange)

A major earthquake occurred yesterday (Tuesday, July 29, 2025) off the coast of Russia's Kamchatka Peninsula. A disruption of internet traffic was picked up in @kentikinc@bird.makeup's aggregate NetFlow data at 23:26 UTC for two of the largest providers in the region.

Infosec Exchange
Our #IPv6 connectivity to the Internet has been re-enabled for a while now. We have set up route authorization (#RPKI) and #BGP path prepending. As a result, more traffic now flows via our real neighbour @FreifunkHamburg, on whose servers we (mainly) reside, instead of via the virtual tunnels at @freifunkMUC or #HurricanElectric. Those are meant to serve more as "just" a backup.
We hope this generally gives you lower latencies, more zippiness and 😉
I wrote a short summary after reading Real Internet Architecture on my blog: https://lukasz.bromirski.net/post/real-internet-architecture/. I'll take this opportunity to remind everyone I'm running various open projects for - you guessed it - the Internet community. Check them at https://lukasz.bromirski.net/projects/ #as112 #bgp #rpki #freebsd
real internet architecture

a very interesting read to check out, especially if you’re used to books written by networking vendors. this one offers a different perspective on the Internet — a mix of academic insight and practical with real-world examples. it’s a short book, but it does a great job of clearly (and practically) explaining key elements of how the Internet is structured. using a kind of “geological” language, it explores concepts like abstraction layers and protocol stacking. it’s a quick read, and I can easily imagine that even someone with very little prior knowledge could come away with a solid understanding — and appreciation — of the Internet’s architecture. in fact, after reading it carefully, you’ll probably be able to relate to various parts of our everyday online world with technical accuracy, without needing to get deep into configuration details. that’s a pretty digestible level for non-network engineers. :)

lukasz.bromirski.net
@dougmadory 1.1.1.0/24 and 1.0.0.0/24 have had valid ROAs. If networks accepted announcements from another origin, that's kind of on them. They would have been rejected by anyone doing #RPKI ROV.
PQC for the RPKI

Future capabilities of quantum attackers will present a host of new vulnerabilities for RPKI. A research student from SIDN Labs presents the first work on post-quantum cryptography for the RPKI, establishing the foundation for making this critical Internet infrastructure quantum-safe.

RIPE Labs
A new efficient RPKI Design

Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, all of which introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment. In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, 18x improvement of bandwidth requirements and 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations.

arXiv.org

Your internet traffic finds its way through a gigantic network thanks to the Border Gateway Protocol (#BGP). On its own, BGP is extremely insecure. The Resource Public Key Infrastructure (#RPKI) secures #BGP, but relies on digital signatures that are expected to eventually be breakable by quantum computers (#kwantumcomputers). So that has to change. But how? Dirk Doesburg devoted his graduation research to it at SIDN LABS @SIDNlabs

https://www.sidnlabs.nl/nieuws-en-blogs/afstudeeronderzoek-pqc-voor-de-rpki

Graduation research: PQC for the RPKI | SIDN Labs

The Internet standard RPKI secures BGP, but relies on digital signatures that are expected to eventually be breakable by quantum computers. So that has to change. But how? Dirk devoted his graduation research to it at SIDN Labs.

SIDN - The company behind .nl
TIL: #RPKI doesn’t save you from #BGP prefix hijacks, if the hijacker also uses *your* AS number which makes the ROA valid. Moar bgpsec?
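
The origin-only check behind the two posts above (valid ROAs causing a wrong-origin announcement to be rejected, and a forged origin AS still validating), as an added example that is not part of any post on this page. The prefixes and AS numbers are constructed documentation values, and the names `VRP`, `rov_state` and `classify_all` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: what a relying party hands to the router."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def rov_state(vrps, prefix, as_path):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # only the rightmost AS is ever checked
    covered = False
    for vrp in vrps:
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True            # at least one ROA covers this route
        if origin == vrp.asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data (documentation prefixes and ASNs, not real routes).
VRPS = [VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64500)]
ANNOUNCEMENTS = {
    "legitimate":    ("192.0.2.0/24", [64510, 64500]),
    "wrong_origin":  ("192.0.2.0/24", [64510, 64511]),
    "too_specific":  ("192.0.2.0/25", [64510, 64500]),
    # AS64511 is not the holder, but the path ends in the holder's ASN.
    # ROV never inspects the rest of the path, so this still validates;
    # catching it needs path validation such as BGPsec.
    "forged_origin": ("192.0.2.0/24", [64510, 64511, 64500]),
    "no_roa":        ("198.51.100.0/24", [64510, 64511]),
}


def classify_all():
    """Return the ROV state of every constructed announcement above."""
    return {name: rov_state(VRPS, pfx, path)
            for name, (pfx, path) in ANNOUNCEMENTS.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:14} {state}")
```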

We just updated our packaging workflow to also include packages for RHEL 10 and alike. Krill 0.15.0 RC3 is the first release to make use of it.

Our #RPKI certificate authority software now also includes updates in the user interface. #OpenSource

https://github.com/NLnetLabs/krill/releases/tag/v0.15.0-rc3

Release 0.15.0-rc3 · NLnetLabs/krill

Other changes Upgraded the bundled Krill UI to release 0.9.0. (#1295) Added packaging support for RHEL 10-alikes. (#1297)

GitHub

We have just released the second release candidate for Krill 0.15.0. The release contains a lot of internal refactoring, along with a couple of changes.

The most important one is the way multi-user authentication works. If you are not running Krill with just the admin token, you may want to read https://krill.docs.nlnetlabs.nl/en/v0.15.0-rc2/multi-user.html. We’ll write a migration guide before the full 0.15.0 release. #RPKI #OpenSource #rustlang https://github.com/NLnetLabs/krill/releases

Login with Named Users — Krill 0.15.0-rc2 documentation