• Posts
ai-assisted-engineering
ebpf-bng-production
ebpf-bng-infra
ebpf-bng
gitops
socat
gitops-pr-diffs

AI Didn't Design This BNG. Experience Did.

When I open-sourced the eBPF BNG last month, someone on Hacker News called it “vibe coded.” I understand why. The project moved fast — a working distributed BNG with eBPF/XDP packet processing, DHCP, RADIUS, NAT, PPPoE, BGP, and a coordination service, all open-sourced within weeks. That’s suspicious. When something appears quickly, people assume it was thrown together quickly. But speed of implementation isn’t the same as absence of design. And using AI tools to write code isn’t the same as letting AI design your system.

• ebpf
• ai
• software-engineering
• networking
• isp
• distributed-systems

Saturday, February 14, 2026 | 7 minutes Read

The Unglamorous Work: Hardening an eBPF BNG for Production

A month ago I wrote about building an eBPF-accelerated BNG and the infrastructure repo that lets you run it locally. The response was better than I expected — the post hit 94 points on Hacker News and sparked some good discussion. It also sparked some fair criticism. One commenter called the code “vibe coded.” Another wrote a detailed comment about why distributed BNG has never achieved commercial success, despite attempts by Cisco, Metaswitch, and others. Someone asked about CPU-to-NPU bandwidth in whitebox OLTs. Someone else pointed to 6WIND’s commercial DPDK-based BNG as a more production-ready alternative.

• ebpf
• xdp
• networking
• isp
• distributed-systems
• go
• linux
• testing
• security

Saturday, February 14, 2026 | 8 minutes Read

From Zero to eBPF BNG in 15 Minutes: The GitOps Deployment Repo

Last week I open-sourced the eBPF BNG itself. The response was great, but the most common question was: “How do I actually run this thing?” Fair question. The BNG repo has a Dockerfile and some example configs, but spinning up a distributed system with multiple components, observability, and realistic test traffic isn’t trivial. That’s the hard part of infrastructure - not writing the code, but figuring out how to deploy it, test it, and debug it when things break.

• ebpf
• gitops
• kubernetes
• tilt
• k3d
• isp
• networking

Saturday, January 24, 2026 | 9 minutes Read

Killing the ISP Appliance: An eBPF/XDP Approach to Distributed BNG

I used to work for an ISP startup that was building next-generation infrastructure. The company didn’t make it, but the problems we were trying to solve stuck with me. So I spent a few weeks building what we never got to: an open-source, eBPF-accelerated BNG that runs directly on OLT hardware. This post explains the architecture and why I think it’s the future of ISP edge infrastructure. The Problem: Centralised BNG is a Bottleneck Traditional ISP architecture looks like this:

• ebpf
• xdp
• networking
• isp
• distributed-systems
• go
• linux

Friday, January 16, 2026 | 6 minutes Read

Practical GitOps Pattern

Introduction If you’ve spent any time working with Kubernetes, you’ve probably heard of GitOps -a methodology that treats Git as the source of truth for defining and operating infrastructure and applications. In this post, I’ll walk you through a GitOps setup that uses a hierarchical folder structure, combining Helm, Helmfile, and Kustomize to give you robust, testable, and scalable deployments. We’ll also see how tools like Flux and Tilt fit into the workflow, enabling both automated deployments and seamless local development.

Tuesday, February 25, 2025 | 6 minutes Read

GitOps PR Diffs: Review What You Deploy

Introduction A common pattern I see promoted is using tools that show you what will change in your cluster at sync time - after your code is already merged. In my view, this is already too late and goes against GitOps principles. How can Git be the source of truth if there are extra steps between merge and understanding impact? In this post, I’ll show you how to generate manifest diffs during PR review, so reviewers see exactly what will change in the cluster before they approve.

Tuesday, January 14, 2025 | 6 minutes Read

Using socat to backdoor via kubernetes

Sometimes when you’re developing or debugging locally you need access to resources that are exposed to your cluster. Typically, most organisations use VPN’s to enable you to access these resources, but there’s a much easier way. Socat. The alpine/socat image is perfect for enabling backdoor access to private or internal services that are available to your cluster without having to set up and manage VPN’s. How it works is pretty simple. We run a socat pod exposing a service that’s viewable by the pod but not by us.

Friday, January 22, 2021 | 1 minute Read