The global BGP routing table crossed one million IPv4 routes for the first time in September 2025, and combined with IPv6 entries, the default-free zone now carries over 1.2 million prefixes. Every one of those prefixes has to be reachable within milliseconds when a link fails, or the consequences land hard on the businesses depending on it. Unplanned IT downtime now averages $14,056 per minute across organizations, rising to $23,750 per minute for large enterprises, and over 90% of midsize and large enterprises report that a single hour of downtime costs them more than $300,000. The blast radius of a routing failure has grown faster than most operators realized, and the convergence speed of the protocols underneath has become the variable that determines whether a service stays online.
Joby Neelamthara Thoman is a Principal Software Engineer with more than 22 years of experience designing high-performance networking and data center systems, including packet processing, DPU platforms, and high-speed Ethernet for major cloud and networking platforms. A Senior Member of the IEEE, he led the early development of BGP Prefix-Independent Convergence on a major networking equipment vendor’s high-end service-provider routing platforms, work that took data-plane recovery from multi-second outages down to sub-50-millisecond failover at carrier scale. His career covers ASIC-level networking, software-hardware co-design, and the kind of forwarding-plane engineering that decides whether a global network’s resilience promises hold under real failure conditions.
The fragility sitting beneath the world’s routing tables
The Border Gateway Protocol has been the connective tissue of the internet for more than three decades, and over that span the routing table has grown from a few thousand entries to more than a million. BGP route leaks alone cause an average of 15 major internet blackouts per month, and roughly 75% of enterprises reported at least one major internet outage in 2022. 197 distinct global network outage events were logged in a single week of December 2024, a baseline that stayed roughly constant across the year. Most of these are not catastrophic protocol failures. They are convergence events, the long seconds between a link going down and traffic finding its way to a working alternative.
The architectural problem Joby worked on between 2007 and 2009 was structural. Traditional BGP convergence required the router to recompute paths one prefix at a time after a failure, which meant that a router carrying 300,000 to 500,000 prefixes took proportionally longer to recover than one carrying 30,000. He led development of BGP Prefix-Independent Convergence on a major equipment vendor’s carrier-grade router platforms, designing the hierarchical FIB logic that pre-installed backup next-hops for every BGP route. PIC Core handled core node and link failures inside the service provider’s network. PIC Edge handled eBGP link and peer failures at the customer boundary. The two together broke the linkage between routing table size and convergence time, which was the underlying scaling problem nobody had solved at production scale.
“The first thing you accept when you work on the forwarding plane is that the failure is going to happen. You cannot prevent it. What you can do is decide whether it costs the network three seconds or 30 milliseconds,” Joby Neelamthara Thoman says. “That choice has to be made in software design years before the cable ever gets pulled, because the recovery logic has to already be sitting in the ASIC when the failure arrives.”
Pre-installed failover instead of reactive recalculation
The managed MPLS market was valued at roughly $68 billion in 2024 and is projected to reach above $110 billion by 2033, with Layer 3 MPLS VPN holding the dominant share. Banks, healthcare networks, and federal agencies built their wide-area connectivity on these platforms because they offered guaranteed jitter below 10 milliseconds, traffic isolation from the public internet, and the kind of SLA enforcement no best-effort service could match. The cost of that reliability was complexity, and most of it lived in the forwarding silicon. Five-nines availability, the benchmark for telecom and core financial infrastructure, allows only 5 minutes and 15 seconds of downtime per year, which means any failover event eating more than a few seconds is a meaningful chunk of the entire annual budget.
The mechanism Joby designed shifted the work from reactive computation to pre-staged forwarding. Rather than waiting for BGP to recompute paths after a failure, his implementation programmed the router’s line-card forwarding ASICs to hold a backup next-hop for every primary route, sitting dormant in hardware memory. When a link or peer failure was detected, the data plane switched traffic to the backup entry at line rate, without involving the route processor at all. The forwarding silicon could execute the failover in tens of microseconds, while the control plane caught up at its own pace in the background. This was the inversion the design depended on. Convergence was no longer a software event that traffic had to wait for. It was a hardware action that had already been prepared.
“You stop thinking about failover as a calculation and start thinking about it as a lookup,” Thoman observes. “The work is in deciding what the backup path should be before you ever need it, and making sure the silicon can hold that decision for every prefix without running out of memory or speed.”
Solving the half-million-route scaling problem
The default-free zone has roughly doubled in size over the past decade, and a typical Tier-1 ISP today carries multiple full BGP tables plus internal routes, pushing some BGP instances to manage several million entries with continuous update churn. The IPv4 routing table grew by roughly 53,000 entries in 2024 alone, a 6% year-over-year increase, while the IPv6 table has been growing at 17% per year on a smaller base. For service-provider routing platforms, the question is not whether the table will keep growing. It is whether convergence behavior remains constant as the table scales, because a system that gets slower as it gets bigger eventually fails its SLA.
Joby, a judge for the Globee Awards recognizing achievement in technology and business, led the validation effort to confirm that PIC’s failover behavior held flat across the full range of production route table sizes. The team tested lab-simulated service provider networks carrying more than 500,000 VPN routes, demonstrating consistent sub-second convergence regardless of prefix count. They profiled convergence times with instrumentation that captured the moment a link went down through the moment traffic resumed on the backup path, then iterated on memory layout and lookup paths in the forwarding engine to keep failover constant-time. The result was a forwarding architecture that handled 500,000 prefixes the same way it handled 50,000, which meant carriers could scale their networks two to three times without re-engineering the convergence layer.
“Scale is the test that exposes whether your design works or whether it just happens to work in a small lab,” Thoman notes. “If your failover times slip when the table doubles, you have a feature that demos well and breaks in production. Constant-time convergence was the actual requirement, not the marketing number.”
Detection speed, the forgotten half of the equation
Convergence has two halves: how long it takes to notice a failure, and how long it takes to recover from it. Bidirectional Forwarding Detection, defined in RFC 5880, can be configured with intervals as low as a few milliseconds, giving service provider networks sub-50-millisecond fault detection across Ethernet, MPLS, IP tunnels, and any media that lacks native failure signaling. Without rapid detection, even the fastest forwarding switch matters very little, because the router has not yet realized it needs to act. The faster the data plane gets, the more the detection layer becomes the binding constraint.
Joby integrated BFD tightly with the BGP PIC implementation so that link-failure detection and FIB switchover operated as a single coherent event. The team tuned BFD’s detection intervals against the forwarding plane’s switchover latency to make sure the two layers reinforced rather than serialized against each other. He also worked with the BGP protocol teams to make IGP events, such as ISIS or OSPF reporting a link down, trigger instant FIB switchovers without per-route recomputation. The protocol stack ran from physical link detection through forwarding update in one motion, end to end, inside the 50-millisecond budget.
“Detection and forwarding are the same engineering problem if you want sub-second convergence,” Thoman explains. “Separating them in the design is how you accidentally build a system where one part is fast and the other part is the bottleneck. The whole stack has to converge together, or it doesn’t converge.”
What sub-50-millisecond convergence means for cloud and AI workloads
AI model training is reshaping data center networking at a pace few infrastructure teams anticipated. Network bandwidth per accelerator is climbing past 1 Tbps, cluster sizes are quadrupling every two years, and AI workloads are projected to account for nearly 30% of all data center traffic by 2025. Hyperscale operators are deploying 400 Gbps and 800 Gbps fabrics inside their campuses, with 93% of them now targeting 40 Gbps or faster connections for the core fabric. AI training generates dense east-west traffic between GPU clusters where even microsecond-level latency differences cause training inefficiency, which means the resilience properties of the underlying network determine how much expensive compute time gets wasted on retransmissions and stalls.
The same architectural principle Joby helped establish in carrier-grade routing more than a decade ago, that recovery should be a pre-staged hardware action rather than a reactive software event, has migrated into the data center fabric designs that now carry AI training and inference traffic. Hyperscalers run multiple parallel paths between racks, with pre-computed failover entries sitting in forwarding silicon ready to engage on link failure. The route table sizes are different, the speeds are different, and the topology is different, but the underlying engineering principle is the same. Convergence has to happen at the speed of the silicon, not the speed of the control plane, or the workloads above it pay the cost in latency and lost throughput.
“The networks I work on today look almost nothing like the carrier routers I started on, but the discipline carries over,” Thoman reflects. “You design failure recovery before you design steady-state behavior, because steady state is the easy case. The interesting engineering happens in the milliseconds after something breaks, and that has not changed since the day we shipped the first PIC implementation.”
