Network infrastructure
This page contains a concise overview of projects funded by NLnet foundation that belong to Network infrastructure (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. If a description on this page is a bit technical and terse, don't despair — the dedicated page will have a more user-friendly description that should be intelligible for 'normal' people as well. If you cannot find a specific project you are looking for, please check the alphabetic index or just search for it (or search for a specific keyword).
- 0WM — Measure and visualize Wi-Fi coverage
Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users.
>> Read more about 0WM
- Accessible security — Integration effort of independent security efforts like Qubes, Heads, coreboot, etc
The "Accessible security" project's initiative was sparked by the need for usable security made available to the average citizen. Several projects are contributing a part of this bigger puzzle: QubesOS, coreboot, Heads, me_cleaner, Whonix and others. Yet the average person does not have the sophistication to integrate these software projects. With some effort we can add some missing parts, improve the usability of the affected projects, and facilitate access to cutting-edge developments that are currently only usable by developers and more sophisticated users. Bringing these projects together will reduce the amount of expertise and effort required to benefit from them.
>> Read more about Accessible security
- AI-VPN — Local machine-learning-based analysis of VPN traffic
Our security decreases significantly when we are outside our offices. Current VPNs encrypt our traffic, but they do not protect our devices from attacks or detect whether there is an infection. The AI-VPN project proposes a new solution that joins the VPN setup with a local AI-based IPS. The AI-VPN implements a state-of-the-art machine-learning-based Intrusion Prevention System in the VPN, generating alerts and blocking malicious connections automatically. The user is given a summary of the device's traffic, showing detected malicious patterns, leaked private data and security alerts, in order to protect and educate users about their security status and the risks they are exposed to.
>> Read more about AI-VPN
- Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking
Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks.
>> Read more about Detecting Forged-Origin BGP hijacks
- Bitmask — User-friendly and secure VPN configuration
Bitmask is a desktop and Android client designed to achieve a zero-configuration end-user experience for setting up a VPN that connects to a given set of providers - those that follow the LEAP platform specification. To do so, clients rely on providers exposing configuration files at well-known URLs, describing their particular setup regarding the available VPN gateways and transports. This project aims to add low-end routers as a new platform that users can choose when installing BitmaskVPN. Running VPN software on a commonly available router, with hardware-based user interfaces, will greatly extend the target audience for Bitmask. To achieve this goal, the BitmaskVPN client will be ported to Nim, a statically typed language that generates small native and dependency-free executables, allowing the VPN to be set up with the flip of a hardware switch. Finally, the resulting port will be packaged for OpenWRT, and build scripts will be made available for providers to offer their users a ready-to-use flashing image for a selection of routers.
>> Read more about Bitmask
- CAKE-MAINT — Improve network queue management algorithms on Linux
With the wider and wider adoption of the fq_codel (RFC8290) and cake codebases in shipping products, many issues in the field have been discovered, and features to address them proposed but not mainlined into Linux (or the BSDs). This project intends to tighten up the corner cases, fix up multiple observed problems, and add some needed new features if possible, as well as take a stab at addressing the biggest observed problem in the field for cake - not scaling shaping well to ever more popular multi-core routers.
In addition the project will work on a new release of babeld, the reference implementation of RFC 8966 (Babel Routing Protocol) and on standardisation of Sroam, a protocol for WiFi roaming.
>> Read more about CAKE-MAINT
- CNSPRCY — E2EE connections between trusted devices
CNSPRCY aims to tightly integrate your personal computing devices (i.e. desktop, laptop & phone but not wearables) with each other. It will provide a replicated eventually-consistent database, the ability to send encrypted messages, and it will always (unless it is impossible) know how to connect to your other devices!
It does not rely on third parties or blockchains, and it will not make your devices carry other people's data. Devices will simply connect directly to each other, forming a mesh and adapting to the conditions of the underlying network using a variety of protocols.
CNSPRCY provides a CLI application and exposes an IPC API, allowing you or your applications and scripts to synchronize data (asynchronously) or exchange messages (synchronously) with your other devices. These messages can then trigger scripts and execute applications on the receiving device. With these tools, it will be easier to write robust, private, offline-first, P2P software than it is to implement a centralized client-server architecture.
>> Read more about CNSPRCY
- CryptPad: Project Dialogue — Secure surveys and polls for Cryptpad
Cryptpad is a real-time collaboration environment that encrypts everything client-side. Structured group interaction other than collaborative editing (e.g. gathering input through forms and polls) is a useful addition to this, and the project will incorporate it. This will replace the current basic implementation of polls (like Doodle) and introduce surveys (like Google Forms). Authors will have exclusive control over the content and format of the polls and surveys, such as which questions are asked and the acceptable format of their answers. They'll also have control over the cryptographic keys which decrypt the submitted results, granting authors control over publishing. In addition, the project will develop an extension of its current notification system to allow instance administrators to publish translatable messages visible to all their users. We'll use this broadcast system to distribute language-specific surveys and recruit willing users into a series of usability studies which will guide a second round of development for these applications.
>> Read more about CryptPad: Project Dialogue
- dhcpcanon — Network configuration with better privacy
When your computer enters a new network as a guest, it needs to receive information to be able to send and receive packets. The internet standard responsible for this is called Dynamic Host Configuration Protocol (DHCP). Traditional DHCP and DHCPv6 can potentially leak information which can be abused to uniquely identify a certain device - and thus track a user. dhcpcanon is a DHCP client that implements the technical standard RFC7844, DHCP Anonymity Profiles. The new standard provides guidelines for minimizing information disclosure via DHCP. This project will produce DHCP clients implementing the Anonymity Profiles for constrained devices such as microcontrollers, and easy integration with network management tools.
>> Read more about dhcpcanon
- Distributed GNU Shepherd — A Secure Distributed System Layer for Networked Cluster Computing
The project to convert the GNU Shepherd to a distributed program by porting it to use Spritely's Goblins library will empower users to more securely connect computers for clustered and other forms of cooperative work. As a daemon-managing daemon, the Shepherd exposes control of the system layer. Goblins, as an implementation of the object-capability security paradigm, provides both networking and security abstractions. Together, they will simplify and increase the efficiency of existing networked workflows without sacrificing security while also enabling entirely new kinds of cooperation between disparate machines.
>> Read more about Distributed GNU Shepherd
- Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32
The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable.
>> Read more about Open source ESP32 802.11 MAC
- Fix the Pitch Black Attack in Freenet routing — A decentralized distributed platform for private communication
Hyphanet (previously: Freenet) is a peer-to-peer platform with academic roots, offering censorship-resistant publication and privacy by design. It uses a decentralized distributed data store to store and forward its users' information, and is one of the oldest privacy-related infrastructures - having been in continuous development for two decades, and predating the alpha version of Tor by several years. This project solves a published theoretical denial-of-service attack on the friend-to-friend structure of its routing, which has been a looming threat since it was discovered a number of years ago.
>> Read more about Fix the Pitch Black Attack in Freenet routing
- GNUnet CONG — Modernise the network stack of GNUnet
GNUnet-CONG is an intermediate abstraction layer for decentralized network stacks. The goal of this project is to create a common abstraction for the GNUnet layer-2-overlay and libp2p, which can be used by higher-level services of GNUnet (DHT, CADET and others). In addition to the abstraction, GNUnet-CONG adds E2E encryption and protocol versioning for protocols on higher layers. By wrapping these functionalities in a clean abstraction, CONG offers a usable secure protocol/service that enables a controlled way to deal with developmental progress on higher layers. In addition to integrating the latest changes to the layer-2-overlay of GNUnet with its other parts, this project is a step towards interoperability and collaboration between projects for a decentralized internet, on a technical as well as an organisational level.
>> Read more about GNUnet CONG
- Layer-2-Overlay — Generalising the GNUnet Layer-2 Overlay for broader usage
Layer-2-Overlay is a P2P connectivity layer that allows decentralized applications to establish communication with peers. The current Internet architecture is strongly biased in favor of client-server applications. To regain data sovereignty from the tech oligopoly, citizens must be able to communicate directly without a few gatekeepers. Therefore decentralized applications need to overcome network obstacles of the existing Internet infrastructure without the need to set up a costly alternative infrastructure. An additional benefit is the effective usage of existing resources, to lower the environmental damage big centralized systems are doing to our planetary ecosystem. The Layer-2-Overlay will achieve this goal by utilizing a variety of existing protocols and infrastructure (Ethernet/WLAN, TCP/UDP, QUIC, Satellite) and effective flow and congestion control to distribute traffic through different channels. After reconnecting the edges (e.g. PCs at home or mobiles) of the existing Internet among each other again, traffic can be forwarded directly to known peers and existing infrastructure will be preserved. The API of Layer-2-Overlay will be usable by all kinds of decentralized application use cases. For a first showcase, Layer-2-Overlay will be integrated into GNUnet, an alternative network stack for building secure, decentralized and privacy-preserving distributed applications.
>> Read more about Layer-2-Overlay
- GNUnet Messenger API — API for decentralized instant messaging using CADET
Communication is one of the most valuable goods, but it requires confidentiality, integrity and availability to trust it. The GNUnet Messenger API implements an encrypted translation layer based on Confidential Ad-hoc Decentralized End-to-End Transport (CADET). Through CADET the API will allow any kind of application to set up a fully decentralized form of secure and private communication between groups of users. The service uses e2e-encryption and does not require any personal information from you to be used.
You are able to send text messages, share files, invite contacts to a group or delete prior messages with a custom delay. Messages and files are both stored in a decentralized way and are only available to others in the group. GNUnet provides the possibility to use this service without relying on the typical internet structures, with an optional turnkey DHT for sharing resources.
Unlike many other messengers out there, the GNUnet Messenger service focuses on privacy. You decide who can contact you and who cannot. You decide which information gets shared with others and which stays secret. The whole service and its API are free and open by design, to be used by many different applications without trusting any third party.
>> Read more about GNUnet Messenger API
- Gosling — Generic Onions Services Library Project
One of the internet's core infrastructural flaws is a lack of anonymity - yet anonymity is a form of privacy that many users would prefer to have. Building products which preserve this user privacy while also being featureful and easy to use is difficult. Part of this difficulty has to do with the fact that developers need to be aware of and actively counter the myriad ways users can be de-anonymised (e.g. fingerprinting, side-channels). This requires knowing many intricate details at all levels of the software stack. Project parent Blueprint for Free Speech's goal is to gradually increase the portion of the internet that offers anonymity. By creating a "generic onion services library" (Gosling), we can help developers create secure and anonymous p2p applications without having to delve too deeply into protocol design or the Tor spec, and to do so with more security assurance.
>> Read more about Gosling
- OCap layer for Haskell actor library — Implement OCapN and Syndicate in Haskell's troupe
This project aims to develop a stratified framework for the Haskell language to utilize ocap-based protocols. This would enable modern, secure, and efficient communication in distributed systems. The target protocols are OCapN and Syndicate, both related to CapTP, but different in focus (RPC vs sharing state). The project will provide a set of packages necessary to participate in a cross-language P2P network of applications. That includes pluggable transports, message codecs, and handling patterns.
>> Read more about OCap layer for Haskell actor library
- SCE, DelTiC and Antler — High-Fidelity Congestion Control
Some Congestion Experienced (SCE) is a project in high-fidelity congestion control (HFCC) that aims to stabilize transport congestion windows, thereby reducing queueing delay and jitter, and increasing link utilization. Our goals under NGI Zero are to complete the DelTiC (Delay Time Control) AQM algorithm, implement a new MIMD transport response aiming for max-min-fair flow competition at shared bottlenecks, and release a purpose-built congestion control testing tool, Antler v1.0. We will inform the CC community about our work, and update our Internet Drafts to keep the door open for future standardization, should the opportunity arise.
>> Read more about SCE, DelTiC and Antler
- Holo Routing — A novel routing stack in Rust, including IS-IS routing
Holo is a suite of routing protocols designed to address the needs of modern networks. Holo was started in response to the increasing trend in the networking field towards automation, where network devices are expected to be managed programmatically using a variety of standard interfaces. Written in Rust, a memory-safe language, Holo prioritizes reliability, ease of maintenance, and security.
This project aims to extend Holo by incorporating support for the IS-IS protocol, one of the most widely used interior routing protocols. The IS-IS implementation will encompass both IPv4 and IPv6 support, cryptographic authentication, and extensions for traffic engineering. Rigorous testing against multiple vendors and comprehensive conformance tests will ensure the interoperability and robustness of the implementation.
>> Read more about Holo Routing
- Hypermachines: Realtime and Collaborative P2P Search — Realtime and Collaborative P2P Search
Modern search systems don't work offline, rely on proprietary indexes, and give users limited interfaces for content discovery. Our earlier work on the Hypercore Protocol produced a collection of data structures and networking modules for building low-latency, secure P2P applications. With this project, we will extend the Hypercore Protocol with a novel mechanism for distributing sandboxed computation, called Hypermachines, that can be combined with the existing data structures in our stack to power a next-generation search system. Hypermachines are deterministic JavaScript programs, akin to lightweight smart contracts, that introduce algorithmic transparency and compositionality into our ecosystem. Users can create powerful indexing pipelines that merge their Hypermachine datasets together, yielding a highly composable, collaborative search engine. By storing indexing logic directly alongside data structures, users can see exactly how indexes are produced, verify that they were produced correctly, and modify them according to their needs. We imagine a future in which Hypermachines power a decentralized marketplace for collaborative, transparent, and fast search engines.
>> Read more about Hypermachines: Realtime and Collaborative P2P Search
- Interpeer — Collaboration infrastructure with near real-time p2p data synchronization
The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures. For that reason, the initial focus lies on facilitating the extreme end of the use-case spectrum, with very low latency and high bandwidth requirements, as exemplified by peer-to-peer video communication at a quality as close to 4K resolution as possible. When that initial goal is reached, the project focus will shift to other collaborative applications of the technology.
>> Read more about Interpeer
- IPv6-monostack - upstream Linux SIIT/NAT64 — Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment
NAT64/SIIT technology is critical in enabling networks to transition away from the legacy internet protocol IPv4, yet this network function is currently expensive and hard to deploy, seriously hampering adoption. We believe we can remedy this situation by getting this translation technology accepted into the upstream Linux kernel thus paving the way to rapid and widespread adoption, accelerating IPv6 adoption overall.
>> Read more about IPv6-monostack - upstream Linux SIIT/NAT64
- Irdest - OpenWRT Image and Bluetooth LE — Add Bluetooth LE connections to Irdest
This project extends the Irdest mesh networking stack in two ways:
Firstly, adding Bluetooth Low Energy support to Irdest. Bluetooth Low Energy (BLE) is an important technology to support for the mesh to work seamlessly. BLE supports the same communication range as the regular Bluetooth protocol, while substantially reducing the energy footprint. Given that almost all mobile devices support BLE, supporting it in Irdest is a great advantage.
Secondly, creating an OpenWRT image for Irdest. OpenWRT is a Linux distribution for embedded devices like routers. Like any other operating system, it has apps or packages. Irdest could see wider adoption if we publish an Irdest package for easy installation on OpenWRT.
>> Read more about Irdest - OpenWRT Image and Bluetooth LE
- Irdest IP Traffic Proxy — Route existing IP-network traffic through an Irdest network
An Irdest network allows users to easily create locally focused mesh networks amongst their communities and friend circles. To allow applications not written for this mesh network (i.e. applications using IP traffic routing) to route traffic through the Irdest network, a proxy is required. This proxy is responsible for managing routes on entry and exit nodes, announcing routes, and allowing users control over which exit nodes they want to use for different target IP addresses. The goal of this proxy is to provide a better out-of-the-box experience for new users, and to expand the scope of usable scenarios.
>> Read more about Irdest IP Traffic Proxy
- Irdest spec, db, route scoring — Route scoring and other routing improvements for Irdest meshnets
Performant ad hoc mesh networks are an important way to achieve more resilience and reduce the dependency on fixed infrastructure. Irdest is a mature, relevant and up-to-date effort for hardware- and end-user-agnostic mesh networking. This project tackles some of the largest remaining issues in the Irdest stack. The Ratman router is currently not yet usable in production settings without immense supervision. The main goal of this project is to elevate the quality and resilience of Ratman to reach a level that users, who are not directly involved in development, have the capacity to run an instance and get reasonable error messages when something goes wrong - while minimising the amount of intervention actually required. Additional implementation of a few key missing features will make Ratman more useful in a wider set of deployments, and should improve general performance and uptime.
>> Read more about Irdest spec, db, route scoring
- it — Radically decentralised version control with CRDTs
The project summary for this project is not yet available. Please come back soon!
>> Read more about it
- Verified Differential Privacy for Julia — Proving sound privacy guarantees through a type system
Differential privacy can be used to prevent leakage of private information from published results of analyses performed on sensitive data. Doing so correctly requires handling the extra complexity introduced by this technique, on top of the complexity of the analysis procedure itself. A proposed relief comes in the form of type systems. They allow tracking privacy properties of functions in types, where successful typechecking is equivalent to proving sound privacy guarantees. This aids the programmer in reasoning about code, detects implementation errors that are really hard to notice before one falls victim to a privacy breach, and can give formal guarantees to the people whose privacy is claimed to be protected. This project will implement a typechecker based on the type system of the Julia programming language. Julia is a high-level, high-performance, dynamic programming language. While it is a general-purpose language and can be used to write any application, many of its features are well suited for high-performance numerical analysis and computational science. This should enable data scientists to compute privacy guarantees for any Julia function before they start working with real user data.
>> Read more about Verified Differential Privacy for Julia
- Katzen — Meta-data resistant instant messaging over the Katzenpost mixnet
Katzen is a new private instant messaging application built using the Katzenpost mixnet project, which is an overlay network that is able to hide the communication patterns of individual users from passive network observers. This means that attackers cannot link the sending and receiving of messages on the network with any of the participants. Messages between conversation parties are delivered to and read from message queues operated by the mixnet service operators. The legacy simple design maintains a per-client queue and is able to see when a client is receiving a message, how often clients receive messages, and when the client is online and checking for their messages. The purpose of this project is to replace the legacy ephemeral message storage system used by Katzen with a replacement that does not link messages with a specific user or conversation. To do this, clients will include a CSPRNG seed as part of the contact creation process that will be used to generate a deterministic sequence of message identifiers between conversation participants; these identifiers will be used by each client to query the ephemeral storage provider for the next message in the conversation. Because polling the storage service adds latency, and this design must check for new messages from each conversation partner, mechanisms to reduce the number of round trips - such as using SURBs as an asynchronous callback upon message delivery on the storage provider - will be explored as a means to build a mixnet 'push' service to decrease the total round-trip delay in receiving a new message.
>> Read more about Katzen
- Katzenpost — Observation resistant secure messaging layer
Secure messaging is among the most fundamental privacy challenges of today. While there are by now several widely used offerings that can encrypt the instant messages you send to others, there are very few reliable options that are able to keep others from finding out who you were communicating with - and when. The most popular end-to-end messaging applications do not adequately protect the identities of who-is-talking-to-whom from the infrastructure operators. Katzenpost aims to offer a traffic-analysis-resistant messaging layer that allows all the participants in the network to have significantly more privacy than other mechanisms. It offers a decentralized mixnet architecture that works similarly to onion routing, where message routing information is encrypted, and differs in that each message is a fixed size, has random forwarding delays, and is accompanied by cover traffic messages to frustrate passive traffic analysis. The project aims to be a building block for others to build applications on, lowering the threshold for existing applications to benefit from increased privacy and confidentiality.
>> Read more about Katzenpost
- Standardizing KEMTLS — Post-quantum TLS without handshake signatures
KEMTLS is a recent academic proposal for an alternative way of adding authentication to the Transport Layer Security (TLS) protocol. The project is motivated by the need to migrate public key cryptography to new algorithms that resist attacks by quantum computers. Compared to traditional cryptography, post-quantum signature schemes generally have larger public keys and/or signatures, and need more computational effort. KEMTLS, published at the ACM Computer and Communications Security Conference in 2020, replaces signature-based authentication for web servers with a post-quantum key exchange (called a KEM) in a way that saves communication and computation.
In this project we aim to prepare KEMTLS for standardization by the Internet Engineering Task Force (IETF). To that end we will implement KEMTLS in a few different open source TLS software libraries and demonstrate the viability and interoperability of these implementations. This software will assist later implementers of KEMTLS by allowing them to validate their implementations against our reference. We will also investigate optimizations for using KEMTLS in specialized environments like IoT, and will investigate issues involving certification of KEM keys.
>> Read more about Standardizing KEMTLS
- Wireguard-1GE FPGA — Implement Wireguard in Verilog
WireGuard is a modern data tunneling and encryption protocol for Internet security. Traditional VPN solutions such as OpenVPN and IPSec are outdated, bloated, and have security gaps. While WireGuard in many cases will be a superior alternative, the performance of a software implementation will not always be enough for high-throughput use cases.
The project will implement the WireGuard protocol on a cost-effective Artix-7 FPGA, targeting a board supported by open-source tools for Xilinx with four 1Gbps Ethernet ports. The corresponding gateware will be written in the industry-standard Verilog, welcoming everyone to contribute and review our code, helping us make it more secure and widely used.
This project promises to deliver a working prototype of WireGuard in hardware in complete alignment with the spirit of the open-source movement.
>> Read more about Wireguard-1GE FPGA
- Krill High Availability — Making Krill RPKI daemon deployment more robust
Krill shows users which announcements are seen in BGP based on the resources on their certificate, and uses this information to give suggestions about ROA configurations. Currently, this functionality is built around RIPE Routing Information System (RIS) data, which can be up to 8 hours old. With this funding Krill will be extended so that it will be able to use a local BMP or even BGP feed. This will offer a number of major advantages to users. Most importantly it will allow for near-realtime insight and alerting, and it will ensure the visibility of RPKI Route Origin Validation "Invalid" announcements - as those are more and more commonly dropped and therefore increasingly invisible to RIS.
>> Read more about Krill High Availability
- Let's Connect! Client-Server to P2P — Add P2P features to Let's Connect!
Let's Connect! provides an open-source VPN solution allowing ISPs, hosting providers and businesses to easily set up a secure VPN service. Currently Let's Connect! has been engineered in a traditional client-server VPN model: basically, the client is connected with VPN technology into the organization where the VPN server is deployed.
Let's Connect! is also used in the educational and research community under the name eduVPN. Roughly 140 organisations, and an estimated 300K users, around the globe are using eduVPN.
The current client-server model of Let's Connect! doesn't facilitate directly connecting devices located in various places, like IoT devices at home or services offered in various datacenters or (public) cloud environments.
This project focuses on engineering a P2P solution integrated with Let's Connect! VPN, which empowers users to connect safely to all their devices, anywhere on the internet.
>> Read more about Let's Connect! Client-Server to P2P
- Librecast — E2E encrypted multicast
-
The Librecast project contributes to decentralising the Internet by enabling multicast. It builds transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. This can for instance help to synchronise large evolving datasets to many users at the same time (even hundreds of gigabytes of blockchain data) in an economic, reliable, transparent and fair way - unlike with unicast, everyone can get a copy of the same packets received by everyone else. Not depending on a centralised structure (anyone can be the upstream source) makes it very robust as well. Librecast is energy efficient and, as a next generation internet technology, offers confidentiality and security - it is sustainable and has high scalability and throughput.
Librecast Live is a Multicast Live Streaming, Conferencing and Remote Collaborative Work Environment. It is a versatile multicast platform flexible and scalable enough to be used for live-streaming, classrooms and conferences - using an ad hoc or previously established web of trust. While using multicast helps solve the scalability problems inherent in this kind of setup, all messages are transmitted over encrypted channels - providing strong privacy and integrity assurances through E2E encryption.
>> Read more about Librecast
- Librecast Overlay Multicast — Privacy-preserving, energy efficient data replication and verification
-
The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today.
The Librecast project contributes to decentralizing the Internet by enabling multicast. Multicast is an important network capability for a secure, decentralized and private by default Next Generation Internet. Multicast is networking with consent. Unfortunately, today's infrastructure does not fully support end to end multicast. In order to reap the benefits of multicast in the applications we build now, we need a transitional mechanism which enables overlay multicast via peer to peer tunnels so that multicast applications - using the Librecast libraries - can work everywhere, regardless of underlying network support.
The Librecast project is building the transitional protocols and software required to extend the reach of multicast and enable easy deployment by software developers, to make end to end encrypted multicast a reality.
>> Read more about Librecast Overlay Multicast
- LibreOffice P2P — Encrypted collaborative editing in the browser
-
LibreOffice Online is the online version of the popular open source office application, and a leading implementation of the ISO/IEC 26300 OpenDocument Format standard. During the project this free software application will be modified so it can run fully client-side inside a regular browser - meaning you can view and edit office documents without an install required. This provides the technical foundations to support true P2P editing of complex office documents. The ability to remove the entire dependency on a server means that document collaboration is moving towards zero-knowledge implementations – where no single-point of architectural failure exists and no data is required to sit unencrypted on a non-user owned (or trusted) server instance. The improved LibreOffice Online will be able to provide end-to-end encryption – both for the peer2peer use case, as well as securely keeping documents encrypted when at rest. That means data is safe when the user is disconnected, whether it is stored on an untrusted server or in the local Web storage.
>> Read more about LibreOffice P2P
- LibreQoS — Improve congestion control for wifi networks
-
LibreQoS is a Quality of Experience (QoE) open source platform that leverages state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithms to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQoS ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access.
>> Read more about LibreQoS
- LibreQoS 2.1 — Transactional Move System and improved APIs for LibreQoS
-
LibreQoS is a Quality of Experience (QoE) open source platform that leverages the state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithm CAKE to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQoS ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access.
This project adds API functionality, which will make scaling LibreQoS to multiple servers much easier, allowing ISP operators to break the current 70 Gbps per server barrier. In addition, this project allows for a new Transactional Move System, which prevents any packet loss upon reload/refresh of shaper rules - allowing LibreQoS to scale to much larger ISP networks, improving internet connectivity for millions more end-users worldwide.
>> Read more about LibreQoS 2.1
- libresilient — Create robust web presence with service workers and DHT
-
A browser-based decentralized content delivery network, implemented as a JavaScript library to be deployed easily on any website. LibResilient uses ServiceWorkers and a suite of non-standard in-browser delivery mechanisms, with a strong focus on decentralized tools like IPFS. Ideally, users should not need to install any special software nor change any settings to continue being able to access an overloaded LibResilient-enabled site as soon as they are able to access it once.
>> Read more about libresilient
- The Libre-SOC Gigabit Router — Native Open Hardware chip implementation of crypto primitives
-
The Libre-SOC Project is developing a Libre System-on-a-Chip in a transparent fashion to engender end-user trust. Based on the OpenPOWER ISA, the next logical step is to extend and modernise OpenPOWER into the cryptographic and blockchain realm, and to do so in a practical way: design a Router ASIC. Whilst many commercial ASICs would do this using hard-coded non-transparent blocks or instructions, true transparency really only exists if the ISA has general-purpose primitives that can be Formally (mathematically) validated. The Libre-SOC Crypto-router Project therefore goes back to mathematical "first principles" to provide general-purpose Galois-Field, Matrix abstraction and more, on top of Simple-V Vectorisation. This provides flexibility for future cryptographic and blockchain algorithms on a firm transparent foundation.
>> Read more about The Libre-SOC Gigabit Router
- librice — Pure Rust implementation of IETFs real-time communication standard ICE
-
The Interactive Connectivity Establishment (ICE) protocol is everywhere in real-time communication, providing a rendezvous mechanism that allows e.g. a SIP or WebRTC connection to be established. The addition of another protocol, TURN, allows hosts which are behind a middlebox or CPE (which is the most common scenario in the IPv4 realm) to still successfully set up a bi-directional path. This puts ICE/TURN at the heart of communication. This project will implement the four key TURN RFCs in librice - a pure Rust implementation of ICE.
>> Read more about librice
- Mainstreaming Anonymity for Developers (MAD) — Add Onion Services to interactive internet applications
-
A library that allows software developers to build anonymous and secure peer-to-peer services and applications using Tor onion services.
Gosling enables a developer to easily build technologically-guaranteed secure, metadata-resistant and anonymous networked applications (both peer-to-peer and client-server). Gosling is a Blueprint for Free Speech-developed, open-source library enabling this functionality via the use of Tor's onion services.
Because effectively and safely using Tor onion services programmatically is difficult and requires specialised expertise, very few applications use this technology despite the benefits to users. Most of these existing applications are dependent on the web-browser technology stack and seek to 'bolt-on' anonymity and privacy guarantees to existing clearnet applications.
Gosling, inspired by Ricochet Refresh and subsequent peer-to-peer onion service-based instant messaging clients, starts from first-principles and provides developers a tailored, pluggable system for peer-to-peer connectivity with all of the security and privacy properties of Tor onion services. It provides a simple API surface which reduces the chance of errors by developers which may end up compromising users' security and anonymity.
Gosling contributes to globally expanding users' defences against ever-more-ubiquitous online surveillance. This project moves Gosling from a functional proof-of-concept toward a trusted library which developers will be happy integrating into their programs to build the next generation of privacy-preserving internet applications.
>> Read more about Mainstreaming Anonymity for Developers (MAD)
- Practical Decentralised Search and Discovery — Search and discovery inside mesh/adhoc networks
-
Internet search and service discovery are invaluable services, but are reliant on an oligopoly of centralised services and service providers, such as the internet search and advertising companies. One problem with this situation is that global internet connectivity is required to use these services, precisely because of their centralised nature. For remote and vulnerable communities, stable, affordable and uncensored internet connectivity may simply not be available. Prior work with mesh technology clearly shows the value of connecting local communities, so that they can call and message one another, even in the absence of connectivity to the outside world. The project will implement a system that allows such isolated networks to also provide search and advertising capabilities, making it easier to find local services, and ensuring that local enterprises can promote their services to members of their communities, without requiring the loss of capital from their communities in the form of advertising costs. The project will then trial this system with a number of pilot communities, in order to learn how to make such a system best serve its purpose.
>> Read more about Practical Decentralised Search and Discovery
- Minedive — P2P search over webRTC
-
The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. The second is an open source reference implementation of its rendez-vous server. minedive instances connect to each other (via WebRTC data channels) forming a two-layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. This architecture guarantees that peers which know your IP address (L1) do not know what you search for (L2) and vice versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions.
>> Read more about Minedive
- MirageVPN — Robust OpenVPN client and server, and QubesOS client
-
OpenVPN is a virtual private network protocol which is still widely used. We will extend the existing MirageOS OpenVPN implementation in three aspects: develop a unikernel suitable for QubesOS, develop an OpenVPN server, and add recent features (e.g. tls-crypt v2).
The project builds on top of MirageOS: a library operating system developed in OCaml — a memory-safe functional programming language. In MirageOS, each service is a separate unikernel with a minimal attack surface that only contains the code required to run it. These unikernels are normally executed as virtual machines on KVM, VirtIO or Xen. MirageOS also supports using a strict security feature of the Linux kernel called seccomp.
The elliptic curve primitives used in this project are correct by construction (and free of timing side channels), and have been developed in Coq as part of the Fiat-Crypto project.
>> Read more about MirageVPN
- mitmproxy — HTTP/3 Support and OS Proxy Mode for intercepting local proxy
-
mitmproxy is a versatile tool for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay network communication from websites and mobile applications.
This project is about the development of two new major features to mitmproxy: HTTP/3 Interception and a new OS proxy mode. With an increasing number of apps using the HTTP/3 protocol to communicate, we are adding support for it in mitmproxy so that it can be observed just as well as other protocols. For the second part of this project, we will be adding a new operating mode that makes it possible to inspect applications running on the user's device with a single click. These features collectively empower users to gain insights into what data their own devices are sending out.
>> Read more about mitmproxy
- Securing Decentralised Live Information with m-ld — Collaborative editing of Linked Data based on CRDT
-
m-ld is a software technology for live information sharing. It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an "information" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data.
>> Read more about Securing Decentralised Live Information with m-ld
- Movedata — Privacy-preserving, energy efficient data replication and verification
-
MOVEDATA is an efficient and privacy-preserving tool to distribute large blocks of data, such as the contents of a whole storage device (or a device image), with zero knowledge of the structure or meaning of the data to enhance the privacy aspect, and using multicast and other technologies for efficiency, both in terms of network bandwidth and of energy usage. Ease of use is also of particular concern, providing different interfaces adapted to different use cases.
>> Read more about Movedata
- MPTCP — MultiPath TCP
-
How do you find the best way to communicate with a computer on the other side of the internet? And why bet everything on a single connection? Multipath TCP (MPTCP) extends the most widely used transport protocol on the internet (TCP) so that it can discover and use several physical paths (e.g., Wi-Fi, cellular, between multihomed servers) in parallel. This makes it possible to speed up transfers, smoothly transition from Wi-Fi to cellular when leaving one's house, or potentially prevent traffic spying.
While the protocol is proven to work well in certain conditions (the fastest TCP connection ever was using MPTCP), it is configuration-sensitive and can degrade badly under adverse conditions (for instance in heterogeneous networks with small buffers). The aim of this project is to provide the tool to help analyze the performance of a multipath protocol as well as the software to (auto)configure the system depending on the application objective and network conditions.
>> Read more about MPTCP
- Improving the deployability of Multipath TCP — Improve MPTCP support in the Linux kernel
-
Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in RFC8684 are implemented. Basic use-cases are supported, but that still doesn't mean the solution covers all needs and is easy enough to use. In short, MPTCP works well in some controlled environments but not as well in very heterogeneous ones, as is common on the Internet. Also, its configuration is for the moment sometimes seen as difficult and/or confusing. Some work is therefore still needed to cover more use-cases and to improve the usability and performance in order to have Multipath TCP adopted by a broader audience.
>> Read more about Improving the deployability of Multipath TCP
- Improving the deployability of Multipath TCP, part 2 — Improve MPTCP support in the Linux kernel
-
Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in RFC8684 are implemented. Basic use-cases are supported, but that still doesn't mean the solution covers all needs and is easy enough to use. In short, MPTCP works well in controlled environments but there is room for improvement in heterogeneous ones. Some work is therefore still needed to cover more use-cases and to improve the usability and performance in order to have Multipath TCP adopted by a broader audience.
>> Read more about Improving the deployability of Multipath TCP, part 2
- Packet classification extensions for Netfilter — High throughput packet classification of tunneled traffic
-
With the advent of virtualization and containers, datacenter traffic is becoming predominantly tunneled through layer 2 and layer 3 encapsulation techniques such as VLAN, GRE, VXLAN, GRETAP and Geneve, among others. Extended packet classification through advanced string-matching also makes it possible to proactively detect malicious traffic patterns and to improve overall datacenter network security. Performance is also a paramount aspect to improve resource utilization and to allow packet classification to scale up to the increasing demands in latency and bandwidth.
Nftables is the next generation packet classification software that replaces {ip,ip6,eb,arp}tables and reuses the existing main components of the Netfilter framework, such as connection tracking, NAT and logging. This project aims at three goals: 1) enhancing Nftables packet classification by extending its tunneled packet classification capabilities to allow matching on inner headers, 2) adding string-matching infrastructure for Nftables and 3) evaluating performance to analyze bottlenecks and deliver upstream enhancements for the Netfilter packet classification datapath.
>> Read more about Packet classification extensions for Netfilter
- neuropil — DHT based overlay network
-
The neuropil protocol is a new integration protocol for the IoT, which can be embedded into applications and devices. It facilitates and recombines messaging paradigms with distributed hash tables, self-sovereign identities and named-data networks to establish a new kind of privacy- and security-by-design overlay network. The protocol itself embraces self-containment, reducing the need for external systems/dependencies. Our goal is a trustworthy, democratized access control mechanism for the internet of everybody. Within our project we would like to leave the beta-phase and realize the first full release of our protocol. To reach this goal we will add two remaining critical parts to our protocol: distributed time calculations and distributed linked time-stamping authorities. The first addition is not only crucial for systems without an RTC, but it also enables a de-centralized time service with a much lower attack surface. The second builds upon the first and is a key requirement to establish trust between entities using the protocol. It can also be used to ensure the integrity of and to keep track of (search-) contents of peers. Furthermore we will review our current reference implementation for efficiency and use less power-hungry algorithms whenever possible to support the green deal of the European Union.
>> Read more about neuropil
- Improvements for the next generation firewalling tool in Linux — Netfilter kernel improvements, user space tools and testing
-
This project comprises a series of preventive and corrective actions as well as improvements for the next generation firewall software offered by the Netfilter project (https://www.netfilter.org) available in the Linux kernel, such as the enhancement of the set and map infrastructure, the resolution of existing limitations in the user space tool and libraries, enhancements to the filtering policy optimisation infrastructure, improved string match support and the extension of the test coverage for early detection of regression.
>> Read more about Improvements for the next generation firewalling tool in Linux
- NixBox — Nix integration with netbox
-
NixBox is a modern approach to network deployments: it combines the configuration management powers of Nix with the documentation capabilities provided by NetBox. It focuses on testability, reliability and automation while making your network documentation your configuration. Our goals are to reduce downtime and improve network visibility. Utilizing virtual machine tests we can ensure that your deployment will actually work before you ship it to production.
>> Read more about NixBox
- node-Tor — Implementation of Tor protocols for inside webpages
-
Node-Tor is an open source project and the only existing implementation of the Tor protocol in Javascript. That gives it the unique property of running not just on a server or desktop, but also inside a regular web browser itself as a standalone secure webapp. It must not be misunderstood as just a re-implementation of Tor network nodes: the goal is much wider, because it allows any project related to privacy/security enhancement to implement the Tor protocol in their nodes and/or inside a web page. The browser client acts as a standalone node itself, communicating via web interfaces such as WebSockets with servers or through WebRTC with other browsers. The use of Javascript makes it possible to reduce the code and libraries (prone to security breaches) very significantly, simplifying the integration for developers (e.g. removing the need to maintain installation packages since standard web interfaces can be used) and simplifying the use for users. This offers a lot of potential for increasing security and privacy for everybody, since the technology can be accessed from any place and any device that has a browser or can run Javascript, including mobile devices.
>> Read more about node-Tor
- Adopting the Noise Key Exchange in Tox — Improved security of Tox instant messaging with NoiseIK
-
Tox is a P2P instant messaging protocol that aims to provide secure messaging. It's implemented in a FOSS library called "c-toxcore" (GPLv3). The project started in the wake of Edward Snowden's disclosure of global surveillance. It's intended as an end-to-end encrypted and distributed Skype replacement. The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. Tox' authenticated key exchange (AKE) during Tox' handshake works, but it is a self-made cryptographic protocol and is known to be vulnerable to key compromise impersonation (KCI) attacks. This vulnerability enables an attacker who has compromised the static long-term private X25519 key of a Tox party Alice to impersonate any other Tox party (with certain limitations) to Alice (reverse impersonation) and to perform Man-in-the-Middle attacks. The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible with the current KCI-vulnerable handshake to enable interoperability. Furthermore, Noise's rekey feature will be evaluated for adoption.
>> Read more about Adopting the Noise Key Exchange in Tox
- Strengthening NTP and NTS in ntpd-rs — Memory-safe implementation of IETF time standards including NTPv5 and NTS
-
NTP is one of the building blocks of the internet, and it and its security improvements are, therefore, of vital importance for a safer internet. Over the last year, we have created a new implementation of the Network Time Protocol called ntpd-rs, which includes Network Time Security support.
In this project, we will work on growing adoption and strengthening our implementation. On the one hand, that means expanding platform support, packaging options, and implementing improvements suggested by early adopters. On the other hand, we see the need to increase the usability of NTS, which is not deployed widely. By contributing to improvements of NTP (NTPv5) and exploring the creation of an NTS pool, we aim to foster NTS adoption.
>> Read more about Strengthening NTP and NTS in ntpd-rs
- Nyxt — Browser integration of federated, distributed platforms
-
Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. The information available to browsers is limited by the protocols they understand; the languages they speak. Most browsers only speak HTTP(S), a protocol designed for client/server interactions.
In its latest generation, Nyxt plans to open up access to an Internet beyond HTTP, a larger, more decentralized Internet. The new versions of Nyxt will feature support for XMPP, ActivityPub, and IPFS. Together, these decentralized technologies will power much of the next generation of Internet technologies, and Nyxt will speak their language!
>> Read more about Nyxt
- OpenHarbors — Dynamic Tunneling of WPA over IP/L2TP
-
OpenHarbors wants to establish a novel approach for secure communication over an untrusted Wifi network - and beyond: Dynamic tunneling of WPA over IP/L2TP. Why? Because current, secure solutions are not satisfactory: They are either hard to set up, require extra software in advance or are not applicable on an open wireless community mesh network like Freifunk.
OpenHarbors will utilize and implement WPA Enterprise with an extra twist: Instead of providing an encryption channel only between your mobile device and the direct WLAN access point you will be able to securely dial-out at any location on the internet you trust and choose and are granted access to. Without the hassle of installing and setting up an extra VPN software on your phone. Without the need of a trusted WLAN access point operator model or closed source firmware, in contrast to current approaches with Passpoint/Hotspot 2.0/eduroam/WBA OpenRoaming and similar - which all are conceptually not applicable on open wireless community mesh networks.
>> Read more about OpenHarbors
- PeerTube — A decentralised streaming video platform
-
PeerTube is a free, libre and federated video platform. Video is a very popular class of content and meanwhile accounts for a significant share of internet traffic, but the choice of hosting has a lot of implications - if you send your viewers to some proprietary platform because you want to avoid cost, what happens after they watch your video? And who watches them watch? PeerTube allows for a federation of interconnected hosts (so more choice of videos wherever you go to see them) while containing the risk of exposing users to profiling, algorithmic pressure that favors extreme content, censorship and other negative aspects of centralised services like YouTube or Vimeo. PeerTube implements the ActivityPub standard and works with peer-to-peer distribution - and therefore viewing. This means no slowing down when a video suddenly goes viral, and much lower distribution costs thanks to shared bandwidth. PeerTube aims to make it easier to host videos on the server side, while remaining practical, ethical and fun on the Internet user side. In this project, Framasoft will work on PeerTube 4.0 with interesting new features such as better search, live streaming, channel customisation and improved accessibility.
>> Read more about PeerTube
- Peertube-Desktop — Enjoy and share federated videos
-
Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting videos online with more privacy. PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well.
We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols.
>> Read more about Peertube-Desktop
- Securing PLCs via embedded protocol adapters — Open hardware protocol adapters for industrial automation
-
Industrial Programmable Logic Controllers have been controlling the heart of any production machinery since the mid-70s. However, these devices have never been built for use in completely unprotected environments such as the Internet. Currently most PLCs out in the wild have absolutely no means to protect them from malicious manipulation (most don't even have effective password protection). Unfortunately "Industry 4.0" is all about connecting these devices to the Cloud and thereby attaching them to potentially insecure networks. In the "Securing PLCs via embedded Open-Source protocol adapters" initiative we are planning on porting the Apache PLC4X drivers to languages that can also be used in embedded hardware. Additionally we also want to create secure protocol-adapters using these new drivers together with Apache Mynewt, to create protocol-adapters that could eventually even be located inside the network connectors which are plugged into the PLC, in an attempt to reduce the length of the unsecured network to an absolute minimum without actually modifying the PLC itself.
>> Read more about Securing PLCs via embedded protocol adapters
- Privacy Enhancements for PowerDNS and DNSdist — Make it easier to deploy private DoT/DoH resolvers
-
DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and currently these are dominated by US based providers. The project will enhance the availability of open, trustworthy, privacy respecting DNS Resolvers in such a way that it allows any DNS provider, operator, or user to provide encrypted DNS service. This project aims to speed up implementation, improvement and standardisation of the most important Privacy enhancing features of DNSdist and PowerDNS resolvers to allow for the entire DNS-chain (from client, to caching-resolver, to authoritative nameserver) to be encrypted. The project will add support to the (open source) PowerDNS components (dnsdist, recursor and Authoritative server) for the privacy features necessary.
>> Read more about Privacy Enhancements for PowerDNS and DNSdist
- Probabilistic NAT Traversal — Last resort ad hoc connections for GNUnet
-
With the Probabilistic NAT Traversal project, we want to significantly improve the ability of users to directly connect with each other. For establishing a peer-to-peer (p2p) network among regular internet users, unhindered connectivity is anything but self-evident. Today consumer devices are often not directly reachable via the internet but quite often sit behind a so-called NAT, delivering only indirect internet connectivity. There are several methods to reach peers who are behind a NAT, but there are as many reasons those existing methods might fail. Manual configuration, as is possible for example with home routers, often does not work for mobile devices like mobile phones. We will implement a new way of NAT traversal that we believe is independent of the existing network configuration, and does not require a third party with a direct internet connection to help two peers connect to each other. Existing NAT traversal methods use third parties which are permanently required for communication. Our Probabilistic NAT traversal method requires a third party only at the beginning of the communication. The selection of third parties to start the connection establishment is based on previous work from the Layer-2-Overlay project. Probabilistic NAT Traversal will greatly improve the connectivity of GNUnet and other P2P networks that adopt it.
>> Read more about Probabilistic NAT Traversal
- Statime — Memory-safe high-precision clock synchronization
-
Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption.
Statime is part of Project Pendulum.
>> Read more about Statime
- R5N-DHT — Formalisation within IETF of R5N Distributed Hash Table design
-
Decentralization and digital sovereignty are fundamental building blocks to strengthening European values of freedom of information and informational self-determination against particular interests of foreign state and commercial actors. Decentralization is often based on Distributed Hash Tables; DHTs are already an important component for many NGI components such as decentralized web applications (IPFS, Web3) or components in the blockchain ecosystem. The GNUnet/R5N-DHT - a Free Software distributed hash table and P2P protocol - provides additional and relevant properties like Byzantine fault tolerance and censorship resistance. The project will improve, implement and specify the R5N protocol as an IETF RFC (Informational). This supports other efforts such as the GNU Name System protocol (GNS).
>> Read more about R5N-DHT
- Radio-Meshnet — Self-sustained Community and Emergency Radio Networking
-
The project summary for this project is not yet available. Please come back soon!
>> Read more about Radio-Meshnet
- reqwest — Memory safe HTTP client
-
reqwest is the de-facto HTTP client for the Rust language, with batteries included. In this project we will make many of its powerful features composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: those who want to use only the parts of reqwest they need, and those who want to use all of reqwest while inserting new middleware or customizing its default "stack".
>> Read more about reqwest
- Reticulum Network Stack — Networking stack for building local and wide-area networks even with extremely low bandwidth
-
Reticulum is a cryptography-based networking stack that offers end-to-end connectivity and encryption, and a privacy-oriented base-layer protocol. It aims to allow anyone to operate their own sovereign communication networks, and to cover large areas with independent, interconnectable and autonomous networks without kill-switches and external control.
Reticulum is a completely decentralised networking stack, and it enables the construction of both small and large-scale networks, without any need for hierarchical or bureaucratic structures to control or manage them, while ensuring individuals and communities full sovereignty over their own network segments, addresses and applications. It allows creating truly decentralised applications and services that can continue to operate even in adverse conditions, and with extremely limited bandwidth and resources.
>> Read more about Reticulum Network Stack
- Robur private DNS resolver and DHCP server — Secure network configuration and DNS resolution
-
DHCP and DNS are fundamental Internet protocols: DHCP is used for dynamic IP address configuration in a local network, DNS for resolving hostnames to IP addresses. In this project, we develop a robust DHCP server and DNS resolver as a MirageOS unikernel. MirageOS unikernels are self-contained virtual machine images which are composed of the required OCaml libraries, leading to a binary with a minimal trusted code base, and thus minimized attack surface. The choice of the memory-safe, functional, and statically typed language OCaml avoids common attack vectors, such as buffer overflows and double frees. MirageOS unikernels can be deployed on various hypervisors (Xen, KVM, BHyve), microkernels (Genode, Muen), or as a Unix binary (also with seccomp rules that allow only 10 system calls) on x86-64 and arm64. Several DHCP and DNS privacy extensions, extensive testing, and documentation are being worked on to allow everyone to use it on their home router or in the data center. Migration of existing configuration (e.g. dnsmasq) to the Robur DNS resolver and DHCP server will be provided as well.
>> Read more about Robur private DNS resolver and DHCP server
- Rosenpass Broker — Expanding the Rosenpass APIs to enable easy integration in applications
-
Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integrate this functionality into their external applications.
>> Read more about Rosenpass Broker
- Rotonda Secure Extensions — Implement BGPSec in Rust and integrate into Rotonda
-
Rotonda is a modular routing project that brings BGP observability and easy BGP provisioning to networks. Its aim is to improve the safety and security of the inter-domain routing system. In this particular effort we will build two features that will help us further the goal of security and safety.
First, we will implement BGPsec as a first-class citizen in Rotonda. BGPsec is a standardised protocol for securing routes in the inter-domain routing system. As far as we know Rotonda will be the first open source routing software that supports BGPsec out-of-the-box.
Second, we will implement a run-time configurable plug-in system for Rotonda, that will not only increase its modularity and extensibility, but also its usability.
>> Read more about Rotonda Secure Extensions
- SCION Open Source Implementation — Performance improvements for SCION reference Implementation
-
SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable, cryptographically validated end-to-end paths. This provides higher assurances that packets will follow particular paths, which can prevent route leaks and hijacks, and allows data to be geofenced, thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover, as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations, which is a prerequisite for some large potential adopters.
>> Read more about SCION Open Source Implementation
- WWW SCION — Path-aware web server/proxy deployment and browsing
-
The WWW SCION project aims to bring innovation to web applications by enabling seamless SCION support for the web ecosystem. SCION is a clean-slate, more secure, and robust path-aware Internet architecture designed to provide route control, fault isolation, and explicit trust information for end-to-end communication. The main outcome of this project will be a full software suite for path-aware web browsing that can be easily adopted by network operators to make their web resources available on the SCION network. To do so, this project will develop (1) a production-grade reverse proxy, which enables web resources to be accessed via SCION, and (2) much improved client-side support. This will have an immediate impact on thousands of users who are already connected to the SCION infrastructure, allowing them to access next-generation network features such as expressing path-selection policies that implement their preferences. For instance, a web user could avoid traversing ASes (Autonomous Systems) in certain regions when accessing their e-banking website. Another example from which users may benefit is using distinct paths depending on the web resource. In this case, the server could make use of a high-bandwidth path to increase the throughput when loading a large resource, while it could use a low-latency path for a latency-sensitive resource, e.g., a server control message.
>> Read more about WWW SCION
- Toward a Fully-Verified SCION Router II — Align router code with formal verification tooling
-
SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project concerns the implementation part of a larger effort that is verifying the core component of the SCION inter-domain routing architecture - the SCION router. SCION’s open-source router should not only be memory-safe but should implement the SCION protocols correctly in order to provide the intended security and correctness guarantees.
>> Read more about Toward a Fully-Verified SCION Router II
- SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations
-
SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself built on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live-edit a presentation and the presenter notes while the presentation is being given, and to control the presentation from any phone without complicated setup: all that is needed on the presenting system or for remote viewers is a URL, which will sync through Hyper Hyper Space.
>> Read more about SES - SimplyEdit Spaces
- smoltcp RPL — Implement Routing Protocol for Low-Power and Lossy networks
-
Smoltcp is a TCP/IP library written in the Rust programming language. The Rust language offers many advantages, such as memory safety. The smoltcp library recently gained support for the 6LoWPAN protocol, enabling IPv6 for IEEE802.15.4 devices. However, a routing protocol tailored for low power devices is still missing in the library (or even one written in the Rust programming language). In this project, an implementation of the Routing Protocol for Low-Power and Lossy Networks (RPL) will be added to the smoltcp library. This protocol is designed for Low-Power wireless networks that are generally susceptible to packet loss. By adding this protocol to smoltcp, we get closer to a network stack that is safer to use for the Internet of Things (IoT).
>> Read more about smoltcp RPL
- Cell broadcast support for the Linux Mobile Stack — Implement SMS-CB for emergency messages on Linux
-
Cell broadcast is the capability of the mobile network to send messages to multiple mobile devices in an area. It is the common way to alert users about disasters and emergencies. Phosh is a user-friendly, graphical interface for Linux-based mobile phones using GTK, GNOME and the wlroots compositor library. It uses ModemManager for its mobile broadband connections. ModemManager is used on Linux systems to control mobile broadband devices and connections.
The aim of this project is to add cell broadcast support to ModemManager and the necessary UI elements to Phosh so cell broadcast messages sent to devices running this platform can be properly received and displayed.
>> Read more about Cell broadcast support for the Linux Mobile Stack
- SocksTrace — Ptrace based proxy leak detector
-
Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable.
>> Read more about SocksTrace
- Peer-to-Peer Access to Our Software Heritage — Access Software Heritage data via IPFS DHT
-
Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations, by leveraging IPFS’s capabilities to share and replicate the archive in a decentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows IPFS users to form their own Content Distribution Network for SWH data. Longer term, we hope this will serve as a foundation for a decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure.
>> Read more about Peer-to-Peer Access to Our Software Heritage
- Spritely (and OCapN) — Enable secure P2P applications with Object Capabilities
-
OCapN (the Object Capability Network, and featuring CapTP, the Capability Transport Protocol) simplifies building otherwise complicated security-oriented peer to peer systems as a natural extension of ordinary programming patterns. OCapN/CapTP features intentional collaboration amongst networked objects, distributed garbage collection, networked promise pipelining for efficient distributed communication, a peer introduction and consensual resource sharing system, and an abstract networking layer compatible with Tor Onion Services, I2P, libp2p, and even more traditional DNS + TLS.
While multiple implementations exist within Spritely and elsewhere, these are all incompatible. The project will produce specifications, documentation, and test suites to encourage consistency, interoperability, and smooth adoption of the technology.
>> Read more about Spritely (and OCapN)
- Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol
-
High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible.
We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides.
Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities.
>> Read more about Statime PTP Master
- RETETRA — Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio
-
Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. TETRA authentication and encryption are handled by secret, proprietary cryptographic cipher-suites known as TAA1 and TEA, which are only available to select parties under strict NDAs; this runs counter to both the spirit of open technologies and Kerckhoffs's principle. The potential consequences of the latter are illustrated by the fate of A5/1, A5/2 and their GMR variants in cellular and satellite communications, where ciphers that can be broken in practice were allowed to fester in public and critical infrastructure for far too long. This project aims to reverse-engineer and subsequently perform cryptanalysis on these cipher-suites and finally formulate a hardening roadmap, in order to provide a research-oriented FOSS implementation of the cipher-suites and aid affected parties in moving away from unexamined, proprietary security mechanisms towards open standards.
>> Read more about RETETRA
- TrustING — Ultrafast AS-level Public-Key Infrastructure
-
TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others.
The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust.
To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages.
>> Read more about TrustING
- Build Transparency (Trustix) — Towards a decentralized supply chain for software
-
When we install a program, we usually trust downloaded software binaries. But how do we know that we aren't installing something malicious? Typically, we have confidence in those binaries because we get them from a trusted provider. But if the provider itself is compromised, the binaries can be anything. This makes individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and can then vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. This is the first step towards an entirely decentralized software supply chain that can securely distribute software without any central corruptible entity.
>> Read more about Build Transparency (Trustix)
- TSCH-rs — Time Slotted Channel Hopping implemented in Rust
-
Time Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C.
TSCH-rs is a TSCH implementation written in Rust, providing ease of maintenance, security and reliability. Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation of 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust-based low-power IEEE 802.15.4 network stack.
>> Read more about TSCH-rs
- Toward a Fully-Verified SCION Router — Formal verification of the reference open source SCION Router
-
SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees.
>> Read more about Toward a Fully-Verified SCION Router
- Vita — A high performance IPSEC implementation
-
When the IP protocol was designed, its original authors did not add adequate security features. In 1994 the first official RFC concerning an end-to-end encrypted variant of IP called IPSEC was published, after a number of years of standardisation work in the IETF. Almost a quarter of a century later, there is still a very limited set of implementations of the protocol. IPSEC is perceived by many as hard to deploy, which creates a chicken-and-egg situation in driving adoption. Vita is a fresh new implementation of IPSEC based on Snabb Switch, a high performance open source packet networking toolkit. The goal of Vita is to make it very easy to use IPSec on commodity hardware, and to produce a fast and compliant clean-room implementation. Vita previously received funding from the Internet Hardening Fund. This project will move the deployability of Vita forward, and among other things will produce a number of drivers for interfacing with e.g. high speed interfaces such as the Linux kernel. Its limited size and use of an existing packet networking toolkit mean it can be easily audited.
>> Read more about Vita
- Vula — Encrypted ad hoc local-area networking
-
With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks.
>> Read more about Vula
- Waasabi Framework — P2P Live Streaming for events
-
Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various "batteries-included" offerings, but also removing the hassle of having to build everything from scratch. Active research into the creation of a peer-to-peer streaming backend seeks to advance the project's long-term goal of promoting the adoption of owned experiences through the use of decentralized technology. By further cutting down on dependencies, cost and infrastructure complexity this effort aims to enable broadcasts to scale as the audience size grows, which in turn will support Waasabi's continued adoption.
>> Read more about Waasabi Framework
- Winden/Magic Wormhole dilation — Improving Magic-Wormhole by implementing dilation and multiple file support for the web
-
Winden is an open-source web app built on the Magic-Wormhole protocol, which allows two devices to connect and exchange data without requiring identity information. We are building Winden to make file-transfers for the web secure and private. With Winden, we are giving users control over their data without them needing to trust us. This project adds support for reconnection (referred to as the ‘Dilation’ protocol) and multiple file-transfers into both Winden and wormhole-william, the Go implementation of Magic-Wormhole used by Winden and other projects. Magic-Wormhole file-transfers require both parties to be online at the same time. Dilation allows for reconnection and changing networks during a transfer. This reduces the risks of connection interruptions during these synchronous transfers. Multiple file support is a much sought after need for transferring data, which requires Dilation (and Dilation’s sub-channels).
>> Read more about Winden/Magic Wormhole dilation
- Wireguard Windows client — Native Wireguard protocol client for Windows
-
WireGuard is a next generation VPN protocol that uses state of the art cryptography. WireGuard allows traffic to be tunneled safely across the internet. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. While still under heavy development, it is regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry. Initially released for the Linux kernel, it is now cross-platform and the open source technology is ready for wide deployment. Unfortunately, WireGuard support on the widely used Microsoft Windows operating system is still immature and experimental. This makes the technology unavailable to many desktop and notebook users. This project will deliver the first stable Windows version.
>> Read more about Wireguard Windows client
- Wireguard Rust Implementation — Implementation of WireGuard in a type safe language
-
WireGuard is an emerging open VPN protocol. WireGuard stands out from similar solutions, notably OpenVPN and IPSec, by being significantly simpler and hence easier to analyze and implement. WireGuard is currently available on Linux, Windows, MacOS, iOS, Android and BSD variants. WireGuard-rs will be an implementation of WireGuard in the Rust systems programming language. The WireGuard project's desire for a Rust userspace implementation stems from the improved speed, memory consumption and safety guarantees offered by the Rust language, all of which are essential to the nature of the WireGuard project: a high performance, high security VPN. This implementation will be targeting userspace for Linux, Windows, MacOS and BSD variants.
>> Read more about Wireguard Rust Implementation
- Wireguard — Take modern network tunnels to the next level
-
WireGuard is a next generation VPN protocol that uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, in addition to cross-platform implementations, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure.
>> Read more about Wireguard
- WireGuard on FPGA — FPGA implementation of Wireguard protocol written in SpinalHDL
-
This project will produce an open hardware implementation of the WireGuard VPN protocol. The data plane with symmetric cryptography is implemented in HDL and should be able to handle 100 Gbit/s IP/Ethernet, whereas the asymmetric handshake is implemented on VexRiscv with accelerators and will be capable of maintaining thousands of concurrent connections. An off-the-shelf FPGA card handles the full protocol transparently: Ethernet/Ethernet or Ethernet/PCIe with one side ciphered and the other side plaintext.
>> Read more about WireGuard on FPGA
- WireGuard — Scale up WireGuard
-
WireGuard is a next generation VPN protocol that uses state of the art cryptography. This project aims to deliver on various tasks: put WireGuard into the OpenBSD kernel and userspace tooling (tcpdump, ifconfig, wg, etc.), rewrite the Android client UI in Kotlin and make use of Kotlin coroutines, turn the Android code into a library consumable by third-party apps, support more complex DNS and networking management in the Windows client, improve the performance and stability of the cross-platform userspace implementation library, integrate more closely with various Linux netdev semantics, and backport to Linux 5.4 and 4.19.
>> Read more about WireGuard
- Yrs — Collaborative editing with CRDT written in Rust
-
Yrs "wires" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative.
The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications.
The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to "bind" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release.
>> Read more about Yrs
- Yrs Undo — Rust-based CRDT framework for real-time multi-user applications
-
Yrs "wires" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, WebSocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, include support for other native clients, and enable interop with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands.
>> Read more about Yrs Undo
- Yrs weak links — More efficient CRDT by interconnecting and synchronising data structures inside documents
-
The Yrs weak links project aims to extend the existing implementation of Yjs/Yrs - one of the most popular free and open source libraries for building collaborative peer-to-peer applications - with new primitives such as cursors, allowing for a seamless integration with rich text editors, and an ability to cross-reference and react to changes occurring in different parts of an application: be it for display or for other evaluation purposes, such as referencing cells in spreadsheet calculations. All of this will be possible while preserving eventual consistency in an environment where applications need to remain operable and accept changes coming from many different users even when offline or when standard Internet access is not available.
>> Read more about Yrs weak links