Concept
Simplicity
Every Mycoria Router has an ID. For example:
fd1f:2cf7:903:b50b:e4cb:5c4c:270e:360c
This does not merely look like an IPv6 address, it is one. But it is also more than that: these addresses are generated by first creating a public/private key pair and then hashing the public key. This means that the IPv6 address is also the fingerprint of the router's public key:
Ed25519 public key
│
▼
BLAKE3
│
▼
fd1f:2c7f:3903:b50b:e4cb:5c4c:270e:260c
This way you can distribute both the Mycoria address of a router and its public key with a single data point: an IPv6 address. As pretty much any software nowadays is able to resolve domains and connect via IPv6, Mycoria is compatible with all existing IPv6-enabled Internet infrastructure, as long as you have Mycoria running.
This enables Mycoria to do 100% end-to-end encryption of traffic within the network.
Scalable Routing
Of course, random IPv6 addresses do not feel like a natural fit for scalable routing within a network. So, we take a two-layered approach here:
First, there is some structure to the router IPs. While there are special-purpose prefixes, most IPs will be in a geo-marked prefix. Every country (plus each state in the US) has its own prefix within Mycoria. This means that on the global level, Mycoria routers in the same country share the same prefix. The prefixes of nearby countries also tend to be similar.
Second, within a country prefix, Mycoria uses address-distance routing. This means that packets are sent in the direction of the "address-nearest" other router known. While this is not the most efficient way to route packets, it does work quite well with some additional steps - especially if confined to a smaller geographic region, as Mycoria is doing.
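An added example, not code from the Mycoria project: greedy next-hop selection by address distance, as described above. The XOR metric, the NextHop function and the sample addresses are assumptions; the page does not define how "address-nearest" is measured.

```go
package main

import (
	"bytes"
	"fmt"
	"net/netip"
)

// xorDistance is an ASSUMED metric: the page only says "address-nearest"
// and does not define how the distance between two addresses is measured.
func xorDistance(a, b netip.Addr) [16]byte {
	x, y := a.As16(), b.As16()
	var d [16]byte
	for i := range d {
		d[i] = x[i] ^ y[i]
	}
	return d
}

// NextHop returns the known peer whose address is nearest to dst.
// It reports ok=false when no peer is strictly nearer than this router
// itself: the dead end that plain greedy forwarding cannot escape alone.
func NextHop(self, dst netip.Addr, peers []netip.Addr) (hop netip.Addr, ok bool) {
	best := xorDistance(self, dst)
	for _, p := range peers {
		// Big-endian byte comparison orders the 128-bit distances numerically.
		if d := xorDistance(p, dst); bytes.Compare(d[:], best[:]) < 0 {
			best, hop, ok = d, p, true
		}
	}
	return hop, ok
}

// Constructed sample addresses in fd00::/8; not real Mycoria router IDs.
var (
	sampleSelf  = netip.MustParseAddr("fd1f:1000::1")
	sampleDst   = netip.MustParseAddr("fd1f:2c00::9")
	samplePeers = []netip.Addr{
		netip.MustParseAddr("fd1f:2000::5"),
		netip.MustParseAddr("fd1f:2c00::1"),
		netip.MustParseAddr("fd1f:8000::7"),
	}
)

func main() {
	fmt.Println(NextHop(sampleSelf, sampleDst, samplePeers))         // picks a nearer peer
	fmt.Println(NextHop(samplePeers[1], sampleDst, samplePeers[:1])) // no nearer peer known
}
```

Requiring each hop to be strictly nearer than the current router keeps a packet from looping between two routers, at the cost of stopping when the only known peers are farther away.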
In addition, further route exploration procedures may reveal better paths. These can then be used directly by employing source routing.
Layers
After a router receives a packet, it is first handed to the switch. The switch handles source-routed packets ("frames"). These packets carry the whole path within the packet header, so routers do not have to look up their table and do not necessarily need to know the way to the destination. The switch labels in the switch block of the packet tell the switch which interface it should forward the packet to. This decreases the load on the router and also lays the groundwork for non-routable private addresses - more on that later.
Only if a switch cannot handle a packet itself, e.g. for the simple reason that the switch labels have come to an end, does it hand the packet to the routing layer. There, all the usual things happen that you expect from a router.
Private Address
This is not implemented yet.
In Mycoria, all packets are encrypted and authenticated. But Router IDs are still permanent and could be used to track the activities of a user. To enable privacy within Mycoria, there is a reserved prefix for private addresses, which cannot be routed. If using private addresses, packets are required to use the switch labels, explained before.
In order to get these, a router can send out a routed discovery packet (with a private source address), and routers will forward the packet to the destination, but will also attach their switch labels to it. The destination router can then build the full switch path using that data and return the packet to the sender without knowing exactly where the sender is. A block of switch labels can just be reversed at any time to form the return switch labels.
Switch labels can reveal some information if enough of the network is known. We are thinking about ways to mask the switch labels to mitigate this.
Cryptography
Mycoria uses modern, state-of-the-art cryptography:
- Curve25519 for public/private keys and key exchanges
- Chacha20Poly1305 for authenticated encryption
- BLAKE3 for hashing
There are enough version and type fields to (mostly seamlessly) transition to other ciphers, should this become necessary.
Inspirations
The concepts behind Mycoria are inspired by previous work on the Safing Privacy Network as well as from the cjdns network.