README
¶
secure_network
secure_network is a zero-trust QUIC mesh and encrypted edge networking framework written in Go. It combines authenticated overlay routing, hardware-backed identity verification, RPC/gossip synchronization, and secure ingress tunneling into a unified distributed networking layer.
The system is designed for:
- secure edge gateways
- distributed service meshes
- authenticated overlay routing
- encrypted peer-to-peer backplanes
- hardware-bound machine identity
- QUIC-native reverse tunnels
- RPC and gossip propagation
- zero-trust infrastructure
Features
QUIC Mesh Networking
- Encrypted QUIC overlay transport using
quic-go - Persistent peer connections
- Stream multiplexing
- Automatic reconnect handling
- Bidirectional secure overlay communication
Secure RPC Layer
- Distributed RPC manager
- Request/response correlation
- Broadcast notifications
- Peer-targeted calls
- Timeout handling
- Concurrent-safe pending request tracking
Gossip Synchronization
- Distributed gossip propagation
- Lamport logical clocks
- Signature verification
- Service-scoped handlers
- Replay protection
- Mesh-wide broadcast support
Zero-Trust Tunnel Gateway
- Reverse HTTP tunnel ingress
- QUIC-backed stream forwarding
- Subdomain tunnel registration
- Machine identity authentication
- Human session authentication
- Secure overlay proxy transport
Hardware-Backed Identity
- TPM-backed service identity support
- DBSC-compatible verification flows
- RSA signature validation
- Passkey/WebAuthn integration
- Secure session enforcement
Secure Overlay Routing
- Peer discovery and management
- Concurrent-safe routing tables
- Dynamic peer registration
- Broadcast routing
- Direct peer messaging
Production Safety
- Concurrent-safe internal structures
- Race-condition tested
- Graceful shutdown handling
- Context-aware cancellation
- Modular router architecture
Architecture
┌────────────────────┐
│ Public Clients │
└─────────┬──────────┘
│
HTTPS / HTTP3
│
┌─────────▼──────────┐
│ Tunnel Gateway │
└─────────┬──────────┘
│
QUIC Overlay Mesh
│
┌─────────────────┼─────────────────┐
▼ ▼ ▼
┌────────────┐ ┌────────────┐ ┌────────────┐
│ RPC Layer │ │ Gossip Bus │ │ PeerRoute │
└────────────┘ └────────────┘ └────────────┘
│ │ │
└─────────────────┼─────────────────┘
▼
Secure Mesh Nodes
Core Components
MeshNode
Manages encrypted QUIC connectivity between nodes.
Responsibilities:
- peer connection lifecycle
- stream management
- ingress processing
- mesh synchronization
- tunnel coordination
PeerRoute
Concurrent-safe peer registry and routing fabric.
Supports:
- direct peer delivery
- mesh broadcast
- peer registration/removal
- ingress handlers
RPCManager
Distributed RPC execution framework.
Supports:
- request/response messaging
- targeted RPC calls
- broadcast notifications
- timeout enforcement
- async handlers
GossipManager
Distributed state propagation layer.
Supports:
- signed gossip envelopes
- Lamport timestamps
- replay protection
- service-scoped handlers
TunnelManager
Secure reverse ingress gateway.
Supports:
- HTTP reverse tunneling
- QUIC stream forwarding
- authenticated tunnel binding
- secure overlay ingress
Dependencies
Core Infrastructure
-
github.com/gddisney/ultimate_db- transactional embedded database
- WAL-backed persistence
- buffer pool management
-
github.com/gddisney/logger- distributed audit logging
- structured event persistence
-
github.com/gddisney/secure_policy- policy enforcement
- session validation
- authorization controls
-
github.com/gddisney/service_keys- TPM-backed service identity
- hardware signature validation
-
github.com/gddisney/webauthnext- passkey/WebAuthn integration
- session authentication
-
github.com/quic-go/quic-go- QUIC transport layer
- multiplexed encrypted streams
Installation
go get github.com/gddisney/secure_network
Quick Start
Initialize a Secure Node
package main
import (
"log"
"github.com/gddisney/logger"
"github.com/gddisney/secure_network"
"github.com/gddisney/ultimate_db"
)
func main() {
db := &ultimate_db.DB{}
logDispatcher, err := logger.NewLogDispatcher(
"secure_node",
db,
99,
100,
)
if err != nil {
log.Fatal(err)
}
node, err := secure_network.NewSecureNode(
db,
logDispatcher,
"localhost",
"localhost",
"Secure Mesh",
nil,
)
if err != nil {
log.Fatal(err)
}
log.Println(node != nil)
}
RPC Example
Register RPC Handler
rpc.Register(
"ping",
func(
ctx context.Context,
payload []byte,
) ([]byte, error) {
return []byte("pong"), nil
},
)
Execute RPC Call
resp, err := rpc.Call(
ctx,
targetNode,
"ping",
[]byte("hello"),
5*time.Second,
)
Gossip Example
Register Gossip Handler
gossip.RegisterHandler(
"cluster_event",
func(
ctx context.Context,
env *secure_network.GossipEnvelope,
) error {
return nil
},
)
Tunnel Example
Start Tunnel Manager
tm := secure_network.NewTunnelManager(
"443",
logger,
)
err := tm.Start()
Tunnel Agent
cfg := secure_network.TunnelAgentConfig{
GatewayAddr: "gateway.example.com:443",
LocalAddr: "127.0.0.1:8080",
Subdomain: "app",
IdentityType: "human",
SessionToken: "session-token",
}
Security Model
secure_network follows a zero-trust design:
- all peers are authenticated
- all mesh traffic is encrypted
- hardware-backed identity is supported
- sessions can be cryptographically bound
- replay attacks are mitigated
- RPC and gossip traffic can be signed
- tunnels require authenticated registration
Testing
Run standard tests:
go test -v
Run race detection:
go test -race .
Run all packages:
go test ./...
Current Status
Validated:
- QUIC mesh transport
- concurrent routing
- RPC subsystem
- gossip propagation
- tunnel registration
- race-condition safety
- secure session integration
- TPM-backed identity verification
License
MIT
Documentation
¶
Index ¶
- Constants
- func ReadFrame(r io.Reader, maxSize uint32) ([]byte, error)
- func RunMeshTunnelAgent(ctx context.Context, cfg TunnelAgentConfig, tlsConfig *tls.Config) error
- func WriteFrame(w io.Writer, payload []byte) error
- type APIPayload
- type AccessPolicy
- type ContentMeta
- type Gateway
- type GossipEnvelope
- type GossipHandler
- type GossipManager
- func (gm *GossipManager) CleanupSeenCache()
- func (gm *GossipManager) GetLamport() uint64
- func (gm *GossipManager) HandleIngress(ctx context.Context, payload []byte) error
- func (gm *GossipManager) Publish(ctx context.Context, serviceID string, payload []byte, signature []byte) error
- func (gm *GossipManager) RegisterHandler(serviceID string, handler GossipHandler)
- func (gm *GossipManager) SeenCount() int
- func (gm *GossipManager) StartJanitor()
- type MeshNode
- func (m *MeshNode) Close() error
- func (m *MeshNode) Connect(ctx context.Context, gatewayAddr string) error
- func (m *MeshNode) GetDBSCPrivKey() ed25519.PrivateKey
- func (m *MeshNode) GetNoisePubKey() []byte
- func (m *MeshNode) SendAction(payload APIPayload) error
- func (m *MeshNode) SetRPCManager(rpc *RPCManager)
- func (m *MeshNode) VerifyMachineIdentity(username string, nonce string, signature string, scope string) error
- type Module
- type NodeID
- type PeerHandler
- type PeerIdentity
- type PeerMessage
- type PeerRoute
- func (pr *PeerRoute) AddPeer(peer *PeerIdentity)
- func (pr *PeerRoute) Broadcast(ctx context.Context, route string, payload []byte) error
- func (pr *PeerRoute) Dispatch(ctx context.Context, msg *PeerMessage) error
- func (pr *PeerRoute) EvaluateSwarmHandshake(remotePub []byte, intent string) (bool, error)
- func (pr *PeerRoute) GetPeer(nodeID NodeID) (*PeerIdentity, bool)
- func (pr *PeerRoute) HandleIngress(ctx context.Context, payload []byte) error
- func (pr *PeerRoute) HasPeer(nodeID NodeID) bool
- func (pr *PeerRoute) ListPeers() []*PeerIdentity
- func (pr *PeerRoute) PeerCount() int
- func (pr *PeerRoute) RegisterHandler(route string, handler PeerHandler)
- func (pr *PeerRoute) RemovePeer(nodeID NodeID)
- func (pr *PeerRoute) SendToPeer(ctx context.Context, peerID []byte, route string, payload []byte) error
- func (pr *PeerRoute) SetAccessPolicy(nodeID NodeID, policy AccessPolicy)
- func (pr *PeerRoute) SignMessage(serviceID string, payload []byte, priv ed25519.PrivateKey) ([]byte, error)
- func (pr *PeerRoute) TouchPeer(nodeID NodeID)
- type RPCHandler
- type RPCManager
- func (m *RPCManager) Broadcast(ctx context.Context, method string, payload []byte) error
- func (m *RPCManager) Call(ctx context.Context, target []byte, method string, payload []byte, ...) ([]byte, error)
- func (m *RPCManager) Init(router *Router) error
- func (m *RPCManager) Name() string
- func (m *RPCManager) Notify(ctx context.Context, method string, payload []byte) error
- func (m *RPCManager) NotifyPeer(ctx context.Context, target []byte, method string, payload []byte) error
- func (m *RPCManager) Register(method string, handler RPCHandler)
- type RPCPacket
- type Router
- type SecureNode
- func (n *SecureNode) BroadcastRPC(ctx context.Context, method string, payload []byte) error
- func (n *SecureNode) CallPeer(ctx context.Context, target []byte, method string, payload []byte) ([]byte, error)
- func (n *SecureNode) ConnectMesh(ctx context.Context, gatewayAddr string) error
- func (n *SecureNode) IsMeshConnected() bool
- func (n *SecureNode) NotifyRPC(ctx context.Context, method string, payload []byte) error
- func (n *SecureNode) PeerCount() int
- func (n *SecureNode) PublishGossip(ctx context.Context, serviceID string, payload []byte, signature []byte) error
- func (n *SecureNode) RegisterGossip(serviceID string, handler GossipHandler)
- func (n *SecureNode) RegisterRPC(method string, handler RPCHandler)
- func (n *SecureNode) Shutdown() error
- type SystemEvent
- type TunnelAgentConfig
- type TunnelAuthPayload
- type TunnelManager
Constants ¶
View Source
const DefaultRPCTimeout = 15 * time.Second
View Source
const MaxFrameSize = 16 * 1024 * 1024
Variables ¶
This section is empty.
Functions ¶
func RunMeshTunnelAgent ¶
Types ¶
type APIPayload ¶
type AccessPolicy ¶
type AccessPolicy int
const ( Deny AccessPolicy = iota ReadOnly See Write Admin )
type ContentMeta ¶
type Gateway ¶
type Gateway struct {
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewGateway ¶
func (*Gateway) HandleSecureStream ¶
func (*Gateway) ListenAndServe ¶
func (*Gateway) SetApplicationHandler ¶
func (g *Gateway) SetApplicationHandler(handler http.HandlerFunc)
type GossipEnvelope ¶
type GossipHandler ¶
type GossipHandler func(ctx context.Context, env *GossipEnvelope) error
type GossipManager ¶
type GossipManager struct {
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewGossipManager ¶
func NewGossipManager(peerRoute *PeerRoute, sysLog *logger.LogDispatcher) *GossipManager
func (*GossipManager) CleanupSeenCache ¶
func (gm *GossipManager) CleanupSeenCache()
func (*GossipManager) GetLamport ¶
func (gm *GossipManager) GetLamport() uint64
func (*GossipManager) HandleIngress ¶
func (gm *GossipManager) HandleIngress(ctx context.Context, payload []byte) error
func (*GossipManager) RegisterHandler ¶
func (gm *GossipManager) RegisterHandler(serviceID string, handler GossipHandler)
func (*GossipManager) SeenCount ¶
func (gm *GossipManager) SeenCount() int
func (*GossipManager) StartJanitor ¶
func (gm *GossipManager) StartJanitor()
type MeshNode ¶
type MeshNode struct {
SdfEngine *secure_data_format.SecureDataEngine
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewMeshNode ¶
func NewMeshNode(sdf *secure_data_format.SecureDataEngine, gatePub []byte, sysLog *logger.LogDispatcher) (*MeshNode, error)
func (*MeshNode) GetDBSCPrivKey ¶
func (m *MeshNode) GetDBSCPrivKey() ed25519.PrivateKey
func (*MeshNode) GetNoisePubKey ¶
func (*MeshNode) SendAction ¶
func (m *MeshNode) SendAction(payload APIPayload) error
func (*MeshNode) SetRPCManager ¶
func (m *MeshNode) SetRPCManager(rpc *RPCManager)
type PeerHandler ¶
type PeerHandler func(ctx context.Context, msg *PeerMessage) error
type PeerIdentity ¶
type PeerMessage ¶
type PeerRoute ¶
type PeerRoute struct {
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewPeerRoute ¶
func NewPeerRoute(node *MeshNode, sysLog *logger.LogDispatcher) *PeerRoute
func (*PeerRoute) AddPeer ¶
func (pr *PeerRoute) AddPeer(peer *PeerIdentity)
func (*PeerRoute) Dispatch ¶
func (pr *PeerRoute) Dispatch(ctx context.Context, msg *PeerMessage) error
func (*PeerRoute) EvaluateSwarmHandshake ¶
func (*PeerRoute) HandleIngress ¶
func (*PeerRoute) ListPeers ¶
func (pr *PeerRoute) ListPeers() []*PeerIdentity
func (*PeerRoute) RegisterHandler ¶
func (pr *PeerRoute) RegisterHandler(route string, handler PeerHandler)
func (*PeerRoute) RemovePeer ¶
func (*PeerRoute) SendToPeer ¶
func (*PeerRoute) SetAccessPolicy ¶
func (pr *PeerRoute) SetAccessPolicy(nodeID NodeID, policy AccessPolicy)
func (*PeerRoute) SignMessage ¶
type RPCManager ¶
type RPCManager struct {
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewRPCManager ¶
func NewRPCManager(peerRoute *PeerRoute, sysLog *logger.LogDispatcher) *RPCManager
func (*RPCManager) Init ¶
func (m *RPCManager) Init(router *Router) error
func (*RPCManager) Name ¶
func (m *RPCManager) Name() string
func (*RPCManager) NotifyPeer ¶
func (*RPCManager) Register ¶
func (m *RPCManager) Register(method string, handler RPCHandler)
type Router ¶
type Router struct {
Port string
TLSConfig *tls.Config
Mux *http.ServeMux
GUIKit *guikit.GUIKit
SdfEngine *secure_data_format.SecureDataEngine
TargetCookie string
RouteMap map[string]string
Modules map[string]Module
LocalBus chan SystemEvent
ActiveTunnel *quic.Conn // Aligned to proper concrete library pointer values
PolicyEngine *secure_policy.PolicyEngine
SessionManager *secure_policy.SessionManager
Logger *logger.LogDispatcher
// contains filtered or unexported fields
}
func NewRouter ¶
func NewRouter(sdf *secure_data_format.SecureDataEngine, gk *guikit.GUIKit, targetCookie string, pe *secure_policy.PolicyEngine, sm *secure_policy.SessionManager, sysLog *logger.LogDispatcher) (*Router, error)
type SecureNode ¶
type SecureNode struct {
SdfEngine *secure_data_format.SecureDataEngine
PolicyEngine *secure_policy.PolicyEngine
SessionManager *secure_policy.SessionManager
AuthProvider *auth_provider.Provider
Logger *logger.LogDispatcher
Mesh *MeshNode
PeerRoute *PeerRoute
Gossip *GossipManager
RPC *RPCManager
HostID string
Realm string
}
SecureNode acts as the main microkernel engine orchestrating the network plane.
func NewSecureNode ¶
func NewSecureNode( sdf *secure_data_format.SecureDataEngine, sm *secure_policy.SessionManager, gk *guikit.GUIKit, realm string, hostID string, issuerURL string, gatewayPub []byte, ) (*SecureNode, error)
func (*SecureNode) BroadcastRPC ¶
func (*SecureNode) ConnectMesh ¶
func (n *SecureNode) ConnectMesh(ctx context.Context, gatewayAddr string) error
func (*SecureNode) IsMeshConnected ¶
func (n *SecureNode) IsMeshConnected() bool
func (*SecureNode) PeerCount ¶
func (n *SecureNode) PeerCount() int
func (*SecureNode) PublishGossip ¶
func (*SecureNode) RegisterGossip ¶
func (n *SecureNode) RegisterGossip(serviceID string, handler GossipHandler)
func (*SecureNode) RegisterRPC ¶
func (n *SecureNode) RegisterRPC(method string, handler RPCHandler)
func (*SecureNode) Shutdown ¶
func (n *SecureNode) Shutdown() error
type SystemEvent ¶
type TunnelAgentConfig ¶
type TunnelAuthPayload ¶
type TunnelManager ¶
type TunnelManager struct {
Logger *logger.LogDispatcher
PublicPort string
// contains filtered or unexported fields
}
func NewTunnelManager ¶
func NewTunnelManager(publicPort string, sysLog *logger.LogDispatcher) *TunnelManager
func (*TunnelManager) Init ¶
func (t *TunnelManager) Init(r *Router) error
func (*TunnelManager) Name ¶
func (t *TunnelManager) Name() string
func (*TunnelManager) RegisterTunnel ¶
func (t *TunnelManager) RegisterTunnel(conn *quic.Conn, authMsg []byte) error
func (*TunnelManager) Start ¶
func (t *TunnelManager) Start() error
Source Files
Click to show internal directories.
Click to hide internal directories.