Network
M5 Convergence — Shipped (2026-03-30). The Libertaria protocol stack runs natively inside NexusOS. Noise XX handshakes, BLAKE3 identity, XChaCha20-Poly1305 AEAD — all in a freestanding 100KB capsule linked with Monocypher. LWF frames bypass the IP stack entirely. Three QEMU nodes form a sovereign mesh. Zero dependency on LwIP for sovereign traffic.
Nexus OS inverts the traditional network architecture. In Linux, the TCP/IP stack runs inside the kernel – a 30-million-line attack surface where a malformed packet can crash the entire system.
In Nexus: the kernel delivers the mail; it does not read the letter.
Architecture
┌──────────────────────────────────────────────────┐
│ Application (curl, browser, mesh daemon) │
├──────────────────────────────────────────────────┤
│ LPF Ring 2: Deep Loop (DPI, threat intel) │ Membrane
│ LPF Ring 1: Policy Engine (Janus DSL) │ (Userland)
├──────────────────────────────────────────────────┤
│ POSIX Shim (socket, connect, send) │
│ or Native ION Channel API │
├──────────────────────────────────────────────────┤
│ LwIP TCP/IP Stack (Grafted) │ Legacy IP
│ or UTCP Sovereign Transport │ or Sovereign
│ or LWF Capsule (Noise XX, BLAKE3, AEAD) │
├──────────────────────────────────────────────────┤
│ Per-Process ION Rings │ Zero-Copy
│ chan_net_rx/tx, chan_lwf_rx/tx, chan_utcp_rx/tx │
├──────────────────────────────────────────────────┤
│ LPF Ring 0: CellID Gate (bitmap, token bucket) │ L0 Wire Gate
│ NetSwitch (EtherType Demux) │ L0 Switch
│ + CellID Table (64-entry, gateway routing) │
├──────────────────────────────────────────────────┤
│ VirtIO-Net Driver (HAL) │ Raw Frames
└──────────────────────────────────────────────────┘
Components
- LPF – Libertaria Packet Filter – Identity-first packet filtering. Three-ring architecture: Wire Gate (Zig L0, line-rate), Policy Engine (Janus DSL, hot-reload), Deep Loop (DPI, cluster overflow). Kills iptables by starting with cryptographic identity instead of anonymous headers.
- Network Membrane – The userland network stack (grafted LwIP + POSIX shim, dual-stack IPv4/IPv6)
- UTCP – Sovereign transport protocol for Nexus-to-Nexus traffic (kernel-native, ION ring integrated)
- UTCP-SBI Wire Protocol – Binary framing for mesh transfer, block exchange, and DAG sync over UTCP (SPEC-710)
- Libertaria Wire Frame – The Libertaria protocol stack wire format (LWF v3, encrypted by default)
- Mesh Transfer – Content-addressed block exchange over WebSocket (MVP shipped)
- Gateway – CellID-based routing and LWF relay forwarding
The NetSwitch — L0 Sovereign Switch
The NetSwitch is a Layer 0 packet switch — it runs at the lowest level of the kernel, between the VirtIO-Net hardware driver and the ION ring fabric. Combined with LPF Ring 0, it forms the sovereign wire gate: identity-verified, rate-limited, line-rate packet routing with zero userspace involvement.
- The VirtIO-Net driver delivers a raw Ethernet frame
- LPF Ring 0 checks the CellID against the allowlist bitmap (O(1)) — unknown CellIDs are dropped before touching any ring
- The NetSwitch reads the EtherType field (2 bytes)
- Based on the EtherType, it places the frame on the correct ION Ring:
| EtherType | Destination | Protocol |
|---|---|---|
| 0x0800 | Membrane fiber | IPv4 (LwIP) |
| 0x0806 | Membrane fiber | ARP |
| 0x86DD | Membrane fiber | IPv6 (LwIP – SLAAC, NDP, MLD) |
| 0x88B5 | UTCP ION ring (chan_utcp_rx) | Sovereign transport |
| 0x4C57 | LWF fiber | Libertaria Wire Frame (v3) |
The NetSwitch does not parse headers, compute checksums, or manage connections. It reads two bytes and routes. This is L0 by design — the switch is the wire, not the application. The LPF Ring 0 CellID gate runs inline before the EtherType demux; Ring 1 (Janus policy) and Ring 2 (DPI) run in Membrane userspace after the ION ring handoff.
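The receive path described above, Ring 0 gate first and EtherType demux second, as an added C example that is not Nexus OS code (the real Ring 0 is Zig). It assumes CellIDs are 16-bit indexes so the allowlist fits an 8 KB bitmap, uses a single token bucket for the gate rather than one per cell, and assumes the driver path has already extracted the source CellID; the `ring` enum and all function names are the example's own, only the EtherType values and `chan_*` names come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Where a frame lands. chan_* names are the page's; this enum is the example's own. */
enum ring {
    RING_DROP = 0,   /* rejected by Ring 0 or unknown EtherType: never touches a ring */
    RING_NET_RX,     /* chan_net_rx  -> Membrane fiber (LwIP) */
    RING_UTCP_RX,    /* chan_utcp_rx -> UTCP sovereign transport */
    RING_LWF_RX      /* chan_lwf_rx  -> LWF capsule */
};

#define ETH_HDR_LEN 14        /* dst MAC(6) + src MAC(6) + EtherType(2) */
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_IPV6 0x86DD
#define ETHERTYPE_UTCP 0x88B5
#define ETHERTYPE_LWF  0x4C57

/* LPF Ring 0 state. Assumption: CellIDs are 16-bit indexes here, so the allowlist is a
 * 64 Kbit (8 KB) bitmap and membership is one shift-and-mask. One token bucket for
 * the whole gate keeps the example small. */
struct wire_gate {
    uint8_t  allow[65536 / 8];
    uint32_t tokens, burst, refill_per_tick;
    uint64_t last_tick;
};

static void gate_init(struct wire_gate *g, uint32_t burst, uint32_t refill_per_tick) {
    memset(g, 0, sizeof *g);
    g->burst = g->tokens = burst;
    g->refill_per_tick = refill_per_tick;
}

static void gate_allow(struct wire_gate *g, uint16_t cell) {
    g->allow[cell >> 3] |= (uint8_t)(1u << (cell & 7));
}
static bool gate_is_allowed(const struct wire_gate *g, uint16_t cell) {
    return ((g->allow[cell >> 3] >> (cell & 7)) & 1u) != 0;
}

/* Token bucket: refill by elapsed ticks, cap at burst, then spend one token. */
static bool gate_take_token(struct wire_gate *g, uint64_t now_tick) {
    if (now_tick > g->last_tick) {
        uint64_t total = (uint64_t)g->tokens + (now_tick - g->last_tick) * g->refill_per_tick;
        g->tokens = total > g->burst ? g->burst : (uint32_t)total;
        g->last_tick = now_tick;
    }
    if (g->tokens == 0) return false;
    g->tokens--;
    return true;
}

/* The demux table from the page: five EtherTypes, three rings, everything else dropped. */
static enum ring ring_for_ethertype(uint16_t ethertype) {
    switch (ethertype) {
    case ETHERTYPE_IPV4: case ETHERTYPE_ARP: case ETHERTYPE_IPV6: return RING_NET_RX;
    case ETHERTYPE_UTCP: return RING_UTCP_RX;
    case ETHERTYPE_LWF:  return RING_LWF_RX;
    default:             return RING_DROP;
    }
}

/* The NetSwitch: reads bytes 12..13 and nothing else; no checksums, no connection state. */
static enum ring netswitch_demux(const uint8_t *frame, size_t len) {
    if (len < ETH_HDR_LEN) return RING_DROP;   /* runt frame: no EtherType to read */
    return ring_for_ethertype((uint16_t)((frame[12] << 8) | frame[13]));
}

/* Ring 0 then switch, in the page's order: identity gate, rate limit, demux.
 * Assumption: the driver path has already extracted src_cell for this frame. */
static enum ring wire_gate_rx(struct wire_gate *g, uint16_t src_cell, uint64_t now_tick,
                              const uint8_t *frame, size_t len) {
    if (!gate_is_allowed(g, src_cell)) return RING_DROP;   /* unknown CellID: dropped first */
    if (!gate_take_token(g, now_tick)) return RING_DROP;   /* over rate: dropped */
    return netswitch_demux(frame, len);
}

/* Constructed scenario: cell 0x0042 is allowlisted with burst 2, refill 1 per tick;
 * cell 0x0099 is never registered. Returns how many frames reached a ring. */
static int scenario(void) {
    static struct wire_gate g;          /* static: the bitmap alone is 8 KB */
    uint8_t lwf[ETH_HDR_LEN] = {0}, ip4[ETH_HDR_LEN] = {0};
    int delivered = 0;
    lwf[12] = 0x4C; lwf[13] = 0x57;      /* EtherType 0x4C57 (LWF) */
    ip4[12] = 0x08; ip4[13] = 0x00;      /* EtherType 0x0800 (IPv4) */
    gate_init(&g, 2, 1);
    gate_allow(&g, 0x0042);
    delivered += (wire_gate_rx(&g, 0x0042, 0, lwf, sizeof lwf) == RING_LWF_RX);  /* token 1 */
    delivered += (wire_gate_rx(&g, 0x0042, 0, lwf, sizeof lwf) == RING_LWF_RX);  /* token 2 */
    delivered += (wire_gate_rx(&g, 0x0042, 0, lwf, sizeof lwf) != RING_DROP);    /* bucket empty */
    delivered += (wire_gate_rx(&g, 0x0042, 1, lwf, sizeof lwf) == RING_LWF_RX);  /* refilled */
    delivered += (wire_gate_rx(&g, 0x0099, 5, ip4, sizeof ip4) != RING_DROP);    /* unknown cell */
    return delivered;                    /* 3 */
}
```

The ordering is the security-relevant part: a frame from an unknown CellID is refused before the token bucket is charged and before any ring is touched, so an unauthenticated sender cannot consume the gate's rate budget, and a runt frame is dropped by the switch without ever being parsed.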
Gateway Routing
The NetSwitch maintains a 64-entry CellID address resolution table that maps CellIDs to MAC addresses and LWF routing hints. When a UTCP handshake completes, the source CellID is auto-registered in this table. The LWF RELAY_FORWARD service uses this table for kernel-level frame forwarding between cells – see Gateway for details.
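The 64-entry CellID resolution table and its two users, auto-registration on UTCP handshake completion and RELAY_FORWARD lookup, as an added C example that is not the NetSwitch's own code. It assumes 16-bit CellID indexes, an opaque 32-bit LWF routing hint, and a reject-when-full policy for the 65th distinct cell (the page states none of these); every function and type name is the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CELL_TABLE_SIZE 64
#define MAC_LEN 6
#define ETH_HDR_LEN 14

/* One row of the resolution table. Assumptions: CellIDs are 16-bit indexes (the page
 * gives no width) and the LWF routing hint is an opaque 32-bit value. */
struct cell_entry {
    bool     used;
    uint16_t cell;
    uint8_t  mac[MAC_LEN];
    uint32_t lwf_hint;
};

struct cell_table {
    struct cell_entry rows[CELL_TABLE_SIZE];
    unsigned count;
};

static void cell_table_init(struct cell_table *t) { memset(t, 0, sizeof *t); }

/* Linear scan: 64 entries is small enough that no hashing is needed. */
static struct cell_entry *cell_table_find(struct cell_table *t, uint16_t cell) {
    for (unsigned i = 0; i < CELL_TABLE_SIZE; i++)
        if (t->rows[i].used && t->rows[i].cell == cell) return &t->rows[i];
    return NULL;
}

/* Auto-registration when a UTCP handshake completes: insert a new cell or refresh the
 * MAC/hint of a known one. Assumed policy when all 64 rows belong to other cells:
 * reject the registration rather than evicting a peer. */
static bool cell_table_register(struct cell_table *t, uint16_t cell,
                                const uint8_t mac[MAC_LEN], uint32_t lwf_hint) {
    struct cell_entry *e = cell_table_find(t, cell);
    if (!e) {
        for (unsigned i = 0; i < CELL_TABLE_SIZE && !e; i++)
            if (!t->rows[i].used) e = &t->rows[i];
        if (!e) return false;             /* table full */
        e->used = true;
        e->cell = cell;
        t->count++;
    }
    memcpy(e->mac, mac, MAC_LEN);
    e->lwf_hint = lwf_hint;
    return true;
}

/* RELAY_FORWARD resolution: map the destination CellID to its next-hop MAC, rewrite the
 * Ethernet destination in place, and hand back the routing hint. Unknown cells are not
 * forwardable; the caller drops the frame instead of guessing a route. */
static bool relay_forward(struct cell_table *t, uint16_t dst_cell,
                          uint8_t *frame, size_t len, uint32_t *hint_out) {
    struct cell_entry *e = cell_table_find(t, dst_cell);
    if (!e || len < ETH_HDR_LEN) return false;
    memcpy(frame, e->mac, MAC_LEN);       /* bytes 0..5: destination MAC */
    if (hint_out) *hint_out = e->lwf_hint;
    return true;
}

/* Constructed scenario: 64 handshakes fill the table, a 65th distinct cell is refused,
 * a repeat handshake refreshes an existing row, and forwarding resolves known cells only.
 * Returns a running count of the outcomes that matched expectations. */
static int scenario(void) {
    static struct cell_table t;
    uint8_t mac[MAC_LEN] = {0x02, 0, 0, 0, 0, 0};   /* locally administered, constructed */
    uint8_t frame[ETH_HDR_LEN] = {0};
    uint32_t hint = 0;
    int ok = 0;
    cell_table_init(&t);
    for (uint16_t c = 1; c <= CELL_TABLE_SIZE; c++) {
        mac[5] = (uint8_t)c;
        ok += cell_table_register(&t, c, mac, 0x1000u + c);          /* 64 inserts */
    }
    mac[5] = 0xFF;
    ok += !cell_table_register(&t, 0x0100, mac, 0);                  /* 65th cell: refused */
    ok += cell_table_register(&t, 7, mac, 0x7777);                   /* known cell: refreshed */
    ok += (relay_forward(&t, 7, frame, sizeof frame, &hint) && frame[5] == 0xFF && hint == 0x7777);
    ok += !relay_forward(&t, 0x0100, frame, sizeof frame, &hint);    /* unknown: not forwardable */
    ok += (t.count == CELL_TABLE_SIZE);                               /* refresh did not add a row */
    return ok;                                                        /* 69 */
}
```

Because registration happens only when a UTCP handshake completes, the table is fed by authenticated identities rather than by whatever source address appears on the wire; the fixed 64-row bound is what keeps the lookup cheap, and the full-table case has to be decided explicitly, since silently evicting a peer would let a burst of new handshakes push established cells out of the relay path.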
IPv6
IPv6 is first-class in Nexus OS. The Membrane runs dual-stack on boot:
- DHCPv4 for legacy connectivity
- IPv6 SLAAC (Stateless Address Autoconfiguration) for link-local and global addresses
- ICMPv6, NDP (Neighbor Discovery Protocol), and MLD (Multicast Listener Discovery) compiled into LwIP
- The mesh daemon listens on AF_INET6 – IPv6 is the preferred transport for mesh peers
LWIP_IPV6=1 is set at kernel compile time. There is no runtime toggle.
Why This Matters
Isolation: If a network-facing application (curl, a web server, the mesh daemon) crashes due to a malformed packet, only that application's fiber dies. The kernel continues running. The NetSwitch continues routing. Other applications are unaffected.
Security: The TCP/IP stack is outside the kernel's trust boundary. A vulnerability in LwIP cannot escalate to kernel privileges because LwIP runs in a userland fiber with a restricted capability set.
Sovereignty: For internal Nexus-to-Nexus traffic, UTCP provides identity-centric transport that does not depend on IP addresses, DNS, or any legacy infrastructure. Nodes know each other by cryptographic identity (CellID), not by IP. LWF v3 encrypts all sovereign traffic by default – cleartext is the exception, not the rule.