FIPS: A Self-Organizing Mesh Network for the Decentralized Internet

FIPS (Free Internetworking Peering System) represents a fundamental reimagining of how networks can organize themselves without central authority. Unlike traditional internet infrastructure that depends on ISPs, backbone providers, DNS, and certificate authorities, FIPS creates a self-organizing mesh network that can operate natively over any physical or logical medium—from local area networks and Bluetooth to serial links or the existing internet as an overlay. The long-term vision is infrastructure that can function alongside or ultimately replace dependence on the Internet itself.

What Makes FIPS Different

Traditional networks are built top-down. A central authority assigns addresses, configures routing tables, provisions hardware, and manages the topology. If that authority disappears or the infrastructure fails, the network fails with it. Nodes cannot reach each other without infrastructure mediating the connection.

FIPS inverts this model entirely. There is no central authority, no address assignment service, no routing table pushed from above. Each node generates its own identity from a cryptographic keypair. Each node independently decides which peers to connect to and which transports to use. From these local decisions alone, the network self-organizes.

Core Design Principles

Self-Sovereign Identity

FIPS nodes generate their own addresses, node IDs, and security credentials without coordination with any central authority. These identities can be long-term fixed or ephemeral, changed at any time. Critically, these identities are not visible to the FIPS network itself—they are used only at the application layer and for end-to-end session encryption.

Infrastructure Independence

While the internet depends on centralized infrastructure, FIPS works over any transport that can carry packets: a serial connection, onion-routed connections through Tor, local area networking, radio links between remote sites, or the existing internet as an overlay. When the internet is unavailable, unreliable, or untrusted, the mesh still works.

Privacy by Design

FIPS provides secure, authenticated, and encrypted communication between any two nodes in the mesh, independent of the mix of transports used along the routed path between them. The mesh itself is designed to minimize metadata exposure—intermediate nodes route packets without learning the identities of the endpoints.

Zero Configuration

Nodes discover each other and build routing automatically. Connect to one peer and you can reach the entire mesh. The network self-heals around failures and adapts to changing topology.

The Self-Organizing Mechanism

The magic of FIPS lies in how it achieves global coordination from purely local decisions. The network self-organizes through three complementary mechanisms:

Spanning Tree: The Coordinate System

Nodes self-organize into a spanning tree through gossip—each node exchanges announcements with its direct peers and independently selects a parent. Because every node applies the same rule (prefer the root with the smallest node address), the network converges on a single agreed-upon root without any voting or coordination.

This is the same principle behind the Spanning Tree Protocol used in Ethernet bridging since the 1980s: purely local decisions that converge to consistent global state. The resulting tree gives every node a coordinate—its path from itself to the root. Using tree coordinates for routing is adapted from Yggdrasil's Ironwood routing library.

These coordinates enable distance calculations between any two nodes: the distance is the number of hops from each node to their lowest common ancestor in the tree. This provides a metric for routing decisions without any node needing to know the full network topology.

Bloom Filters: Candidate Selection

While the spanning tree provides a coordinate system for distance-based routing, on its own each node would only know about its immediate neighbors. Bloom filters complement the tree by distributing reachability knowledge across the entire mesh—each node learns which destinations are reachable through which peers, without any node needing a complete view of the network.

Each node's peer-advertised bloom filter is a compact, fixed-size data structure that answers one question: "can this peer possibly reach destination D?" The answer is either "no" (definitive) or "maybe" (probabilistic—false positives are possible). Because the filter size is constant regardless of how many destinations it represents, bloom filters scale efficiently as the network grows.

Filters propagate transitively through tree edges, with each node computing outbound filters by merging the filters received from its tree peers (parent and children) using a split-horizon technique borrowed from distance-vector routing. All peers—including non-tree mesh shortcuts—receive FilterAnnounce messages, but only tree peers' filters are merged into outgoing computation.

Local Routing Decisions

At each hop, FIPS makes a local forwarding decision using a priority chain: local delivery (the destination is this node), direct peer (the destination is an authenticated neighbor), bloom-guided candidate selection (bloom filters identify peers that can reach the destination; tree coordinates rank them by distance and link quality), greedy routing (fallback when bloom filters haven't converged), and no route (destination unreachable).

Protocol Architecture

FIPS is organized in three protocol layers, each with distinct responsibilities and clean service boundaries:

Transport Layer

Delivers datagrams between endpoints over a specific medium. Each transport type (UDP socket, Ethernet interface, radio modem) implements the same abstract interface: send and receive datagrams, report MTU. The transport layer knows nothing about FIPS identities, routing, or encryption. It provides raw datagram delivery to FMP above.

FIPS Mesh Protocol (FMP)

Manages peer connections, authenticates peers via Noise IK handshakes, and encrypts all traffic on each link. FMP is where the mesh organizes itself—nodes exchange spanning tree announcements and bloom filters with their direct peers, and FMP makes forwarding decisions for transit traffic. FMP provides authenticated, encrypted forwarding to FSP above.

FIPS Session Protocol (FSP)

Provides end-to-end authenticated encryption between any two nodes, regardless of how many intermediate hops separate them. FSP manages session lifecycle (setup, data transfer, teardown), caches destination coordinates for efficient routing, and handles the warmup strategy that keeps transit node caches populated. Session dispatch uses index-based routing inspired by WireGuard, enabling O(1) packet demultiplexing.

IPv6 Adaptation Layer

Sits above FSP and adapts the FIPS datagram service for unmodified IPv6 applications. Provides DNS resolution (npub → fd00::/8 address), identity cache management, MTU enforcement, and a TUN interface. This is the primary way existing applications use the FIPS mesh.

Identity System

FIPS uses Nostr keypairs (secp256k1) as node identities. The public key identifies the node; the private key signs protocol messages and establishes encrypted sessions. The public key (or its bech32-encoded npub form) is the primary means for application-layer software to identify communication endpoints.

Internally, the protocol derives a node_addr (a 16-byte SHA-256 hash of the pubkey) used as the routing identifier in packet headers, and an IPv6 address derived from the node_addr for the TUN adapter. Applications use the pubkey or npub; the routing layer uses node_addr; unmodified IPv6 applications use the derived fd00::/8 address. All three are deterministically derived from the same keypair.

Two-Layer Encryption

FIPS uses independent encryption at two protocol layers:

Link Layer (Hop-by-Hop)

When two nodes establish a direct connection, they perform a Noise IK handshake. This authenticates both parties and establishes symmetric keys for encrypting all traffic on that link. Every packet between direct peers is encrypted—gossip messages, routing queries, and forwarded session datagrams alike.

Session Layer (End-to-End)

FIPS establishes end-to-end encrypted sessions between any two communicating nodes using Noise XK, regardless of how many hops separate them. The initiator knows the destination's npub (required for XK's pre-message); the responder learns the initiator's identity from the third handshake message.

A packet from A to D through intermediate nodes B and C:

1. A encrypts payload with A↔D session key (FSP)
2. A wraps in SessionDatagram, encrypts with A↔B link key (FMP), sends to B
3. B decrypts link layer, reads destination node_addr, re-encrypts with B↔C link key, forwards to C
4. C decrypts link layer, re-encrypts with C↔D link key, forwards to D
5. D decrypts link layer, then decrypts session layer to get payload

Intermediate nodes route based on destination node_addr but cannot read session-layer payloads. Each hop strips one link encryption and applies the next—the session-layer ciphertext passes through untouched.

Metrics Measurement Protocol

Each peer link runs an instance of the Metrics Measurement Protocol, which measures link quality through in-bound report exchange. MMP computes smoothed round-trip time (SRTT), packet loss rate, interarrival jitter, goodput, and one-way delay trend—all derived from counter and timestamp fields already present in the FMP wire format, with no additional probing traffic required.

MMP serves dual roles: operator visibility and cost-based parent selection. Periodic log lines report per-link RTT, loss, jitter, and goodput. MMP computes an Expected Transmission Count (ETX) from bidirectional delivery ratios, which feeds into cost-based parent selection where each node evaluates effective_depth = depth + link_cost using link_cost = etx * (1.0 + srtt_ms / 100.0).

Transport Abstraction

FIPS treats the communication medium as a pluggable component. Every transport—whether a UDP socket, an Ethernet interface, a Tor circuit, or a radio modem—implements the same simple interface: send a datagram to an address, receive datagrams, and report the link MTU. The rest of the protocol stack sees no difference between them.

Transports fall into three categories based on their connectivity model:

• Overlay: UDP/IP, Tor Tunnels (FIPS over existing networks)
• Shared medium: Ethernet, WiFi, Bluetooth, Radio (Local broadcast, peer discovery)
• Point-to-point: Serial, dialup (Fixed connections, no discovery)

These categories differ in addressing, MTU, reliability, and whether they support local discovery, but FMP handles all of them uniformly. A node running multiple transports simultaneously bridges between those networks automatically.

Security Model

FIPS is designed around four classes of adversary:

Transport Observers

A passive observer on the underlying transport—someone monitoring a WiFi network, tapping an Ethernet segment, or inspecting UDP traffic—sees only encrypted packets. The FMP link-layer Noise IK session encrypts all traffic between direct peers, including routing gossip and forwarded session datagrams.

Active Attackers on the Transport

An adversary who can inject, modify, drop, or replay packets on the transport is also defeated by the FMP link-layer Noise IK session. Mutual authentication prevents impersonation, AEAD encryption detects tampering, and counter-based nonces with a sliding replay window reject replayed packets.

Other FIPS Nodes (Intermediate Routers)

The most important adversary class is the operators of other nodes in the mesh—the peers that forward your traffic. FIPS treats every intermediate router as potentially adversarial. The FSP session layer establishes a completely independent Noise XK session between the communicating endpoints, so intermediate nodes cannot read application payloads even though they decrypt and re-encrypt the link-layer envelope at each hop.

Routing headers expose only the destination's node_addr—an opaque SHA-256 hash of the actual public key. Intermediate routers can forward traffic without learning which Nostr identities are communicating.

Adversarial Nodes Disrupting the Mesh

Beyond passive observation, a malicious node could attempt to disrupt routing by injecting false spanning tree announcements, advertising bogus bloom filters, or claiming invalid tree positions. FMP mitigates these through signed TreeAnnounce messages verified by direct peers, transitive ancestry chain validation, replay protection via sequence numbers, and discretionary peering—node operators choose who to peer with.

Prior Art and Influences

FIPS builds on proven designs rather than inventing new cryptography or routing algorithms. Nearly every major design decision has deployed precedent:

Spanning Tree Self-Organization

The idea that distributed nodes can build a spanning tree through purely local decisions—each node selecting a parent based on announcements from its neighbors—dates to the IEEE 802.1D Spanning Tree Protocol (STP, 1985).

Tree Coordinate Routing

The spanning tree coordinates, bloom filter candidate selection, and greedy routing algorithms are adapted from Yggdrasil v0.5 and its Ironwood routing library.

Split-Horizon Bloom Filter Propagation

FIPS distributes reachability information using bloom filters computed with a split-horizon rule: when advertising to a peer, exclude that peer's own contributions. This technique is borrowed from distance-vector routing protocols—RIP (1988) and Babel use split-horizon to prevent routing loops.

Cryptographic Identity as Network Address

FIPS nodes are identified by their Nostr public keys (secp256k1). The network address is the cryptographic identity—there is no separate address assignment or registration step. CJDNS pioneered this approach in overlay meshes, deriving IPv6 addresses from the double-SHA-512 of each node's public key.

Dual-Layer Encryption

FIPS encrypts traffic twice: FMP provides hop-by-hop link encryption (protecting against transport-layer observers), while FSP provides independent end-to-end session encryption (protecting against intermediate FIPS nodes). This layered approach mirrors Tor, where each relay peels one layer of encryption (hop-by-hop) while the innermost layer protects end-to-end payload.

Noise Protocol Framework

FIPS uses the Noise Protocol Framework at both protocol layers, with different handshake patterns chosen for each layer's threat model. FMP link encryption uses Noise IK, providing mutual authentication with a single round trip where the initiator knows the responder's static key in advance. WireGuard uses the same IK base pattern (extended with a pre-shared key as IKpsk2) for VPN tunnels.

Index-Based Session Dispatch

FIPS uses locally-assigned 32-bit session indices to demultiplex incoming packets to the correct cryptographic session in O(1) time, without parsing source addresses or performing expensive lookups. This directly follows WireGuard's receiver index approach.

Transport-Agnostic Overlay Mesh

FIPS is designed to operate over any datagram-capable transport—UDP, raw Ethernet, Bluetooth, radio, serial—through a uniform transport abstraction. Several mesh overlays have demonstrated transport-agnostic design: CJDNS runs over UDP and Ethernet, Yggdrasil supports TCP and TLS transports, and Tor can use pluggable transports to tunnel through various media.

Implementation Status

FIPS is an active open-source project with several components already implemented:

• Transport Layer: UDP/IP is implemented
• Mesh Protocol (FMP): Core peer authentication and routing are implemented
• Session Protocol (FSP): End-to-end encryption is implemented
• IPv6 Adapter: TUN interface and DNS resolution are implemented

Work in progress includes Ethernet and Bluetooth transports, with additional transport types planned for the future.

The Future of Decentralized Networking

FIPS represents a significant step toward truly decentralized networking infrastructure. By combining proven cryptographic primitives, established routing algorithms, and a clean layered architecture, FIPS creates a system that can self-organize, heal around failures, and operate over any transport medium while preserving privacy and enabling end-to-end encrypted communication.

The implications are profound: communities can build their own resilient mesh networks without depending on centralized ISPs; devices can communicate directly without going through cloud servers; and the internet itself can become more distributed and resistant to censorship and surveillance.

As the project matures and more transport implementations are added, FIPS has the potential to become a foundational technology for the next generation of decentralized internet infrastructure.