EC publishes study on Next Generation Internet 2025 2018/10/05

Bob Goudriaan successor of Marc Gauw 2017/10/12

NLnet Labs' Jaap Akkerhuis inducted in Internet Hall of Fame 2017/09/19

NLnet and Gartner to write vision for EC's Next Generation Internet initiative 2017/04/12

Dutch Ministry of Economic Affairs donates 0.5 million to "Internet Hardening Fund" 2016/12/16

Vietsch Foundation and NLnet cooperate in internet R&D for research and education 2016/09/28

  Help grow the future. Donate

Application protocols

0cpm -- 0cpm free calling

SIP is a well-established IETF standard ready to provide telephony and many other advanced services through the internet, but it seems not to be developing to its full extent. Sometimes we even see lock-in arrangements from vendors. This project aims to overcome these barriers and unleash the true power of the underlying technology platform - it designs and builds open source firmware for digital phones.

The project makes full use of the exiting capabilities of DNSSEC, ZRTP and IPv6:

  • DNSSEC secures the information looked up on remote parties;
  • ZRTP secures conversations and if it is missing, this will be explicitly communicated to end users.
  • Direct media streams between IPv4 endpoints can only be built up using sophisticated handling like port forwarding, but remains dependent of many factors, while IPv6 simplifies and improves SIP technology immensely.

Especially the clever usage of IPv6 makes 0cpm an exiting project. Many people see IPv6 as something to avoid as long as they can because they are afraid of technical headache. This project shows that IPv6 is nothing to fear and offers exiting opportunities.

For instance the fact that every RTP media stream can use random end point addresses which can be abandoned after the stream stops. Also it is possible to send IPv6 adresses of different devices in one SIP INVITE message, which is almost impossible to do behind IPv4 NAT. This will allow you to send video of a conversation to your television and simultaneously speak through your telephone.

Ambulant -- Ambulant Open SMIL Player

The Ambulant Open SMIL Player is an open-source, full W3C SMIL player. It is intended for researchers who need source-code access to a complete SMIL player environment. It may also be used as a stand-alone SMIL player for applications that do not need proprietary media formats. The player will support a range of SMIL profiles (including desktop and mobile configurations) and will run under Linux and Win32. A Macintosh OS-X port is also expected.

The target community for the Ambulant Player are developers of multimedia protocols, networks and infrastructures. The Ambulant Player represents the first phase of a multi-year project aimed at improving network level support for multimedia information processing. As one of the results, the Ambulant team contributed considerably to the SMIL 3.0 specification.

Decibel -- Open communication desktop interface

Decibel (formerly known as "OpenCDI") provides a generic infrastructure, which integrates existing communication protocols --like any plugin based solution would do-- without the need for an application which presents everything in one user interface. It creates components and services, each optimized for a special task (or role). When a component realizes user interaction, the service will provide the technology. A service-based architecture will interconnect components to fulfill a given task.

Internet of Coins -- Internet of Coins

Internet of Coins is an environment for personal finance. As a decentralized open source platform it enables an optimally inclusive financial network, interlinking all digital forms of value. It allows you to trade digital assets and currencies peer to peer, with an easy to use interface and the opportunity to earn fees by participating as an allocator.

Jabber/XMMP -- strengthening Trust in Jabber/XMPP Technologies

Jabber Technologies, as formalized in the Extensible Messaging and Presence Protocol (XMPP), are a set of decentralized, open technologies for near-real-time messaging, presence, and streaming XML (now being extended to address multimedia signalling and other advanced use cases). The focus of this project is to improve the security and trust characteristics of Jabber technologies.

Jingle Nodes -- Jingle relay nodes

One of the main goals of the first version of the Jingle Protocol was to create a P2P enabled protocol, depending on XMPP for routing but at the same time able to negotiate sessions and exchange content without main proxy servers. After 5 years we still don't have implementations which supported the current specifications in full.

SIP on the other hand, is not very efficient and simple to use for P2P connections, but is widely deployed. It is much simpler to install and, although with higher costs, does provide media connectivity.

"Jingle Nodes" simplifies the erection of (public) relays, It also makes every buddy in your contact list a potential Node.

An additional positive aspect is that a client does not need to run its own Relay Node, but only configure its "usage specification" (no more than two or three pages), as the application runs on the server side.

Jitsi -- Jitsi SIP Communicator

During the last fifteen months SIP Communicator became a real open source alternative for Skype. It support Audio/Video calls with SIP (and very soon XMPP), and Instant messaging for almost all popular protocols such as XMPP/Jabber/GoogleTalk, MSN, AIM, ICQ, IRC, Yahoo! Messenger, Bonjour, and more to come (like Facebook). Jingle conference calls and Jingle encrypted calls features are also implemented and being tested.

This project is about adding new features to SIP Communicator (soon to be called jitsi) that would take it beyond what's currently possible with Skype, as well as other closed platforms, which would address an even wider span of communications use-cases. Some of these feature, like video conferencing, would make it even more unique than it currently is. Others, like the support for MUJI and new audio/video codecs, add to its wide interoperability.

The list of tasks in this project is:

  • Video conference calls
  • Google mode of operation for Jingle and ICE4J
  • Using HTTPS as a telephony transport
  • Support for H.263plus and VP8
  • Support for G.722
  • Completing audio/video calls support with MSN
  • Cross-protocol conference calls
  • Using Outlook, Address Book, and Thunderbird as sources of contact information
  • LDAP support
  • Support for MUJI conference calls
Jitsi (SIP Comm Phone) -- Jitsi (SIP Communicator) Phone and IM

SIP Communicator is an audio/video Internet phone and Instant Messenger. It supports some of the most popular instant messaging and telephony protocols such as SIP, XMPP/Jabber (and hence GoogleTalk), AIM, ICQ, MSN, Yahoo! Messenger, IRC, Bonjour and new ones will be coming soon.

This particular project concerns a number of tasks needed to be accomplished so that SIP Communicator could become a viable or even better alternative for Skype, but all in Open Source.

The following tasks are to be accomplished within the scope of the project:

  • Developing a Java implementation for the ICE protocol.
  • Audio/video telephony for XMPP/Jabber.
  • Conference calls.
  • File transfer.
Jitsi (SIP-Communicator) Desktop -- Jitsi (SIP Communicator) desktop streaming

The possibility to allow remote access to one's ongoing desktop session has been appealing to users ever since the early days of Internet communication. Especially the Desktop Sharing and Streaming features are of interest to virtually all internet users. This is probably why all commercial instant messengers ship with some form of implementation for this feature. Today it's still one of the major features for Microsoft's Windows Live Messenger, Apple's iChat and more recently Skype who started out with Windows-only support and extended it to Mac OS X with their latest version.

However, the feature is generally unavailable with free/open source communicators, and the only way to share one's desktop in a platform independent way is to use dedicated solutions such as VNC applications and multi-platform clients for the Remote Desktop Protocol.

This project is all about running Desktop Sharing and Streaming, stressing on certain characteristics, like ease of session establishment, interactivity, and privacy protection.

The project was led by dr. Emil Ivov

Jitsi-DNSSEC -- DNSSEC for Jitsi

Jitsi (formerly known as SIP Communicator), is a Java based open source VoIP and Instant Messaging client supporting various protocols such as SIP and XMPP. Trying to not being just another SIP Client it incorporates security mechanisms like ZRTP for encrypted media streams (audio, video, desktop sharing, etc.) and OTR for instant messages.

While these technologies provide a high level of security for the user data, the signaling metadata is blindly sent to the servers returned from DNS a query. Securing the connection to the server through TLS helps, but the connection can still be compromised when a rogue certificate can be obtained (for example from a government CA). At first sight signaling data seems not important, but looking at the newest developments in the Far East and North African countries it implies that some unfriendly people might only be interested in the metadata.

DNS is responsible for converting names into network addresses to locate servers. Users usually receive the addresses of DNS servers from their internet provider. As conventional DNS provides no security mechanisms, a rogue DNS can very easily supply the user with faked responses to requests and therefore redirecting him to an arbitrary server. Jitsi, or any other client application, relies on the replies from the DNS servers. When a VoIP account is configured to use a specific server, it passes all traffic to the address obtained from the possibly rogue DNS server. Transporting the metadata over TLS to the server does not really solve the problem as some governments run certification authorities that are trusted by the operating systems and web browsers. A malicious server would therefore silently be able to listen to all metadata traffic.

This is where DNSSEC comes into play. DNSSEC can guarantee the integrity and authenticity of replies. A DNSSEC aware client can be sure that a validated response is the one intended by the owner of the requested domain name. This avoids nearly all situations where a server tries to redirect the client to a malicious server.

The project will add client side DNSSEC validation and certificate checking to Jitsi, thus making end-to-end SIP communication secure.


Due to its age and design flaws securing email is notoriously hard. Without an easy-to-use e-mail client most users will not be able to adequately protect themselves. LEAP allows easy set-up of secure e-mail providers, but currently LEAP integration into e.g. the popular Thunderbird email client requires manual configuration and does not provide anonymity of the connection from the client to the server via Tor. What if users could profit from automatically encrypting email and retain their privacy?

MU-Jingle -- Multi-User Jingle

When a meeting between a scattered group of people needs to take place, a phone conference is a popular solution, especially in a business context. These calls can become costly especially when participants have to make long distance or international calls to participate. With the advent of cheap and abundant Internet connectivity, there is an opportunity to lower costs by transmitting call data over Internet connections. Additionally, the increasing ubiquity of webcams allows video as well as audio to be transmitted. The proprietary Skype service has become very popular for this purpose.

Jabber's extension for audio/video conferencing is limited to communications between two users. Extending Jabber further to support multi-party audio/video conferences will allow it to match the functionality of proprietary offerings, whilst still providing all the benefits of XMPP.

It is intended that Multi-User Jingle improves over three existing solutions:

  • Jingle: by supporting more than two participants.
  • Skype: by being an open standard with a free software implementation.
  • SIP: by supporting reliable peer-to-peer connectivity, as opposed to requiring dedicated media relay infrastructure, thereby allowing a video stream from each participant without the need for multiplexing.

In general, by adding support for multi-user audio/video to XMPP, users do not have to give up the benefits of XMPP in order to make a multi-user call.


  • A prototype client, using a Jabber-based protocol to negotiate an audio conference between at least three people.
  • An updated prototype client able to negotiate multiple streams (simultaneous audio and video).
  • First draft of XMPP extension document, based on the experience developing the prototype.
  • First draft of Telepathy API allowing creation and management of multi-user calls.
  • A version of Gabble able to negotiate a MU-Jingle call according to the draft standard.
  • The final draft of the MU-Jingle protocol description, incorporating implementation experience.
  • A version of Gabble corresponding to the nal draft of the protocol.
OCS-Asterisk -- connection OCS - Asterisk
An investigation into the feasibility to connect Microsoft Office Communication Server (OCS) with Open Source PABX systems based on Asterisk.
openMSRP -- Implement openMSRP relays

This project aims to implement an Open Source MSRP relay based on IETF specifications RFC4975 and RFC4976. MSRP is the abbreviation of Message Session Relay Protocol, a protocol for transmitting a series of related instant messages in the context of a session.

The aim is to provide a reference server side implementation of the SIP SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) key component. The project contributes to the convergence of SIP (Session Initiation Protocol) and instant messaging.

The Open Source MSRP relay implementation will have the following features:

  • Open source implementation licensed under LGPL;
  • Code written in Python programming language;
  • Integration with a popular open source SIP Proxy (OpenSER).

Plans for the future include the implementation of a multi-party Instant Message (IM) server and Open Source MSRP IM/File transfer client.

openMSRP(2) -- Implement openMSRP Multi-party IM server

This project aims to implement an open source MSRP multi-party IM chat server that works seamless with the MSRP relay implementation, already under development.

openMSRP(3) -- GUI for Open Source SIP SIMPLE client

This project will implement the Graphical User Internet (GUI) for the open source SIP SIMPLE client. This is the Phase 2 of the works started earlier on the SIP client for IM, Presence and File transfer based on MSRP protocol.

Once completed, the project will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM and Presence based on SIP protocol.


Parselov is a system for the syntactic analysis of documents and protocol messages based on formal descriptions, as well as the analysis and manipulation of such formal descriptions. It makes it easy to build parsers, validators, converters, test case generators, and other tools. It also explains the process of syntactic analysis slightly differently than usual, which has helped me tremendously to "understand parsing". At the heart of the system is a computer program that converts a formal grammar (the IETF standard "ABNF" is used as input for testing, but it is easy to support W3C's "EBNF" format and similar formats thanks to this system) into a graph and additionally computes all possible traversals of this graph. The result is stored in a simple JSON-based data format.

PKCS#11 v3 -- PKCS#11 standardisation
PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). Due to the age of the standard, it was lacking a number of modern, so called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11.

Protocol for SYnchronous Conferencing is an efficient text-based protocol for delivery of data to a flexible amount of recipients or people, by unicast or multicast. PSYC2 represents a next iteration of the PSYC framework in conjunction with SecureShare, another NLnet supported project that aims to build a novel social messaging system as part of the GNUnet peer-to-peer system.

realXtend -- realXtend communications

realXtend is an open source project for creating a platform for interconnected virtual worlds. Virtual worlds excel at interpersonal communication and the component that enables textual and voice communications is a vital part of the system.

This is exactly where the NLnet's contribution will be used for development of the communications component for the realXtend platform. This will be done based on the Telepathy framework. The intention is to start working on a voice over IP component and provide a version with basic functionality by Christmas 2009.


The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities &emdash; identified by their public key &emdash; these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places.

SecuShare-box -- SecuShare Box

An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices "pair". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords.

SIP-GUI -- GUI for the SIP SIMPLE client

The goal of this project is to finish the GUI for Blink, the communication tool providing a combination of multiple media streams in SIP sessions --a future-proof design that will eventually take over other commercially closed solutions available on the market today.

The Graphical User Interface for the SIP SIMPLE client project is a stand-alone project that is financed by AG Projects and NLnet. The project once completed will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM, file Transfer and Desktop Sharing based on SIP and MSRP protocols.

In fact a fully open source package replacing Skype will appear on the market.

SIPproxy64/6bed4 -- 0cpm free calling

This is an additional project to the ongoing 0cpm project which is building the IPv6-only telephony. This particular projects intends to provide a peering platform allowing for building a network to interconnect telcos, PBX farmers and connections handlers.

What's unique here is systematic deployment of IPv6 and the use of RTT (real-time text) within ordinary telephone systems wherewith e.g. deaf people can communicate as if they are speaking. The use of open source firmware for SIP phones in this project is groundbreaking.


SPEAR is a pilot experiment with the community, studying privacy and mobility aspects of P2PSIP.

Peer-to-peer protocols increasingly appear in commercial data distribution and communication applications. Although several proprietary solutions are highly successful, an open standardized architecture for secure P2P services is only emerging. Many open issues need to be addressed, including peer lookup, scalability and resilience, NAT traversal, interoperating IPv4 and IPv6 peers, and performance on lightweight devices.

The project on Secure Peer-to-peer Services Overlay Architecture of the Helsinki Institute for Information Technologies (HIIT) attempts to develop a generic mechanism to support such distributed services as P2P Session Initiation Protocol (P2PSIP). In contrast to other approaches, security is taken as the corner stone of design, integrating support for Host Identity Protocol (HIP) Based Overlay Networking Environment (HIP-BONE) into the architecture. The architecture can support various P2P services, not limited to P2PSIP, such as P2P HTTP. We envision that P2P HTTP can be used to create a community version of many useful scenarios as plenty of current applications are based on HTTP.

The work is carried out jointly with industrial partners actively involved in developing protocol specifications in the IETF. In particular, the design of a protocol stack combing overlay peer protocol with HIP and IPsec, binding peer identities to host identities, hierarchical P2P systems, and prevention of unwanted traffic are in scope of the project. An existing proof-of-concept demonstration of P2PSIP proxy will be further developed and tested with real users, and its usability will be evaluated.

Swirl -- PPSPP implementation in Erlang/Swirl

Current peer-to-peer traffic on the internet happens in a wide variety of often application-dependent protocols, limiting growth and innovation. A working group of the IETF has in recent years been developing the Peer-to-Peer Streaming Peer Protocol (PPSPP) to establish a safe, modern standard in this area. NLnet considers a mature standard for P2P applications an important building block for the future of the internet.

Swirl is an open source reference implementation of the PPSPP proposed standard in the Erlang programming language. The Swirl project is led by Dave Cottlehuber (Austria).

SylkRTC -- Sylkserver WebRTC

The SylkRTC project entails adding webRTC capabilities to Sylkserver, a polyglot open source conference server that unites the realms of the two IETF standardised internet technologies in the area of real-time communication: SIP and XMPP.

Sylkserver allows anyone with basic computer knowledge to setup a private, conferencing facility that can be used with a large variety of different applications that supports these open standards. By providing a webRTC gateway, the SylkRTC project will additionally allow anyone with just a modern web browser with webRTC capabilities running on a device with a microphone and/or camera to join a conference or contact someone using either protocol.

Visit the SylkRTC demo page

to make a trial call over the internet.

Wormhole -- Project Wormhole

There are two leading internet technologies emerging as the future of real-time communication: SIP and XMPP. This project and its outcome will provide the possibility for users of both universes to use either protocol to interoperate with each other for audio, instant messaging and presence.

If the software is installed on the desktop next to an existing application it can encapsulate or tunnel conversations from one protocol to the other - serving as a wormhole between the two universes. It should work transparently with little or no configuration. It will allow users to share contacts and establish chat and audio sessions without having to bother of the protocol used to address buddies in user@domain format.

If the software is used on a server, one should simply point the appropriate DNS record of a domain to the server, and any session request made with either SIP or XMPP protocol will be bridged to the other side.


Send in your ideas.
Deadline Feb 1st, 2018.

Help fundraising for the open internet with 5 minutes of your time

Project list

Project abstracts