Internet Infrastructure

Protocols and software for managing and advancing low-level internet infrastructure

This page contains a concise overview of projects funded by NLnet foundation that belong to Internet Infrastructure (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. If a description on this page is a bit technical and terse, don't despair — the dedicated page will have a more user-friendly description that should be intelligible for 'normal' people as well. If you cannot find a specific project you are looking for, please check the alphabetic index or just search for it (or search for a specific keyword).

ARPA2 — Working towards a decentralised global internet that offers security and privacy by design.

The ARPA2 project is an ambitious attempt to make the internet work the way we all expect it to work: a distributed, secure and private infrastructure that serves as a solid basis for a global information society. The internet brought so many advantages that it grew explosively, but that unprecedented growth of an experimental infrastructure that had many (and sometimes intentional) fundamental weaknesses - in terms of e.g. scalability and more importantly of security - resulted in an ossified network that has a lot of technical debt accumulated. It takes a concerted effort to fix these holes and bring secure internet technologies towards real end-users and deep into the infrastructure where many important upgrades are waiting for adoption.

>> Read more about ARPA2

Atom-Based Routing — Improving global internet routing by implementing atom-based routers.

Atom-Based Routing aims at significantly reducing the growth of BGP table size and updates, in particular in the internet backbone, through the use of BGP policy atoms. The intent is to devise a routing protocol (or adapt a routing protocol such as BGP) which makes use of atoms to achieve a protocol of lower complexity.

>> Read more about Atom-Based Routing

BIND DLZ — BIND 9 Dynamically Loadable Zones implementation

BIND DLZ allows DNS data to be modified without interrupting the DNS server's normal operation. It accomplishes this by moving DNS data out of BIND's in-memory database into an external database. BIND DLZ works with a large variety of databases and has made flexibility a priority in its design. Additionally, BIND DLZ makes available an API which can be used to create custom drivers to access nearly any database, or to provide other functionality such as DNS load balancing.

>> Read more about BIND DLZ

Bricophone — community-oriented mobile phone infrastructure

The Bricophone is an open source, community-oriented mobile phone infrastructure. It is a low cost, low energy, open hardware, open source project built for communities of up to ten thousand people within regional distances. The characteristic of the Bricophone infrastructure is that it does not require any static infrastructure like relays, antennas, or digital data centers. This provides the opportunity for special uses in poor communities, mass rescue in disaster areas, and cultural and social activities like festivals and other mass events.

>> Read more about Bricophone

CeroWRT — an experimental firmware to push forward the state of the art of edge networks and routers.

This project aims to be a reference implementation of the Comprehensive Queue Management Made Easy (CAKE) project based on CeroWrt, the experimental firmware aiming to push forward the state of the art of edge networks and routers.

>> Read more about CeroWRT

CuteHIP — lightweight implementation of Host Identity Protocol (HIP) in Java

The project of the Helsinki Institute for Information Technology (HIIT) will create a lightweight implementation of Host Identity Protocol (HIP) in Java.

Existing HIP implementations have been evolving since 2004 and have become complex and hard to maintain and use. There is a need for a new, simple implementation of RFC5201-5202 that is cross-platform (not bound to any operating system) and not limited to running on any vendor's hardware. The project will build the CuteHIP implementation in Java. It will be hosted in an open SourceForge repository for public access and contributions.

Although there are other open-source HIP implementations (HIPL, OpenHIP), those are limited to certain platforms like Linux; no implementation is written in Java yet. The CuteHIP implementation shall be interoperable with existing implementations but shall be new and hence free of accumulated bugs.

>> Read more about CuteHIP

DNSCCM — DNS NSCP implementation for BIND and NSD

There is a clear need for a common DNS(SEC) name server management and control system. DNS is such a vital part of any organization's network infrastructure that it is common to run multiple different DNS implementations. However, each implementation has its own distinctive configuration and control utilities. A common interface should greatly simplify management of diverse infrastructures.

In 2007, the IETF working group determined there was a need for standardized management of nameservers for DNS, and in 2011 the requirements draft addressing this was accepted as RFC6168. An IETF draft is under development, which proposes a Nameserver Control Protocol (NSCP) to meet these requirements.

The primary focus of this project is to develop an implementation of NSCP for current releases of BIND and NSD, the most widely used open source authoritative nameservers.

>> Read more about DNSCCM

Dowse — Dowse is a smart digital network appliance for home based local area networks.

Dowse is a smart digital network appliance for home based local area networks (LAN), but also small and medium business offices, that makes it possible to connect objects and people in a friendly, conscious and responsible manner.

>> Read more about Dowse

eduVPN app — Add Wireguard protocol to federated VPN suite

The project summary for this project is not yet available. Please come back soon!

>> Read more about eduVPN app

eduVPN on Apple — eduVPN for Apple devices

eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. This project aims to improve the security and usability of the macOS and iOS apps.

>> Read more about eduVPN on Apple

eduVPN on Apple part II — Improved version of eduVPN for Apple devices

eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. The project is plagued by some nasty bugs that the community has found hard to fix. This particular project aims to deliver a new and more user-friendly user interface for the macOS and iOS apps, as well as to implement a new server discovery mechanism in these apps.

>> Read more about eduVPN on Apple part II

eduVPN multi-protocol — Review of the eduVPN multi-protocol project.

The project summary for this project is not yet available. Please come back soon!

>> Read more about eduVPN multi-protocol

eduVPN — Making secure VPN network technology available to everyone

eduVPN/Let's Connect is an effort to make VPN technology commonly available, by building better and more user-friendly tools to connect to trusted parts of the internet.

>> Read more about eduVPN

Fairwaves — Fairwaves

The Fairwaves project aims to remove one more obstacle on the way to cheap and ubiquitous wireless networks: the absence of free (open source), yet production quality building blocks for wireless equipment. There are plenty of expensive proprietary solutions you can use for coding.

Fairwaves is set to develop an Open Source framework for PHY and MAC levels of wireless protocols which will allow "free as in beer" development. It should foster innovation in the wireless communications and allow more projects like OpenBTS and Opendigitalradio to emerge.

>> Read more about Fairwaves

FTEproxy — FTE enables developers to build systems resistant to surveillance and censorship.

fteproxy provides transport-layer protection to resist keyword filtering, censorship and discriminatory routing policies. Its job is to relay datastreams, such as web browsing traffic, by encoding streams as messages that match a user-specified regular expression.

>> Read more about FTEproxy

GetDNS — Deliver DNSSEC as a building block in harsh environments

Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving, such as DNS over TLS (RFC7858) and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027).

>> Read more about GetDNS

GISS — independent infrastructure for streaming radio and TV

G.I.S.S. is an international network of free media activists, joining to build an infrastructure for free media experiences, radios and televisions like the Horitzo TV project (Spanish) in Barcelona. More concretely, right now the G.I.S.S. is an infrastructure with different components and tools for setting up an independent radio or TV channel easily.

New work to be done in the course of the project focuses on the following aspects:

  • Improvement of the topology of the network: currently all transmissions are passing through a main server and the upload to that server is saturated, so we should introduce new main servers and rebuild the architecture of the servers.
  • Development of a specific version of icecast: for now the version we use lacks some essential features for us like the encryption of IPs (anonymizing like requested by the Indymedia network), a more specific load-balancing mechanism (using the instant load of each server) and more complementary features regarding the master/slave configuration.
  • The live CD is in a usable state, but it should be improved to include more audio-visual and streaming tools, like Cinelerra, free, gstreamer and other useful tools for video editing and broadcasting.
  • Another component of the system is a kind of 'mediabase' archive tool, similar to YouTube but using only free software and the Ogg/Theora format. Although a prototype already exists, it should be improved and be customizable for every user. The new GPL package will be called 'Distributed Multimedia Database System' (DMDBS).
  • Most of our activities are located in Europe and South America, we would like to extend that network to other countries (India, Bolivia, Morocco). We already have some contacts to organize some workshops there.

>> Read more about GISS

IIDS — Interactive Intelligent Distributed Systems

The IIDS research group at the Technical University of Delft (TUDelft) initially started as an NLnet initiative in 2000 at the Vrije Universiteit Amsterdam.

The group's research focuses on management of large-scale interactive distributed systems, in particular on mobile agent systems. Self-management is the ultimate goal. The AgentScape framework, services, applications, and analyses of legal implications of the use of agent systems, are all factors to increase the potential of this new technology.

>> Read more about IIDS

ISC BIND 9 — implementation of DNS protocols with full IPv6 and DNSsec support

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System.

The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

>> Read more about ISC BIND 9

iuh-openbsc — An open source implementation of 3G

OpenBSC is a project aiming to create Free Software, (A)GPL-licensed implementations of the GSM/3GPP protocol stacks and elements. OpenBSC was created by the Osmocom project, a not-for-profit, community-driven project creating various FOSS projects related to mobile communications.

OpenBSC is not just a standard BSC, but GSM-network-in-a-box software, implementing the minimal necessary parts to build a small, self-contained GSM network.

OpenBSC includes functionality normally performed by the following components of a GSM network: BSC (Base Station Controller), MSC (Mobile Switching Center), HLR (Home Location Register), AuC (Authentication Center), VLR (Visitor Location Register), EIR (Equipment Identity Register).

>> Read more about iuh-openbsc


KORUZA is an innovative open-source open-hardware wireless communication system, employing a new low-cost approach to designing free-space optical network systems, enabling building-to-building connectivity with a highly collimated light beam at a capacity of 1 Gbps (1000 Mbps) at distances up to 100 m. It is designed to be suitable for home as well as professional users, enabling organic bottom-up growth of networks by eliminating the need for wired fiber connections and associated high installation costs. The simplicity of use, low-cost and compact size allow the system to be deployed in any network.

>> Read more about Koruza

LOAP — The DNS: A Life of a Protocol

"The DNS: Life of a Protocol" is the working title for a new project by Carl Malamud. This technopolitical analysis of the Internet from the viewpoint of the life of one protocol attempts to provide some insight into both technology and politics.

>> Read more about LOAP

Meshtool — Mesh network toolkit, database and web-based API.

This project aims to advance open mesh technology by providing the communities behind these networks with a comprehensive toolkit to build and maintain their networks.

Meshtool aims to assist in mesh network monitoring, administration and research. It is designed to aggregate multiple data sources into useful 2D/3D geographic map overlays, provide remote node management and facilitate the use of live mesh segments as protocol testbeds.

Mesh DB (or simply Mdb), provides the data-layer implementation for this task. Mdb aims to make it easier for mesh communities to share data, exposing it through a generic web-based API. This provides a framework against which portable mesh community applications may be developed and shared, much like OpenSocial.

>> Read more about Meshtool

Namecoin — Decentralized, censorship-resistant Internet infrastructure for e.g. DNS and identities

Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances.

>> Read more about Namecoin

nat64 — Implement a NAT64 gateway to run on open-source operating systems

IPv4 and IPv6 networks are incompatible. The IETF recommendation has usually been to rely on dual-stack deployment: have both networks coexist until IPv6 takes over from IPv4. However, IPv6 growth has been much slower than anticipated. Therefore, new IPv6-only deployments face an interesting challenge communicating with the predominantly IPv4-only rest of the world. A similar problem is encountered when legacy IPv4-only devices need to reach the IPv6 Internet. This project is about implementing an open-source NAT64 gateway to run on open-source operating systems such as Linux and BSD.

The NAT64 Open Source implementation would benefit the engineering of the solution as well as providing initial implementation feedback. Moreover, an Open Source implementation will become the reference for the whole community, such as end users, network administrators, and protocol designers. Users will finally be able to deploy IPv6 connectivity without fear of being cut off from the rest of the Internet.

In many situations, dual-stack deployment is not possible. For these cases, a gateway such as the proposed one is needed. It will enable completely new deployments, and users will automatically benefit. Moreover, an Open Source implementation will empower users by giving them access to the source code and letting them customize the gateway to accommodate new scenarios.

The implementation will target both Linux and BSD (FreeBSD, NetBSD, OpenBSD). It will be portable to other POSIX systems. DNS ALG functionality will be added to Bind and Unbound. A patch will be produced and submitted to the Bind project and to the Unbound project for inclusion in their main distributions. IPv4/IPv6 translation functionality will be added to the Linux and BSD kernels.

>> Read more about nat64

NetEventKit — building an open source Network Event Kit

The Network Event Kit (NEK) is a kit allowing to quickly and cheaply build a network for various types of events. This kit will offer both cabled and over-the-air infrastructure.

Besides building an Open Source Network Event Kit, the purpose is to gain knowledge and experience in a practical setup that has value for Open communities.

>> Read more about NetEventKit

nftables — A modular packet filtering framework providing enhanced userspace control

nftables is the intended successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project aims to introduce powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). Existing packet filtering solutions would require a recompiled kernel module in the same situation. The end result is that users will have more autonomy over what gets filtered and how, which makes them less dependent on the technical choices of vendors and communities. The nftables project has been accepted into the mainstream Linux kernel.

>> Read more about nftables

Faster and configurable datapath/Linux xfrm — Rewriting nftables to optimise for xfrm

The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework for working with IPsec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4. IPsec encrypts traffic, providing key features absent in the regular IP layer, like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving IPsec capabilities, usability, speed and robustness in many systems.

>> Read more about Faster and configurable datapath/Linux xfrm

NLnet Labs — Independent lab for Internet infrastructure development

NLnet Labs was originally founded in 1999 by Stichting NLnet to develop, implement, evaluate, and promote new protocols and applications for the Internet. Its activities are focused on topics directly relating to the Internet's infrastructure, such as DNS, DNSsec, IPv6, and routing.

Meanwhile NLnet Labs is an independently governed, public benefit organisation.

>> Read more about NLnet Labs

Nodewatcher — A comprehensive and scalable node management system for community wireless network.

Project aimed at creating a wireless network node management system that can be used to manage and update large amounts of nodes in wireless networks such as community networks.

>> Read more about Nodewatcher

OpenBTS-HW — OpenBTS hardware

This project is a part of a bigger effort to create a completely open GSM network, from a low level hardware to high level software.

The network is intended to be built with open-source software, such as OpenBTS, OpenBSC, FreeSwitch, Linux, etc. The hardware part of the project is more complex, because to date there is no open hardware for GSM base-stations.

As a practical implementation, this will set up a completely open network providing affordable mobile service to people on Mayotte island.

>> Read more about OpenBTS-HW

An open source open hardware security module to protect communications

A project that wants to design an open-source hardware cryptographic engine that can be built by anyone from public hardware specifications and open-source firmware. Anyone can then operate it without fees of any kind.

>> Read more about

OSLD — Open-Source LTE Deployment (OSLD)

Wireless communication technology is mostly proprietary, even though we use it every day. The mission of the Open-Source LTE Deployment (OSLD) project is promoting open-source radios, to get more people involved in developing software to create modern wireless communications systems.

The project will develop an open-source LTE (Long Term Evolution, a 4G radio standard) library and tools for building sophisticated radios at low cost. LTE provides bandwidth on demand at different speeds, thereby improving the quality of service for people on the move.

Available LTE processing chains are either proprietary or unsuitable for commercial products. This project will therefore use the open-source SDR framework ALOE. The primary objective of this OSLD project is promoting open-source SDRs and shared development of software for wireless communications systems. Specifically, the project will develop a modular LTE library for mobile terminals and base stations as well as improve the accessibility of ALOE for building sophisticated radio systems at low cost. Both ALOE and the open-source LTE library will leverage open-source R&D, complement university labs, facilitate and encourage shared development, and be a solid basis for innovation and commercialization.

The expected project products are:

  • modular, open-source LTE library for building base stations and mobile terminals on a cluster of general-purpose processors,
  • new ALOE release and improved accessibility for shared development,
  • user guides, installation manuals, frequently asked questions,
  • renewed FlexNets web site containing OSLD section, virtual support office, collaborations, and commercial interest for ALOE and LTE library.

>> Read more about OSLD

Palea — Finding unauthorized routes leaving your network

Palea is a tool to help discover if devices on your (secured and firewalled) network are also unknowingly connected to unknown other networks that would facilitate attacks and information leaks to the outside. Such an unknown network could for instance be a known device on your trusted network that also has a USB dongle in it connected to the open internet over GSM/2G/3G/xG.

By spoofing packets, Palea can be used to trick systems into exposing their connections to the internet. Palea can be run 24/7 on your network to also discover temporary connections.

>> Read more about Palea

RaptorJIT — RaptorJIT is a high-performance Lua virtual machine for network dataplanes.

RaptorJIT is a fork of LuaJIT focused on predictably high performance. RaptorJIT takes a quantitative approach to performance. The value of an optimization must be demonstrated with a reproducible benchmark. Optimizations that are not demonstrably beneficial on recent CPU generations are removed. RaptorJIT was initially developed by the team behind Snabb Switch.

>> Read more about RaptorJIT


The Resource Public Key Infrastructure (RPKI) is a component of secure interdomain routing and has recently been standardized in the IETF SIDR group (RFCs 6810/6811). RPKI is currently being rolled out, and is a significant and necessary step towards fully protecting BGP.

However, the mechanism does incur additional load at BGP routers. In order to reduce that load, RPKI objects can be fetched and cryptographically validated by cache servers. The RPKI/RTR protocol defines a standard mechanism to maintain the exchange of valid RPKI data between cache server and router. RTRlib is one of the two open source reference implementations of RTR, originally created by researchers from the Computer Systems & Telematics group at Freie Universität Berlin and researchers from the INET research group at Hamburg University of Applied Sciences, under the supervision of Dr. Matthias Wählisch and Thomas Schmidt.

The RTRlib is a real-time capable, open-source (MIT licensed) C library that implements the RPKI router part. Basically, it fetches data from an RPKI cache server and allows for prefix origin validation as well as initial steps of BGP path validation (draft 6810bis). The RTRlib can serve as the backend for BGP daemons and monitoring tools in real-world operations, as well as user guidance.

>> Read more about RPKI-RTRlib

SCTP-Linux — A better Linux SCTP

The Internet transport layer has been extremely rigid since its inception. The very diverse requirements of today’s applications are mapped to only two services, provided by the two protocols that are broadly available, TCP and UDP.

The Stream Control Transmission Protocol (SCTP) offers promising benefits to applications, but faces significant deployment problems. One of these problems is certainly related to shortcomings of its Linux implementation ("LKSCTP"), which cause it to perform much worse than TCP under most circumstances. It is obvious that, for SCTP to be an attractive option for application designers, it should always perform at least as well as TCP.

The two most important TCP features that are not required according to the standard are missing in LKSCTP: auto-buffer tuning and pluggable congestion control. In this project:

  1. Auto-buffer tuning will be added to SCTP.
  2. Work towards adding pluggable congestion control will be carried out.
  3. An investigation of other, less significant differences between TCP and SCTP in Linux will be carried out.

>> Read more about SCTP-Linux

SDR PHY — Create a GSM mobile phone consisting of completely open source software and SDR radio

SDR (Software Defined Radio) allows for a low cost setup to serve a wide variety of changing radio protocols in real time. SDR is gaining popularity in the world of Open Source mobile communications. Thanks to the work of projects like Osmocom and OpenBTS, it is already possible to run a custom GSM network using Open Source software. Moreover, there are a few Open Source projects for LTE, such as OpenLTE, srsLTE and OpenAirInterface. However, up to now there was no software defined GSM mobile phone. The "SDR PHY for Osmocom BB" project aims to fill this void. The project is focused on the client side of the GSM protocol stack, and on bridging the gap between the existing GSM stack implementation project and SDR hardware.

>> Read more about SDR PHY

Serval — Mobile communication anywhere.

Communicate anywhere, any time ... without infrastructure, without mobile towers, without satellites, without wifi hotspots, and without carriers. Use existing off-the-shelf mobile cell phone handsets.

Serval enables mobile communications no matter what your circumstance: mobile communications in the face of disaster, in the face of poverty, in the face of isolation, in the face of civil unrest, or in the face of network black-spots. In short, Serval provides resilient mobile communications for all people.

This system is the only mesh mobile telephony system that works on ordinary handsets, and is open source. It lets you use existing telephone numbers and can work without needing an internet connection.

>> Read more about Serval

Serval-LR — SERVAL Long-range WiFi Add-on

Serval Project's goal is making mobile phones useful, even when there is no cellular network or internet available. This particular project prototypes a "helper device" for long-range WiFi.

Serval has developed various technologies that allow voice calls, SMS, file sharing and other services in a completely distributed manner. Robust security is being progressively introduced into these technologies, with voice calls already enjoying end to end encryption, and our UDP-like Mesh Datagram Protocol (MDP) also enjoying automatic encryption.

The Serval Project is intended to be useful in disaster and emergency situations anywhere in the world, as well as for people in rural, remote and developing world settings where traditional cellular service may not be available or may be too expensive. The Serval Project's technologies also have obvious application to enabling freedom of speech and communications for people under oppressive regimes.

Serval currently uses ad-hoc WiFi on mobile phones to form the mesh network. This requires root access on Android, and is unlikely to ever be possible on iPhone. Also, ad-hoc WiFi, while useful, has many limitations, including limited range and relatively high power consumption. This particular project aims to prototype a "helper device", that would consist of a WiFi-enabled Arduino-compatible device attached to a low-cost radio module, and then to integrate that hardware with the Serval platform.

The result will be a box that allows any WiFi enabled phone (Android, iPhone, Blackberry, Nokia S60 etc) to connect to the mesh. Some platforms will have a first-class native client, e.g., Android, while others will be able to use an HTML client to access mesh functions.

Moreover, the box will be capable of long-range communications to other such boxes. Current estimates suggest that ranges of 6x-18x WiFi range are possible, allowing line-of-sight range of perhaps 1km or more.

Finally, the box will be able to be integrated with satellite data terminals and short-burst data modules (basically satellite SMS) to allow the connection of mesh networks to the outside world.

>> Read more about Serval-LR

SnabbWall — SnabbWall is a layer-7 network flow detector and firewall application.

Layer-7 firewalls, or application firewalls, empower technical users and administrators near the endpoints of networks. They can provide one centralized, flexible tool to subsume many other ones, simultaneously reducing the burden to learn how to achieve certain ends, and freeing people from the confines of very specific tools.

Software Defined Networking has been revolutionizing the network space over the last couple of years. SDN uses commodity hardware to implement network elements and functionalities which were generally provided by very expensive, and usually inflexible, special-purpose network appliances.

SnabbWall is designed as a modular, application-level (Layer-7) firewall suite built on the foundations of the popular open source SDN Snabb Switch, allowing it to be used with cheap commodity hardware.

As an application-level (Layer-7) firewall, it will be able to:

  • Inspect network traffic and detect flows of related data, and pinpoint which application has produced a certain data flow.
  • Filter (drop, reject, or accept) packets using criteria specified in a set of rules, which can use the information inferred by inspecting the packets.

As a suite, it will include a complete firewall program out of the box.

As a modular system, it will provide a set of components which can be reused in other Snabb Switch designs.

>> Read more about SnabbWall

SocketHUB — A polyglot communication server for the decentralized internet

This project aims to implement a service which enables developers to use common social functions regardless of the 'language' of the various protocols out in the wild. Call it the "polyglot" of the social web.

The implementation revolves around a socket server with a clearly defined protocol/API that developers can use as a tool to execute actions mainly focused on social interaction on the internet: identifying users, sending messages, subscribing, sharing, chatting. It will speak whatever language (protocol) is necessary to carry out the action, abstracting the implementation details of the various APIs from the developer, leaving them to focus on creating rich web applications and providing as much compatibility as possible. The app developer can utilize one tool, indicate what they'd like to do, and that tool goes out and 'speaks the right language' to get the job done.

This project is born from the Unhosted community and shares ideologies and goals with projects such as remoteStorage.js.

>> Read more about SocketHUB

Magic Wormhole/SPAKE2 — Securely send files between two computers with minimum fuss

SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows two users who share a combination of words to set up an ad hoc encrypted channel in real time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of Tahoe-LAFS.

The server part of Magic Wormhole can create a rendezvous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file (say a presentation deck) in an untrustworthy environment without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages, and this solution has potentially disruptive qualities.

This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF.

>> Read more about Magic Wormhole/SPAKE2

Stratosphere IPS — A behavioral-based free software Intrusion Prevention System.

The Stratosphere IPS is a free software Intrusion Prevention System that uses Machine Learning to detect and block known malicious behaviors in the network traffic. The behaviors are learnt from highly verified malware and normal traffic connections in our research laboratory. Its goal is to provide the community, and especially vulnerable targets with low budgets such as NGOs and civil society groups, with an advanced tool that can protect against targeted attacks.

>> Read more about Stratosphere IPS

Stubby — A local DNS Privacy stub resolver using DNS-over-TLS

Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server.

More information about DNS-over-TLS: /html/rfc7858

>> Read more about Stubby

TCP-multipath — Design and empirical evaluation of secure and efficient multipath communication

The goal of the project is to implement an open source extension of the TCP/IP stack to support multipath communication in the Internet. With this approach, users will be able to improve their connection speed and reliability by utilizing several network interfaces simultaneously and receiving aggregate bandwidth.

Modern mobile devices, equipped with several network interfaces, as well as multihomed residential Internet hosts are capable of maintaining multiple simultaneous attachments to the network. This can be favorable for applications that are aiming to increase the overall throughput or minimize the delays caused by roaming between the networks.

This project will design and evaluate an efficient and secure multipath solution on a wedge-layer. Based on the Host Identity Protocol (HIP), the design will support multihoming, mobility, NAT traversal, advanced security features and network coding for efficiency in lossy networks, and will match the requirements of the most modern applications.

Who will benefit? General network users requiring faster Internet access, e.g. over two ADSL lines at home; service providers on the Internet requiring higher fault tolerance for their services; and network operators providing high speed connectivity, e.g. over WLAN and 3G combined.

>> Read more about TCP-multipath

Timesheets — Adaptive time-based application development Platform

This project aims to create a platform to develop Adaptive Time-based web applications. This is applied to developing Single-Page Interfaces (SPIs). An SPI can reduce network bandwidth needs, which is especially important given the fast-growing use of mobile networks. Despite their importance, SPIs have not proliferated because they are highly complicated to develop and maintain.

A novel approach based on a W3C specification is proposed: SMIL Timesheets. This approach simplifies the design of time-based web applications and web sites. These interactive applications use time as a major structuring paradigm, i.e. time and events dictate which parts of the application are presented.

SMIL Timesheets are the time counterparts of layout focussed Stylesheets. SMIL Timesheets use the W3C standard SMIL Timing & Synchronization. Timesheets are a perfect match for CSS styles and CSS3 Transitions/Animations. Also, it is designed to synchronize multimedia (HTML5's audio and video) with web content.

In addition, the following issue is tackled: wasting network bandwidth is common in multi-device applications. This project aims to dynamically adapt to the capabilities of devices, to save bandwidth and processing power. Such adaptation is achieved via capability-based resource loading for different devices (e.g. media resources, CSS3 emulation, and others).

>> Read more about Timesheets

TLS-KDH — Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS

This project develops a number of additions to the open source TLS library GnuTLS. Based on the prototype for TLS-KDH that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporates the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism automatically becomes available to the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future.

Additionally, TLS-KDH relies on RFC7250. The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS, thereby creating the first TLS library that supports Raw public keys.

This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide a default Kerberos binding for TLS, we want to implement a gnutls-krb5 library (similar to the already existing gnutls-dane library).

The current TLS-KDH implementation separates the TLS and Kerberos layers by design. While this is good design practice and offers users great flexibility in choosing their own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls-krb5 library (choosing MIT Krb5), users can benefit from a default TLS Kerberos binding, thereby relieving themselves from having to implement such a binding. It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated still enables different Kerberos libraries to be used when desired. A layered architecture also works in favor of code acceptance.

>> Read more about TLS-KDH

Uberflow — An Open-Source OpenFlow Controller Implementing the North-Bound Interface

OpenFlow is a cornerstone and the de-facto standard protocol for software-defined networking (SDN). The API for manipulating the network state is currently being standardised by the Open Networking Foundation (ONF) as NBI (which stands for 'North-Bound Interface'). As an emerging standard NBI has significant potential to create the ecosystem for network architectures.

>> Read more about Uberflow

UmTRX — UmTRX, cheaper mobile communication

The mission of the UmTRX project is to radically drop the price of mobile communications in developing, rural and remote areas. UmTRX aims at providing an open-source, inexpensive yet carrier-grade transceiver for GSM base stations.

This project is a part of a bigger effort to create a completely open GSM network, from low-level hardware to high-level software. UmTRX will be the first open hardware to work within the core telecom networks.

This open hardware is being designed specifically to work with the OpenBTS and OsmoBTS/OpenBSC open-source projects. While those software projects enjoy quick growth, the hardware side remains proprietary. The main reason for this is that such hardware is extremely hard to develop: it requires specific skills, specialists like high-profile RF designers, and a lot of effort.

The results of this project have been used to provision affordable mobile service to people on Mayotte island.

>> Read more about UmTRX

WireGuard — A fast and modern VPN that utilizes state-of-the-art cryptography

In hostile environments such as the open internet, Virtual Private Network technology plays a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kid on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry.

>> Read more about WireGuard

Wisper — long distance wifi internet infrastructure

Wisper is a concept (an idea) in the field of long distance wifi network infrastructures with a practical and concrete internet service provision goal. Wisper is the buzzword meant to stimulate concrete project proposals and cooperative initiatives focussed on creating a new mesh type, based solely on wifi and IPv6 internet connections.

The access nodes in Wisper are projected to be low cost (US$ 100) wifi boxes with some Public Domain (fully self-configuring) networking software (probably on Linux and/or BSD OSes). Access to and usage of the Wisper network should be free of charge. The plan is to create clouds of Wisper nodes, and then clouds of Wisper-clouds, expanding all over the globe.

>> Read more about Wisper