§15. Layer 1 – Reachability: Communications & Transport

v1.0
Jason St George. "§15. Layer 1 – Reachability: Communications & Transport" in Next‑Gen Store of Value: Privacy, Proofs, Compute. Version v1.0. /v/1.0/read/part-iii/15-layer-1/

All of this math still travels as packets.

Every proof, every private swap, every verified FLOP ultimately crosses a handful of cables and radios that a small number of operators can see and shape. The Create → Prove → Settle → Verify loop assumes that machines can reach one another cheaply enough that verification and settlement remain public acts. In a world of deep‑packet inspection, traffic shaping, and “pull the plug” orders to carriers, that assumption becomes fragile. A store of value that survives yield‑curve control but dies when a few IXPs collude is not a store of value; it is an overlay.

The twentieth century treated networks as neutral plumbing. In practice, they were centrally owned, but their job was to deliver bits, not enforce policy. That is no longer true. The very forces that made information abundant (ubiquitous IP, programmable routers, hyperscaler clouds) have made it trivial to fingerprint and throttle particular protocols. DNS and SNI filtering, BGP blackholing, traffic classification, and targeted shutdowns give states and large platforms a menu of levers to pull whenever capital or speech moves in ways they dislike. A triad that claims censorship‑resistance must therefore take communications seriously, not as a background assumption but as a first‑class part of its threat model.

Three facts follow.

First, neutral settlement and lawful privacy can be undone one layer down, at the transport. If miners, provers, and wallets are forced onto clear‑text, easily classified channels, the system quietly regresses to “compliance‑backed” rails: traffic is observable, endpoints are doxxable, and blocking becomes a configuration change, not a scandal.

Second, receiver identity is itself a chokepoint. A world of static addresses, reusable invoices, and long‑lived endpoints lets adversaries map who is being paid and where, even if the ledger surface is shielded.

Third, verification becomes a privilege if only a small priesthood of well‑connected nodes can still reach the network under pressure. Cheap verification in principle is useless if the pipes are selectively clogged in practice.

Comms resistance is the stack’s oxygen: the property that air still flows when someone leans on the hose.

The baseline posture is simple: encrypt everything that moves, avoid being interesting on the wire, and keep multiple ways to get packets through. On the monetary side, Bitcoin Core’s move to BIP‑324 (v2 encrypted P2P transport enabled by default) illustrates the shape of this transition: peer‑to‑peer traffic that once looked like a distinctive protocol now blends into the background of encrypted sessions and leaks far less metadata to observers.

On the Lightning side, BOLT12 “Offers” push in the same direction for endpoints: receiver‑private, reusable payment coordinates that no longer reveal a static invoice graph every time someone gets paid. Together, they sketch the right intuition: transports should be encrypted and boring; addresses should be reusable without doxxing the payee’s entire topology.

This section treats Layer 1 (communications resilience) as the stack’s oxygen. Its job is simple and unforgiving: keep packets flowing between honest nodes even when someone is leaning on the hose.

15.1 Threat model: what we must survive

The comms threat model has four main faces, each of which quietly undermines the loop.

Backbone controls. At the coarse‑grained end, operators and regulators can simply make certain traffic cease to exist: IP and prefix blocking, BGP blackholing, and blunt firewall rules can make nodes in a region unreachable or isolate them behind a handful of upstreams. At the fine‑grained end, DNS and SNI filtering, DPI‑based resets, and QoS throttles on known P2P handshakes can turn participation into a stuttering, latency‑spiked mess. In both cases the result is the same: Create/Compute and Prove become privileges for those close to favored routes; everyone else sees timeouts.

Exposure and linkage. Even when traffic flows, it may leak enough metadata to make repression trivial. Static addresses and reusable invoices let adversaries map who is getting paid and where; mempool‑ and gossip‑layer surveillance reveal patterns long before anything lands in a block; timing and size correlation across relays can deanonymize senders and receivers even if payloads are encrypted. In that world, “private settlement” on a shielded ledger is partially undone one layer down: the network itself becomes the main surveillance surface.

Eclipse and routing capture. A node that only ever talks to a small set of peers in the same ASN or jurisdiction is one permission letter away from being effectively isolated. Adversaries can bias peer selection, crowd out honest connections, or preferentially relay and suppress messages in a way that gives them de facto control over what that node sees as “the network.” In the extreme, proof‑verifying nodes or miners can be eclipsed and fed a curated view of reality.

Platform risk at the edge. Finally, even if the protocol stack is well designed, the distribution layer can turn into a chokepoint: app‑store takedowns, CDN‑ or L7 firewalls that strip “non‑standard” traffic, corporate endpoint policies that classify P2P clients as malware. In that world, the ability to speak the protocol at all is contingent on a small set of institutional decisions. Participation is technically “permissionless” but practically permissioned.

A communications layer that ignores these forces leaves the triad at the mercy of routers, registries, and app reviewers. The goal of Layer 1 is not to pretend those levers do not exist, but to make them expensive and noisy enough that the path of least resistance remains “let the packets through.”

15.2 Design rules: protocol posture under pressure

Given that threat model, the posture for Layer 1 is straightforward to state and hard to implement: encrypt everything, avoid looking interesting, keep multiple ways to speak, never centralize the front door, and measure what actually happens.

First, transports must be encrypted by default and boring on the wire. Clear‑text, distinctive handshakes invite classification and throttling; transports that resemble the background noise of ordinary encrypted sessions are far harder to single out. Bitcoin Core’s move to BIP‑324 (v2 encrypted P2P transport enabled by default) is a template here: a previously distinctive protocol is now just another stream of ciphertext with minimal metadata leakage. We assume this posture as the baseline, not the upgrade path.

Second, the stack must be transport‑agile. No single path (TCP/TLS over well‑known ports, Tor v3 onions, I2P/NTCP2, QUIC) should be a single point of failure. Clients must be able to fall back and sideways, swapping transports and handshakes when one class is filtered or degraded, without user heroics. The right question is never “do you support Tor or not?” but “how many different ways can you get a proof or settlement through when one channel is misbehaving?”

Third, receiver privacy must be the default, not an optional extra. Static addresses and one‑use invoices that live forever are a surveillance goldmine. Payment rendezvous should be “addressless” in the sense that the receiver can advertise a reusable, non‑doxxing pointer (Offers, aliases, proofs of inbox ownership) without spraying a stable graph into the network. Path‑blinding and “last‑mile” sinks like ecash or shielded pools give endpoints breathing room: the network sees movement, not identities.

Fourth, settlement must be refund‑safe under squeeze. If an authoritarian operator can simply hold swaps half‑open until participants give up, non‑custodial corridors become de facto custodial choke points. All cross‑asset payouts, especially those bridging public and privacy assets, should be built around atomic, adaptor‑signature flows with clear timeout and refund semantics. Users must be able to abort and reclaim funds safely when corridors are interdicted.

Fifth, edge admission must remain open. No “special” relays or whitelisted entry points: any honest node should be able to join, relay, and be relayed to. Anti‑Sybil defenses and rate limits are necessary, but they must not morph into gatekeeper APIs that a single jurisdiction can turn off.

Finally, comms health is part of the same telemetry regime as proofs. If reachability silently degrades, neutrality and verifiability degrade with it. Layer 1 must be instrumented; it is not enough to say “we route around damage” and hope.

15.3 Mechanisms: what needs to ship

Design rules are only as good as the code paths and defaults that embody them. For Layer 1, several classes of mechanism are non‑negotiable.

Encrypted, multi‑path P2P transports. At the base, full nodes and relays should speak an encrypted P2P protocol by default, with minimal metadata exposure and no reliance on exotic ports. BIP‑324‑class v2 encrypted transport is the right shape: peers authenticate handshakes with minimal fingerprints, payloads are opaque, and on‑path observers see little more than a stream of ciphertext. On top of that baseline, clients should expose Tor and I2P modes as first‑class citizens, not “advanced” toggles: if clearnet handshakes start to exhibit DPI resets or suspicious SYN drop patterns, transports shift automatically. Where adversaries lean on handshake signatures rather than payloads, camouflage layers (Noise‑style patterns, obfs‑class shims) allow relays in high‑interdiction ASNs to keep moving traffic even when naive classification is in play.

Receiver‑private routing for payments. On the value layer, wallets and merchant stacks should adopt patterns where the receiver does not spray a static endpoint into the world. BOLT12 Offers are exemplary: receiver‑private, reusable invoices that allow long‑lived payment coordinates without exposing a shockingly detailed graph of “who gets paid when” to watchers. Where feasible, path‑blinding and rendezvous routing ensure that intermediaries see only their hop, not the full path. At the far edge, federated ecash and shielded pools provide “endpoint firebreaks”: users can cash in or out of the public graph into instruments whose internal flows are much harder to map.

Settlement survivability and user‑level safety. For cross‑asset payouts, especially BTC↔XMR/ZEC corridors and other privacy rails, adaptor‑signature atomic swaps should be the default, not the exotic path. Wallets must treat “abort & refund” as a first‑class, well‑signposted action, with typed failure modes (liquidity exhaustion, timeout, counterparty offline) rather than ambiguous “something went wrong” errors. Under pressure, success and safe failure are the only two acceptable outcomes; hung trades and stuck funds are indistinguishable from theft.

Topology and anti‑eclipse hardening. At the network graph level, clients should pursue peer‑set diversity and rotation as a matter of course: connections spread across geographies and ASNs, randomized peer selection, quotas on how many inbound slots any single remote can occupy. Gossip protocols should favor multiplicity of paths over minimal bandwidth: the cost of a few extra copies is low compared to the risk of a single compromised relay. Meanwhile, light‑client modes (browser, mobile, enclave) that can verify receipts over any reachable path (including HTTP gateways or bespoke relays) keep verification cheap and accessible even when full node connectivity is impaired.
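One concrete form of the peer‑set diversity and inbound quotas described above, as an added example that is not the book's or any client's code; the address book, ASN values and quota sizes are constructed assumptions:

```python
# Added example, not from the book: ASN-diverse outbound selection and inbound
# quotas, the anti-eclipse posture of 15.3. Peer records are constructed samples.
import random
from collections import Counter

# Constructed address book: (peer_id, asn). A real client would populate this
# from gossip and look ASNs up from a prefix map (assumed to exist).
CANDIDATES = [
    ("p1", 64500), ("p2", 64500), ("p3", 64500),
    ("p4", 64501), ("p5", 64501), ("p6", 64502),
    ("p7", 64503), ("p8", 64504), ("p9", 64504),
]

def select_outbound(candidates, n, max_per_asn=1, seed=0):
    """Pick up to n outbound peers, at most max_per_asn from any one ASN.
    Round-robin over ASN buckets: an attacker who floods the address book
    from a single ASN still wins at most max_per_asn slots."""
    rng = random.Random(seed)
    by_asn = {}
    for peer in candidates:
        by_asn.setdefault(peer[1], []).append(peer)
    for bucket in by_asn.values():
        rng.shuffle(bucket)
    asns = list(by_asn)
    rng.shuffle(asns)
    chosen, taken = [], Counter()
    while len(chosen) < n:
        progressed = False
        for asn in asns:
            if len(chosen) == n:
                break
            if taken[asn] < max_per_asn and by_asn[asn]:
                chosen.append(by_asn[asn].pop())
                taken[asn] += 1
                progressed = True
        if not progressed:  # every bucket exhausted or at quota
            break
    return chosen

def admit_inbound(current, new_peer, max_per_asn=2):
    """Inbound quota: refuse if new_peer's ASN already holds max_per_asn
    inbound slots, so one remote cannot crowd out honest connections."""
    return sum(1 for p in current if p[1] == new_peer[1]) < max_per_asn

def asn_share(peers):
    """Largest fraction of a peer set in one ASN (1.0 means fully eclipsed)."""
    if not peers:
        return 0.0
    return max(Counter(p[1] for p in peers).values()) / len(peers)
```

With a quota of one per ASN the nine‑entry address book yields only five outbound peers, which is the point: the three entries from ASN 64500 cannot buy more than one slot.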

None of these mechanisms is speculative. They exist, often in rough form, in today’s protocol and wallet ecosystems. The job of Layer 1 is to treat them not as optional “privacy features” but as core infrastructure: to set the defaults, wire them into the SDKs, and make their health visible.

SLOs and telemetry. To know whether any of this is working, we need simple, brutally honest metrics. At minimum: p50/p95 success rates for reaching a verifier over at least two distinct transports; time‑to‑first‑connection for a new node; swap success and refund rates across key corridors; fraction of traffic that remains encrypted and indistinguishable in jurisdictions known to censor. These figures should sit on the same public dashboards as VerifyPrice: if they are drifting, the system is becoming less neutral and less verifiable, regardless of how elegant the cryptography looks on paper.

15.4 How Layer 1 anchors the triad

Communications resilience is not an orthogonal concern; it is the medium in which the triad either lives or suffocates.

For Privacy, encrypted transports and receiver‑private endpoints are what keep the network itself from nullifying ledger‑level secrecy. Shielded pools and privacy coins are only as private as their membrane to the outside world. If every shielded payout can be traced to a stable IP graph and a static address, “lawful privacy” collapses into a thin veneer over a rich flow‑of‑funds analysis. Layer 1’s job is to ensure that settlement paths are as hard to pin down as the flows they carry: private not only in state, but in motion.

For Proofs, communications resilience keeps verification a public act rather than a priestly privilege. A world where only a small set of well‑positioned nodes can fetch and check proofs is a world where VerifyPrice has quietly become an internal KPI rather than a public commodity. If any honest machine with modest connectivity can still reach a verifier over at least one path, proof markets and receipt ledgers remain subject to universal scrutiny. When reachability fragments, the “public” in public verification becomes aspirational.

For Compute, Layer 1 ensures that useful‑work mining and verified inference do not devolve into “whoever still has a clear line to the router wins.” Proof‑of‑Useful‑Work schemes depend on open admission: a wide, geographically and topologically diverse set of provers and miners competing to satisfy claims. If adversaries can choke ingress to a few ASNs or clouds, PoUW degenerates into a club good. Comms health metrics and open‑admission design at the edge keep compute supply neutral and keep the token’s claim (“backed by globally demanded work”) from turning into “backed by whichever datacenter the regulator likes.”

All of this math still travels as packets. Layer 0 keeps the machines honest and powered; Layer 1 keeps them in conversation when it is no longer convenient for them to be. The triad’s monetary ambitions depend on both. Without verifiable machines, we do not know what happened. Without resilient communications, we do not know it in time, or at all.

15.5 VerifyReach: communications telemetry

Layer 1 introduces VerifyReach as the communications analogue of VerifyPrice:

  • Reachability metrics: fraction of vantage points (ISPs, ASNs, countries) from which key services (full nodes, corridors, proof factories, routers) are reachable.
  • Degradation patterns: which networks experience blocking, throttling, or high failure rates.
  • Transport diversity: what percentage of traffic flows over each transport class (clearnet, Tor, I2P, satellite).

Target SLOs:

  • “Core infrastructure reachable from ≥ X% of sampled ASNs.”
  • “No country‑level view sees more than Y% persistent reachability degradation without triggering incident handling.”

VerifyReach feeds into Layer 6 governance: if reachability collapses in a region, incident response kicks in (alternative transports are promoted, routing is adjusted, and the degradation is visible on public dashboards).

15.5.1 VerifyReach measurement specification

Like VerifyPrice, VerifyReach requires a rigorous measurement methodology to prevent gaming and ensure credibility.

Sampling Frame:

Dimension | Minimum Coverage | Rationale
ASNs | ≥500 distinct ASNs globally | Captures ISP-level blocking
Regions | ≥50 countries; ≥10 in each of: Americas, Europe, Asia, Africa, Oceania | Detects regional censorship
Censorship regimes | Explicit coverage of known filtering states (CN, IR, RU, etc.) | Tests worst-case reachability
Network types | Residential, mobile, enterprise, datacenter | Different filtering at each

Vantage Points:

  • Community nodes: Volunteer-run measurement agents (similar to OONI probes). Incentivized via small WC rewards.
  • Independent labs: At least 3 organizations (academic, NGO, commercial) run measurement infrastructure. No single operator controls >30% of vantage points.
  • Diversity requirement: Vantage points must span ≥20 countries and ≥100 ASNs for measurements to be considered valid.

Metrics:

Metric | Definition | Target SLO
succ₁(N,R) | Fraction of vantage points in region R that can reach service N via primary transport within 30s | ≥95% for uncensored regions; ≥70% for known-censored
succ₂(N,R) | Fraction that can reach via any transport (including fallbacks) within 60s | ≥99% uncensored; ≥85% censored
ttfc(N,R) | Time-to-first-connection (p50, p95) | p95 < 10s uncensored; p95 < 30s censored
failure_class | Taxonomy: DNS, TCP RST, TLS, timeout, active probe, unknown | Published per region

Adversarial Robustness:

Threat | Mitigation
Spoofed vantage points | Vantage points must solve periodic challenges (e.g., fetch and sign specific data); anomalous behavior triggers exclusion
Selective treatment | Measurements include “canary” requests that should succeed; if canaries fail but targets succeed, vantage point is flagged
Measurement capture | Results from different operators are cross-checked; divergence >10% triggers investigation
Temporal gaming | Measurements are continuous (not just snapshots); 24-hour rolling averages published
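The metric definitions and the canary and cross‑operator checks above, computed over constructed probe records as an added example that is not part of the book; the record layout, operator names and country codes are assumptions, with the country standing in for region R:

```python
# Added example, not from the book: VerifyReach metrics (15.5.1) over constructed
# probe records. Thresholds come from the metrics table; the record layout is assumed.
from collections import Counter
from math import ceil

# Constructed probes of service N from six vantage points (vp); ttfc is seconds
# to first connection (None = never connected). country is used as region R.
PROBES = [
    dict(vp="v1", op="labA", country="CC1", primary=True,  any=True,  ttfc=1.2,  fail=None,      canary=True),
    dict(vp="v2", op="labB", country="CC1", primary=True,  any=True,  ttfc=2.5,  fail=None,      canary=True),
    dict(vp="v3", op="labA", country="CC1", primary=False, any=True,  ttfc=40.0, fail="TCP RST", canary=True),
    dict(vp="v4", op="labC", country="CC1", primary=False, any=False, ttfc=None, fail="timeout", canary=True),
    dict(vp="v5", op="labB", country="CC2", primary=True,  any=True,  ttfc=0.8,  fail=None,      canary=False),
    dict(vp="v6", op="labC", country="CC2", primary=True,  any=True,  ttfc=1.1,  fail=None,      canary=True),
]
SLO = {  # (succ1 floor, succ2 floor, p95 ttfc ceiling in seconds) per regime
    "uncensored": (0.95, 0.99, 10.0),
    "censored": (0.70, 0.85, 30.0),
}

def percentile(values, q):  # nearest-rank percentile of a non-empty list
    s = sorted(values)
    return s[min(len(s) - 1, ceil(q * len(s)) - 1)]

def region_metrics(probes, region):
    """succ1, succ2, ttfc p50/p95 and failure_class counts for one region."""
    rs = [p for p in probes if p["country"] == region]
    times = [p["ttfc"] for p in rs if p["ttfc"] is not None]
    return {
        "succ1": sum(p["primary"] for p in rs) / len(rs),
        "succ2": sum(p["any"] for p in rs) / len(rs),
        "ttfc_p50": percentile(times, 0.50) if times else None,
        "ttfc_p95": percentile(times, 0.95) if times else None,
        "failure_class": dict(Counter(p["fail"] for p in rs if p["fail"])),
    }

def slo_breaches(metrics, regime):
    """Names of the SLO targets a region misses under its censorship regime."""
    s1, s2, p95 = SLO[regime]
    out = []
    if metrics["succ1"] < s1: out.append("succ1")
    if metrics["succ2"] < s2: out.append("succ2")
    if metrics["ttfc_p95"] is None or metrics["ttfc_p95"] >= p95: out.append("ttfc_p95")
    return out

def flagged_vantage_points(probes):
    """Selective-treatment check: canary failed while the target succeeded."""
    return sorted(p["vp"] for p in probes if not p["canary"] and p["any"])

def operator_divergence(probes, region):
    """Measurement-capture check: spread of succ2 between operators (>0.10 investigates)."""
    per_op = {}
    for p in probes:
        if p["country"] == region:
            per_op.setdefault(p["op"], []).append(p["any"])
    rates = [sum(v) / len(v) for v in per_op.values()]
    return max(rates) - min(rates)
```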

Publication:

  • Raw measurement data (anonymized to protect vantage point operators) published daily.
  • Aggregated dashboards updated hourly.
  • Quarterly reports summarizing regional trends, incidents, and transport effectiveness.
  • All measurement code is open-source and reproducible.

Monetary Consequences:

If VerifyReach for a region falls below thresholds:

  • WC minted by operators in that region may face regional risk premiums (higher collateral requirements).
  • Corridors primarily serving that region are flagged; users see warnings before transacting.
  • Incident response is triggered: alternative transports promoted, routing adjusted.

This makes VerifyReach not just a dashboard metric, but an input to economic risk pricing.
