--- sidebar_position: 4 --- # Mycelium Network Architecture Understanding Mycelium's architecture reveals why it's fundamentally different from traditional networking solutions. ## Core Innovation: Identity = Address Mycelium's architecture revolves around **peers**. Each peer has a cryptographic private/public keypair, and these are used to encrypt all messages in an end-to-end fashion. The hash of the public key is used as an **IPv6 address**. This means that the cryptographic identity and the network address of each peer are **inherently linked**. ### What This Means in Practice Think of it like a postal system where you can send a secret message to anyone just by knowing their address. The recipient can read it simply because they reside at the intended destination, without requiring any additional coordination or precommunication. - **Your address IS your identity** - No separation between who you are and where you are - **Automatic encryption** - Messages are encrypted to the destination by design - **No key exchange needed** - The address itself contains the encryption key
### πŸ” Technical Lineage This innovation was pioneered by the **cjdns** network, which later inspired **Yggdrasil**, from which Mycelium is inspired. Each generation has refined and improved upon this fundamental concept.
## Why This Is More Secure Than TLS/HTTPS Compare this to the regular web, where most traffic is encrypted using TLS/HTTPS: ### The TLS Problem In traditional TLS/HTTPS: - ❌ **No inherent link** between a TLS cryptographic identity (certificate) and the destination of the traffic - ❌ **Self-signed certificates** are rare and not considered secure (without identity-destination link, impossible to know if created by a MITM attacker) - ❌ **Centralized certificate authorities** - Internet devices must be loaded with a list of trusted CAs - ❌ **Single points of failure** - CAs can be compromised, fail, or be coerced ### The Mycelium Solution βœ… **Cryptographic identity = Network address** - MITM attacks are cryptographically impossible βœ… **No trusted intermediaries** - No certificate authorities to compromise βœ… **Decentralized by design** - No single point of failure βœ… **Improved security AND resiliency** - Both benefits simultaneously ## Network Architecture: Underlay & Overlay Mycelium creates a **mesh network** to deliver encrypted IP overlay traffic. But how do peers actually connect? ### The Underlay Network Mycelium peers must connect somehow to form the mesh. Most commonly, peers connect **over the regular internet**, using it as an **underlay network**. This is enabled by **public peers** - special nodes that are open to receive connections on the regular internet. ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Regular Internet (Underlay) β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Public β”‚ β”‚ Public β”‚ β”‚ Public β”‚ β”‚ β”‚ β”‚ Peer A β”‚ β”‚ Peer B β”‚ β”‚ Peer C β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β–²β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”΄β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”΄β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”΄β”€β”€β”€β”€β” β”‚ Your │◄─────►│ Your │◄─────►│ Your β”‚ β”‚Device 1β”‚ Mesh β”‚Device 2β”‚ Mesh β”‚Device 3β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ Encrypted Mycelium Overlay Network ``` ### The Overlay Network On top of the underlay, Mycelium creates an **encrypted overlay** where: - All traffic between your devices is end-to-end encrypted - Routing is handled by the mesh protocol - Your devices appear to be on the same local IPv6 network ## Resilient Multi-Path Routing Here's where Mycelium achieves **more resilient routing than the regular internet**: ### How It Works Each peer generally connects to **multiple public peers**, each offering a **different potential path** for traffic. ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Your Device β”‚ β””β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”¬β”˜ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ └────────┐ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β–Όβ”€β”€β”€β”€β” β”Œβ”€β”€β”€β–Όβ”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β” β”‚Public β”‚ β”‚Public β”‚ β”‚Public β”‚ β”‚Peer 1 β”‚ β”‚Peer 2 β”‚ β”‚Peer 3 β”‚ β”‚Germany β”‚ β”‚Belgium β”‚ β”‚Finland β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ Route A Route B Route C ``` ### Real-World Resilience If the route via one public peer is interruptedβ€”such as by an **undersea cable cut**β€”there's a possibility to find another route via another public peer.
### 🌊 Real Example This isn't just theoretical. We have experienced interruptions that were traceable with good certainty to **undersea cable cuts** happening at the same time. The network automatically routed around the failure using alternative paths.
**Why the regular internet can't do this:** - Most internet connections have a single ISP path - BGP routing changes slowly and requires coordination - No automatic multi-path at the user level - Cable cuts can disconnect entire regions **Why Mycelium can:** - You're connected to multiple geographically diverse peers - Mesh routing adapts automatically in seconds - No coordination neededβ€”it's peer-to-peer - Traffic flows through available paths automatically ## Key Architectural Components ### 1. Cryptographic Keypair Every Mycelium node generates: - **Private key** - Kept secret, never shared - **Public key** - Shared openly, identifies your node ### 2. IPv6 Address Derived from your public key: - **Format**: Standard IPv6 (e.g., `5c4:c176:bf44:b2ab:5e7e:f6a:b7e2:11ca`) - **Unique**: Cryptographically guaranteed to be unique - **Persistent**: Doesn't change unless you generate new keys ### 3. Peer Connections Your node maintains connections to: - **Public peers** - For internet connectivity and routing - **Direct peers** - Other nodes you explicitly connect to - **Discovered peers** - Nodes found through the mesh ### 4. Routing Table Each node maintains: - **Known peers** and their addresses - **Path costs** to reach each peer - **Multiple routes** to most destinations - **Automatic updates** as the network changes ## Message Encryption Flow When you send data to another Mycelium address: 1. **Lookup destination** - Find the IPv6 address 2. **Derive public key** - Extract from the address 3. **Encrypt message** - Using the destination's public key 4. **Route through mesh** - Via optimal path 5. **Decrypt at destination** - Using their private key Only the destination can decryptβ€”not even the public peers can read the content. ## Benefits of This Architecture ### Security Benefits - **End-to-end encryption** - Built into the protocol - **No MITM attacks** - Identity = Address prevents it - **No trusted third parties** - Fully peer-to-peer - **Private by default** - Encryption isn't optional ### Resilience Benefits - **Multi-path routing** - Automatic failover - **Self-healing** - Network adapts to failures - **No single point of failure** - Fully distributed - **Works behind NAT** - Firewall traversal built-in ### Simplicity Benefits - **Zero configuration** - Just run and connect - **Automatic key management** - No manual setup - **Plug and play** - Works immediately - **Cross-platform** - Same protocol everywhere ## Comparison with Other Technologies | Feature | Mycelium | Traditional VPN | TLS/HTTPS | Tor | |---------|----------|----------------|-----------|-----| | **Identity = Address** | βœ… Yes | ❌ No | ❌ No | ❌ No | | **Decentralized** | βœ… Yes | ❌ Central server | ❌ Needs CAs | βœ… Yes | | **Multi-path routing** | βœ… Yes | ❌ Single path | ❌ Single path | βœ… Yes | | **Direct connections** | βœ… When possible | ❌ Via server | βœ… Yes | ❌ Via relays | | **Zero config** | βœ… Yes | ❌ Needs setup | βœ… Browser only | ❌ Complex | | **Performance** | βœ… Fast | ⚠️ Moderate | βœ… Fast | ❌ Slow | ## Technical Resources For more technical details: - **Source Code**: [github.com/threefoldtech/mycelium](https://github.com/threefoldtech/mycelium) - **Yggdrasil Network**: [yggdrasil-network.github.io](https://yggdrasil-network.github.io/) - **cjdns Project**: [github.com/cjdelisle/cjdns](https://github.com/cjdelisle/cjdns) --- :::tip Understanding Makes It Powerful Now that you understand how Mycelium works, you can appreciate why it's not just another VPNβ€”it's a fundamentally different approach to secure networking that eliminates entire classes of security problems. :::