9.3 KiB
sidebar_position
| sidebar_position |
|---|
| 4 |
Mycelium Network Architecture
Understanding Mycelium's architecture reveals why it's fundamentally different from traditional networking solutions.
Core Innovation: Identity = Address
Mycelium's architecture revolves around peers. Each peer has a cryptographic private/public keypair, and these are used to encrypt all messages in an end-to-end fashion.
The hash of the public key is used as an IPv6 address. This means that the cryptographic identity and the network address of each peer are inherently linked.
What This Means in Practice
Think of it like a postal system where you can send a secret message to anyone just by knowing their address. The recipient can read it simply because they reside at the intended destination, without requiring any additional coordination or precommunication.
- Your address IS your identity - No separation between who you are and where you are
- Automatic encryption - Messages are encrypted to the destination by design
- No key exchange needed - The address itself contains the encryption key
🔐 Technical Lineage
This innovation was pioneered by the cjdns network, which later inspired Yggdrasil, from which Mycelium is inspired. Each generation has refined and improved upon this fundamental concept.
Why This Is More Secure Than TLS/HTTPS
Compare this to the regular web, where most traffic is encrypted using TLS/HTTPS:
The TLS Problem
In traditional TLS/HTTPS:
- ❌ No inherent link between a TLS cryptographic identity (certificate) and the destination of the traffic
- ❌ Self-signed certificates are rare and not considered secure (without identity-destination link, impossible to know if created by a MITM attacker)
- ❌ Centralized certificate authorities - Internet devices must be loaded with a list of trusted CAs
- ❌ Single points of failure - CAs can be compromised, fail, or be coerced
The Mycelium Solution
✅ Cryptographic identity = Network address - MITM attacks are cryptographically impossible
✅ No trusted intermediaries - No certificate authorities to compromise
✅ Decentralized by design - No single point of failure
✅ Improved security AND resiliency - Both benefits simultaneously
Network Architecture: Underlay & Overlay
Mycelium creates a mesh network to deliver encrypted IP overlay traffic. But how do peers actually connect?
The Underlay Network
Mycelium peers must connect somehow to form the mesh. Most commonly, peers connect over the regular internet, using it as an underlay network.
This is enabled by public peers - special nodes that are open to receive connections on the regular internet.
┌──────────────────────────────────────────────────┐
│ Regular Internet (Underlay) │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Public │ │ Public │ │ Public │ │
│ │ Peer A │ │ Peer B │ │ Peer C │ │
│ └────▲─────┘ └────▲─────┘ └────▲─────┘ │
│ │ │ │ │
└───────┼────────────────┼────────────────┼────────┘
│ │ │
┌───┴────┐ ┌───┴────┐ ┌───┴────┐
│ Your │◄─────►│ Your │◄─────►│ Your │
│Device 1│ Mesh │Device 2│ Mesh │Device 3│
└────────┘ └────────┘ └────────┘
Encrypted Mycelium Overlay Network
The Overlay Network
On top of the underlay, Mycelium creates an encrypted overlay where:
- All traffic between your devices is end-to-end encrypted
- Routing is handled by the mesh protocol
- Your devices appear to be on the same local IPv6 network
Resilient Multi-Path Routing
Here's where Mycelium achieves more resilient routing than the regular internet:
How It Works
Each peer generally connects to multiple public peers, each offering a different potential path for traffic.
┌────────────────┐
│ Your Device │
└───┬─────┬─────┬┘
│ │ │
┌────────┤ │ └────────┐
│ │ │
┌───▼────┐ ┌───▼────┐ ┌────▼───┐
│Public │ │Public │ │Public │
│Peer 1 │ │Peer 2 │ │Peer 3 │
│Germany │ │Belgium │ │Finland │
└────────┘ └────────┘ └────────┘
Route A Route B Route C
Real-World Resilience
If the route via one public peer is interrupted—such as by an undersea cable cut—there's a possibility to find another route via another public peer.
🌊 Real Example
This isn't just theoretical. We have experienced interruptions that were traceable with good certainty to undersea cable cuts happening at the same time. The network automatically routed around the failure using alternative paths.
Why the regular internet can't do this:
- Most internet connections have a single ISP path
- BGP routing changes slowly and requires coordination
- No automatic multi-path at the user level
- Cable cuts can disconnect entire regions
Why Mycelium can:
- You're connected to multiple geographically diverse peers
- Mesh routing adapts automatically in seconds
- No coordination needed—it's peer-to-peer
- Traffic flows through available paths automatically
Key Architectural Components
1. Cryptographic Keypair
Every Mycelium node generates:
- Private key - Kept secret, never shared
- Public key - Shared openly, identifies your node
2. IPv6 Address
Derived from your public key:
- Format: Standard IPv6 (e.g.,
5c4:c176:bf44:b2ab:5e7e:f6a:b7e2:11ca) - Unique: Cryptographically guaranteed to be unique
- Persistent: Doesn't change unless you generate new keys
3. Peer Connections
Your node maintains connections to:
- Public peers - For internet connectivity and routing
- Direct peers - Other nodes you explicitly connect to
- Discovered peers - Nodes found through the mesh
4. Routing Table
Each node maintains:
- Known peers and their addresses
- Path costs to reach each peer
- Multiple routes to most destinations
- Automatic updates as the network changes
Message Encryption Flow
When you send data to another Mycelium address:
- Lookup destination - Find the IPv6 address
- Derive public key - Extract from the address
- Encrypt message - Using the destination's public key
- Route through mesh - Via optimal path
- Decrypt at destination - Using their private key
Only the destination can decrypt—not even the public peers can read the content.
Benefits of This Architecture
Security Benefits
- End-to-end encryption - Built into the protocol
- No MITM attacks - Identity = Address prevents it
- No trusted third parties - Fully peer-to-peer
- Private by default - Encryption isn't optional
Resilience Benefits
- Multi-path routing - Automatic failover
- Self-healing - Network adapts to failures
- No single point of failure - Fully distributed
- Works behind NAT - Firewall traversal built-in
Simplicity Benefits
- Zero configuration - Just run and connect
- Automatic key management - No manual setup
- Plug and play - Works immediately
- Cross-platform - Same protocol everywhere
Comparison with Other Technologies
| Feature | Mycelium | Traditional VPN | TLS/HTTPS | Tor |
|---|---|---|---|---|
| Identity = Address | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Decentralized | ✅ Yes | ❌ Central server | ❌ Needs CAs | ✅ Yes |
| Multi-path routing | ✅ Yes | ❌ Single path | ❌ Single path | ✅ Yes |
| Direct connections | ✅ When possible | ❌ Via server | ✅ Yes | ❌ Via relays |
| Zero config | ✅ Yes | ❌ Needs setup | ✅ Browser only | ❌ Complex |
| Performance | ✅ Fast | ⚠️ Moderate | ✅ Fast | ❌ Slow |
Technical Resources
For more technical details:
- Source Code: github.com/threefoldtech/mycelium
- Yggdrasil Network: yggdrasil-network.github.io
- cjdns Project: github.com/cjdelisle/cjdns
:::tip Understanding Makes It Powerful
Now that you understand how Mycelium works, you can appreciate why it's not just another VPN—it's a fundamentally different approach to secure networking that eliminates entire classes of security problems. :::