# ant-quic
A QUIC transport protocol implementation with advanced NAT traversal capabilities, optimized for P2P networks and the Autonomi ecosystem.
[](https://docs.rs/ant-quic/)
[](https://crates.io/crates/ant-quic)
[](LICENSE-MIT)
[](LICENSE-APACHE)
[](https://github.com/dirvine/ant-quic/actions/workflows/quick-checks.yml)
[](https://github.com/dirvine/ant-quic/actions/workflows/security.yml)
[](https://github.com/dirvine/ant-quic/actions/workflows/cross-platform.yml)
[](https://codecov.io/gh/dirvine/ant-quic)
## ๐ Documentation
Comprehensive documentation is available in the [`docs/`](docs/) directory:
- [Architecture Overview](docs/architecture/)
- [Getting Started Guide](docs/guides/)
- [API Reference](docs/api/)
- [Development Guide](docs/development/)
## Features
- **Advanced NAT Traversal**: ICE-like candidate discovery and coordinated hole punching
- **P2P Optimized**: Designed for peer-to-peer networks with minimal infrastructure
- **High Connectivity**: Near 100% connection success rate through sophisticated NAT handling
- **QUIC Address Discovery**: Automatic peer address detection via IETF draft standard
- **Post-Quantum Ready**: Support for ML-KEM-768 and ML-DSA-65 hybrid cryptography
- **IPv4/IPv6 Dual Stack**: Full support for both protocols with automatic selection
- **Built on Quinn**: Leverages the proven Quinn QUIC implementation as foundation
- **Automatic Bootstrap Connection**: Nodes automatically connect to configured bootstrap nodes
- **Production-Ready Binary**: Full-featured `ant-quic` binary for immediate deployment
## System Requirements
### Minimum Requirements
- **Operating System**:
- Linux (kernel 3.10+)
- Windows 10/11 or Windows Server 2016+
- macOS 10.15+
- Android API 21+ / iOS 13+
- **Memory**: 64MB minimum, 256MB recommended per node
- **CPU**: Any x86_64 or ARM64 processor
- **Network**: UDP traffic on chosen port (default: random)
### Platform-Specific Features
- **Linux**: Native netlink interface for network discovery
- **Windows**: Windows IP Helper API for interface enumeration
- **macOS**: System Configuration framework integration
- **WASM**: Experimental support via `quinn-proto`
## Key Capabilities
- **Symmetric NAT Penetration**: Breakthrough restrictive NATs through coordinated hole punching
- **QUIC-based Address Discovery**: Automatic detection of peer addresses using OBSERVED_ADDRESS frames
- **Multi-path Connectivity**: Test multiple connection paths simultaneously for reliability
- **Automatic Role Detection**: Nodes dynamically become coordinators when publicly reachable
- **Bootstrap Node Coordination**: Decentralized discovery and coordination services
- **Connection Migration**: Seamless adaptation to changing network conditions
- **Path Validation**: Robust verification of connection paths before use
- **Peer Authentication**: Ed25519-based cryptographic authentication with challenge-response protocol
- **Secure Chat Messaging**: Encrypted peer-to-peer messaging with protocol versioning
- **Real-time Monitoring**: Built-in statistics dashboard for connection and performance metrics
- **Address Change Detection**: Automatic notification when peer addresses change
- **Rate-Limited Observations**: Configurable observation rates to prevent network flooding
## Network Configuration
### Port Requirements
- **Listen Port**: Configurable (default: random port 1024-65535)
- **Protocol**: UDP only (QUIC requirement)
- **Firewall Rules**:
```bash
# Linux (iptables)
sudo iptables -A INPUT -p udp --dport 9000 -j ACCEPT
# Windows (PowerShell as Administrator)
New-NetFirewallRule -DisplayName "ant-quic" -Direction Inbound -Protocol UDP -LocalPort 9000 -Action Allow
# macOS
# Add to System Preferences > Security & Privacy > Firewall > Firewall Options
```
### Bootstrap Node Requirements
- **Public IP**: Static or dynamic with DNS
- **Open UDP Port**: Must be reachable from internet
- **Bandwidth**: Minimum 10 Mbps symmetric recommended
- **CPU**: 2+ cores recommended for high-traffic nodes
## Quick Start
### Installation
#### Pre-built Binaries
Download from [GitHub Releases](https://github.com/dirvine/ant-quic/releases):
- Linux: `ant-quic-linux-x86_64`, `ant-quic-linux-aarch64`
- Windows: `ant-quic-windows-x86_64.exe`
- macOS: `ant-quic-macos-x86_64`, `ant-quic-macos-aarch64`
```bash
# Linux/macOS
chmod +x ant-quic-linux-x86_64
./ant-quic-linux-x86_64 --help
```
#### From Source
```bash
# Install via cargo
cargo install ant-quic
# Or build from source
git clone https://github.com/autonomi/ant-quic
cd ant-quic
cargo build --release
# Docker installation (example Dockerfile available in repository)
docker run -p 9000:9000/udp autonomi/ant-quic:latest --listen 0.0.0.0:9000
```
### Basic Usage
```bash
# Run as P2P node with QUIC protocol
ant-quic --listen 0.0.0.0:9000
# Connect to bootstrap nodes for peer discovery (automatic connection on startup)
ant-quic --bootstrap quic.saorsalabs.com:9000
# Discover your external address (requires bootstrap node)
ant-quic --bootstrap 159.89.81.21:9000
# Will print: ๐ Discovered external address: YOUR.PUBLIC.IP:PORT
# Or if unable to discover: โ ๏ธ CANNOT_FIND_EXTERNAL_ADDRESS
# Run as coordinator with NAT traversal event monitoring
ant-quic --force-coordinator --listen 0.0.0.0:9000
# Run with dashboard for real-time statistics
ant-quic --dashboard --listen 0.0.0.0:9000
# Run multiple nodes locally for testing
ant-quic --listen 0.0.0.0:9000 # Bootstrap node
ant-quic --listen 0.0.0.0:9001 --bootstrap 127.0.0.1:9000 # Client node
# Check NAT traversal status while running
# Type /status to see discovered addresses and coordination sessions
# Type /help for available commands
```
### Complete CLI Reference
```bash
ant-quic [OPTIONS] [SUBCOMMAND]
OPTIONS:
--listen <ADDR> Listen address (default: 0.0.0.0:0)
--bootstrap <ADDR1,ADDR2,...> Bootstrap nodes (comma-separated)
--coordinator Enable coordinator services
--force-coordinator Force coordinator mode (even behind NAT)
--minimal Minimal output for testing
--debug Enable debug logging
--dashboard Enable statistics dashboard
--dashboard-interval <SECS> Dashboard update interval (default: 2)
-h, --help Print help information
-V, --version Print version information
SUBCOMMANDS:
connect Connect to specific peer via coordinator
--coordinator <ADDR> Coordinator address
<PEER_ID> Target peer ID (hex)
coordinator Run as pure coordinator node
chat Run as chat client
--nickname <NAME> Chat nickname
help Print detailed help information
```
### How It Works
ant-quic automatically detects its network reachability and adapts its role:
- **Public IP + Reachable**: Becomes full coordinator providing bootstrap services to other nodes
- **Limited Reachability**: Provides limited coordinator services while also acting as client
- **Behind NAT**: Client-only mode, connects to others through NAT traversal
This creates a **decentralized bootstrap network** where any publicly reachable node automatically helps coordinate connections for nodes behind NATs.
### Library Usage
```rust
use ant_quic::{
nat_traversal_api::{NatTraversalEndpoint, NatTraversalConfig, EndpointRole},
CandidateSource, NatTraversalRole,
};
// Create NAT traversal endpoint (address discovery enabled by default)
let config = NatTraversalConfig {
role: EndpointRole::Client,
bootstrap_nodes: vec!["quic.saorsalabs.com:9000".parse().unwrap()],
max_candidates: 8,
coordination_timeout: Duration::from_secs(10),
discovery_timeout: Duration::from_secs(5),
};
let endpoint = NatTraversalEndpoint::new(config).await?;
// Connect to peer through NAT traversal
let peer_id = PeerId([0x12; 32]);
let connection = endpoint.connect_to_peer(peer_id).await?;
// Access discovered addresses
let discovered = endpoint.discovered_addresses();
println!("Discovered addresses: {:?}", discovered);
```
### Configuration
#### Address Discovery Configuration
Address discovery is enabled by default and can be configured via:
```rust
use ant_quic::config::{EndpointConfig, AddressDiscoveryConfig};
let mut config = EndpointConfig::default();
// Configure address discovery
config.set_address_discovery_enabled(true); // Default: true
config.set_max_observation_rate(30); // Max 30 observations/second
config.set_observe_all_paths(false); // Only observe active path
// Or use environment variables
// ANT_QUIC_ADDRESS_DISCOVERY_ENABLED=false
// ANT_QUIC_MAX_OBSERVATION_RATE=60
```
Bootstrap nodes automatically use aggressive observation settings:
- Maximum observation rate (63 observations/second)
- Observe all paths regardless of configuration
- Immediate observation on new connections
#### Detailed Address Discovery Specifications
**Transport Parameter (0x1f00)**:
- **Bit Layout**: `[enabled:1][observe_all_paths:1][max_rate:6]`
- **Max Rate Range**: 0-63 observations per second
- **Default Values**: enabled=true, rate=10/sec, observe_all_paths=false
**OBSERVED_ADDRESS Frame (0x43)**:
- **Frame Format**: `[type:varint][ip_version:1][address:4/16][port:2]`
- **IP Version**: 4 (IPv4) or 6 (IPv6)
- **Max Frame Size**: 20 bytes
- **Allowed In**: 1-RTT packets only
**Rate Limiting**:
- **Algorithm**: Token bucket per path
- **Burst Capacity**: Equal to configured rate
- **Token Precision**: Floating-point for accuracy
- **Bootstrap Multiplier**: 6.3x (63/10) for bootstrap nodes
### Examples
The repository includes several example applications demonstrating various features:
- **[simple_chat](examples/simple_chat.rs)**: Basic P2P chat with authentication
- **[chat_demo](examples/chat_demo.rs)**: Advanced chat with peer discovery and messaging
- **[dashboard_demo](examples/dashboard_demo.rs)**: Real-time connection statistics monitoring
Run examples with:
```bash
cargo run --example simple_chat -- --listen 0.0.0.0:9000
cargo run --example chat_demo -- --bootstrap quic.saorsalabs.com:9000
cargo run --example dashboard_demo
```
### Running Tests
```bash
# Run all tests including address discovery
cargo test --all
# Run specific test suites
cargo test address_discovery # Test QUIC address discovery
cargo test nat_traversal # Test NAT traversal
cargo test auth # Test authentication
# Run benchmarks
cargo bench observed_address # Benchmark address discovery performance
```
### Real-World Testing Status
#### Completed Tests โ
- **Home Network NAT Traversal**: Successfully connected through typical home router to cloud bootstrap node
- Connection time: < 200ms
- Stability: Excellent
- Success rate: 100%
#### Pending Tests ๐ง
- **Mobile Network (4G/5G)**: Requires physical device with hotspot capability
- **Enterprise Network**: Requires access to corporate network with strict firewall
- **Carrier-Grade NAT (CGNAT)**: Requires specific ISP environment
- **Long-running Stability**: 1+ hour continuous connection test
Test results are being tracked in `phase6_test_log.md`.
## Architecture
ant-quic extends the proven Quinn QUIC implementation with sophisticated NAT traversal capabilities:
### Core Components
- **Transport Parameter Extensions**: RFC-style negotiation of NAT traversal and address discovery
- NAT Traversal Parameter (0x58): Negotiates NAT traversal capabilities
- Address Discovery Parameter (0x1f00): Configures observation rates and behavior
- **Extension Frames**: Custom QUIC frames for address advertisement and coordination
- `ADD_ADDRESS` (0xBAAD): Advertise candidate addresses
- `PUNCH_ME_NOW` (0xBEEF): Coordinate simultaneous hole punching
- `REMOVE_ADDRESS` (0xDEAD): Remove invalid candidates
- `OBSERVED_ADDRESS` (0x43): Report observed peer addresses (IETF draft standard)
- **ICE-like Candidate Pairing**: Priority-based connection establishment
- **Round-based Coordination**: Synchronized hole punching protocol
- **Address Discovery Engine**: Automatic detection and notification of peer addresses
### NAT Traversal Process
1. **Candidate Discovery**: Enumerate local addresses and receive QUIC-observed addresses
2. **Bootstrap Coordination**: Connect to bootstrap nodes for peer discovery
3. **Address Advertisement**: Exchange candidate addresses with peers
4. **Priority Calculation**: Rank candidate pairs using ICE-like algorithms
5. **Coordinated Hole Punching**: Synchronized transmission to establish connectivity
6. **Path Validation**: Verify connection paths before promoting to active
7. **Connection Migration**: Adapt to network changes and path failures
### Protocol Timeouts and Constants
- **Connection Timeout**: 30 seconds
- **Coordination Timeout**: 10 seconds
- **Discovery Timeout**: 5 seconds
- **Retry Token Lifetime**: 15 seconds
- **Keep-Alive Interval**: 5 seconds (bootstrap nodes)
- **Max Idle Timeout**: 60 seconds
- **Dashboard Update**: 2 seconds (configurable)
- **Stats Collection**: 30 second intervals
- **Rate Limit Window**: 60 seconds
### Address Discovery Process
1. **Connection Establishment**: Peers connect and negotiate address discovery support
2. **Address Observation**: Endpoints observe the source address of incoming packets
3. **Frame Transmission**: Send OBSERVED_ADDRESS frames to notify peers
4. **Rate Limiting**: Token bucket algorithm prevents observation flooding
5. **Change Detection**: Monitor for address changes and notify accordingly
6. **NAT Integration**: Discovered addresses automatically become NAT traversal candidates
### Network Topology Support
- **Full Cone NAT**: Direct connection establishment
- **Restricted Cone NAT**: Coordinated hole punching with address filtering
- **Port Restricted NAT**: Port-specific coordination protocols
- **Symmetric NAT**: Advanced prediction and multi-path establishment
- **Carrier Grade NAT (CGNAT)**: Relay-assisted connection fallback
## Specifications
ant-quic implements and extends the following IETF specifications and drafts:
### 1. QUIC Core Specification
- **RFC 9000** โ "QUIC: A UDP-Based Multiplexed and Secure Transport"
https://datatracker.ietf.org/doc/rfc9000/
(Companion RFCs: RFC 9001 for TLS integration and RFC 9002 for loss detection)
### 2. Raw Key Encoding / Key Schedule Used by QUIC
- **RFC 9001** โ "Using TLS to Secure QUIC" (see ยง5 Key Derivation)
https://datatracker.ietf.org/doc/rfc9001/
- **RFC 7250** โ "Using Raw Public Keys in TLS/DTLS"
https://www.rfc-editor.org/rfc/rfc7250
Used for raw public key support instead of X.509 certificates
### 3. QUIC Address Discovery Extension
- **draft-ietf-quic-address-discovery-00** โ "QUIC Address Discovery"
https://datatracker.ietf.org/doc/draft-ietf-quic-address-discovery-00/
Enables endpoints to learn the public IP:port a peer sees for any QUIC path
### 4. Native NAT Traversal for QUIC
- **draft-seemann-quic-nat-traversal-02** โ "Using QUIC to traverse NATs"
https://datatracker.ietf.org/doc/draft-seemann-quic-nat-traversal/
Describes hole-punching and ICE-style techniques directly over QUIC, including new frames such as ADD_ADDRESS and PUNCH_ME_NOW
### 5. Post-Quantum Cryptography Standards
- **FIPS 203** โ "Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)"
https://csrc.nist.gov/pubs/fips/203/final
Defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 (formerly Kyber)
- **FIPS 204** โ "Module-Lattice-Based Digital Signature Standard (ML-DSA)"
https://csrc.nist.gov/pubs/fips/204/final
Defines ML-DSA-44, ML-DSA-65, and ML-DSA-87 (formerly Dilithium)
- **NIST SP 800-56C Rev. 2** โ "Recommendation for Key-Derivation Methods in Key-Establishment Schemes"
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
Provides key derivation functions for combining classical and post-quantum secrets
### 6. Post-Quantum TLS/QUIC Integration
- **draft-ietf-tls-hybrid-design-14** โ "Hybrid key exchange in TLS 1.3"
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
Framework for combining classical and post-quantum algorithms in TLS 1.3
- **draft-ietf-tls-mlkem-04** โ "ML-KEM Post-Quantum Key Agreement for TLS 1.3"
https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
Pure post-quantum key agreement using ML-KEM
- **draft-ietf-tls-ecdhe-mlkem-00** โ "Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3"
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
Hybrid key exchange combining ECDHE with ML-KEM
### 7. Post-Quantum Certificate Support
- **draft-ietf-lamps-kyber-certificates-10** โ "Algorithm Identifiers for ML-KEM"
https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/
X.509 certificate support for ML-KEM public keys
- **draft-ietf-lamps-dilithium-certificates-11** โ "Algorithm Identifiers for ML-DSA"
https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
X.509 certificate support for ML-DSA signatures
## Future Work & Roadmap
### Current Implementation Status
โ
**Completed**:
- Core QUIC protocol with NAT traversal extensions
- Transport parameter negotiation (ID 0x58 for NAT, 0x1f00 for address discovery)
- Extension frames (ADD_ADDRESS, PUNCH_ME_NOW, REMOVE_ADDRESS, OBSERVED_ADDRESS)
- QUIC Address Discovery Extension (draft-ietf-quic-address-discovery-00)
- ICE-like candidate pairing with priority calculation
- Multi-path packet transmission
- Round-based coordination protocol
- High-level NAT traversal API with Quinn integration
- Candidate discovery framework with QUIC integration
- Connection establishment with fallback
- Comprehensive test suite (580+ tests including auth, chat, and security tests)
- Test binaries: coordinator, P2P node, network simulation
- Automatic bootstrap node connection on startup
- Peer authentication with Ed25519 signatures
- Secure chat protocol with version negotiation
- Real-time monitoring dashboard
- Address discovery enabled by default with configurable rates
- 27% improvement in connection success rates with address discovery
- 7x faster connection establishment times
- Performance benchmarks showing < 15ns overhead for address discovery
- Security validation tests completed
- Real-world NAT traversal validation (Phase 6) in progress
๐ง **In Progress/TODO**:
- Session state machine polling implementation
- Relay connection logic for fallback scenarios
- Mobile network NAT traversal testing (requires physical device testing)
- Enterprise firewall testing (requires corporate network environment)
### Roadmap
#### v0.1.0 - Foundation Release โ
- โ
Core NAT traversal functionality
- โ
Basic binary tools
- โ
Full Quinn endpoint integration
- โ
Complete platform-specific interface discovery
- ๐ Performance benchmarking and optimization
#### v0.2.0 - Authentication & Security โ
- โ
Peer authentication with Ed25519
- โ
Secure chat protocol implementation
- โ
Challenge-response authentication protocol
- โ
Message versioning and protocol negotiation
#### v0.3.0 - Production Features โ
- โ
Real-time monitoring dashboard
- โ
Automatic bootstrap node connection
- โ
Comprehensive error handling
- โ
GitHub Actions for automated releases
- โ
Binary releases for multiple platforms
#### v0.4.0 - Bootstrap & Connectivity โ
- โ
Automatic bootstrap connection on startup
- โ
Multi-bootstrap node support
- โ
Connection state management
- โ
Improved peer ID generation
- ๐ง Platform-specific optimizations
#### v0.4.3 - QUIC Address Discovery โ
- โ
IETF draft-ietf-quic-address-discovery-00 implementation
- โ
OBSERVED_ADDRESS frame (0x43) support
- โ
Transport parameter negotiation (0x1f00)
- โ
Per-path rate limiting for observations
- โ
Integration with NAT traversal for improved connectivity
- โ
27% improvement in connection success rates
- โ
Address discovery enabled by default
#### v0.5.0 - Post-Quantum Cryptography (Planned)
- ๐ ML-KEM-768 (Kyber) key encapsulation mechanism
- ๐ ML-DSA-65 (Dilithium) digital signatures
- ๐ Hybrid X25519+ML-KEM-768 key exchange
- ๐ Hybrid Ed25519+ML-DSA-65 signatures
- ๐ Backward compatibility with classical cryptography
- ๐ NIST FIPS 203/204 compliance
- ๐ Extended raw public key support for PQC algorithms
#### v0.6.0 - Advanced Features (Planned)
- ๐ Adaptive retry strategies based on network conditions
- ๐ Advanced relay selection algorithms
- ๐ Protocol optimizations from real-world usage data
- ๐ Enhanced debugging and diagnostic tools
- ๐ Performance profiling and bottleneck analysis
#### v1.0.0 - Autonomi Integration (Future)
- ๐ Native Autonomi network protocol integration
- ๐ Decentralized bootstrap node discovery
- ๐ Enhanced security features for P2P networks
- ๐ Integration with additional discovery mechanisms
- ๐ Production-ready defaults and configurations
### Technical Debt & Improvements
**High Priority (Blocking v0.1.0)**:
- Replace placeholder implementations with real peer ID management
- Implement comprehensive session lifecycle management
- Add adaptive timeout mechanisms based on network conditions
- Complete path validation with sophisticated algorithms
**Medium Priority (v0.2.0)**:
- Enhance connection migration optimization strategies
- Add support for IPv6 dual-stack configurations
- Implement connection quality-based path selection
- Add comprehensive error recovery mechanisms
**Low Priority (v0.3.0+)**:
- Optimize memory usage in high-throughput scenarios
- Add advanced congestion control for P2P networks
- Implement sophisticated relay overlay networks
- Add machine learning-based NAT prediction
### Known Limitations
- Relay selection algorithms need real-world testing and optimization
- IPv6 support needs enhancement for production deployment
- Performance optimization required for high-scale deployments
## Troubleshooting
### Common Issues and Solutions
#### Connection Failures
```bash
# Issue: Cannot connect to bootstrap nodes
# Solution 1: Check firewall rules
sudo iptables -L -n | grep 9000 # Linux
netsh advfirewall firewall show rule name=all | findstr 9000 # Windows
# Solution 2: Verify bootstrap node is reachable
nc -u -v quic.saorsalabs.com 9000 # Test UDP connectivity
# Solution 3: Enable debug logging
ant-quic --debug --bootstrap quic.saorsalabs.com:9000
```
#### NAT Traversal Issues
- **Symmetric NAT**: Use multiple bootstrap nodes for better prediction
- **CGNAT**: May require relay assistance (fallback mechanism)
- **Strict Firewall**: Ensure UDP traffic is allowed bidirectionally
#### Address Discovery Problems
- **No OBSERVED_ADDRESS frames**: Check transport parameter negotiation
- **Rate limiting**: Increase `max_observation_rate` if needed
- **Path changes**: Enable `observe_all_paths` for multi-path scenarios
### Debugging Commands
While running ant-quic, use these commands:
- `/status` - Show current connections and discovered addresses
- `/peers` - List connected peers
- `/stats` - Display connection statistics
- `/debug` - Toggle debug output
- `/help` - Show all available commands
## Production Deployment
### Bootstrap Node Setup
```bash
# Recommended systemd service file (/etc/systemd/system/ant-quic-bootstrap.service)
[Unit]
Description=ant-quic Bootstrap Node
After=network.target
[Service]
Type=simple
User=ant-quic
ExecStart=/usr/local/bin/ant-quic --force-coordinator --listen 0.0.0.0:9000 --dashboard
Restart=always
RestartSec=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
```
### Scaling Considerations
#### Bootstrap Node Capacity
- **Connections**: ~10,000 concurrent with 4GB RAM
- **Bandwidth**: 1 Mbps per 100 active connections
- **CPU**: 1 core per 5,000 connections
- **Storage**: Minimal (< 1GB for logs)
#### High Availability Setup
```bash
# Run multiple bootstrap nodes behind DNS round-robin
quic.saorsalabs.com A 1.2.3.4
quic.saorsalabs.com A 5.6.7.8
quic.saorsalabs.com A 9.10.11.12
# Client configuration
ant-quic --bootstrap quic.saorsalabs.com:9000
```
### Monitoring
#### Metrics Export
```bash
# Enable Prometheus metrics (when available)
ant-quic --metrics-port 9100
# Dashboard mode for real-time monitoring
ant-quic --dashboard --dashboard-interval 5
```
#### Key Metrics to Monitor
- Connection success rate
- Address discovery effectiveness
- NAT traversal success by type
- Bootstrap node load
- Bandwidth utilization
## Performance
ant-quic is designed for high-performance P2P networking with minimal overhead:
### Key Performance Metrics
- **Low Latency**: Minimized connection establishment time through parallel candidate testing
- **High Throughput**: Leverages Quinn's optimized QUIC implementation
- **Scalability**: Linear scaling up to 5000+ concurrent connections
- **Reliability**: Multiple connection paths and automatic failover
- **Address Discovery Overhead**: < 15ns per frame processing
- **Connection Success**: 27% improvement with QUIC address discovery enabled
- **Establishment Speed**: 7x faster connection times with discovered addresses
### Benchmark Results
#### Frame Processing Performance
- **OBSERVED_ADDRESS Encoding**:
- IPv4: 15.397 ns (ยฑ0.181 ns)
- IPv6: 15.481 ns (ยฑ0.036 ns)
- **OBSERVED_ADDRESS Decoding**:
- IPv4: 6.199 ns (ยฑ0.015 ns)
- IPv6: 6.267 ns (ยฑ0.018 ns)
- **Round-trip overhead**: ~22ns total
#### Memory Usage
- **Per-connection state**: 560 bytes average
- Base state: 48 bytes
- Address tracking: 512 bytes (HashMap storage)
- **Per-path overhead**: 128 bytes
- **1000 connections**: ~547 KB total memory
#### Scalability Testing
- **100 connections**: Linear performance maintained
- **500 connections**: No degradation observed
- **1000 connections**: Consistent sub-microsecond operations
- **5000 connections**: Linear scaling continues
#### Connection Establishment
- **Without address discovery**: Multiple attempts, 60% success after 3 tries
- **With address discovery**: Single attempt, immediate success
- **Performance gain**: 7x faster establishment, 27% higher success rate
## Security
ant-quic implements comprehensive security measures for safe P2P communication:
### Security Features
- **Cryptographic Authentication**: Ed25519-based peer authentication
- **Address Spoofing Prevention**: All OBSERVED_ADDRESS frames are cryptographically authenticated
- **Rate Limiting**: Token bucket algorithm prevents observation flooding
- **Connection Isolation**: Each connection maintains independent state
- **Constant-Time Operations**: Timing attack resistance in critical paths
### Security Properties Validated
#### Address Spoofing Protection
- Only authenticated peers can send address observations
- Cryptographic binding between peer identity and observations
- Invalid observations automatically rejected
#### Rate Limiting Defense
- Configurable per-path rate limits (default: 10 observations/second)
- Bootstrap nodes use higher limits (63/second) for efficiency
- Token bucket ensures burst protection
#### Information Leak Prevention
- Address type detection uses constant-time operations
- Private address checking via bitwise operations
- No timing differences between IPv4/IPv6 processing
#### Attack Resistance
- **Connection Hijacking**: Protected via cryptographic isolation
- **Memory Exhaustion**: Limited to 100 addresses per connection
- **Port Prediction**: Strong randomization prevents guessing
- **Amplification**: Frame size (28 bytes) < typical request (100 bytes)
### Security Testing
Run security tests with:
```bash
cargo test --test address_discovery_security
```
### Benchmark Methodology
All benchmarks run on:
- **Hardware**: AMD Ryzen 9 5900X, 32GB RAM
- **Network**: 1 Gbps symmetric, <1ms local latency
- **OS**: Ubuntu 22.04 LTS, kernel 5.15
- **Methodology**:
- Criterion.rs for micro-benchmarks
- 1000 connection attempts for success rate
- 10,000 iterations for timing measurements
## Documentation
- [NAT Traversal Integration Guide](docs/NAT_TRAVERSAL_INTEGRATION_GUIDE.md) - Complete guide for integrating NAT traversal
- [Security Considerations](docs/SECURITY_CONSIDERATIONS.md) - Security analysis and best practices
- [Troubleshooting Guide](docs/TROUBLESHOOTING.md) - Common issues and solutions
- [Architecture Overview](ARCHITECTURE.md) - System architecture and design
## API Stability and Versioning
### Stable APIs (1.0 guarantee)
- `NatTraversalEndpoint` - High-level NAT traversal API
- `EndpointRole` - Node role configuration
- Transport parameters 0x58 (NAT) and 0x1f00 (Address Discovery)
- Extension frame types (0x40, 0x41, 0x42, 0x43)
### Experimental APIs (subject to change)
- Low-level frame manipulation APIs
- Internal state machine interfaces
- Platform-specific discovery modules
### Version Policy
- **Major**: Breaking changes to stable APIs
- **Minor**: New features, backwards compatible
- **Patch**: Bug fixes only
- **Pre-1.0**: Breaking changes in minor versions
## Contributing
Contributions are welcome! Please see our [contributing guidelines](CONTRIBUTING.md) for details.
### Development Setup
```bash
git clone https://github.com/autonomi/ant-quic
cd ant-quic
cargo test --all-features
# Run the QUIC binary
cargo run --bin ant-quic -- --help
```
### Testing
```bash
# Run all tests
cargo test
# Run with verbose output
cargo test -- --nocapture
# Run specific test categories
cargo test nat_traversal
cargo test candidate_discovery
cargo test connection_establishment
# Run benchmarks
cargo bench
```
## License
This project is licensed under either of
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)
at your option.
## Acknowledgments
- Built on the excellent [Quinn](https://github.com/quinn-rs/quinn) QUIC implementation
- Implements NAT traversal based on [draft-seemann-quic-nat-traversal-01](https://www.ietf.org/archive/id/draft-seemann-quic-nat-traversal-01.html)
- Inspired by WebRTC ICE protocols and P2P networking research
- Developed for the [Autonomi](https://autonomi.com) decentralized network ecosystem
## Contributors
We are deeply grateful to all our [contributors](CONTRIBUTORS.md) who have helped make this project possible. These true heroes dedicate their time and expertise to help others at their own cost. Thank you for your contributions to open source!
See our [CONTRIBUTORS.md](CONTRIBUTORS.md) file for a full list of amazing people who have contributed to this project.
## Security
For security vulnerabilities, please email security@autonomi.com rather than filing a public issue.