fastnet 0.2.3

Ultra-low latency encrypted networking for real-time games. TLS 1.3 + ChaCha20-Poly1305 with ~15µs RTT.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in FastNet, please report it by sending an email to **security@filipefreitas.dev**.

Please include:

1. **Description** of the vulnerability
2. **Steps to reproduce** the issue
3. **Potential impact** assessment
4. **Suggested fix** (if any)

### Response Timeline

- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Fix Timeline**: Depends on severity (critical: 24-48h, high: 7 days, medium: 30 days)

## Security Model

FastNet uses a layered security approach:

### 1. Key Exchange (TLS 1.3)

- Initial connection uses TLS 1.3 over TCP
- Server authenticates with X.509 certificate
- Ephemeral keys generated per session
- Forward secrecy guaranteed

### 2. Packet Encryption (ChaCha20-Poly1305)

- All UDP packets encrypted with AEAD
- 256-bit keys derived from TLS handshake
- 64-bit nonces (counter-based, no reuse)
- 128-bit authentication tags

### 3. Protocol Security

- Per-peer encryption keys (compromise isolation)
- Sequence numbers prevent replay attacks
- No plaintext metadata exposure

## Known Limitations

1. **Certificate Validation**: Client currently accepts self-signed certificates for development convenience. In production, implement proper certificate validation.

2. **DoS Protection**: No built-in rate limiting. Implement at application layer.

## Key Rotation

FastNet implements automatic key rotation for forward secrecy:

- **Packet-based rotation**: Every 1,000,000 packets
- **Time-based rotation**: Every 1 hour
- **BLAKE3 derivation**: New keys derived from old keys + nonce
- **Forward secrecy**: Compromised keys cannot decrypt previous traffic

Key rotation happens transparently during normal operation with no performance impact.

## Best Practices

### For Server Operators

```bash
# Generate production certificates
openssl req -x509 -newkey rsa:4096 \
    -keyout key.pem -out cert.pem \
    -days 365 -nodes \
    -subj "/CN=your-game-server.com"

# Use Let's Encrypt for public servers
certbot certonly --standalone -d your-game-server.com
```

### For Developers

- Never commit certificates to version control
- Use environment variables for certificate paths
- Implement connection timeouts
- Log security events (failed handshakes, invalid packets)

## Cryptographic Dependencies

FastNet relies on well-audited cryptographic libraries:

- **rustls** (v0.23) - TLS implementation
- **chacha20poly1305** (v0.10) - AEAD cipher
- **blake3** (v1.5) - Key derivation and file hashing
- **rand** (v0.9) - Secure random number generation
- **lz4_flex** (v0.11) - Fast compression for assets

All dependencies are pure Rust with no C bindings, reducing attack surface.