fynx-proto 0.1.0-alpha.3

Production-ready SSH and IPSec/IKEv2 protocol implementations with comprehensive testing and high-level APIs
Documentation

Fynx Proto - Network Security Protocols

Crates.io Documentation License

Production-ready SSH and IPSec protocol implementations in Rust, designed for the Fynx security ecosystem.

๐ŸŽฏ Protocols

SSH (Secure Shell) โœ… Production Ready

Complete SSH protocol implementation with modern cryptography:

  • SSH Transport Layer (RFC 4253): Version exchange, key exchange, packet encryption
  • Key Exchange: Curve25519 (curve25519-sha256), DH Groups 14/15
  • Host Keys: Ed25519, RSA, ECDSA (P-256/384/521)
  • Authentication: Password, public key (Ed25519, RSA, ECDSA)
  • Encryption: ChaCha20-Poly1305, AES-128/256-GCM
  • Advanced: Private key loading (PEM, OpenSSH), known_hosts, authorized_keys
  • Testing: 178 tests passing (100%)

IPSec/IKEv2 (IP Security) โœ… Production Ready

Enterprise-grade VPN protocol with comprehensive features:

  • IKEv2 Protocol (RFC 7296): IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA
  • ESP Protocol (RFC 4303): Transport & Tunnel modes
  • Encryption: AES-128/256-GCM, ChaCha20-Poly1305 (AEAD)
  • Authentication: Pre-Shared Keys (PSK)
  • Advanced: NAT-T (RFC 3948), Dead Peer Detection (DPD), SA Rekeying
  • High-Level APIs: IpsecClient, IpsecServer with builder pattern
  • Production: Structured logging (tracing), metrics (18 counters), error handling
  • Testing: 567 tests passing + 12 benchmarks + 10 interop tests

โšก Quick Start

SSH Client

Add to your Cargo.toml:

[dependencies]

fynx-proto = { version = "0.1.0-alpha.2", features = ["ssh"] }

tokio = { version = "1.35", features = ["full"] }

Connect to an SSH server:

use fynx_proto::ssh::client::SshClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Connect and authenticate
    let mut client = SshClient::connect("127.0.0.1:22").await?;
    client.authenticate_password("username", "password").await?;

    // Execute command
    let output = client.execute("whoami").await?;
    println!("Output: {}", String::from_utf8_lossy(&output));

    Ok(())
}

IPSec VPN Client

Add to your Cargo.toml:

[dependencies]

fynx-proto = { version = "0.1.0-alpha.2", features = ["ipsec"] }

tokio = { version = "1.35", features = ["full"] }

Create a VPN connection:

use fynx_proto::ipsec::{IpsecClient, ClientConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure client
    let config = ClientConfig::builder()
        .with_local_id("client@example.com")
        .with_remote_id("server@example.com")
        .with_psk(b"my-secret-key")
        .build()?;

    // Connect to VPN server
    let mut client = IpsecClient::new(config);
    client.connect("10.0.0.1:500".parse()?).await?;

    // Send encrypted data
    client.send_packet(b"Hello, VPN!").await?;
    let response = client.recv_packet().await?;
    println!("Received: {:?}", response);

    // Graceful shutdown
    client.shutdown().await?;
    Ok(())
}

๐Ÿ“š Features

SSH Protocol Features

Core Protocol

  • โœ… RFC 4253: SSH Transport Layer Protocol
  • โœ… RFC 4252: Authentication Protocol
  • โœ… RFC 4254: Connection Protocol
  • โœ… Version exchange and algorithm negotiation
  • โœ… Key exchange with signature verification
  • โœ… Encrypted packet transport

Key Exchange

  • โœ… Curve25519-SHA256 (modern, recommended)
  • โœ… Diffie-Hellman Group 14 (2048-bit)
  • โœ… Diffie-Hellman Group 15 (3072-bit)

Host Key Algorithms

  • โœ… ssh-ed25519 (Ed25519 signatures)
  • โœ… rsa-sha2-256, rsa-sha2-512 (RSA with SHA-2)
  • โœ… ecdsa-sha2-nistp256/384/521 (ECDSA)

Authentication

  • โœ… Password authentication (RFC 4252)
  • โœ… Public key authentication (Ed25519, RSA, ECDSA)
  • โœ… Private key loading (PEM, PKCS#1, PKCS#8, OpenSSH formats)
  • โœ… Encrypted private keys (AES-128/192/256, bcrypt-pbkdf)
  • โœ… authorized_keys file parsing
  • โœ… known_hosts management (add, verify, update)
  • โœ… StrictHostKeyChecking modes

Encryption (AEAD)

MAC Algorithms

  • โœ… hmac-sha2-256
  • โœ… hmac-sha2-512

IPSec Protocol Features

IKEv2 Protocol (RFC 7296)

  • โœ… IKE_SA_INIT: Initial handshake + DH key exchange
  • โœ… IKE_AUTH: PSK authentication + first Child SA
  • โœ… CREATE_CHILD_SA: Rekeying and new tunnels
  • โœ… INFORMATIONAL: DELETE notifications, DPD

ESP Protocol (RFC 4303)

  • โœ… Transport mode (host-to-host)
  • โœ… Tunnel mode (network-to-network VPN)
  • โœ… Anti-replay protection (sequence numbers)
  • โœ… Automatic rekeying before SA expiration

Encryption Algorithms

  • โœ… AES-128-GCM (AEAD)
  • โœ… AES-256-GCM (AEAD)
  • โœ… ChaCha20-Poly1305 (AEAD, RFC 8750)

Key Exchange

  • โœ… Diffie-Hellman Group 14 (2048-bit MODP)
  • โœ… Diffie-Hellman Group 15 (3072-bit MODP)
  • โœ… Curve25519 (ECDH)

Advanced Features

  • โœ… NAT Traversal (NAT-T, RFC 3948)
  • โœ… Dead Peer Detection (DPD)
  • โœ… Traffic Selectors (subnet-based tunnels)
  • โœ… Multiple cipher suite negotiation
  • โœ… Cookie-based DoS protection

Production Features

  • โœ… High-level APIs (IpsecClient, IpsecServer)
  • โœ… Configuration builders with validation
  • โœ… Structured logging (tracing, 20+ instrumented functions)
  • โœ… Metrics collection (18 atomic counters)
  • โœ… Enhanced error handling (error codes, context, retry detection)
  • โœ… Comprehensive documentation (500+ lines user guide)

๐Ÿ—๏ธ Architecture

fynx-proto/
โ”œโ”€โ”€ src/
โ”‚   โ”œโ”€โ”€ ssh/                    # SSH Protocol (178 tests)
โ”‚   โ”‚   โ”œโ”€โ”€ client.rs           # SSH client with host key verification
โ”‚   โ”‚   โ”œโ”€โ”€ server.rs           # SSH server with authentication
โ”‚   โ”‚   โ”œโ”€โ”€ transport.rs        # Transport layer state machine
โ”‚   โ”‚   โ”œโ”€โ”€ kex.rs              # Key exchange (Curve25519, DH)
โ”‚   โ”‚   โ”œโ”€โ”€ hostkey.rs          # Host keys (Ed25519, RSA, ECDSA)
โ”‚   โ”‚   โ”œโ”€โ”€ auth.rs             # Authentication (password, pubkey)
โ”‚   โ”‚   โ”œโ”€โ”€ privatekey.rs       # Private key loading
โ”‚   โ”‚   โ”œโ”€โ”€ known_hosts.rs      # known_hosts file management
โ”‚   โ”‚   โ”œโ”€โ”€ authorized_keys.rs  # authorized_keys parsing
โ”‚   โ”‚   โ””โ”€โ”€ crypto.rs           # Cryptographic primitives
โ”‚   โ”‚
โ”‚   โ””โ”€โ”€ ipsec/                  # IPSec Protocol (567 tests)
โ”‚       โ”œโ”€โ”€ client.rs           # High-level IpsecClient API
โ”‚       โ”œโ”€โ”€ server.rs           # High-level IpsecServer API
โ”‚       โ”œโ”€โ”€ config.rs           # Configuration builders
โ”‚       โ”œโ”€โ”€ ikev2/              # IKEv2 protocol implementation
โ”‚       โ”œโ”€โ”€ esp/                # ESP protocol implementation
โ”‚       โ”œโ”€โ”€ crypto/             # AEAD ciphers, key derivation
โ”‚       โ”œโ”€โ”€ logging.rs          # Structured logging
โ”‚       โ””โ”€โ”€ metrics.rs          # Performance metrics
โ”‚
โ”œโ”€โ”€ tests/
โ”‚   โ”œโ”€โ”€ ssh_integration.rs      # SSH integration tests (6 tests)
โ”‚   โ”œโ”€โ”€ ipsec_integration.rs    # IPSec integration tests (25 tests)
โ”‚   โ”œโ”€โ”€ ipsec_client_server.rs  # API tests (6 tests)
โ”‚   โ””โ”€โ”€ interop_strongswan.rs   # strongSwan interop (10 tests, ignored)
โ”‚
โ”œโ”€โ”€ benches/
โ”‚   โ””โ”€โ”€ ipsec_bench.rs          # IPSec benchmarks (12 benchmarks)
โ”‚
โ””โ”€โ”€ docs/
    โ”œโ”€โ”€ ssh/                    # SSH documentation
    โ””โ”€โ”€ ipsec/                  # IPSec documentation

๐Ÿงช Testing

Comprehensive test coverage with 745+ tests:

# Run all tests

cargo test --all-features


# SSH tests (178 passing)

cargo test --features ssh


# IPSec tests (567 passing)

cargo test --features ipsec


# Run benchmarks

cargo bench --features ipsec


# With output

cargo test -- --nocapture

Test Breakdown

Category Tests Status
SSH Unit Tests 172 โœ… 100%
SSH Integration 6 โœ… 100%
IPSec Unit Tests 536 โœ… 100%
IPSec Integration 25 โœ… 100%
IPSec API Tests 6 โœ… 100%
Total Library Tests 745 โœ… 100%
IPSec Benchmarks 12+ โœ… Running
Interop Tests 10 ๐Ÿ“‹ Framework ready

๐Ÿ”’ Security

Memory Safety

  • Zero unsafe code: 100% safe Rust
  • Zeroization: Sensitive data (keys, passwords) securely wiped
  • No memory leaks: RAII and automatic cleanup

Cryptographic Security

  • Modern algorithms: Curve25519, Ed25519, ChaCha20-Poly1305
  • Constant-time operations: Timing attack resistant
  • Strong RNG: Using ring for cryptographic randomness
  • Anti-replay protection: Sequence number validation in ESP

Protocol Security

  • Host key verification: Prevent MITM attacks (SSH)
  • Signature verification: Authenticate server identity (SSH, IKEv2)
  • Cookie-based DoS protection: Resist resource exhaustion (IKEv2)
  • Dead Peer Detection: Detect unresponsive peers (IPSec)

๐Ÿ“– Documentation

Examples

Run examples with:

# SSH client example

cargo run --example simple_client --features ssh


# IPSec client example

cargo run --example ipsec_client --features ipsec -- 10.0.0.1:500 client@example.com server@example.com "my-secret-key"


# IPSec server example (requires root/administrator for port 500)

cargo run --example ipsec_server --features ipsec -- 0.0.0.0:500 server@example.com "my-secret-key"

โš™๏ธ Feature Flags

[features]

default = ["ssh"]



# SSH protocol support (RFC 4253/4252/4254)

# - 178 tests, production-ready

# - Client, server, authentication

ssh = []



# IPSec/IKEv2 VPN protocol (RFC 7296, RFC 4303)

# - 567 tests, production-ready

# - IKEv2 key exchange, ESP encryption

# - High-level APIs, metrics, logging

ipsec = []



# DTLS protocol (planned)

dtls = []



# TTY password input for SSH

tty-password = ["rpassword"]

๐Ÿš€ Performance

Benchmarks (IPSec)

Run with: cargo bench --features ipsec --bench ipsec_bench

  • IKE Handshake: Complete IKE_SA_INIT + IKE_AUTH exchange
  • ESP Encryption: 64B, 512B, 1500B packet throughput
  • ESP Decryption: 64B, 1500B packet throughput
  • Key Derivation: IKE SA and Child SA key generation
  • Serialization: Packet encoding/decoding performance

Async Runtime

  • Built on Tokio for efficient async I/O
  • Non-blocking operations throughout
  • Supports thousands of concurrent connections

Memory Efficiency

  • Zero-copy buffer operations with bytes crate
  • Efficient packet parsing
  • Automatic cleanup with RAII

๐Ÿ“‹ Roadmap

Completed โœ…

  • SSH Transport Layer (RFC 4253)
  • SSH Authentication (password, public key)
  • SSH Connection Protocol (command execution)
  • Private key loading (PEM, OpenSSH formats)
  • known_hosts management
  • authorized_keys parsing
  • IKEv2 Protocol (RFC 7296)
  • ESP Protocol (RFC 4303)
  • NAT Traversal (NAT-T)
  • Dead Peer Detection (DPD)
  • High-level IPSec APIs
  • Production hardening (logging, metrics)

Planned ๐Ÿ“‹

  • SSH: Port forwarding (Local, Remote, Dynamic)
  • SSH: SFTP protocol
  • SSH: Session management (multiplexing, connection pool)
  • SSH: ssh-agent support
  • SSH: SCP support
  • IPSec: X.509 certificate authentication
  • IPSec: Additional cipher suites
  • IPSec: MOBIKE (RFC 4555)
  • DTLS: Protocol implementation

๐Ÿค Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Development Setup

# Clone repository

git clone https://github.com/Rx947getrexp/fynx

cd fynx/crates/proto


# Build

cargo build --all-features


# Run tests

cargo test --all-features


# Run specific protocol tests

cargo test --features ssh

cargo test --features ipsec


# Run clippy

cargo clippy --all-features


# Format code

cargo fmt


# Generate documentation

cargo doc --all-features --open

๐Ÿ“„ License

Dual-licensed under MIT or Apache-2.0.

๐Ÿ”— References

SSH

IPSec

๐Ÿ’ฌ Support

Note: This is an alpha release. While extensively tested, please conduct security audits before production deployment.