Skip to content

feat: PSK / pnet (private networks) #171

Description

@ch4r10t33r

Problem

libp2p PSK / pnet is unimplemented. Embedders who want a closed network (PoC chains, testnets that should not leak into public bootnodes, internal infra) can't gate inbound/outbound connections on a 32-byte shared key the way go-libp2p `pnet.NewProtector` does.

Today the only authentication is the libp2p TLS / Noise identity layer (per-peer), not a network-wide secret.

Scope

  • New module `src/security/pnet.zig` implementing V1 PSK:
    • 24-byte nonce + ChaCha20 XOR wrap around the post-handshake transport.
    • Loader for the magic `/key/swarm/psk/1.0.0/` PEM-like format.
  • Optional knob on `host.HostConfig` to attach a PSK; when set, transports refuse plain connections.
  • Both TCP (post-Noise) and QUIC (negotiated at multistream layer before app streams) paths.
  • Round-trip + cross-impl test against go-libp2p `pnet` once available.

Open question

QUIC + PSK is awkward — the libp2p PSK spec was written for plaintext post-TCP. The standard approach is don't apply PSK to QUIC since TLS already authenticates. Decide here whether we ship PSK as a TCP-only feature, or extend it.

Acceptance

  • Module + PEM loader + tests.
  • Documented behaviour for QUIC (likely "not applicable / use the libp2p TLS extension's peer set").
  • README "Supported" matrix updated.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions