| Internet-Draft | POOL | July 2026 |
| Davis | Expires 5 January 2027 | [Page] |
This document describes the Protected Orchestrated Overlay Link (POOL), an experimental secure transport protocol. POOL provides mandatory mutual authentication, always-on authenticated encryption with no plaintext mode, a stateless handshake resistant to resource exhaustion attacks, cryptographically unpredictable sequence numbers, self-describing 256-bit addresses, active path MTU discovery, per-flow telemetry, atomic configuration changes with automatic rollback, and an append-only hash-chained change journal. POOL operates either as an overlay above TCP (over IPv4 or IPv6) or directly over IP using experimental protocol number 253; the raw-IP transport is specified for IPv4 only in this document.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an implementation are maintained at https://github.com/amosdavis/POOL.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
TCP/IP was designed for a cooperative network and acquired its security, observability, and operational-safety mechanisms as afterthoughts. The consequences are well documented: trust-by-default transport, spoofable sources, resource-exhausting handshakes, predictable sequence numbers, unauthenticated control packets, plaintext defaults, silent path MTU failures, and configuration changes with no protocol-level audit trail or rollback.¶
POOL (Protected Orchestrated Overlay Link) is an experimental transport protocol that makes the opposite defaults mandatory:¶
This document specifies the POOL version 1 wire protocol and the normative hardening requirements labeled P01 through P13 and N02. It is published as an Experimental document to solicit review of the design and operational experience from independent implementations.¶
POOL was designed by inversion: before any mechanism was specified, the ways the system could fail were cataloged, and that catalog was adopted as a set of binding design tenets. No protocol mechanism is accepted if it creates a new path to a documented failure mode. Four failure catalogs govern this document:¶
| Failure Category | TCP/IP Problem | POOL Mechanism |
|---|---|---|
| No built-in security | Trust by default | Mandatory mutual authentication and encryption |
| IP spoofing | Unverified source | Challenge-response proves reachability |
| SYN flood | Stateful handshake | Stateless challenge; zero pre-allocation |
| Sequence prediction | Predictable ISN | CSPRNG-derived sequence numbers |
| RST injection | Unauthenticated control | Every packet HMAC-authenticated |
| No encryption | Plaintext default | ChaCha20-Poly1305, always on |
| Man-in-the-middle | No channel binding | Ephemeral ECDH plus per-packet HMAC |
| Header manipulation | No header authentication | HMAC-SHA256 covers the entire packet |
| Address exhaustion | 32-bit IPv4 | 256-bit self-describing addresses |
| Address conflicts | DHCP/static clashes | Cryptographically derived unique node IDs |
| MTU silent drops | PMTUD failures | Active authenticated probing; mandatory fragmentation |
| No monitoring | External tools only | Built-in per-flow telemetry |
| Configuration drift | No versioning | Atomic versioned configuration with rollback |
| No audit trail | External logging | Built-in hash-chained change journal |
| Unsaved configuration | Volatile state | Persistent versioned configuration |
| Vendor lock-in | Proprietary behavior | Single open canonical specification |
| Route origin forgery | No route authentication | Addresses cryptographically bound to node identity |
| Name-service dependency | Separate DNS service | Embedded peer discovery |
| Cascading failure | No backpressure | OVERLOAD signal and built-in flow control |
| Change-window risk | No automatic rollback | Deadline-based automatic rollback |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
All POOL packets share a common 80-byte header. Multi-byte fields are big-endian (network byte order).¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version (4) | Type (4) | Flags (16) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number (64) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment (64) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID (128) | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timestamp (64) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Length (16) | Channel (8) | Reserved (8)| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HMAC (256) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value | Name | Description |
|---|---|---|
| 0x0 | INIT | Connection initiation (carries client ephemeral public key) |
| 0x1 | CHALLENGE | Server challenge (carries puzzle and server ephemeral key) |
| 0x2 | RESPONSE | Client puzzle solution and key-agreement completion |
| 0x3 | DATA | Encrypted application data |
| 0x4 | ACK | Pure acknowledgment |
| 0x5 | HEARTBEAT | Keepalive with embedded telemetry |
| 0x6 | REKEY | Session key rotation |
| 0x7 | CLOSE | Graceful authenticated close |
| 0x8 | CONFIG | Configuration change announcement |
| 0x9 | ROLLBACK | Atomic rollback to previous configuration |
| 0xA | DISCOVER | Network/MTU/peer discovery |
| 0xB | JOURNAL | Change journal synchronization |
| 0xC | INTEGRITY | Peer cryptographic challenge-response (runtime behavioral verification) |
| 0xD-0xF | RESERVED | Reserved for future use |
| Bit | Name | Description |
|---|---|---|
| 0 | ENCRYPTED | Payload is encrypted (always set after the handshake) |
| 1 | COMPRESSED | Payload was compressed before encryption (see Section 15.10) |
| 2 | PRIORITY | High-priority packet |
| 3 | FRAGMENT | Packet is a fragment of a larger message |
| 4 | LAST_FRAG | Packet is the last fragment |
| 5 | REQUIRE_ACK | Sender requires explicit acknowledgment |
| 6 | TELEMETRY | Heartbeat carries telemetry data |
| 7 | ROLLBACK_READY | Node supports atomic rollback |
| 8 | CONFIG_LOCKED | Configuration changes are frozen |
| 9 | JOURNAL_SYNC | Journal synchronization in progress |
| 10-15 | RESERVED | MUST be zero on transmission and ignored on receipt |
Unlike TCP's three-way handshake, which allocates server resources upon SYN receipt, POOL uses a stateless challenge-response in which the server allocates no per-connection state until the client has proven that it can receive replies at its claimed address and has solved a computational puzzle.¶
Client Server | | |--- INIT (client ephemeral pubkey) ->| Server allocates NOTHING | | Challenge derived from | | hash(client_addr, time, | | server_secret) |<-- CHALLENGE (puzzle, server key) --| Still ZERO server state | | | Client solves puzzle | | Client derives shared secret | | | |--- RESPONSE (solution, proof) ----->| Server verifies solution | | Server derives shared secret | | NOW session state is created |<-- DATA (first payload) ------------| | |
The server derives the challenge from a keyed hash over the client's address, a timestamp, and a rotating server secret (Section 15.2); it can therefore regenerate and verify the challenge statelessly. The puzzle is a hash-preimage search whose difficulty is adjustable under load (Section 15.8).¶
This construction resists SYN-flood-style resource exhaustion because unanswered INITs consume no server memory, and it resists source-address spoofing because a client that cannot receive the CHALLENGE cannot proceed.¶
The proof-of-work puzzle input binds the full 16-byte client address (IPv4 addresses are represented as IPv4-mapped IPv6, Section 12), an 8-byte server secret, and a 4-byte timestamp.¶
Key agreement uses X25519 [RFC7748] with ephemeral key pairs generated per session by both sides. The shared secret is processed with HKDF-SHA256 [RFC5869] to derive the session encryption key, the HMAC key, and the sequence key, using distinct info labels for each.¶
All payload encryption uses the ChaCha20-Poly1305 AEAD [RFC8439] with a 256-bit session key. The 96-bit nonce is constructed from session-unique material and the packet sequence number as specified normatively in Section 15.1; a nonce value is never reused under the same key.¶
Every packet carries an HMAC-SHA256 [RFC2104] computed over the header and the plaintext payload using the session HMAC key, which is derived separately from the encryption key. This prevents header manipulation, reset injection, and sequence corruption. Verification timing requirements are given in Section 15.3.¶
Sessions rekey automatically after 2^28 packets or one hour, whichever comes first, via a new ephemeral X25519 exchange carried inside the encrypted session. Old key material MUST be zeroed immediately after rotation. Simultaneous-initiation tie-breaking is specified in Section 15.6.¶
The initial sequence number is drawn from a cryptographically secure random number generator. Sequence numbers are unpredictable to external observers, which prevents the prediction and injection attacks that plague cleartext transports. The 64-bit space removes wraparound concerns in practice; rekeying is required well before exhaustion (Section 15.1). Anti-replay requirements are given in Section 15.12.¶
POOL uses 256-bit self-describing addresses:¶
[32-bit : address type + version] [64-bit : organization/network ID] [64-bit : subnet/segment ID] [64-bit : node ID (derived from the node's public key hash)] [32-bit : checksum]¶
Properties:¶
Every HEARTBEAT packet (default interval: 5 seconds) carries a telemetry block:¶
struct pool_telemetry {
uint64_t rtt_ns; /* round-trip time, nanoseconds */
uint64_t jitter_ns; /* RTT variance */
uint32_t loss_rate_ppm; /* packet loss, parts per million */
uint32_t throughput_bps; /* current throughput estimate */
uint16_t mtu_current; /* current path MTU */
uint16_t queue_depth; /* local send queue depth */
uint64_t uptime_ns; /* session uptime */
uint32_t rekey_count; /* completed key rotations */
uint32_t config_version; /* current configuration version */
uint32_t state_digest; /* CRC32 of session state, for
cross-peer consistency checks */
uint64_t journal_head; /* truncated journal chain head
commitment (see Section 10) */
};
¶
Both peers timestamp heartbeats and independently compute RTT, jitter, and loss, giving each side a view it can cross-check against the other's reported values. The state_digest and journal_head fields support the cross-peer integrity mechanisms described in Section 17.¶
POOL nodes maintain a versioned configuration state consisting of a monotonically increasing version, the previous version, SHA-256 hashes of the serialized current and previous configurations, an application timestamp, and a rollback deadline.¶
Every POOL node maintains an append-only journal of protocol state changes. Each entry records a timestamp, the configuration versions before and after, a change type, serialized change detail, and a SHA-256 entry hash. Entry hashes are chained: each entry's hash includes the previous entry's hash, so modification of any past entry invalidates all subsequent hashes.¶
The chain head is a commitment to the entire journal history. Implementations SHOULD publish the chain head outside the node (for example, to remote logging infrastructure) and carry a truncated chain head in heartbeat telemetry so that each peer retains an independent replica; divergence between a node's journal and externally held commitments indicates tampering.¶
Journals synchronize between peers via JOURNAL packets and provide a complete audit trail with before/after hashes for every change.¶
POOL never silently drops packets. Every error condition produces a journal entry and a telemetry counter increment, and MAY produce an encrypted error notification to the peer.¶
| Code | Category | Description |
|---|---|---|
| 0x01 | AUTH_FAIL | Authentication or HMAC verification failed |
| 0x02 | DECRYPT_FAIL | Decryption failed |
| 0x03 | SEQ_INVALID | Sequence number outside the valid window |
| 0x04 | FRAG_TIMEOUT | Fragment reassembly timed out |
| 0x05 | MTU_EXCEEDED | Packet exceeds the negotiated MTU |
| 0x06 | CONFIG_REJECT | Configuration change rejected by policy |
| 0x07 | REKEY_FAIL | Key rotation failed |
| 0x08 | JOURNAL_FULL | Journal storage exhausted |
| 0x09 | OVERLOAD | Node is overloaded (backpressure signal) |
| 0x0A | VERSION_MISMATCH | Protocol version incompatible |
POOL runs over two transports:¶
IP addresses are not carried in POOL packet headers; the underlying transport handles network addressing, so the wire protocol is identical over IPv4 and IPv6. Internally, implementations represent all addresses as 128-bit values, storing IPv4 addresses in IPv4-mapped IPv6 form (::ffff:a.b.c.d). A single dual-stack listener accepts both families. The handshake puzzle binds the full 16-byte client address for both families (Section 4). The raw IP transport is currently specified for IPv4 only.¶
Every transport that has tried to replace TCP failed in part because it demanded a flag-day cutover: both endpoints had to change simultaneously, and neither side had an incentive to move first. POOL is designed so that no adopter ever has to be first, through three coexisting mechanisms that can be deployed independently and rolled back independently. TCP continues to work at every stage.¶
A bridge daemon terminates TCP from legacy clients at the network edge, establishes a POOL session to the destination, and forwards traffic in both directions:¶
TCP client -> [tcp2pool] -> POOL -> [pool2tcp] -> TCP server¶
Neither the client nor the server changes. The operator immediately gains encrypted and mutually authenticated internal transport, per-flow telemetry, and the audit journal on the bridged path. Rollback is stopping the bridge; traffic reverts to direct TCP.¶
Because the bridge decrypts and re-encrypts, it handles plaintext and MUST be operated as a hardened, trusted node; see Section 17.¶
A dynamic-linker interposition library (for example, an LD_PRELOAD shared object) intercepts POSIX socket calls and routes TCP connections through POOL transparently. Existing applications run unmodified; interception can be limited to selected destination ports; optional fallback to TCP covers peers without POOL. Rollback is removing the interposition.¶
Applications built directly against a POOL API gain access to all protocol features (channels, telemetry, journaling) with no TCP involvement. This phase is reached only after phases 1 and 2 have established operational confidence, and phase 2's fallback mechanism remains available.¶
The intended order is: encrypted east-west traffic via edge bridges first; per-service interposition next; inter-organization relaying and native applications last. All phases operate dual-stack (Section 12); the raw IP protocol 253 transport is an optimization adopted last and only on networks that permit it, because middlebox tolerance is itself an adoption requirement (Section 14).¶
The historical record of stalled and abandoned transport protocols is itself a failure catalog, and POOL treats it as binding: each documented cause of death is answered by a specific design decision.¶
| Adoption failure mode | Protocols it killed or stalled | POOL countermeasure |
|---|---|---|
| Flag-day requirement: both endpoints must upgrade simultaneously | CurveCP, MinimaLT, SST, tcpcrypt, HIP | Three-phase migration with per-phase rollback (Section 13); no adopter is ever required to move first |
| Middlebox ossification: NATs and firewalls drop unknown protocols | DCCP, SCTP, CurveCP (UDP-blocked), raw-protocol designs | Default transport is a TCP overlay that traverses existing middleboxes; raw protocol 253 is optional |
| Applications must be rewritten for a new API | SST, XTP, IL | Bridge and socket-interposition phases require no application changes |
| Opportunistic security without authentication invites active MITM and undermines the value proposition | tcpcrypt | Authentication is mandatory; there is no unauthenticated or plaintext mode to fall back into |
| Complexity without a deployment story; no reference implementation or OS support | MinimaLT, XTP, NEAT | A complete open reference implementation (kernel module, bridge, interposition library, tooling) is maintained with the specification |
| Per-flow state in the network core does not scale | RSVP/IntServ | All POOL state is end-to-end; the network core carries opaque traffic |
| Identifier-locator split requires new infrastructure (rendezvous, DNS records) | HIP | POOL addresses are self-describing and self-authenticating; no new global infrastructure is required for basic operation |
| A better-backed alternative absorbed the design space | SST, Minion, DCCP (absorbed by QUIC and HTTP/2) | POOL targets properties no deployed protocol provides (see below) rather than re-solving multiplexing or 0-RTT |
Conversely, POOL deliberately targets capabilities that no widely deployed transport provides: protocol-level atomic configuration with automatic rollback, a transport-level audit journal, built-in per-flow telemetry, self-describing cryptographically bound addresses, MTU discovery with no silent drops, mandatory (non-negotiable) authentication and encryption, and integrated backpressure signaling.¶
The following requirements address protocol-level failure modes identified during security analysis of POOL version 1. All are normative for compliant implementations.¶
The 96-bit nonce for ChaCha20-Poly1305 MUST be constructed as:¶
nonce[0:3] = hmac_key[0:4] (session-unique prefix) nonce[4:11] = big-endian(seq) (64-bit sequence number)¶
Implementations MUST trigger rekeying before the sequence counter reaches 2^63 to prevent nonce reuse. After rekeying, the new HMAC key provides a fresh prefix, guaranteeing nonce uniqueness across key epochs.¶
Rationale: using zero bytes for nonce[0:3] would reduce the effective nonce space by 32 bits, increasing collision probability across concurrent sessions.¶
The server MUST rotate its challenge secret at least every 300 seconds. During rotation, the server MUST accept challenges generated with the previous secret for a grace period of twice the rotation interval, to avoid rejecting in-flight handshakes.¶
Rationale: without rotation, captured challenge parameters could be solved offline and replayed indefinitely.¶
All HMAC verification MUST use constant-time comparison. Variable-time memory comparison MUST NOT be used for any authentication tag or HMAC comparison.¶
Rationale: variable-time comparison leaks tag bytes through timing side channels, enabling byte-by-byte forgery.¶
Implementations MUST enforce all of the following:¶
Rationale: without limits, an attacker can exhaust reassembly memory with many small fragment sequences that are never completed.¶
DISCOVER packets used for MTU probing MUST be rate-limited to at most one probe per second per peer. Probe responses MUST only be accepted from peers with established sessions, authenticated by the session HMAC.¶
Rationale: unauthenticated probes can be amplified by spoofing, causing probe storms between peers.¶
When both peers initiate REKEY simultaneously, the peer with the lexicographically lower Session ID MUST proceed as the rekey initiator; the other peer MUST abort its own attempt and process the received REKEY as a responder. Each rekey MUST include a monotonically increasing epoch number to disambiguate key material.¶
If no configuration confirmation is received within the rollback deadline, implementations MUST treat silence as confirmation, not as failure. The CONFIG sender MUST retry the confirmation request at least three times with exponential backoff (1, 2, and 4 seconds) before the deadline expires.¶
Rationale: an attacker who can suppress a single packet must not be able to force a rollback to a less secure configuration.¶
INIT packets MUST include a 64-bit nanosecond timestamp. The server MUST reject INIT packets whose timestamps deviate more than 30 seconds from the server's current time. The puzzle difficulty MUST be at least 16, requiring 2^16 hash operations on average.¶
Rationale: without timestamps, captured INIT packets can be replayed indefinitely; without a difficulty floor, INIT-to- CHALLENGE reflection has zero computational cost for the sender.¶
This document specifies POOL version 1 only. Downgrade prevention applies once a higher protocol version exists: after a successful handshake with a peer at a version greater than 1, a POOL version 1 implementation that also supports the higher version MUST record that peer's maximum supported version and MUST reject subsequent connection attempts from that peer at a lower version with a CLOSE packet carrying a version-downgrade error. A version 1-only implementation has no higher version to protect and takes no downgrade-prevention action.¶
The version 2 wire format (hybrid X25519 + ML-KEM-768 key agreement) is not specified in this document; the downgrade- prevention requirement above is stated normatively so that version 1 implementations that later add version 2 support are conformant from first deployment. Rationale: an active attacker could otherwise strip version negotiation and force peers into the X25519-only mode, which lacks post-quantum protection.¶
When the COMPRESSED flag is set, compression occurs before encryption, and ciphertext length therefore leaks plaintext information (a CRIME/BREACH-style oracle). Applications handling secrets SHOULD either disable compression for sensitive channels or pad compressed output to fixed block sizes (for example, 256-byte blocks).¶
The CRC32 checksum used in POOL address derivation (Section 6) has a birthday bound of approximately 2^16 addresses before a 50% collision probability. Deployments exceeding 10,000 nodes SHOULD upgrade to SHA-256 truncated to its first 4 bytes for address derivation in protocol version 2 and later.¶
Implementations MUST maintain a sliding window of at least 64 sequence numbers. Packets with sequence numbers older than the highest seen minus 64 MUST be silently discarded, as MUST duplicate sequence numbers within the window.¶
This document has no IANA actions.¶
POOL's raw IP transport uses IP protocol number 253, which is reserved for experimentation and testing by [RFC3692]; this document requests no permanent assignment. The TCP overlay transport uses port 9253 by local convention; no port assignment is requested at Experimental status. Should the protocol advance, a dedicated protocol number and a registered port would be requested, and registries for POOL packet types, flags, and error codes would be established.¶
This entire document concerns security; this section summarizes the threat model, residual risks, and the runtime-integrity design that accompanies the protocol.¶
Source-address spoofing is countered by the reachability proof inherent in the challenge-response handshake (Section 4). Resource-exhaustion attacks on the handshake are countered by statelessness and proof-of-work. Sequence prediction, reset injection, and header manipulation are countered by CSPRNG-seeded sequence numbers and per-packet HMAC. Passive interception is countered by mandatory AEAD encryption. On-path key compromise exposure is bounded by ephemeral keys and automatic rekeying.¶
The POOL design includes a companion runtime-integrity threat model that assumes running code can be modified after it has been loaded and verified: live patching of code pages, hardware "overlay" interception of instruction or data flow, microcode or firmware modification, and memory-bus interception. Under this model, twenty failure modes are cataloged in four classes:¶
Eight design tenets counter these: continuous (not only load-time) attestation; behavioral verification over binary verification (verify what code does, not what it is); a hardware root of trust where available; replicated execution with cross-peer consensus; cryptographic execution proofs; self-verifying code; append-only external audit logs; and assuming compromise while designing for detection and recovery.¶
Protocol-visible mechanisms implementing these tenets include: the INTEGRITY packet type (a peer sends a random challenge that must be returned encrypted under the session key, proving the remote crypto path's behavior end to end); the state_digest and journal_head fields in heartbeat telemetry (Section 8), which let each peer hold an independent replica of the other's state and audit-log commitments; and the hash-chained journal with external chain-head publication (Section 10). Implementation-level mechanisms include periodic re-execution of known-answer self-tests with reference-digest comparison, code-section checksumming, continuous statistical health tests on all randomness, startup self-hash attestation of userspace tools, and a measurement chain forwarded to a hardware TPM when one is present. A node that fails any of these checks marks itself compromised, alerts through channels outside the potentially compromised code path, and refuses new sessions.¶
Honest limits: a verifier co-located with the system under test can itself be overlaid; hardware-level interception that faithfully emulates correct behavior is undetectable from inside. Cross-peer replication and hardware roots of trust bound, but do not eliminate, this residual risk.¶
Implementation status of the tenets varies. The reference implementation realizes Tenets T1, T2, T6, T7, and T8 in code (periodic self-tests, code-section checksumming, journal chaining with external chain-head publication, compiler hardening, and fail-closed integrity handling). Tenets T3 (hardware root of trust), T4 (replicated execution with consensus), and T5 (cryptographic execution proofs such as zero-knowledge attestation) are specified normatively for future implementations but are only partially realized today: T3 forwards measurements to a hardware TPM when one is present but cannot verify the TPM's integrity from the module; T4 exists in the partial form of cross-peer HMAC verification and state-digest replication; T5's Merkle-chained journal is implemented, but general cryptographic execution proofs are not. The full threat model, its mitigation matrix, and implementation status are maintained with the reference implementation.¶
POOL version 1 deliberately ships a single fixed cipher suite (X25519, HKDF-SHA256, ChaCha20-Poly1305, HMAC-SHA256) and no runtime negotiation, eliminating downgrade surface within a version. Algorithm migration happens only through whole protocol versions. A version 2 with hybrid X25519 + ML-KEM-768 key agreement is planned; its wire format is not specified in this document. Downgrade prevention between versions is specified in Section 15.9.¶
This appendix collects POOL-specific terms used in the body of this document that are not defined in Section 2. Core protocol terms (Session, Channel, Node identity key, Ephemeral key) are defined in Section 2.¶
journal_head field).¶
state_digest field of heartbeat telemetry, allowing each
peer to hold an independent replica of the other's state
commitment.¶
.text section at init and re-verified periodically as a
continuous runtime attestation mechanism (Tenet T1).¶
The failure-mode-driven design method used throughout POOL — documenting the ways a system can fail and treating that list as binding design tenets — shaped every normative requirement in Section 15.¶