跳至主要内容

Threat Model

What Zeq VPN protects

  • Wire confidentiality + integrity. Every packet is AES-256-GCM-wrapped with a key the network never sees. Forgery requires the shared key, which is HMAC-derived from ZEQ_MESH_SECRET plus a fresh per-handshake nonce.
  • DNS-leak resistance. Default dns_via_peer = true routes resolution through the peer's resolver (address pulled from ZSC, not env).
  • Kill-switch on drop. Optional pf-firewall block prevents any non-tunnel egress while the tunnel is down.
  • Traffic-analysis resistance (opt-in). Cover traffic at 12.87 packets/Zeqond — exactly 10× HulyaPulse — fills the channel with random-bytes packets encrypted the same way, so an observer cannot distinguish real from cover.
  • At-rest privacy. The shared key never lands in vpn_tunnels; only the ZSC purpose pointer does. The key itself is AES-256-GCM encrypted in zsc_secrets.

What Zeq VPN does NOT protect

  • Endpoint compromise. If your peer (or your own machine) is rooted, the tunnel does not help. The Zeq AV agent is the right tool there.
  • Side-channel correlation across the public internet. With cover traffic off and a global passive adversary, byte-count + timing fingerprints can still match flows. Turn cover traffic on if that's in your threat model.
  • Legal compulsion against the relay operator. The relay sees encrypted bytes only — it cannot decrypt — but it can be compelled to log + share metadata (peer IPs, tunnel start/stop Zeqonds). Pick relays in jurisdictions you trust.
  • Trusted-third-party-free key escrow. ZSC holds the shared key encrypted-at-rest with the framework's ZEQ_FIELD_KEY. If you do not control that key, a sufficiently-privileged operator could decrypt past sessions. Self-host the api-core if that's unacceptable.

≤ 0.1 % gate

The framework's tolerance contract applies here as everywhere:

  • Time constants (F_H, TAU_ZQ, ALPHA_K) imported from zeq-kernel-constants.ts. Never inlined.
  • Cover traffic rate derived from PULSE_HZ * 10 at runtime; Rust unit test asserts the value lands within 0.001 of 12.87.
  • Settlement math is integer-only (Math.floor + Math.ceil) — no rounding drift possible.

Trust assumptions

State machine identity (slug ↔ owner ZID)Trusted via existing state_machines table + zsm_ bearer auth.
Shared-key derivation HMAC secret (ZEQ_MESH_SECRET)Same secret the existing mesh-gossip layer signs with. Rotation = framework-wide rotation.
POHC tier scoresRead from /api/protocol/pohc — peers with low POHC trust scores can still list, but the marketplace UI surfaces the tier badge so requesters can choose.
Relay operatorUntrusted; sees only ciphertext. Can log metadata.

Phase 3 hardening

  • Forward-secrecy via per-Zeqond key ratcheting (currently one shared key per tunnel; FS would rotate every 60 Zeqonds).
  • Optional Onion routing through 3-hop chains (the multi_hop_chain column is already provisioned in vpn_tunnels).
  • Probabilistic-padding cover-traffic mode (instead of constant-rate).