Playground

Interactive Simulations

The hands-on widgets from the lessons, on one page, in order of appearance. Each one links back to the lesson it lives in so you can read the prose around it.

Identity Generator

Lesson 2: Identity →

Generate a keypair and watch it derive into a 16-byte node_addr and a .fips hostname.

Identity Derivation

Click the button to generate a real secp256k1 keypair and watch each derived identifier appear.

Mesh Simulator

Lesson 5: Spanning Tree & Routing →

A live spanning tree with greedy-coordinate routing, bloom-filter hints, random routes, and a tidy-layout button.

Mesh Simulator

SelectedRoute fromRoute to

Tip: click a node to select it, then use arrow keys to nudge it (Shift = larger steps, Esc to deselect). Screen reader users can pick a source and destination above and press Show route.

tree edge mesh edge route root

Bloom Filter

Lesson 5: Spanning Tree & Routing →

Insert and query node addresses against a bloom filter and watch false positives light up the bit array.

Bloom Filter

Same ten demo nodes as the mesh simulator. Insert a few, then query a name you never inserted to see when the filter lies.

InsertQuery

Quick insert:

Bits: 2048Hashes: 5Inserted: 0Fill: 0.0%Est. FPR: 0.000%

Routing Decision

Lesson 5: Spanning Tree & Routing →

Walk through the find_next_hop priority chain (self, direct peer, bloom, tree, fail) one case at a time.

Routing Decision: `find_next_hop()`

Source:Dest:

#1Local delivery check
Is A === D?
No. Continue.
#2Direct peer check

Step 1 of 2

Topology: A—B—C—D, A—D, B—E. Root: smallest node_addr.

Packet Journey

Lesson 6: Encryption →

A packet's two encryption layers (FMP hop-by-hop, FSP end-to-end) across three hops, step by step.

Packet Journey: A → D

Payload

FSP (end-to-end)

FMP (hop-by-hop)

Step 1/7: Application sends payload

App on node A sends data to node D. Raw payload is handed to FSP.

Error Recovery

Lesson 8: When Things Go Wrong →

Replay CoordsRequired, PathBroken, and MtuExceeded signals and watch the mesh heal around the failure.

Warmup has finished. A transit router lost the destination's coordinates (cache expired, or the router just joined). It has no way to forward the packet.

CP counter: 0 / 5frame 1 / 16

Steady state, then R2 drops its cache

The session has been running. Warmup is done (CP counter is 0). R2's coordinate cache for Dst has just expired. R2 still has all its FMP link sessions, it just no longer knows where Dst sits in the tree.

Packet Inspector

Lesson 9: Reading the Wire →

Toggle FIPS packet fields and watch the byte layout and per-layer overhead update in real time.

An IPv6 ping inside FSP inside SessionDatagram inside FMP. Toggle CP to watch the cleartext coordinates appear between the FSP header and the ciphertext.

CP flag clearTree depth3Upper payload64B

FMP outer (AAD)32BFMP inner (AEAD plaintext)5BSessionDatagram35BFSP cleartext12BFSP inner (AEAD plaintext)26BApplication71BTotal: 181 bytes

Click any block above to see what the field is and what it means on the wire.

Link Cost Lab

Lesson 10: Measuring the Mesh →

Tune RTT, loss, and jitter on a candidate parent and see how MMP-weighted cost changes the tree.

Fibercurrent parent

pick as current

SRTT (ms)1 msLoss0%peer.depth2

ETX: 1.00
link_cost: 1.01
eff. depth: 3.01

Long-range radio

pick as current

SRTT (ms)500 msLoss5%peer.depth1

ETX: 1.11
link_cost: 6.65
eff. depth: 7.65

parent_hysteresis20%

threshold = 3.01 × (1 − 0.20) = 2.41

Fiber is already the current parent with effective depth 3.01. No switch needed.

Threat Lens

Lesson 11: Who Sees What →

Pick an adversary class and see what they can actually read off a FIPS frame.

Adversary

A mesh node that forwards your FSP session but is not its endpoint. Sees routing envelope only.

Artifact	Visibility
Packet timing and sizes Wire-level volume and inter-arrival gaps.	visible
Transport endpoints Underlying WiFi BSSID, IP:port pair, Bluetooth MAC, serial tty.	metadata
FMP payload (routing gossip, session datagrams) TreeAnnounce, BloomGossip, LookupRequest, MMP reports, forwarded SessionDatagrams.	visible
node_addr of the endpoints The 128-bit SHA-256 of the public key carried in the session routing envelope.	visible
npub of the endpoints The bech32 Nostr public key; the application-layer identity.	opaque
FSP payload (application data) The encapsulated IPv6 packet, stream chunk, or control message.	opaque

What stops them

FSP session AEAD hides the payload even as each hop decrypts and re-encrypts FMP.
The routing envelope carries node_addr only; a transit router cannot derive npub from it.
Multi-path candidate selection spreads sessions across peers, limiting any one router's view.

Adapter MTU Lab

Lesson 12: Talking to Legacy Apps →

Play with transport_mtu and watch effective_ipv6_mtu and clamped TCP MSS recompute in lockstep.

Transport MTU1472 B

Outbound IPv6 packet size1400 B

transport MTU

1472B

FIPS envelope

106B

port header (+)

IPv6 compression (−)

-33B

effective IPv6 MTU

1395B

Effective IPv6 MTU: 1395 B
Clamped TCP MSS: 1335 B
IPv6 viable?: yes

1400B exceeds the effective IPv6 MTU (1395B). The adapter returns ICMPv6 Packet Too Big to the sending application (rate-limited to one per 100ms per source).

Interactive Simulations

Identity Generator

Identity Derivation

Mesh Simulator

Mesh Simulator

Bloom Filter

Bloom Filter

Routing Decision

Routing Decision: find_next_hop()

Packet Journey

Packet Journey: A → D

Error Recovery

Packet Inspector

Link Cost Lab

Threat Lens

Adapter MTU Lab

Routing Decision: `find_next_hop()`