Transport Composition Roadmap

Last updated: 2026-05-10

Goal

NexusNet transport configuration must describe three separate concepts:

• Payload protocol: tcp, udp, or ip
• Outer transport: tcp, udp, or quic
• Security layer: raw, tls, reality, or noise

This avoids overloading the legacy mode field and lets the control plane express mixed modes before every data-plane kernel exists.

Layer 3 point-to-point tunnel planning lives in l3ptp-reality.md. L3 should be represented as payload=ip instead of being modeled as a fake TCP or UDP route.

Long-term kernel data channel offload planning lives in quic-reality-kernel-dco.md.

Support Matrix

Profile	Control Plane	Agent Data Plane
TCP over TCP RAW	supported	supported
TCP over TCP TLS	supported	supported through legacy ENC/TLS
TCP over TCP REALITY	supported	supported
UDP over UDP RAW	supported	supported
UDP over UDP Noise	supported	supported through legacy ENC/Noise
TCP over QUIC REALITY	saved as planned	planned
UDP over TCP RAW	saved as planned	planned
TCP over UDP Noise	saved as planned	planned
IP over QUIC REALITY DATAGRAM	saved as planned	planned

planned profiles can be saved in the frontend/backend so future routes are not blocked by schema churn. Deploying a planned profile should return a clear error until the corresponding agent kernel exists.

Current Control-Plane Shape

Each chain node may carry one profile or multiple per-payload profiles:

{
  "transportProfile": {
    "payload": "tcp",
    "outer": "quic",
    "security": "reality",
    "credentialId": "..."
  }
}

For tcp+udp chains, prefer:

{
  "transportProfiles": [
    { "payload": "tcp", "outer": "quic", "security": "reality", "credentialId": "..." },
    { "payload": "udp", "outer": "tcp", "security": "raw" }
  ]
}

The backend still writes legacy fields for backward compatibility:

• mode = RAW | ENC | REALITY
• enc_key_id

Agent proto now includes TransportProfile on TcpProxyRule, UdpRule, and QuicRule, but current agent routing still primarily uses the legacy rule fields.

Next Data-Plane Milestones

1. Add a TCP stream multiplexer over QUIC REALITY.
2. Map payload=tcp, outer=quic, security=reality to a real QuicRule instead of a deploy-time planned error.
3. Add UDP-over-TCP framing for payload=udp, outer=tcp, security=raw.
4. Add TCP-over-UDP Noise reliability/framing or explicitly decide it must use QUIC instead.
5. Move backend deployment from legacy mode inference to direct TransportProfile dispatch once all supported kernels are present.