Path-Aware Sovereignty — Integrating SCION into the Univrs Stack

Why this paper exists

Univrs makes one structural claim above all others:

Centralized infrastructure produces centralized power. Distributed infrastructure produces distributed power. So we change the topology, and let the politics follow.

Almost every layer of our stack honors that claim — except the one underneath all of them. The network layer of today’s Internet is the most centralized substrate we depend on: a handful of tier-1 carriers decide how every packet travels, using BGP, a protocol with no built-in authentication, no path choice for the endpoints, and a long history of route hijacks and accidental blackholes. We have built distributed finance, distributed cloud, and distributed coordination on top of a centralized routing plane we do not control.

SCION changes that. This paper explains what SCION is, where it honestly fits in the Univrs architecture, the three structural resonances that make it more than a transport upgrade, and a phased roadmap a small community can actually execute — starting this quarter, without owning a single backbone link.

Part 1 — What SCION actually is (and isn’t)

SCION — Scalability, Control, and Isolation On Next-Generation Networks — is a clean-slate, path-aware inter-domain routing architecture from ETH Zurich (Adrian Perrig et al., in development since 2009). The pieces that matter for us:

Isolation Domains (ISDs)

An ISD is a logical grouping of Autonomous Systems under a common trust root. Each ISD is an independent routing plane and failure domain that interconnects with others for global reach. A compromise, misconfiguration, or coercion inside one ISD does not cascade into another. This is sovereignty expressed as network topology.

Packet-carried forwarding state (PCFS)

The path lives in the packet header. SCION border routers forward based on the path the packet already carries — they do not consult large inter-domain forwarding tables, and they stay effectively stateless. The packet is self-describing; the core is dumb and fast.

Host-driven multipath

End hosts learn the available path segments (up-segments toward the ISD core, core-segments between ISDs, down-segments to the destination) and combine them into end-to-end paths themselves — subject to the route policies that ISPs and receivers advertise. The endpoint, not an opaque carrier, chooses the route. Multiple paths can be used at once for availability and attack resistance: as long as one attacker-free path exists, it can be found and used.

Control-plane PKI anchored per ISD

Trust roots live in each ISD’s Trust Root Configuration (TRC). Because SCION does not use BGP for inter-domain routing, it is structurally immune to prefix hijacks — there is no global routing table to poison. Each AS cryptographically signs the Path Construction Beacons (PCBs) it propagates, and per-hop forwarding fields are MAC-protected.

The critical framing point

SCION is L3 inter-domain routing — it is not a peer-to-peer overlay, and it does not compete with libp2p. It runs natively or over any underlay (IP, MPLS, even exotic links), and it bridges to today’s Internet through a SCION-IP Gateway (SIG) that tunnels ordinary IP packets through SCION paths.

Maturity — the honest reality check

SCION has been in production since 2017 (first secured a Swiss bank’s connectivity; today underpins the Swiss Secure Finance Network, SSFN). Roughly seven ISPs commercially offer SCION today (mostly Swiss), and Anapaya Systems remains essentially the only commercial implementation — a genuine adoption catch-22. It is real and battle-tested, but not globally routable. Your realistic entry is SCIONLab + SIG tunneling, not native backbone deployment. We name this plainly so the roadmap is credible.

Part 2 — Where SCION slots into the Univrs stack

The cleanest mental model is that SCION sits underneath the p2p layer, not beside it:

DOL / Skills Framework            ← semantic + capability   (learn.univrs.io)
VUDO (WASM runtime, IPFE lenses)  ← application / agent plane (vudo.univrs.io)
ENR economics (credit gradients)  ← convergence plane    (univrs-enr: ResourceGradient)
libp2p (Gossipsub + Kademlia)     ← peer + transport      (univrs-network: mycelial-*)
─────────────────────────────────────────────────────────
SCION (ISD, path-aware, PCFS)     ← secure path substrate     ← NEW
underlay: IP / MPLS / LoRa (mycelial-meshtastic)

Our p2p layer is libp2p — confirmed in univrs-network (the mycelial-network crate runs libp2p 0.54 with Gossipsub, Kademlia DHT, mDNS, QUIC/TCP, Noise, and Yamux). So SCION does not replace it — it composes with it. A libp2p multiaddr can carry a SCION ISD-AS address. libp2p keeps doing peer routing, content addressing, and Gossipsub pub/sub; SCION supplies path-awareness and trust at the network layer beneath it. That composition — not a migration — is the entire opportunity. Nothing on top has to be rewritten.

Part 3 — Three structural resonances

These are why SCION is more than a faster pipe. Each is a place where SCION’s design rhymes with something we already believe.

1. ISD ↔ compute-commons sovereignty (the headline)

The ISD is almost a drop-in substrate analog for our sovereignty thesis. Each federated community — or the Univrs / Sepahsalar / Imaginarium boundary itself — becomes an ISD with its own trust root. Jurisdictional and trust isolation move down into the network layer instead of being bolted on in application logic. A hostile transit provider, a coercive jurisdiction, or a compromised peer in another ISD cannot reach into yours. For a project born from the lived experience of displacement — “what infrastructure would you build if you could no longer trust governments, banks, or borders?” — this is the answer at the packet level. This is the headline fit, and the strongest argument for the whole effort.

2. PCFS ↔ Nexus gossip-gradients (shared philosophy)

Both are “no authoritative central table” designs. SCION pushes forwarding state into the packet and the edge; the univrs-network stack pushes convergence across the mesh via Gossipsub-propagated credit gradients — the ResourceGradient / NexusTopology model in univrs-enr, where credits and reputation flow peer-to-peer between nodes (the mycelial topology), with no coordinator. State lives at the edge; the core is stateless. This is not a loose analogy — it means a SCION path policy and a Nexus credit-gradient rule can be reasoned about with the same lens we already use for computational ontogenesis (Assembly Theory): both describe how coherent global behavior assembles from local, edge-held rules without a central authority. Even the failure semantics rhyme — and here it is enforced in code: univrs-enr’s CreditConservation invariant and SeptalGate mean an isolated node cannot participate in credit flow; in SCION, a node cut off from every honest path is simply unreachable. Connectivity is participation, at both layers. The network substrate and the data substrate finally share an epistemology.

3. Host multipath ↔ VUDO lens-filtered pub/sub (structural identity)

An end host selecting among available paths is structurally the same move as a VUDO agent choosing a lens (an IPFE filter) over a pub/sub stream. In both cases an endpoint exercises sovereign selection over a menu of legitimate options exposed by the substrate, rather than accepting a single route chosen for it. Path selection and lens selection are the same gesture at two layers — which means VUDO’s “creation as invocation” can extend cleanly down into the routing fabric: an invocation can choose not just what it filters but over which trusted path it travels.

Part 4 — What this buys the community (advantages)

Plain-language payoffs, mapped to the manifesto:

Advantage	What it means in practice	Manifesto tie
Route sovereignty	We choose the path our packets take; no carrier silently reroutes or inspects us.	”Change the topology, let the politics follow.”
Hijack immunity	No BGP, no global routing table to poison. Prefix hijacks structurally can’t touch us.	”Build no master.”
Failure isolation	A problem in another ISD — outage, attack, censorship — stays in that ISD.	”Sovereignty is plural.”
Censorship resistance	Multipath means as long as one honest path exists, we stay reachable, with guaranteed bandwidth.	Resilience = a healthier forest.
Federation-ready trust	Each co-op is its own ISD; peering is deliberate and cryptographically explicit.	”Many small communities.”
Verifiable provenance	Cryptographic path authentication: an invocation can prove which trust domain it crossed.	”Reputation, not bureaucracy.”
Migratable identity	Locator/identifier split lets a VUDO Spirit move hosts while keeping its identity.	The para-social layer, made mobile.

Part 5 — The orthogonal channel: SCION × IPFE, and the meta-tools that bind them

Here is the cleanest way to see why SCION and our application layer are complementary rather than redundant:

SCION gives you which network path the packet takes. Your IPFE layer gives you what the receiver is able to decrypt. Stacking them yields path-policy and functional-encryption as two orthogonal axes of the same agent-to-agent channel.

One axis is about routing and trust (where does this travel, through whose domains, over how many honest paths). The other is about capability and disclosure (what function of the plaintext is this specific receiver permitted to compute). Neither subsumes the other. A VUDO agent channel can independently dial both knobs: route over an ISD I trust and reveal only the lens-filtered projection the receiver is entitled to. That product space — path × function — is a richer security model than either layer alone, and it falls out naturally once SCION sits beneath the existing IPFE/lens machinery.

Can the learn.univrs.io meta-tools support VUDO here?

Yes — and SCION actually sharpens the role of each meta-tool rather than complicating it:

DOL (Domain Ontology Language) is the natural place to express ISD trust policy and path constraints semantically. SCION’s TRC/policy model becomes ontology that VUDO lenses consume — the same “federated semantic alignment” spearhead framed elsewhere in our work, now with a concrete network-layer referent. A path policy stops being opaque router config and becomes a first-class, machine-reasoned statement in the same ontology an agent already speaks.

LLVM Translation Tools are the load-bearing piece. The blocker for VUDO is that the mature SCION endpoint stack (scionproto/scion) is Go. To open SCION paths from inside the WASM sandbox — in browser and at the edge — you want a Rust SCION dataplane / snet binding compiled to WASI. That is exactly the “WASM expanding at both ends simultaneously” thesis, and the LLVM toolchain is what makes the endpoint-stack-to-WASM translation tractable. This is the single highest-leverage, highest-risk engineering bet in the whole integration.

Skills Framework lets us model “select SCION path under policy X” as a first-class agent skill. Path-awareness becomes a composable capability an agent can invoke, compose, and reason about — not infrastructure plumbing bolted on beneath it. The lens ↔ path duality (Part 3) becomes literal: choosing a path and choosing a lens are both just skills.

Pressure-tests (don’t oversell)

Three places this thesis must be stress-tested before it earns a roadmap commitment:

A full SCION endpoint stack in WASM is genuinely hard. WASI networking is still maturing. The realistic near-term shape is likely a host-side SCION daemon with WASM agents talking to it over a capability interface — not a pure in-sandbox dataplane. Scope this honestly before promising in-browser SCION.
SCION’s value is inter-domain. If Nexus clustering is mostly intra-datacenter (AKS-style), SCION buys little inside one cluster. Its payoff is at the federation boundary between commons, not within a single deployment. (This is why the roadmap puts ISDs at the seams, not the center.)
Don’t oversell multipath. It yields throughput gains, but at the cost of higher per-path latency and reduced reliability from path churn — which specifically hurts chatty gossip convergence. Nexus’s Gossipsub gradient traffic is already multi-path at the overlay; a single stable SCION path beneath it may beat aggressive multipath. Measure before defaulting.

How the network actually converges: Convergence is not classic CRDTs (Automerge/Yjs) — univrs-network runs Gossipsub over libp2p, and economic state converges via univrs-enr’s credit gradients (ResourceGradient) (credit + reputation flowing peer-to-peer between nodes). This strengthens the SCION fit: gradient gossip is even more edge-held and coordinator-free than a CRDT replica set. The open empirical question is narrower — measure whether SCION multipath helps or hurts Gossipsub gradient convergence specifically, since gossip is already multi-path at the overlay layer and path churn underneath could perturb it.

Part 6 — Integration roadmap (phased, executable)

Staged so a small team gets value early and never boils the ocean. Each phase is independently useful; stop at any phase and you still keep the gains.

Phase 0 — Learn & prove (weeks, ~zero cost)

Stand up a node on SCIONLab (the global research testbed). No ISP cooperation needed.
Tunnel real traffic between two Univrs machines using a SCION-IP Gateway (SIG) over the public Internet underneath.
Deliverable: a working SCION path between two of our boxes + a short internal write-up of observed multipath/failover behavior.
Exit criterion: we can demonstrate endpoint-chosen, authenticated paths end to end.

Phase 1 — Compose with libp2p (the key experiment)

Carry a SCION ISD-AS address inside a libp2p multiaddr. Confirm libp2p peer routing rides over SCION paths unchanged.
Deliverable: a libp2p pub/sub demo where peer transport is SCION-pathed, with no changes to anything above libp2p.
Exit criterion: the stack diagram in Part 2 is real, not theoretical.

Phase 2 — One Univrs ISD (sovereignty, first taste)

Define a single Univrs ISD with its own TRC. Bring up border nodes at each Univrs site (home lab, colo, any peer hardware).
Run inter-site Nexus traffic over SCION instead of a flat WireGuard/VPN mesh.
Deliverable: multi-site Nexus coordination over a sovereign, isolation-bounded substrate.
Exit criterion: an outage or hostile route in the public Internet between two sites is survived via SCION multipath.

Phase 3 — Federation as ISDs (the political payoff)

Model each collective / co-op as its own ISD. Establish explicit TRC-based peering between Univrs and the first partner community.
Deliverable: the literal network-topology expression of “many small communities, sovereignty is plural.”
Exit criterion: two independently-governed communities interoperate without either being able to coerce or surveil the other at the network layer.

Phase 4 — VUDO Runtime, SCION-aware by design (when the Runtime lands)

Design the Spirit invocation fabric to lean on SCION’s locator/identifier split for migratable Spirit identity, and on ISD scoping to enforce cultural-sovereignty boundaries (the “second canopy”) at the transport layer rather than only in UX.
Extend the lens ↔ path identity from Part 3: an invocation chooses both its IPFE lens and its trusted path.
Deliverable: a VUDO-native networking design doc; a Vudo-specific /about page once the Runtime is deployed (an open follow-up we already flagged).
Exit criterion: a Spirit migrates between clusters across ISDs while keeping a stable, verifiable identity.

Part 7 — Honest risks

Adoption catch-22. One commercial vendor (Anapaya); ~7 ISPs; not globally routable. SCIONLab + SIG overlays mitigate this but add operational weight.
Inter- vs intra-domain mismatch. SCION solves a problem we don’t fully have until we span multiple sites/collectives. Inside a single cluster it is overkill — the CNI/mesh already handles pod traffic. ROI appears at the seams, not the center. Don’t adopt prematurely.
Operational burden. ASes, TRCs, beacon servers, border routers — real infrastructure work. Worth it for federation; not for a lone home cluster.
Overlay-vs-substrate interaction. Nexus already runs a Gossipsub overlay that is multi-path by design. Layering SCION multipath beneath it is promising but must be measured — gossip convergence is sensitive to path churn, so the two multipath layers could either reinforce or fight each other. Validate at the Phase 2 inter-site step before defaulting it on.

Conclusion

SCION will not replace the Univrs stack. It gives the ecosystem something rarer: a transport layer whose politics already match our manifesto. Isolation Domains are compute-commons sovereignty. Packet-carried forwarding state is the same edge-held, coordinator-free philosophy as our CRDTs. Host multipath is the same sovereign-selection gesture as a VUDO lens.

We have been building a regenerative civilization on top of a routing plane owned by a handful of carriers. SCION is how we finally change the topology all the way down — and let the politics follow.

The forest gets roots.

Ecosystem

Part of the Univrs regenerative-infrastructure ecosystem — Mycelial Economics · Human Shine.

Research: metalearn.org · ardeshir.io · sepahsalar.org · univrs.io Learn: learn.univrs.io Creative / Product: imagine.univrs.io · vudo.univrs.io · shine.univrs.io · tarot.univrs.io Code: github.com/univrs · github.com/ardeshir

“Le réseau est Bondieu — the network is you.”