The proposal for IPv8 has been released (link), and it’s bad. Really bad. Normally it would be hyperbolic to cry “end of the free internet”, but it would be hard to design a more surveillance-friendly structure for the next generation of the internet than what is contained within.
THE GOOD:
IPv4 backward compatibility is genuinely elegant. Setting r.r.r.r to 0.0.0.0 makes an IPv8 address identical to an IPv4 address, processed by the standard rules (#1.5 p3, #3.3). This alone is the best contribution of the draft and should be lauded. It single-handedly kills any further incentive to push IPv6, which has struggled for decades to find adoption because of dual-stack, flag day, and forced migration (#1.2 p3, #2.2 p2). Any draft that replaces this initial iteration of IPv8 should keep this design choice.
Address exhaustion is resolved as an architectural consequence, not as a bolt-on. Every ASN gets a full 2^32 host address space (#1.5 p2, #3.2). CGNAT becomes unnecessary for address conservation. This is an objectively cleaner solution than the IPv6 approach. The problem with IPv6 was never that 128 bits was too many; it was that dual-stacking, the loss of backwards compatibility, and the absence of any management improvements were the price of solving one problem, and that price is what has prevented its adoption (#1.2 p3, #2.2 p2).
The routing table bound seems structurally sound. I’m unfamiliar with how this works currently but it seems like a step in the right direction.
WHOIS8 route validation addresses legitimate BGP security concerns. Prefix hijacking and route leaks are real threats today because BGP4 has no binding between what an ASN advertises and what it’s authorized to advertise (#2.3 p2). Mandatory validation against a registry (#1.4 p4) is in theory the right approach; RPKI tried to do something similar, but adoption has been slow. This choice is also solid from a civil liberties perspective: it’s just network operators proving that they own what they say they do.
The Cost Factor metric is a genuinely novel routing improvement. A unified path quality metric that accumulates end-to-end across AS boundaries (#1.6 p1-2), combining latency, loss, congestion, and bandwidth with a physics floor based on distance (#1.6 p4), is something no routing protocol currently achieves. Additionally, the choice for this to be an open, versioned algorithm (#1.6 p5) is a welcome choice in a draft that otherwise guts internet openness.
Management unification solves a real operational pain point. The services fragmentation problem described in #1.2 and #2.1 is accurate. DHCP, DNS, NTP, logging, monitoring, and auth really are separate products with no shared awareness. A single coherent delivery mechanism (#1.2 p2, #2.1 p3) would reduce ops burden, especially for small networks that can’t afford the complexity (like small businesses).
The internal zone prefix model solves multi-site addressing cleanly. Using 127.x.x.x for internal zones (#3.5) with guaranteed no-conflict addressing across geographic regions eliminates a very real class of enterprise networking headaches, especially VPC overlap, multicloud routing (#16), and post-merger/acquisition network consolidation.
The transition model is commercially realistic. This should honestly have been thought about earlier. Independent phase adoption with 8to4 tunneling that ensures interoperability throughout (#1.7 p3-4, #13.3, #13.4) means that no single organization or actor needs to move first. The Cost Factor metric actively incentivizes IPv4 transit ASNs to upgrade by measuring their higher latency; it’s a value signal, not a mandate (#1.7 p3).
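As an added illustration of the compatibility rule and the internal-zone prefix described above (this is example code written for this review, not code from the draft or from the draft’s authors), here is a small Python model of the 64-bit address: a 32-bit routing part r.r.r.r in front of a 32-bit IPv4-shaped host part. The text notation r.r.r.r|h.h.h.h, treating the routing part as the ASN, and recognising internal zones by a 127.0.0.0/8 host part are all assumptions made for the example; the draft’s actual wire and text formats are not reproduced here.

```python
# Added example, not the draft's or the post's code: a toy model of the
# 64-bit IPv8 address as the post describes it. Assumptions for illustration:
# text notation "r.r.r.r|h.h.h.h", the routing part carrying the ASN, and
# internal zones identified by a 127.0.0.0/8 host part.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPv8Address:
    routing: int  # r.r.r.r as a 32-bit integer (assumed to be the ASN)
    host: int     # h.h.h.h as a 32-bit integer, a full IPv4-sized space per ASN

    @classmethod
    def parse(cls, text: str) -> "IPv8Address":
        """Parse "r.r.r.r|h.h.h.h"; a bare dotted quad is a legacy IPv4 address."""
        r, sep, h = text.partition("|")
        if not sep:
            r, h = "0.0.0.0", r
        return cls(int(ipaddress.IPv4Address(r)), int(ipaddress.IPv4Address(h)))

    @classmethod
    def from_asn(cls, asn: int, host: str) -> "IPv8Address":
        """Build an address inside an ASN's host space (routing part == ASN is assumed)."""
        return cls(asn, int(ipaddress.IPv4Address(host)))

    @property
    def asn(self) -> int:
        return self.routing

    def is_legacy_ipv4(self) -> bool:
        # The compat rule the post credits the draft with: r.r.r.r == 0.0.0.0
        # means the packet is handled by plain IPv4 rules.
        return self.routing == 0

    def to_ipv4(self) -> ipaddress.IPv4Address:
        """The IPv4 view of a legacy address; refuses addresses an IPv4 stack cannot hold."""
        if not self.is_legacy_ipv4():
            raise ValueError("routing part is non-zero; no IPv4 equivalent")
        return ipaddress.IPv4Address(self.host)

    def is_internal_zone(self) -> bool:
        # Assumed encoding of the 127.x.x.x internal-zone prefix in the host part.
        return (self.host >> 24) == 127

    def packed(self) -> bytes:
        """8-byte big-endian wire form: routing part first, then the host part."""
        return self.routing.to_bytes(4, "big") + self.host.to_bytes(4, "big")

    def __str__(self) -> str:
        if self.is_legacy_ipv4():
            return str(ipaddress.IPv4Address(self.host))
        return f"{ipaddress.IPv4Address(self.routing)}|{ipaddress.IPv4Address(self.host)}"


def same_site_conflict(a: IPv8Address, b: IPv8Address) -> bool:
    """Two internal-zone addresses collide only if the full 64-bit value matches;
    identical 127.x.x.x host parts under different routing parts do not."""
    return a.is_internal_zone() and b.is_internal_zone() and a == b


if __name__ == "__main__":
    legacy = IPv8Address.parse("10.1.2.3")
    site_a = IPv8Address.from_asn(64512, "127.0.1.5")
    site_b = IPv8Address.from_asn(64513, "127.0.1.5")
    print(legacy, legacy.is_legacy_ipv4(), legacy.packed().hex())
    print(site_a, site_b, same_site_conflict(site_a, site_b))
```

The point the model makes concrete: an IPv4-only host sees only the low 32 bits, so the legacy check is a zero test on the high 32 bits, and two sites can reuse the same 127.x.x.x host range without collision because their routing parts differ.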
THE BAD:
64-bit address space trades real headroom needs for backwards compatibility. The draft pointedly criticizes IPv6 for failing operationally while offering deafening silence on its greatest asset: absurd headroom for device growth (#1.5 p2, #3.2). Doubling to 64 bits is undoubtedly a massive improvement, but address consumption is only accelerating, and the binding constraint is the per-ASN 2^32 host space, not the 2^64 total. Hyperscalers, IoT platform providers, and “Industry 4.0” could plausibly exhaust 4.29B host addresses inside a single ASN within the next 15 years. The 127.x.x.x internal zone model mitigates this for private devices (#3.5), but public-facing services still consume ASN host addresses. A protocol in 2026 designed to replace IPv4 should be planning for 128-bit addressable scale, not just a few billion. This is an honest tradeoff in the name of backwards compatibility, but the draft presents it as sufficient without acknowledging the constraint.
DNS8 + WHOIS8 egress validation is indistinguishable from a censorship architecture at every scale. The anti-malware framing is legitimate, but the mechanism is identical to what any Zone Server operator needs to block access to any destination. That threat model is no longer limited to authoritarian states; it scales all the way down to the household level (see the section on scale at the bottom for more detail). The draft specifies that a home router can operate as a local OAuth2 authority (#1.3 p3). An abusive partner who controls the home router controls DNS resolution, egress validation, rate limits, and telemetry for every device in the household. They could block domestic violence hotlines by simply not resolving them in DNS8. They could throttle a victim’s device to 1.2 Mbps so video calls to a counselor are unusable. They could pull up NetLog8 telemetry to see every domain visited and when, including legal aid organizations and shelters. All of this is baseline Zone Server functionality, not a hack or misconfiguration. The protocol’s security model assumes the Zone Server operator is always benevolent. Domestic abuse is the clearest counterexample where that assumption fails at the smallest possible network scale (#1.4 p3, #17.5).
VPNs survive functionally but lose their privacy value against the local operator. Identity-correlated flow metadata is generated automatically (#1.3 p2-3, #2.1 p3). Blocking commercial VPNs becomes a trivial ACL8 policy decision (#1.4 p2). Your VPN tunnel still works, but the Zone Server knows exactly who opened it, where it terminates, and when. The only remaining value of a VPN becomes destination-side IP masking and geo-unblocking, assuming your Zone Server operator allows a VPN at all.
Rate limiting turns the Zone Server into a single point of failure for usability. If the Zone Server pair goes down, every device on the segment drops to 1.2 Mbps. Links are physically up but the network is functionally dead. This is an architectural fragility with almost no precedent in current network design (#17.5 p3). The closest existing analogue is an 802.1X deployment whose RADIUS servers become unreachable, and even there operators routinely configure a critical-auth or fallback VLAN so ports keep passing traffic; the draft specifies no equivalent. The internet has never had a component whose failure degrades every device’s throughput to near-unusable levels while the physical links remain operational.
Rate elevation is another identity-correlated surveillance data point. The Zone Server knows which devices were granted what throughput tiers and when (#17.5, #1.3 p3). You don’t need deep packet inspection to build behavioral profiles. If a device gets elevated to streaming-tier rates every evening at 8pm, that’s a fingerprint tied to hardware identity.
The backward compatibility claim cuts both ways. Zero disruption to existing IPv4 addressing (#1.5 p3, #1.7, #13.1), sure. But the management layer is entirely new and entirely centralized (#1.3). The “no flag day” promise applies to packets, not to the surveillance and control properties of the management suite.
“No flag day” is a lie at the management layer. The draft claims no existing device requires modification (#1.5 p3). That’s true for addressing: r.r.r.r = 0.0.0.0 works fine. But a legacy IPv4 device connecting to a network that has deployed Zone Server management can’t authenticate via OAuth2 because it has no JWT capability. That means it hits the unauthenticated NIC rate limit: 10 packets per second, max 30 per minute (#17.5). At a 1500-byte MTU, 10 packets per second is roughly 120 Kbps (10 × 1500 × 8), and if the 30-per-minute figure is a sustained cap rather than a burst allowance, the steady state is closer to 6 Kbps (30 × 1500 × 8 / 60). That’s dial-up. A device at 10 packets per second can’t load a webpage, can’t stream, can’t do video, and can barely maintain a persistent TCP connection. The Zone Server is the sole authority for rate elevation (#17.5 p3), and rate elevation presumably requires OAuth2 authentication. A device that can’t authenticate can’t get elevated. It’s stuck at 10 packets per second permanently, not as a temporary degradation but as an architectural ceiling. This isn’t a global flag day, it’s a rolling flag day per network segment. The moment a network deploys IPv8 management, every legacy device on that segment is throttled to functional uselessness. That’s arguably worse than a traditional flag day because it’s invisible. A flag day is at least predictable and planned. This is a slow squeeze where each network that adopts IPv8 management silently bricks every unmodified device behind it, and the user just thinks their old laptop “got slow”.
Policy choices are embedded in protocol choices. Framing egress validation as purely a security mechanism (#1.4 p3, #2.3 p2-3) obscures the fact that the same mechanism enables political censorship, employer surveillance, and ISP-level behavioral tracking, all without any additional infrastructure. The draft doesn’t acknowledge this dual-use nature anywhere.
OAuth2 is an authorization framework being used as a hardware authentication protocol. This is like using a hotel keycard system to authenticate engine components in a car. OAuth2 was designed for “let this app access Google Drive”, not “prove your NIC’s identity before you’re allowed to send packets”. The surveillance properties come from the mandatory hardware authentication itself, not the protocol choice, so this doesn’t make the architecture more evil, just more fragile. But welding a bearer token framework into NIC firmware means you’ve taken all of OAuth2’s existing attack surface (token theft, replay, implementation complexity) and embedded it in hardware that the OS can’t patch independently. The draft chooses the worst tool for the job and then makes it irrevocable.
The draft violates RFC 7258 in spirit. The IETF formally declared pervasive monitoring an attack. IPv8 makes pervasive monitoring the default network architecture and the Security Considerations section (#18) doesn’t include any privacy analysis. That’s not an oversight, it’s a gap big enough to drive INGSOC through.
RFC 6973 lays out the privacy analysis the IETF expects of new protocols. The draft has none. No discussion of data minimization, identifier unlinkability, or user consent. The Security Considerations section (#18) covers prefix spoofing, zone protection, and filtering. That’s it. This procedural gap alone would likely stall IETF adoption.
The draft assumes unlimited data storage and doesn’t care. NetLog8 mandates telemetry from every device. OAuth8 logs every authentication event. DNS8 logs every resolution. WHOIS8 logs every egress validation. Rate elevation is tracked. ACL8 enforcement decisions are recorded. All of it is hardware-identified, timestamped, per-connection. A single smartphone makes 1,000-3,000 DNS queries per day between background services, push notifications, app refreshes, and analytics pings. A small household in a first-world country with 10-20 devices generates 10,000+ DNS log entries per day before you even count flow records. Scale that to a university campus with 50,000 devices and you’re looking at 50-150 million DNS queries per day, plus flow metadata for every TCP connection, plus auth events, plus rate elevation records. At a conservative 200-500 bytes per log entry, that’s terabytes per month for one campus. A regional ISP with 100k subscribers averaging 20 devices each is generating terabytes per day, petabytes per year. At a national ISP the numbers become genuinely absurd. Suddenly the flow data generated by a nation’s worth of households needs something the size of the NSA’s Utah Data Center to store.
The draft crosses a line between protocol specification and operational policy, then refuses to own it. The draft addresses none of the storage implications. No storage architecture. No retention periods. No data lifecycle. No capacity planning. No discussion of who pays for it. No discussion of what happens when storage fills up. No right to deletion. No consideration of GDPR or state privacy law compliance for what amounts to a comprehensive behavioral record of every human being on the network. The fact that you’d even need to ask “where does all this data go” is itself evidence that the protocol has overstepped the boundary between protocol specification and operational policy. Traditional protocols don’t generate this question because traditional protocols don’t generate mandatory surveillance data. The draft is trying to have it both ways: it mandates collection with the specificity and authority of protocol specification (“MUST generate NetLog8”, “MUST authenticate via OAuth8”) but then treats the consequences of that collection (storage, retention, access control, deletion, legal compliance) as someone else’s problem. That’s not a gap in the draft. That’s the draft mandating a full surveillance state and outsourcing the liability.
Mandatory identity binding eliminates hardware anonymity by default. OAuth2 JWT binds to the device at the NIC level before any user interaction (#1.3 p2-3). This isn’t user-level authentication that you can compartmentalize with separate accounts or throwaway credentials, it’s physical hardware identity baked into the protocol’s trust chain. Switch ports enforce OAuth2 hardware VLAN binding (#1.4 p2, #17.2). Your device is identified before you even touch it.
The anonymity eliminated is at the layer hardest to restore. User-level anonymity can be rebuilt in software. Hardware-level anonymity under IPv8 would require physically swapping NICs or compromising firmware the protocol is specifically designed to lock down via Update8 (#1.3 p4, #17.5). You can change accounts. You can change passwords. You can reinstall your OS. The NIC is still the NIC.
The Zone Server is a single-point panopticon. Authentication, DNS resolution, route validation, telemetry collection, access control, rate limit authorization, and translation all converge on one platform (#1.3 p1). No need to correlate across systems, the surveillance picture is pre-assembled. Every question you’d want to ask about network activity (”who connected where, when, for how long, at what speed”) is answered by a single database.
Hardware tracking persists through everything. The NIC firmware is the identity anchor (#17.5). Update8 controls what firmware the NIC runs (#1.3 p4). Wipe the machine, factory reset, create a new account, reinstall the OS, the hardware identity doesn’t change. This is a persistent tracking identifier that lives below the operating system and survives every countermeasure a normal user would think to try.
Device-to-traffic attribution becomes a database query, not an investigation. Today, correlating network activity to a specific physical device takes real forensic effort. Under IPv8, the Zone Server maintains that mapping continuously as a basic operational function (#1.3 p2, #2.1 p3). No warrant, no forensics, no effort. Just a query.
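As an added example of that “just a query” claim (and of the rate-elevation fingerprint and single-database panopticon points above; this is example code written for this review, not the draft’s schema or the post’s code), the following Python builds an in-memory SQLite database with three tables standing in for the auth, DNS8 and rate-elevation records the post says a Zone Server keeps, loads a few constructed rows for one hardware-identified device, and answers three questions with one query each: the device’s full timeline, which devices attempted blocked names, and the recurring elevation hour that fingerprints a device’s daily habits. Table and column names, the NIC identifier, timestamps and domain names are all constructed for this illustration.

```python
# Added example, not the draft's schema or the post's code. Constructed tables
# and rows standing in for the per-device records a Zone Server would hold.
import sqlite3

DEVICE = "nic-7f3a"       # constructed hardware identity the NIC presents
BASE = 1704139200         # 2024-01-01 20:00:00 UTC, constructed
DAY = 86400
HOUR = 3600

SCHEMA = """
CREATE TABLE auth8 (ts INTEGER, nic_id TEXT, event TEXT);
CREATE TABLE dns8  (ts INTEGER, nic_id TEXT, qname TEXT, resolved INTEGER);
CREATE TABLE rate8 (ts INTEGER, nic_id TEXT, tier TEXT);
"""

# Three evenings of one device: morning token issue, a mail check, a refused
# lookup in the afternoon on two of the days, streaming-tier elevation at 20:00,
# back to baseline at 01:00. All rows are constructed sample data.
ROWS = {
    "auth8": [(BASE - 14 * HOUR + d * DAY, DEVICE, "jwt_issued") for d in range(3)],
    "dns8": [(BASE - 13 * HOUR + d * DAY, DEVICE, "mail.example", 1) for d in range(3)]
          + [(BASE + 60 + d * DAY, DEVICE, "video.example", 1) for d in range(3)]
          + [(BASE - 2 * HOUR + d * DAY, DEVICE, "hotline.example", 0) for d in (0, 2)],
    "rate8": [(BASE + d * DAY, DEVICE, "streaming") for d in range(3)]
           + [(BASE + 5 * HOUR + d * DAY, DEVICE, "baseline") for d in range(3)],
}


def open_zone_db() -> sqlite3.Connection:
    """Create the three log tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO auth8 VALUES (?, ?, ?)", ROWS["auth8"])
    conn.executemany("INSERT INTO dns8 VALUES (?, ?, ?, ?)", ROWS["dns8"])
    conn.executemany("INSERT INTO rate8 VALUES (?, ?, ?)", ROWS["rate8"])
    conn.commit()
    return conn


TIMELINE_SQL = """
SELECT ts, 'auth' AS src, event AS detail FROM auth8 WHERE nic_id = :nic
UNION ALL
SELECT ts, 'dns', qname || CASE resolved WHEN 1 THEN '' ELSE ' (blocked)' END
  FROM dns8 WHERE nic_id = :nic
UNION ALL
SELECT ts, 'rate', tier FROM rate8 WHERE nic_id = :nic
ORDER BY ts
"""


def timeline(conn, nic_id):
    """Who connected where, when, at what speed: one query over the pre-joined logs."""
    return conn.execute(TIMELINE_SQL, {"nic": nic_id}).fetchall()


def attempted_blocked(conn):
    """Devices that tried to reach names the resolver refused, with attempt counts."""
    return conn.execute(
        "SELECT nic_id, qname, COUNT(*) FROM dns8 WHERE resolved = 0 "
        "GROUP BY nic_id, qname ORDER BY nic_id, qname").fetchall()


def elevation_fingerprint(conn, nic_id, tier="streaming"):
    """The UTC hour at which this device is most often elevated to a tier, with its count."""
    return conn.execute(
        "SELECT strftime('%H', ts, 'unixepoch') AS hour, COUNT(*) AS n FROM rate8 "
        "WHERE nic_id = ? AND tier = ? GROUP BY hour ORDER BY n DESC LIMIT 1",
        (nic_id, tier)).fetchone()


if __name__ == "__main__":
    conn = open_zone_db()
    for ts, src, detail in timeline(conn, DEVICE):
        print(ts, src, detail)
    print(attempted_blocked(conn))
    print(elevation_fingerprint(conn, DEVICE))
```

Nothing here needs packet inspection or cross-system correlation: because every record already carries the same hardware identifier, the “every evening at 20:00” fingerprint falls out of a GROUP BY over one table, and the list of devices that tried a refused name is a WHERE clause.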
NIC firmware rate limits make the network unusable without Zone Server permission. 100 packets per second at 1500-byte MTU is roughly 1.2 Mbps, enough to barely browse the web. Streaming is impossible. Video calls won’t connect. File transfers crawl. Gaming is out. The Zone Server is the sole authority for rate elevation, and it’s enforced in hardware the OS cannot override (#17.5). Your computer’s own network card won’t let you send packets faster than the Zone Server allows.
Selective throttling enables invisible coercion. A Zone Server operator can degrade any device to near-unusable speeds without blocking it outright. The user experiences “slow internet” rather than a clear censorship event. There’s no block page. No error message. Nothing to screenshot or report. Just a network that barely works, and only for you (#17.5, #17.1). This is a subtler and more deniable control mechanism than blocking, and the draft hands it to every Zone Server operator for free.
This architecture is fail-closed, and that can kill people. Safety-critical systems (insulin pumps, pacemakers, continuous glucose monitors, remote patient monitoring systems, flight management systems, ground-based ATC links, satellite command uplinks, spacecraft telemetry) all rely on reliable network connectivity. IPv8 makes every single one of them dependent on a Zone Server staying up and a JWT token remaining valid. This is a fail-closed architecture. If the Zone Server goes down, the device doesn’t keep working normally; it drops to 10 packets per second unauthenticated or 100 packets per second authenticated (#17.5). That’s not degraded service, that’s functionally offline for anything that needs real-time data. If a JWT token expires and the OAuth8 cache can’t refresh it, the device’s auth lapses and the NIC enforces the unauthenticated rate limit in hardware. The device didn’t malfunction, the network killed it. A pacemaker that can’t transmit telemetry to its monitoring service because a token expired. An ATC data link that dropped to 120 Kbps because a Zone Server pair failed over badly. A spacecraft command uplink that got throttled because an ACL8 policy was misconfigured. These aren’t hypotheticals, they’re the predictable consequences of an architecture that defaults to “deny” when any component in the auth chain fails, enforced in NIC firmware that the device’s own OS cannot override. Every safety-critical industry has learned in blood that network dependencies MUST be fail-open. IPv8 is fail-closed by design, at the hardware level, with no exception for systems where failure means death. The draft makes no mention of safety-critical priority classes, no guaranteed minimum service levels, no fail-open mode, no emergency bypass. Network-mandated death by Denial-of-Service isn’t a hypothetical, it’s an architectural inevitability.
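To make the rate tiers the post quotes from #17.5 concrete, both for the legacy-device squeeze described under “No flag day” and for the fail-closed drop described just above, here is an added Python model of a NIC-side packet-rate limiter (example code written for this review, not code from the draft or its authors). It shows the throughput each tier allows with full-size frames, what happens to an in-flight transfer when a token lapses and the NIC falls from the authenticated to the unauthenticated tier, and how a fixed-rate control loop fares against a packet-rate ceiling. The per-packet send-slot model, the “elevated” tier value, and queue-rather-than-drop behaviour are assumptions; the 10 and 100 packets-per-second figures and the 1500-byte MTU are the post’s.

```python
# Added example, not the draft's or the post's code: a NIC-side packet-rate
# limiter modelled as a fixed send slot of 1/pps seconds per frame. The
# "elevated" tier value and queue-not-drop behaviour are assumptions.
MTU_BYTES = 1500
US = 1_000_000  # microseconds per second; time is kept in integer microseconds

# Packets per second per tier. 10 and 100 are the post's figures; 5000 is assumed.
TIERS = {"unauthenticated": 10, "authenticated": 100, "elevated": 5000}


def throughput_bps(pps: int, mtu: int = MTU_BYTES) -> int:
    """Line rate a device can reach at a given packet rate with full-size frames."""
    return pps * mtu * 8


def sustained_bps(packets_per_minute: int, mtu: int = MTU_BYTES) -> float:
    """Steady-state rate if a per-minute cap, not the per-second burst, is what binds."""
    return packets_per_minute * mtu * 8 / 60


def tier_at(schedule, t_us: int) -> int:
    """schedule: [(start_us, pps), ...] sorted by start; the pps in force at t_us."""
    pps = schedule[0][1]
    for start, p in schedule:
        if start <= t_us:
            pps = p
    return pps


def simulate_transfer(n_packets: int, schedule, mtu: int = MTU_BYTES):
    """Push n_packets full-size frames through the limiter; returns (seconds, avg_bps).
    Each frame takes one send slot of 1/pps seconds at the tier in force when it leaves,
    so a tier change mid-transfer (e.g. a token expiring) slows every later frame."""
    t = 0
    for _ in range(n_packets):
        t += US // tier_at(schedule, t)
    return t / US, n_packets * mtu * 8 * US / t


def control_loop_misses(loop_hz: int, pps: int, iterations: int) -> int:
    """Count loop iterations whose frame cannot leave before the next period starts.
    Late frames queue rather than drop (assumption), so any backlog compounds."""
    period, slot = US // loop_hz, US // pps
    next_free = misses = 0
    for i in range(iterations):
        ready, deadline = i * period, (i + 1) * period
        send = max(ready, next_free)
        if send >= deadline:
            misses += 1
        next_free = send + slot
    return misses


if __name__ == "__main__":
    for name, pps in TIERS.items():
        print(f"{name:15s} {pps:5d} pps = {throughput_bps(pps) / 1e6:.3f} Mbps")
    print(f"30 packets/minute sustained = {sustained_bps(30) / 1e3:.0f} Kbps")
    # ~1 MB as 700 full frames: authenticated all the way, unauthenticated all the
    # way, and authenticated with the JWT lapsing 2 s in (drop to 10 pps).
    for label, sched in [("authenticated", [(0, 100)]),
                         ("unauthenticated", [(0, 10)]),
                         ("token lapses at 2 s", [(0, 100), (2 * US, 10)])]:
        secs, bps = simulate_transfer(700, sched)
        print(f"{label:20s} {secs:6.1f} s  avg {bps / 1e3:8.1f} Kbps")
    # A 1 kHz control loop sending one frame per period against each ceiling.
    for pps in (100, 1000, 5000):
        print(f"1 kHz loop at {pps} pps: {control_loop_misses(1000, pps, 1000)} of 1000 late")
```

The numbers match the post’s arithmetic (10 pps is 120 Kbps, 100 pps is 1.2 Mbps), and the mid-transfer lapse shows the fail-closed point: a transfer that would finish in 7 s takes 52 s once the NIC demotes the device, while a 1 kHz loop against a 100 pps ceiling misses essentially every deadline, which is the RTOS incompatibility the next section describes.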
IPv8 is fundamentally incompatible with real-time operating systems. I’m not well versed in this space, but as I understand it RTOS exists for one reason: deterministic timing guarantees. The scheduler, the I/O, the interrupts, everything is bounded and provable. That’s why RTOS is used in avionics (ARINC 653), automotive (AUTOSAR), medical devices (IEC 62304), industrial control (PLCs, SCADA), and spacecraft flight software. When a hard real-time deadline is missed, things crash, explode, or people die. IPv8 introduces at least five non-deterministic dependencies into the network path that an RTOS cannot bound or control:
JWT token lifecycle is non-deterministic. Token validation requires cryptographic signature verification, memory allocation for parsing, and periodic refresh via network round trip to the OAuth8 cache. If the cache is slow, the token expires, the NIC firmware drops the device from 100 pps to 10 pps instantly, and that timing violation cascades through the entire real-time schedule. An RTOS can’t guarantee a 1ms control loop if the NIC might independently decide to throttle between one cycle and the next.
The NIC firmware is no longer under OS control. RTOS design assumes the OS has deterministic control over all hardware. The IPv8 NIC takes orders from the Zone Server, not the local OS (#17.5). Rate limits, ACLs, and firmware updates are all externally imposed. The RTOS scheduler can’t account for constraints it doesn’t control and can’t predict. You’ve put a non-deterministic external authority between the OS and its own network interface.
DNS8 resolution adds unbounded latency to connection establishment. Every outbound connection requires a DNS8 lookup before the XLATE8 state table entry is created (#1.4 p3). DNS round trips are inherently variable. In a hard real-time system that needs to establish a connection within a bounded time window, an unbounded DNS dependency is a certification failure.
Update8 undermines the entire safety certification model. Avionics software is certified under DO-178C. Medical devices under IEC 62304. Automotive under ISO 26262. All of these require that every piece of software and firmware running on the system is validated, tested, and locked. Update8 lets the Zone Server push NIC firmware updates (#1.3 p4). An external entity can modify the firmware on a safety-certified device’s network interface without going through the certification process. That doesn’t just violate best practice; it is incompatible with the change-control regimes behind FAA airworthiness certification, FDA device requirements, and automotive functional safety standards.
The Zone Server is a common-mode failure. RTOS safety architectures are designed to eliminate common-mode failures, a single point whose failure takes down multiple independent systems. The Zone Server is exactly that. Every device on the segment depends on it for authentication, rate elevation, DNS resolution, and egress validation. A Zone Server failure degrades every real-time system on the segment simultaneously. This is the kind of failure mode that safety analysis specifically exists to prevent.
You cannot certify an RTOS-based safety system under DO-178C, IEC 62304, or ISO 26262 if the network interface can be independently throttled, updated, or disabled by an external server. IPv8 and real-time safety-critical computing are architecturally incompatible.
Tor, I2P, and IP-literal circumvention tools are broken by design, not by policy. This isn’t a blocklist that can be evaded with new relays or bridges. It’s a structural gate. No DNS lookup means no XLATE8 state table entry means the connection is blocked (#1.4 p3). Period. The mechanism that blocks malware C2 channels and the mechanism that blocks Tor are the same mechanism, and the protocol can’t tell the difference.
NIC-level firmware enforcement puts the control plane below the OS. The user cannot override rate limits, ACLs, or update policies in software (#17.5). The Zone Server decides what firmware the NIC runs via Update8 (#1.3 p4). This is unprecedented protocol-level control over endpoint hardware. Your own machine’s network interface takes orders from the Zone Server, not from you.
NetLog8 mandatory telemetry creates a universal activity log tied to hardware identity. Combined with OAuth8 device binding, this is turnkey lawful intercept infrastructure without any additional tooling, and it correlates to physical hardware, not disposable accounts (#1.3 p1, #2.1 p3, #17.1). You don’t need to build a surveillance system. You just need to read the logs the protocol already generates.
Who operates the Zone Server is the only question that matters. Every privacy and usability property of this protocol reduces to one variable: do you trust the Zone Server operator with a complete, hardware-identified, real-time log of every device and connection on the network (#1.3 p1-3), plus the ability to throttle any device to unusability at will (#17.5)? The protocol assumes the answer is always yes. Your consent is neither asked nor required, and it has no mechanism for the answer to be no.
The draft’s security framing implicitly assumes a benevolent network operator defending against external threats. But every capability described above is a property of the Zone Server itself, and the draft explicitly supports Zone Server deployment at every network scale, from national ISPs down to home routers operating as local OAuth2 authorities (#1.3 p3). The surveillance and control capabilities are identical at every tier. The only variable is who holds the keys.
Every example below uses the same mechanisms: DNS8 resolution blocking (#1.4 p3), NetLog8 telemetry (#1.3 p1, #2.1 p3), OAuth8 hardware identity binding (#1.3 p2-3), rate limit control (#17.5), and ACL8 access enforcement (#1.4 p2). Nothing is hypothetical. Nothing requires additional infrastructure. These are baseline Zone Server functions.
A government that operates or compels cooperation from national ISP Zone Servers gets a complete, hardware-identified log of every device and every connection in the country. A regime that doesn’t want its citizens reading independent journalism just stops resolving those domains in DNS8. No connection, no block page, no visible censorship event. Tor is broken at the protocol level (#1.4 p3). VPN providers can be blocked by ACL8 policy. Selective throttling allows invisible suppression of targeted individuals or organizations without generating the kind of screenshots that attract international attention. Rate elevation records create behavioral profiles of the entire population. NetLog8 telemetry identifies every device that attempted to access a blocked resource, tied to hardware identity.
This is the scenario most people think of first, and honestly it’s the least interesting, because authoritarian states already build bespoke surveillance infrastructure. IPv8 just makes it the default operational mode of the network itself.
A US state that passes legislation mandating ISP-level content filtering, whether that’s age-verification laws for pornography, restrictions on reproductive health information, or bans on materials related to gender-affirming care, currently faces significant technical and legal friction in enforcement. DNS blocking is circumventable. VPNs provide easy workarounds. Enforcement requires cooperation from platforms, not infrastructure.
Under IPv8, a state government that compels cooperation from ISPs operating Zone Servers within its jurisdiction gets a clean enforcement mechanism. DNS8 resolution blocking removes access to targeted content categories at the infrastructure level. NetLog8 telemetry identifies which hardware-identified devices attempted to reach blocked domains, creating a log of who tried to access restricted content, not just that it was blocked. Circumvention via Tor is broken by design. VPN blocking is an ACL8 policy decision. The state doesn’t need platform cooperation, it needs Zone Server cooperation, and the ISP is already regulated.
The political valence of the blocked content is irrelevant to the architecture. A conservative state blocking pornography and a progressive state blocking firearms retailers use the same DNS8 gate, the same NetLog8 logs, the same ACL8 enforcement. The Zone Server doesn’t know the difference and it doesn’t care.
A university operating Zone Servers controls the network for every student, faculty member, and visitor on campus. Students living in dorms have no alternative network, the campus Zone Server is their internet.
A religiously affiliated university that holds a particular ideological position can block DNS8 resolution for academic journals, news outlets, advocacy organizations, or research databases that conflict with institutional doctrine. A student researching perspectives the institution opposes, whether that’s climate science at an institution that rejects it, queer theory at a conservative seminary, or religious scholarship at a militantly secular institution, has their queries logged in NetLog8, tied to their hardware-identified device, timestamped, and stored. The institution doesn’t just block the content. It knows which student, on which device, tried to access it and when.
Rate limiting can be applied selectively to deprioritize traffic to disfavored destinations while maintaining full-speed access to approved resources. Student devices are hardware-identified and persistently trackable across the entire campus network, across semesters, across years. A student who was curious about a blocked topic as a freshman carries that NetLog8 record through graduation.
This is where the assumption of a benevolent operator fails most catastrophically. The draft specifies home routers can operate as local OAuth2 authorities (#1.3 p3). An abusive partner who controls the home router, which is the default in most households, becomes the Zone Server operator for every device in the home. The capabilities are not theoretical:
DNS8 blocking — silently prevent a victim’s device from resolving domestic violence hotlines, shelters, legal aid organizations, or specific contacts.
NetLog8 telemetry — review every domain the victim visited, every connection made, timestamped and tied to their specific device hardware identity.
Rate limiting — throttle the victim’s device to 1.2 Mbps so video calls to counselors, lawyers, or family are unusable, while maintaining normal speeds on the abuser’s own devices.
Selective throttling as gaslighting — the victim experiences “slow internet” with no error message, no block page, nothing to screenshot or report. The network appears to be working.
Hardware tracking — the victim cannot escape monitoring by factory-resetting their device, creating new accounts, or reinstalling their OS. The NIC identity persists through all of it.
Today, an abusive partner can install monitoring software or configure router-level DNS filtering, but it requires deliberate technical effort and the victim’s cellular connection bypasses the home network entirely. Under IPv8, the surveillance and control capabilities are the default operational mode of the home network. No additional software, no technical skill beyond basic router access, no indication to the victim that anything has been configured.
A nation blocking journalism. A state blocking pornography. A school blocking dissenting scholarship. A household blocking access to help. All four use the same DNS8 gate, the same NetLog8 telemetry, the same OAuth8 hardware identity, the same rate limiting, the same ACL8 enforcement, all administered from a single Zone Server platform that the draft deploys at every network scale from global to residential.
The protocol makes no architectural distinction between a Tier 1 ISP protecting its network from malware and an abusive partner isolating a victim from help. The Zone Server capabilities are the same. The telemetry format is the same. The enforcement mechanisms are the same. The only difference is the scale of the network and the intent of the operator, and the protocol has no concept of intent.
This is the fundamental design flaw: IPv8 centralizes authentication, DNS resolution, egress validation, telemetry collection, rate control, firmware management, and access enforcement into a single platform, then deploys that platform at every network scale from global to residential, and provides no mechanism, technical, procedural, or architectural, to constrain what the operator of that platform does with those capabilities.
Given everything above, the natural question is: can you opt out? Can you build or configure your way around this? The honest answer is no, not meaningfully.
Swapping hardware gets you session unlinkability, not anonymity. You could build a custom PC with a removable PCIe NIC or use disposable USB Ethernet adapters, rotating hardware identity regularly. Each new NIC is a new hardware identity, so the Zone Server can’t tie Tuesday’s session to Wednesday’s. But each individual session is still fully surveilled. You still authenticate via OAuth2 to get past the 10 packets/sec unauthenticated rate limit (#17.5). You still go through DNS8 for every outbound connection. You still show up in NetLog8. You’re a new identity each time, but each identity is completely transparent to the Zone Server for the duration of the session.
IPv8-certified NIC firmware is part of the trust chain. A certified NIC has firmware that enforces rate limits, ACLs, and rollback prevention (#17.5, #1.3 p4). You can’t flash your own firmware because Update8 is specifically designed to prevent that. So your swappable NIC, if it’s IPv8-certified, still takes orders from the Zone Server. You’re just rotating which piece of compliant hardware is reporting on you.
Legacy non-certified NICs are a shrinking window. The draft claims 100% backward compatibility, no existing device requires modification (#1.5 p3). A plain IPv4 NIC without IPv8 firmware wouldn’t have NIC-level rate limiting or ACL enforcement. But you’re still connecting through a switch that enforces OAuth2 VLAN binding (#17.2), and the Zone Server still controls egress via DNS8 and XLATE8. You dodge the below-OS enforcement layer but not the network-level enforcement layer. The draft’s compliance tiers (#17) create pressure toward certified hardware over time, so this workaround has an expiration date.
Cellular bypasses the local Zone Server but not the architecture. Your phone on LTE/5G bypasses the home or campus Zone Server entirely, which is why it matters in the domestic abuse scenario. But that just moves the Zone Server from your home router to your carrier. If your carrier’s Zone Server is operated or compelled by the same entity you’re trying to avoid, whether that’s a state government or a national regime, cellular doesn’t help.
There is no unsigned, unlogged, unidentified way to send a packet to the internet under IPv8 as specified. Every path terminates at some Zone Server. Every Zone Server has the same toolkit. You can achieve partial session unlinkability by rotating hardware, you can bypass a specific Zone Server by using a different network path, but you cannot reach the internet without passing through a Zone Server that authenticates your hardware, logs your connections, validates your DNS, and controls your throughput. The protocol is designed so that this is always true. That’s presented as a security property. It’s also the definition of a surveillance architecture with no exits.
There are genuinely good ideas in this draft. The backward compatibility model is elegant. The routing improvements are real. The management unification addresses problems that have plagued network operators for decades. These contributions deserve to survive into whatever comes next.
But the surveillance architecture, the mandatory hardware identity binding, the fail-closed rate limiting, the protocol-level censorship gate, the universal telemetry, the NIC firmware control plane, none of this can ship. Not in this form. Not without a complete privacy analysis, not without safety-critical exemptions, not without fail-open modes, and not without answering the question the draft refuses to ask: what happens when the person operating the Zone Server is the threat?
The internet was built on a principle that packets move without asking permission. IPv8 inverts that principle at every layer, from the NIC firmware to the border router, and calls it security. The good parts of this draft should be extracted and rebuilt on an architecture that doesn’t require trusting a single platform with total visibility and total control over every device on the network. Until then, this draft is a blueprint for the most comprehensive, scalable, and architecturally inescapable surveillance infrastructure ever proposed in an IETF standards document. You could not hand a hostile actor a better surveillance architecture if you tried.
“Beware of he who would deny you access to information, for in his heart he dreams himself your master.”
Commissioner Pravin Lal, “UN Declaration of Rights” (Sid Meier’s Alpha Centauri)
All of my work on Substack will remain free and publicly available forever. If you find my musings helpful or just want to say thanks, feel free to feed my caffeine addiction!
