@lla-dane
Contributor

This PR introduces support for libp2p Private Networks (pnet) in py-libp2p.

Reference: https://github.com/libp2p/go-libp2p/tree/master/p2p/net/pnet

pnet is a lightweight encryption layer used to isolate a libp2p network using a shared Pre-Shared Key (PSK).
Nodes that don't have the correct PSK simply can't establish connections - enforcing network-level access control before any libp2p handshake happens.

What's implemented:

  • Added a new PskConn class that wraps a RawConnection.
  • When a PSK is provided, all reads/writes on the connection are transparently encrypted/decrypted using the Salsa20 stream cipher.
  • The PSK itself is derived from a 32-byte hex key shared among all peers in the private network.

How it works:

  • On the first write, the connection generates a random 8-byte nonce and sends it to the peer.
  • The nonce initializes the Salsa20 cipher, which is then used to encrypt outgoing data.
  • On the receiving side, the PskConn reads this nonce and creates a matching decryptor, ensuring both peers are synchronized.
  • All further communication flows through this encrypted stream.

Cipher: Crypto.Cipher.Salsa20 (key= 32 bytes, nonce= 8 bytes)
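
The nonce exchange described in the comment above, as an added example that is not code from this PR or from py-libp2p. `DemoPskConn`, `keystream`, `exchange` and `DEMO_PSK` are hypothetical names; the keystream is a pure-Python Salsa20/20 stand-in for `Crypto.Cipher.Salsa20` so the block runs without dependencies, and bytearrays stand in for the raw connections.

```python
import os, struct

M = 0xFFFFFFFF
DEMO_PSK = bytes.fromhex("11" * 32)  # constructed 32-byte key, for illustration only
QUARTERS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),  # column round
            (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))  # row round

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M

def keystream(key, nonce):
    """Yield Salsa20/20 keystream bytes (pure-Python stand-in for Crypto.Cipher.Salsa20)."""
    k, n, c = (struct.unpack(f"<{len(b) // 4}I", b) for b in (key, nonce, b"expand 32-byte k"))
    for ctr in range(2 ** 64):  # 64-bit block counter
        s = [c[0], *k[:4], c[1], *n, ctr & M, ctr >> 32, c[2], *k[4:], c[3]]
        x = list(s)
        for _ in range(10):  # 10 double rounds = 20 rounds
            for a, b, e, d in QUARTERS:
                x[b] ^= rotl((x[a] + x[d]) & M, 7)
                x[e] ^= rotl((x[b] + x[a]) & M, 9)
                x[d] ^= rotl((x[e] + x[b]) & M, 13)
                x[a] ^= rotl((x[d] + x[e]) & M, 18)
        yield from struct.pack("<16I", *((x[i] + s[i]) & M for i in range(16)))

class DemoPskConn:
    """Hypothetical sketch of the behaviour described above; bytearrays model the wire."""
    def __init__(self, psk, tx, rx):
        self.psk, self.tx, self.rx, self.enc, self.dec = psk, tx, rx, None, None
    def write(self, data):
        if self.enc is None:  # first write: fresh 8-byte nonce goes out in the clear
            nonce = os.urandom(8)
            self.tx += nonce
            self.enc = keystream(self.psk, nonce)
        self.tx += bytes(p ^ next(self.enc) for p in data)
    def read(self, n):
        if self.dec is None:  # first read: the peer's nonce precedes any ciphertext
            self.dec = keystream(self.psk, bytes(self.rx[:8]))
            del self.rx[:8]
        data = bytes(ct ^ next(self.dec) for ct in self.rx[:n])
        del self.rx[:n]
        return data

def exchange(psk_a, psk_b, msgs):  # peer A writes each message, peer B reads it back
    wire, back = bytearray(), bytearray()
    a, b = DemoPskConn(psk_a, wire, back), DemoPskConn(psk_b, back, wire)
    received = []
    for m in msgs:
        a.write(m)
        received.append(b.read(len(m)))
    return received
```

With mismatched PSKs the reader simply gets different bytes: Salsa20 is an unauthenticated stream cipher, so at this layer a wrong key shows up as undecodable data rather than an explicit error.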

@seetadev
Contributor

Excellent work, @lla-dane! 👏

This is a very valuable addition to py-libp2p, and the implementation is both clean and thoughtfully aligned with the existing go-libp2p/pnet design.

This feature will be especially important for enabling isolated, permissioned libp2p deployments and for use cases where network-level access control is essential (e.g., consortium networks or research environments).

Great work bringing this to life in py-libp2p — this significantly improves the library’s parity with the Go and JS implementations. Looking forward to seeing this PR head towards final review + merge.

@lla-dane
Contributor Author

lla-dane commented Oct 23, 2025

@seetadev @pacrob: The implementation is effective with TCP and WS. Please have a review. Will include the docs folder shortly.

Here's a ping-demo over tcp and ws with pnet-enabled, with logs showing that we use the read/write functions of PskConn:

Screencast.From.2025-10-23.18-50-49.mp4

And pnet-enabled peer rejecting non pnet-enabled over tcp:

Screencast.From.2025-10-23.19-03-08.mp4

- Add pnet utils in libp2p/security/pnet
- Integrated pnet with TCP transport
- to include PNET as optional
- to specify transport layer TCP/WS with tcp as default

@seetadev
Contributor

@lla-dane: Hi Abhinav. Appreciate your efforts.

Wish you could resolve the CI/CD issues.
