Skip to content

Security Model

iliyan85 edited this page Jul 5, 2026 · 1 revision

Security Model

AISMixer defines security boundaries for selected transport and control surfaces. This page distinguishes implemented behavior from operational responsibilities and explicit non-goals.

Security Scope

AISMixer does not validate the real-world truth of AIS payloads and does not turn AIS data into authenticated vessel identity.

UDP Ingress

Plain UDP ingress has no built-in station authentication or encryption.

Configured UDP input IDs, UDP alias maps, and source IP addresses are routing and metadata inputs. They are not cryptographic identities.

UDPSEC Ingress

UDPSEC authenticates configured station keys and protects transport integrity and confidentiality with authenticated encryption. It carries encrypted AIS payloads and encrypted liveness messages between nmea_sproxy and AISMixer.

UDPSEC does not make every AIS payload semantically trustworthy. It authenticates the station transport, not the vessel or radio-origin truth of each AIS message. It does not detect AIS spoofing.

See UDPSEC and nmea_sproxy for operational details.

Identity and Routing

Internal routing uses source_id, not ingress TAG s.

For UDPSEC, source_id comes from the authenticated station identity, for example udpsec:rPiAIS002. For plain UDP, source identity comes from configured input ID, alias map, or remote IP fallback.

Ingress TAG s is metadata. It must not be treated as authenticated routing identity. Emitted TAG s and internal source_id are separate concepts.

Unix Control Socket

The Unix control socket is local and opt-in. Authorization currently depends on Unix filesystem ownership, group, and mode on the parent directory and socket path.

There are no application-level authentication tokens. A client that can access the socket can request status and routing-state changes.

Parent-directory and socket permissions therefore matter. Treat the socket as an administrative interface.

Routing Updates

Candidate routing configs are fully validated before atomic installation. Invalid candidates do not replace the active snapshot.

expected_generation protects against accidental stale updates. Generation checks are concurrency controls; they are not user authentication.

Configuration and Key Material

Station private keys must remain private. AISMixer should store authorized station public keys, not station private keys.

Deployment-specific config files, authorized_keys.yaml, station private keys, and server private keys should use restrictive filesystem permissions. Never commit private keys or real deployment secrets.

Logging and Operational Visibility

Debug output and process logs are useful operational signals, but they are not tamper-proof audit logs. Do not treat them as a cryptographic audit trail.

Explicit Non-Goals

These are not implemented security features:

  • AIS spoof detection.
  • Vessel identity validation.
  • Payload-signature validation.
  • Application-level control authentication.
  • Remote HTTP/TCP control.
  • Tamper-proof audit logging.
  • Distributed routing consensus.

Clone this wiki locally