LP registration
Summary
This PR implements the Lewes Protocol (LP) registration path for direct TCP-based gateway connections, providing a more efficient alternative to mixnet-based registration while maintaining security through Noise protocol handshake and credential verification.
What's Implemented
Server-Side (Gateway)
- LP Listener on port 41264 accepting TCP connections
- Noise protocol handshake (XKpsk3_25519_ChaChaPoly_SHA256) for secure channel establishment
- Registration handler supporting both dVPN and Mixnet modes
- Credential verification using existing EcashManager infrastructure
- WireGuard peer management integration for dVPN registrations
- Session management with replay protection using bitmap-based counter validation
Client-Side (RegistrationClient)
- LpRegistrationClient module with TCP connection handling
- State machine for LP handshake as initiator
- Registration flow with request/response handling
- Transport layer for post-handshake data transfer
- Integration with existing RegistrationClient via register_lp() method
- Result types (LpRegistrationResult) matching existing patterns
Protocol Features
- Length-prefixed framing for TCP packet boundaries
- Random PSK generation per registration (32-byte)
- Replay protection with 1024-packet reorder window
- Registration modes: dVPN (WireGuard) and Mixnet
Configuration & Defaults
- Connection timeout: 10 seconds
- Handshake timeout: 15 seconds
- Registration timeout: 30 seconds
- TCP optimizations: TCP_NODELAY enabled, no keepalive needed
- No persistent connections: Registration-only protocol
Architecture Changes
New Modules
- common/nym-lp/ - Core LP protocol implementation
- common/nym-lp-common/ - Shared LP types
- gateway/src/node/lp_listener/ - Gateway LP listener
- nym-registration-client/src/lp_client/ - Client LP implementation
Modified Components
- NymNode struct now includes optional lp_address field
- RegistrationClient supports RegistrationMode::Lp
- Gateway startup includes LP listener initialization
What's Outstanding
Testing
- Unit tests for LP protocol components
- Integration tests for end-to-end registration flow
- Real gateway testing with LP-enabled nodes
Documentation
- API documentation for LP registration usage
- Configuration guide for LP-specific settings
- Protocol specification documentation
Future Enhancements (Not blocking)
- Metrics collection for LP operations
- Gateway probe support for LP endpoints
- Advanced PSK management (currently using random generation)
- Error handling improvements and categorization
Breaking Changes
None - LP is an additional registration path that doesn't affect existing WireGuard or Mixnet registration modes.
Performance Impact
LP registration provides:
- Lower latency: Direct TCP connection vs multi-hop mixnet
- Reduced overhead: No Sphinx packet wrapping
- Faster registration: ~1-2 seconds vs 10-30 seconds for mixnet
Security Considerations
- Noise protocol provides mutual authentication and forward secrecy
- Random PSK per registration prevents replay attacks
- Credential verification ensures proper authorization
- No persistent state reduces attack surface
Migration Path
No migration required. Clients can opt-in to LP registration by:
- Checking if gateway advertises LP address
- Using RegistrationMode::Lp when building RegistrationClient
- Falling back to existing modes if LP unavailable
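
The bitmap-based counter validation with a 1024-packet reorder window listed above can be sketched as follows. This is an added example, not code from this PR or from `common/nym-lp/`; the `ReplayWindow` type, its `accept` method and the 64-bit counter width are assumptions made for illustration.

```rust
const WINDOW: u64 = 1024; // reorder window size stated in the PR description
const WORDS: usize = (WINDOW / 64) as usize;

/// Sliding-window replay filter over a packet counter (hypothetical type, u64 width assumed).
pub struct ReplayWindow {
    next: u64,            // highest accepted counter + 1 (0 = nothing accepted yet)
    bitmap: [u64; WORDS], // bit (c % WINDOW) set => counter c was already accepted
}

impl ReplayWindow {
    pub fn new() -> Self {
        Self { next: 0, bitmap: [0; WORDS] }
    }

    // Map a counter to its (word index, bit mask) in the ring bitmap.
    fn slot(counter: u64) -> (usize, u64) {
        let bit = counter % WINDOW;
        ((bit / 64) as usize, 1u64 << (bit % 64))
    }

    /// Call only after the packet has been authenticated (AEAD tag verified).
    /// Returns true and records the counter if it is fresh, false otherwise.
    pub fn accept(&mut self, counter: u64) -> bool {
        if counter == u64::MAX {
            return false; // reserve the last value so `next` cannot overflow
        }
        let (w, m) = Self::slot(counter);
        if counter >= self.next {
            // Window slides forward: slots for next..=counter now belong to new counters.
            if counter - self.next >= WINDOW {
                self.bitmap = [0; WORDS];
            } else {
                for c in self.next..=counter {
                    let (cw, cm) = Self::slot(c);
                    self.bitmap[cw] &= !cm;
                }
            }
            self.next = counter + 1;
        } else if self.next - counter > WINDOW || self.bitmap[w] & m != 0 {
            return false; // older than the reorder window, or a replayed counter
        }
        self.bitmap[w] |= m;
        true
    }
}

fn main() {
    let mut w = ReplayWindow::new();
    // Constructed counter sequence: in order, reordered, replayed, jump ahead, stale.
    for c in [0u64, 5, 3, 5, 2000, 976, 977] {
        println!("counter {}: accepted = {}", c, w.accept(c));
    }
}
```

Updating the window only after authentication matters: otherwise a forged packet with a large counter would slide the window forward and cause legitimate packets to be rejected.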