Threat Model

confidentiality of data and control traffic when secure transports are used,

integrity of transport/session/network/data messages,

peer identity during session establishment,

correctness of local authorization decisions,

availability of established sessions and discovery flows.

the local node process and its local configuration,

authenticated peers within an administrative domain,

unauthenticated or partially trusted peers reachable on the transport network,

intermediate networks and links that may be observed or modified unless protected by a secure transport.

eavesdropping on links protected by TLS/QUIC or equivalent secure transports,

active tampering with traffic on authenticated secure links,

impersonation during session establishment when transport- or session-layer authentication is enabled,

unauthorized publish/query/declaration activity rejected by local access-control policy,

replay of stale session-establishment state through the INIT/OPEN cookie mechanism.

physical compromise of devices or the trusted local process,

operating-system, runtime, or side-channel attacks,

IP-layer or link-layer denial of service,

traffic analysis on otherwise encrypted links,

key management, PKI provisioning, and secret distribution,

application-specific misuse of opaque payloads or attachments.

secure transports correctly validate peer credentials and protect link confidentiality/integrity,

implementations correctly validate message syntax, lengths, and extension chains,

local policy engines are configured with the intended trust anchors and authorization rules,

secret management and credential provisioning are handled securely outside the base protocol.