UTCP — Unikernel Transport Control Protocol
Integrated
UTCP is the Nexus sovereign transport protocol. It replaces TCP/IP for Nexus-to-Nexus communication with an identity-centric, NACK-based protocol that is immune to entire classes of network attacks.
Why Not TCP?
TCP was designed in the 1970s for a network of trusted academic institutions. It has fundamental problems:
| TCP Problem | UTCP Solution |
|---|---|
| IP addresses change (DHCP, NAT) | Nodes identified by CellID (SipHash-128) |
| Open ports are scannable | No ports. NetSwitch drops unknown CellIDs |
| ACK-heavy (every packet acknowledged) | NACK-based (only missing packets reported) |
| Connection state in kernel | All state in userland fiber |
| DNS dependency for name resolution | CellID is the identity — no DNS needed |
How UTCP Works
Identity-Centric Addressing
Every Nexus node has a CellID — a 128-bit identity derived from its Ed25519 public key via SipHash. Nodes communicate by CellID, not by IP address:
sender_cellid → receiver_cellid

If a node moves to a different network, gets a new IP, or goes through NAT — the CellID stays the same. The connection continues.
EtherType Fork
The NetSwitch uses the Ethernet frame's EtherType to distinguish traffic:
- 0x0800 (IPv4) → Routed to LwIP in the Membrane
- 0x88B5 (UTCP) → Routed to the UTCP handler fiber
Legacy TCP/IP and sovereign UTCP coexist on the same wire. No tunneling. No encapsulation overhead.
NACK-Based Reliability
TCP acknowledges every packet. This wastes bandwidth when the network is reliable (which it is, most of the time).
UTCP inverts this: the receiver only sends a NACK (negative acknowledgment) when it detects a missing sequence number. On a healthy network, no control messages flow. On a lossy network, only the missing packets are retransmitted.
DDoS Immunity
The NetSwitch drops packets addressed to unknown CellIDs at L2. There is no "listening port" to discover. You cannot port-scan a UTCP node because:
- There are no ports
- The CellID must be known before communication can begin
- Unknown CellIDs are dropped before they reach any userland code
Packet Format
UTCP uses a minimal header:
| Field | Size | Purpose |
|---|---|---|
| src_cellid | 16 bytes | Sender identity |
| dst_cellid | 16 bytes | Receiver identity |
| seq | 4 bytes | Sequence number |
| flags | 2 bytes | Control flags (SYN, FIN, NACK) |
| payload_len | 2 bytes | Payload length |
| payload | variable | Application data |
Total overhead: 40 bytes per packet. TCP+IP headers are 40-60 bytes.
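The header table, the drop rule for unknown CellIDs, and the NACK scheme can be exercised together. The following is an added example, not code from the Nexus project: it parses the 40-byte header, drops frames with unknown CellIDs before touching the payload, and reports sequence gaps as NACK candidates. Byte order, the sender allowlist check, and the MAX_GAP window are assumptions, since the page does not specify them.

```python
import struct

# Table layout: src_cellid(16) dst_cellid(16) seq(4) flags(2) payload_len(2) = 40 bytes.
# ASSUMPTION: network byte order; the page does not state endianness.
HEADER = struct.Struct("!16s16sIHH")
MAX_GAP = 1024  # ASSUMPTION: reorder window, bounds per-peer NACK state


class Drop(Exception):
    """Frame rejected before any payload handling."""


def parse_frame(frame: bytes, local_cellid: bytes, known_peers: set) -> dict:
    if len(frame) < HEADER.size:
        raise Drop("short header")
    src, dst, seq, flags, plen = HEADER.unpack_from(frame)
    # Unknown CellIDs are dropped first, as the NetSwitch does.
    # ASSUMPTION: the sender must also be a known peer.
    if dst != local_cellid or src not in known_peers:
        raise Drop("unknown CellID")
    # payload_len comes from the sender: never read past the bytes received.
    if plen > len(frame) - HEADER.size:
        raise Drop("payload_len exceeds frame")
    body = frame[HEADER.size:HEADER.size + plen]  # ignores Ethernet padding
    return {"src": src, "seq": seq, "flags": flags, "payload": body}


class Receiver:
    """Tracks the next expected seq; gaps become NACK requests."""

    def __init__(self, first_seq: int = 0):
        self.expected = first_seq
        self.missing = set()

    def on_seq(self, seq: int) -> list:
        """Return sequence numbers to NACK (empty when nothing is missing)."""
        if seq in self.missing:      # retransmission fills a hole
            self.missing.discard(seq)
            return []
        if seq < self.expected:      # duplicate (32-bit wraparound not handled)
            return []
        if seq - self.expected > MAX_GAP:
            raise Drop("seq outside window")  # a forged seq must not grow state
        gap = list(range(self.expected, seq))
        self.missing.update(gap)
        self.expected = seq + 1
        return gap
```

The window check matters because seq is sender-controlled: without it, a single frame with a far-future sequence number would force the receiver to track millions of "missing" packets.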
Integration with NexFS
UTCP provides the transport layer for NexFS mesh storage (SPEC-704):
- BLOCK_WANT/BLOCK_PUT messages flow over UTCP
- DAG_SYNC uses UTCP for peer-to-peer DAG head synchronization
- CellID-based addressing means storage peers can migrate between networks without losing sync state
Tensor Extensions
For AI workloads, UTCP includes tensor extensions (SPEC-702) that provide soft-RDMA capabilities:
- Direct memory registration for large tensor transfers
- Zero-copy scatter/gather for distributed training
- Priority scheduling for gradient synchronization traffic
These extensions are only active when the nexfs_cluster or nexfs_federation build flags are enabled.