Skip to main content

Principles of Future Networks

·8 mins·
Architecture and Research Protective Runes New Архитектура Протоколы Безопасность Принципы
Table of Contents

This is the third part of a series on building detection-resistant networks. The fourth and final part is planned.

If you read the post on statistical invisibility, you already know: the main challenge today is not wrapping traffic in a tunnel — it’s making that traffic statistically indeterminate. Modern DPI systems have long outgrown simple IP and port blocking. We are now entering an active phase of machine learning being applied to behavioral traffic analysis — packet sizes, inter-packet intervals, temporal session signatures. And every day they get better at it.

This is an arms race. DPI systems evolve — which means we must evolve faster. If DPI has learned to recognize the characteristic rhythm of VPN traffic — that rhythm must be broken. If it can isolate anomalies in the flow — deviations must be reduced to the level of statistical noise, indistinguishable from background HTTPS. In practice, this means several concrete principles that must be built into secure network architecture from the very beginning.

Principle One: No VPN Patterns #

The days of OpenVPN are over. Modern DPI systems don’t read packet contents — they look at shape. Header sizes, transmission rhythm, handshake characteristics — all of this adds up to a digital fingerprint by which traffic is identified as confidently as a person is recognized by their gait.

The logical response was the emergence of protocols that mimic standard HTTPS: single-layer TLS encryption, minimal additional headers, no artificial obfuscation. VLESS, TrustTunnel — or any other protocol built on the same principles. The key requirement is one: traffic must look alive and plausible, not like a rhythmically perfect but unrecognizable stream of bytes. That “too regular” rhythm was exactly what gave away VPN connections during the Iran protests in 2022. Around the same time, the Great Chinese Firewall began deploying random forest models for traffic classification — and demonstrated over 90% accuracy in identifying Shadowsocks from temporal packet patterns alone, without any content analysis.

Transport: gRPC or WebSocket — widely deployed, unremarkable, unquestioned. gRPC runs over HTTP/2 and uses the same port 443 — from a DPI perspective it is indistinguishable from corporate API traffic from Google or Cloudflare. WebSocket, after the handshake, looks like a standard TCP session with Keep-Alive.

The next candidate on the horizon is HTTP/3 over QUIC. The protocol runs over UDP, is encrypted at the transport layer, and is being actively adopted by major CDNs and cloud platforms: today HTTP/3 handles a significant share of traffic from Google, Cloudflare, and Meta. But there’s a nuance: some providers aggressively throttle or block UDP on port 443, treating it as anomalous. HTTP/3 as a masking transport is a question of time and geography, not fundamental impossibility.

Experience has shown that betting on novelty doesn’t work. Neither XHTTP nor Hysteria2 took off — despite hopes that they “hadn’t been blocked yet.” New and exotic protocols stand out too sharply against the general backdrop and attract regulatory attention precisely through their unusualness. The principle here is simple: the best disguise is not uniqueness — it’s ordinariness.

Principle Two: Client Digital Hygiene #

Intelligent routing on the client side is not an option — it’s a prerequisite. GeoIP, traffic splitting by domain and subnet, selective VPN routing — everything commonly referred to as split tunneling. Traffic to Russian resources goes directly; traffic to blocked resources goes through the network.

It’s important to understand: the question of client-side digital hygiene cannot be solved by network settings alone. The network can provide tools, but it cannot make users employ them thoughtfully. This leads to an interesting corollary: the requirement for client discipline becomes a natural filter. Random, indiscriminate users — those who route all traffic through a VPN without thinking — create unnecessary noise and risk. Loyal and disciplined users — those who understand why and how — become an organic part of the network.

From this also comes the principle of VPN traffic minimization. The less traffic passes through the network, the smaller its statistical footprint, the lower the probability of detection and node compromise. Classic correlation attack studies on Tor demonstrated this clearly: users who routed all traffic through Tor — including background system requests — were de-anonymized significantly faster than those who used it selectively. “VPN day and night” or “everything through VPN” no longer works. A VPN should provide selective access to restricted resources — and nothing more.

Principle Three: Rotation at Every Level #

Even perfectly disguised traffic becomes vulnerable if it consistently arrives from the same address. Consistency is a pattern, and a pattern is a target. The answer is continuous rotation: automated switching of nodes, endpoints, and domains that leaves an observer no stable point of reference.

But rotation is not uniform. There are two fundamentally different network segments, and each requires its own approach.

The client → entry node segment is the most sensitive. The client interacts with the network directly, and this is precisely where their traffic is most vulnerable to analysis. Rotation here must be aggressive: multiple domains, regular endpoint changes, short TTL. The higher the variability on this segment, the harder it is to build a statistically meaningful observation picture.

The entry node → network core segment is transboundary. Traffic here crosses a national border and enters the level of backbone networks and large providers. This is territory where inspection operates at a completely different scale. The solution is not to hide — but to dissolve: routing through major hosting platforms and CDNs turns traffic into an indistinguishable part of a massive legitimate flow.

Principle Four: Layer Isolation #

Network resilience is determined not only by how its traffic looks. It is determined by how difficult it is — having gained access to one element — to reach the others. This principle is called layer isolation: division into independent levels, where the compromise of one does not entail the compromise of its neighbors.

Applied to the network, this means separation — and not only in the digital sense. At least four layers can be identified:

  • Network layer — nodes, routing, protocols. What was discussed above.
  • Operational layer — administration, monitoring, configuration management. Completely separated from the user perimeter.
  • Service layer — user management, subscriptions, access. No overlap with the operational layer.
  • Commercial layer — payments, user acquisition, communications. Maximally moved outside the network perimeter and embedded within external services.

A single service that concentrates user management, payment processing, technical administration, and acquisition is a single point of failure and a single entry point for an attacker. Separation must be physical, not merely logical: different machines, different networks, different accounts, minimal digital traces linking the layers to each other.

The logic here is the same as with traffic: the less that is concentrated in one place, the smaller the damage from any individual incident. Services should know about each other only as much as is necessary for operation — and no more.

Principle Five: Horizontal Scaling #

Rotation only works when there is something to rotate through. Resilience comes with scale: the more participants, the more endpoints, the higher the path variability — and the harder it is for an external observer to build a statistically meaningful picture.

The mechanics here are simple. Each new participant brings new endpoints. Endpoints are shared and rotated among all network participants — creating a constantly changing traffic pattern that is nearly impossible to track dynamically. Meanwhile, participants freely join and freely leave: the network does not depend on specific people or nodes, it depends on principles.

But scale has a downside. A network that grows too large becomes visible in its own right — it starts generating traffic volumes that stand out from the background, and draws the kind of attention that one would prefer to avoid. The optimal size is a balance: large enough to provide meaningful node and participant rotation; small enough to stay below the detection threshold. Not an army — a working group. Not a highway — a capillary network.

Principle Six: Fault Tolerance #

Even with all of the above principles in place — the fight promises to be hard, and there are no guarantees that network nodes will not be discovered and fully or partially compromised.

To ensure fault tolerance, the network must be distributed and decentralized — at every level and in every layer.

In Lieu of a Conclusion #

The principles outlined here are not a checklist. They are an architectural philosophy built around a single idea: the best defense is not to confront the detection system — but to dissolve into it. Look like everyone else. Move like everyone else. Leave nothing that can be grabbed hold of.

DPI systems will improve. Machine learning models will grow more accurate. Regulators will find new tools. This is not a reason for pessimism — it is the condition of the problem. Rules change, but principles remain: less predictability, more variability, no single points of failure.

Everything discussed above is being built into Sigil Gate’s architecture — consciously or not, gradually or all at once. Some of it is already implemented. Some is still ahead. How the network grows, expands, and transforms — follow along in our blog.