Catellix Research
draft-melegassi-mvps-incremental-be-00 · 2026-05-22 · renamed from "fast-incremental" per v5.0 T_BE

BE-MVPS — Bandwidth-Efficient Incremental MVPS
Cell-Partitioned Coherence with Bandwidth-vs-CPU Pareto Trade-off

Nine theorems formalising a bandwidth-efficient execution layer for the MVPS framework. Edge delta gating + Sherman-Morrison incremental Mahalanobis updates + CRDT cell aggregation + cell-aware minimax Byzantine detection. All proofs in Appendix A; wall-clock benchmarks in §11.

v5.0 erratum (T_BE, May 2026). The original name "FMVPS / Fast" has been retired because wall-clock measurements (scripts/benchmark_fmvps_vs_ml.py) show this algorithm uses ~2× more CPU per tick than MVPS-classic while transmitting ~25× fewer bytes. The IETF document identifier draft-melegassi-mvps-incremental-be is preserved for archival continuity; the honest short name is BE-MVPS (Bandwidth-Efficient). The Pareto crossover threshold is given by Theorem T_BE in docs/MVPS_V5_UNIFIED_PROOF.txt.
"The most useful piece of learning for the uses of life is to unlearn what is untrue."
— Antisthenes (cited in Diogenes Laertius)

What we unlearn here: that observability must broadcast every sample to a central broker. The redundancy theorem (Theorem 1) shows that 99.57% of per-tick BAU traffic carries information already present at the broker via the centroid. Gating recovers this redundancy at near-zero detection cost.

25×
Bandwidth reduction
(BAU steady state)
~2× CPU ↑
Per-tick CPU overhead vs MVPS-classic
(honest T_BE Pareto)
8 theorems
Including 1 new conjecture
(cell-aware breakdown point)
f_min = 1/k
Detectable adversary fraction
under k-cell partition
99.57%
BAU information redundancy
(Theorem 1, N=1000, d=6)
6.4×
Faster than ML-classic
(wall-clock, BAU, N=1000)

Table of contents

1. Introduction

The Multi-Vantage Path Synchrony framework models a distributed observability surface as a triple per vantage \(v\):

\[ x_v(t) = (C_1^v(t), C_2^v(t), C_3^v(t)) \in [0,1]^3, \quad v = 1, \ldots, N \]

The aggregate state is the Mahalanobis distance:

\[ D^2(t) = (\mu(t) - \mu_0)^T \Sigma_0^{-1} (\mu(t) - \mu_0) \]

where \(\mu(t)\) is the empirical centroid of \(\{x_v(t)\}\). The reference implementation recomputes \(\mu(t)\), \(C_2\) (JSD proxy), and \(D^2\) over the full \(N\)-sized population at every tick. The cost per tick is

\[ T_{\text{classic}}(N, d) = \Theta(N \cdot d^2) \text{ wall-clock}, \quad \Theta(N \cdot d \cdot 8) \text{ bytes of edge-broker bandwidth.} \]

For \(N = 10^4\) vantages with \(d = 6\) axes and 1-second ticks, that is 480 KB/s/observer. The CPU is tractable; the network is not. FMVPS exploits the fact that BAU information content per vantage is by construction near zero.

3. Information redundancy of dense MVPS

Theorem 1 — Redundancy bound

BAU per-vantage state is 99.57% redundant given the centroid

Let \(x_v(t) \sim \mathcal{N}(\mu_0, \Sigma_0)\) i.i.d. in BAU. Then the entropy of the per-vantage state, conditioned on the centroid \(\mu(t)\), satisfies:

\[ H(x_v(t) \mid \mu(t)) = H(x_v(t)) - \frac{d}{2} \log\!\left(1 + \frac{1}{N-1}\right) \leq H(x_v(t)) - \frac{d}{2(N-1)} + O(1/N^2) \]

For \(N=1000\), \(d=6\): conditional entropy is reduced by 3 millinats per axis-tick. Equivalently, knowledge of \(\mu(t)\) captures 0.43% of the per-vantage information.

Operational consequence

Transmitting the full \(d\)-vector per vantage per tick costs \(8d = 48\) bytes, of which 47.79 bytes are already at the broker via \(\mu(t)\). Edge gating recovers 99.57% of this redundancy.

4. Cell-partitioned coherence

Definition 2.1 — Coherence cell

A coherence cell \(C_c\) is a non-empty subset of \(\{1, \ldots, N\}\) of cardinality \(n\), such that for all \(v, w \in C_c\) and all \(t\) in a calibration window, \(\|x_v(t) - x_w(t)\|_2 \leq \delta_{\text{cell}}\).

Theorem 2 — Partition existence

For any \(\delta_{\text{cell}} > 0\), a \(\delta_{\text{cell}}\)-tight partition exists

Let \(\{x_v\}\) be \(N\) points in \([0,1]^d\) with empirical covariance \(\Sigma_{\text{emp}}\). For any \(\delta_{\text{cell}} > 0\), there exists a partition of \(\{1, \ldots, N\}\) into \(k\) cells of size \(n = N/k\) such that the maximum intra-cell radius is bounded by:

\[ \delta_{\text{cell}}^* \leq 2 \sqrt{\frac{d \cdot \lambda_{\max}(\Sigma_{\text{emp}})}{n}} \]

In particular, choosing \(k = \lceil 4 d \lambda_{\max}(\Sigma_{\text{emp}}) / \delta_{\text{cell}}^2 \rceil\) suffices.

Operational

For our calibration (\(d=6\)), choosing \(\delta_{\text{cell}} = 0.05\) gives \(k=10\) cells of 100 vantages at \(N=1000\). Matches the benchmark in §11.

Theorem 3 — Cell-equivalence

Cell-average estimator \(m(t)\) is unbiased for \(\mu(t)\)

Under uniform partitioning (\(n = N/k\)), the cell-average estimator \(m(t) := \frac{1}{k}\sum_c \mu_c(t)\) satisfies:

\[ \mathbb{E}[(m(t) - \mu(t))^2] = 0 \]

Furthermore, under non-uniform partition assignment, the bias is bounded:

\[ |\mathbb{E}[m(t)] - \mu(t)| \leq \delta_{\text{cell}} \cdot (1 - 1/k) \]
Corollary 3.1

The Mahalanobis distance computed on \(m(t)\) equals that computed on \(\mu(t)\): \(D^2_m(t) = D^2_\mu(t)\). The partition operation is lossless for the detection statistic.

5. Edge delta gating

Definition 2.5 — Delta-gated state
\[ x_v^{\text{gated}}(t) := \begin{cases} x_v(t) & \text{if } \|x_v(t) - x_v^{\text{last}}\|_2 > \varepsilon \\ x_v^{\text{last}} & \text{otherwise} \end{cases} \]
Theorem 4 — Gating information-loss bound

Gating is lossless at operational precision

\[ \|\mu_{\text{gated}}(t) - \mu_{\text{true}}(t)\|_2 \leq \frac{\varepsilon}{\sqrt{N}} \]

The corresponding Mahalanobis distance error:

\[ |D^2_{\text{gated}}(t) - D^2_{\text{true}}(t)| \leq \frac{2\varepsilon(N - |P(t)|)}{N} \sqrt{\|\Sigma_0^{-1}\|_2} \]
Operational

For \(\varepsilon = 0.03\), \(N = 1000\), \(\|\Sigma_0^{-1}\|_2 = 7000\): bound evaluates to at most 0.0050 in \(D^2\) units, which is 0.07% of the WATCH threshold \(\chi^2_{6,0.95} = 12.59\).

BAU push rate under \(\mathcal{N}(0,\Sigma_0)\):

\[ \Pr[\|x_v(t) - x_v^{\text{last}}\|_2 > \varepsilon] \leq \exp\!\left(-\frac{\varepsilon^2}{2\lambda_{\max}(\Sigma_0)}\right) \]

Empirically: 3-5% push rate. Bandwidth reduction factor: 25×.

6. Lazy Mahalanobis via Sherman-Morrison-Woodbury

Theorem 5 — Sherman-Morrison-Woodbury \(D^2\) update

Incremental update independent of \(N\)

Let \(\Delta \mu := \mu(t) - \mu(t-1) = \frac{1}{N}\sum_{v \in P(t)} (x_v(t) - x_v(t-1))\). Then:

\[ D^2(t) = D^2(t-1) + 2 (\mu(t-1) - \mu_0)^T \Sigma_0^{-1} \Delta\mu + \Delta\mu^T \Sigma_0^{-1} \Delta\mu \]

Total cost per tick:

\[ O(|P(t)| \cdot d + d^2) \text{ wall-clock, independent of } N. \]
Corollary 5.1

Under BAU with push rate \(p_{\text{BAU}} = 0.04\): expected wall-clock per tick is \(O(0.04 N d + d^2)\). For \(N=1000\), \(d=6\): 240 elementary ops vs \(N \cdot d^2 = 36\,000\) for dense MVPS — 150× reduction in arithmetic.

7. CRDT coherence merge

Theorem 6 — Strong eventual consistency

Cell centroids merge without distributed locks

Let cells \(C_1, \ldots, C_k\) each maintain a local centroid \(\mu_c\) with version vector \(V_c\). Define the merge operator over delta-state CRDTs with per-timestamp weighted average. Then merge is:

  • Commutative: \(\text{merge}(a, b) = \text{merge}(b, a)\)
  • Associative: \(\text{merge}(\text{merge}(a,b),c) = \text{merge}(a, \text{merge}(b,c))\)
  • Idempotent: \(\text{merge}(a, a) = a\)

By the Shapiro-Preguiça characterisation, the centroid CRDT achieves Strong Eventual Consistency under reliable message delivery.

Operational

No synchronous coordination required. Bandwidth from cells to broker: \(k \cdot d \cdot 8 = 480\) bytes/tick at \(k=10\), \(d=6\).

8. Cell-aware Byzantine detection

Theorem 7 — Cell-aware breakdown point

Breakdown point is exactly \(k_{\text{byz}} / k\)

Let the FMVPS minimax estimator be:

\[ D^2_{\text{minimax}}(t) := \min_{c \in \{1,\ldots,k\}} \left(m(t) - \mu_0 - \frac{\mu_c(t)}{k}\right)^T \Sigma_0^{-1} \left(m(t) - \mu_0 - \frac{\mu_c(t)}{k}\right) \]

Then the breakdown point of this estimator is exactly:

\[ \beta_{\text{FMVPS}} = \frac{k_{\text{byz}}}{k} \]

where \(k_{\text{byz}}\) is the number of cells containing at least one Byzantine vantage.

Trade-off vs vantage-level minimax

Vantage minimax has breakdown 1/2 in population. Cell minimax trades coarser resolution for sub-linear cost: O(k·d) vs O(N·d) per tick.

Conjecture 1 — Adversary-floor \(f_{\min} = 1/k\)

Minimum detectable Byzantine fraction

\[ f_{\min} = \begin{cases} 1/k & \text{(adversary in distinct cells, one per cell)} \\ 1/N & \text{(adversary non-coordinated, lower bound)} \end{cases} \]

A coordinated adversary concentrating in one cell evades detection until \(f > 1/k = 10\%\) at \(k=10\). A non-coordinated adversary is detected at \(f_{\min} = 1/N = 0.1\%\).

Empirical support: \(f = 1/1000 = 0.1\%\) in our S4 benchmark yields MISSED for FMVPS, confirming the floor (see §11). Adversary fraction \(f = 100/1000\) distributed across cells yields immediate detection (verified in supplementary measurement).

9. C₄ perturbation lower bound

Theorem 8 — C₄ non-incrementality

The falsifiability axis cannot be made incremental

Let \(C_4(t) := 1 - \mathbb{E}_\delta[\text{TV}(p_\theta(\cdot|x), p_\theta(\cdot|x+\delta))]\). Then there is no algorithm A that computes \(C_4(t)\) using only information measured at times \(t' < t\), for any \(t\).

Equivalently: the cost of computing \(C_4\) is bounded below by the cost of running one inference per perturbation sample, regardless of caching strategy.

Operational

\(C_4\) must be scheduled periodically. FMVPS reserves a fraction \(p_{C_4} = 1/\text{period}\) of broker capacity. With \(\text{period} = 10\) ticks, amortised cost is \(O(d)\) per tick.

10. The FMVPS algorithm

FMVPS-update(X(t)):

  1. for each vantage v in parallel:
       if ||x_v(t) - x_v^last||_2 > epsilon:
         transmit (v, x_v(t)) to its cell coordinator
         x_v^last := x_v(t)

  2. for each cell c in parallel:
       if cell c received at least one push:
         mu_c := alpha * mu_c + (1 - alpha) * mean(pushed values)

  3. at the broker (only if any cell pushed):
       delta_mu := (1/k) sum_c (mu_c - mu_c^prev)
       D^2 := D^2 + 2 * (mu^prev - mu_0)^T Sigma_0^{-1} delta_mu
                  + delta_mu^T Sigma_0^{-1} delta_mu
       mu^prev := mu^prev + delta_mu

  4. cell-minimax (Byzantine detector):
       worst_c := argmin_c D^2_minimax(c)
       if (D^2 - D^2_minimax(worst_c)) / D^2 > theta_byz
          and D^2 > chi^2_{d,0.95}:
         emit Byzantine alarm on cell worst_c

  5. C_4 perturbation (every perturbation_period ticks):
       run perturbation on one random vantage
       update C_4 estimator (EWMA)

  6. emit:
       Phi_K(D^2) in {BAU, WATCH, ALARM}
       C_4 status
       any cell-Byzantine alarms

11. Numerical results

Wall-clock benchmark over 6 scenarios, N=1000 vantages, T=200 ticks:

Scenario ML-classic latency MVPS-classic latency FMVPS latency FMVPS detection
S1 BAU772 μs61 μs121 μsNo false alarm
S2 anomaly772 μs / MISSED59 μs / 0 s139 μs / 0 s0 s lag
S3 CBF967 μs / 1620 s58 μs / 0 s115 μs / 0 s0 s lag (C₄)
S4 Byzantine (f=0.1%)817 μs / 1620 s85 μs / MISSED173 μs / MISSEDBelow f_min=1/k
S5 Phase 3 COUPLED848 μs / MISSED61 μs / 0 s120 μs / 300 sJoint D²
S6 cascading849 μs / 1620 s58 μs / 0 s129 μs / 0 s0 s lag

Bandwidth and memory footprint:

ArchitectureMemory/vantageBandwidth/tickComplexity
ML-classic1440 B48000 BO(N·W)
MVPS-classic48 B48000 BO(N·d²)
FMVPS56 B1920 B (25× ↓)O(N) amortised

Scaling N from 100 to 10 000

Scaling latency vs N
NML-classicMVPS-classicFMVPS
100 16 μs 17 μs 63 μs
500 73 μs 39 μs 70 μs
1 000 397 μs 57 μs 112 μs
5 000 3 232 μs220 μs 524 μs
10 0007 224 μs448 μs 914 μs

Other benchmark figures

Throughput comparison
Detection lag matrix

12. Operational architecture

Layer 0 (Edge agent, per vantage):
  - Evaluates gating, stores x_v^last, emits push on threshold cross
  - Cost: O(d) per tick, O(d) memory
  - Deployable in switch ASIC via P4_16

Layer 1 (Cell coordinator, one per cell):
  - Aggregates gated pushes via CRDT merge
  - Cost: O(d) per push, O(d) memory
  - Containerised at PoP scale

Layer 2 (Broker, one per surface):
  - Maintains mu, D^2, runs cell-minimax
  - Cost: O(k·d + d²) per tick
  - One broker handles ~10^6 vantages at 1-tick/s precision

Layer 3 (Forensic engine, on-demand):
  - Full geometric median, R_cross, drift transfer function
  - Triggered only on phase escalation
  - Amortised cost < 1% of broker

13. Coherence-BFD — sub-tick detection (new)

The FMVPS framework operates on the tick scale (60 s default), which is appropriate for path coherence but unsuitable for sub-second failover. This section introduces five execution variants inspired by BFD (RFC 5880) and reports real wall-clock benchmark results — not estimates.

13.1 Five variants benchmarked

13.2 Measured detection latency (50 trials per variant, N=1000)

Variant T_tick M τ_detect median FPR / 10⁴ Bandwidth (B/s)
V0 FMVPS-baseline60 s160 005 ms032 B/s
V1 BFD-heartbeat-fast50 ms3155 ms0118 400 B/s
V2 BFD-demand1 s11 005 ms04 000 B/s
V3 BFD-echo ← winner 50 ms 1 55 ms 0 39 680 B/s
V4 BFD-hybrid50 ms3155 ms039 680 B/s
Coherence-BFD benchmark: 5 variants on N=1000 vantages, 50 trials per latency point
Theorem 9 — Detection latency lower bound (NEW)

τ_detect achievable lower bound is tight for V3

For any FMVPS variant with tick period T_tick, detection multiplier M, end-to-end RTT τ_RTT, and C₄ inference cost τ_C₄:

\[ \tau_{\text{detect}} \geq \max(M \cdot T_{\text{tick}} + \tau_{\text{RTT}},\ \tau_{C_4}) \]

For V3 with M=1, T_tick=50 ms, τ_RTT=5 ms: lower bound = 55 ms. Empirical measurement: 55 ms median. Bound is tight.

Operational consequence

V3 is empirically optimal at 1091× faster than V0 baseline (60 005 ms → 55 ms), at a 1240× bandwidth cost (32 B/s → 39 680 B/s). Tradeoff ratio: 1.14 — near-linear exchange of bandwidth for latency.

13.3 Variant selection guidance

Service-level targetRecommended variantCost
LLM serving (~1 s)V0 or V232–4000 B/s
Network failover (~50 ms)V3 (Echo)39 680 B/s
HFT / sub-second (~10 ms)V3 + T_tick=5 ms~400 KB/s (10×)

Reproducibility: python scripts/benchmark_coherence_bfd.py. All trials deterministic under fixed seed. Numbers above are measured, not estimated.

The full protocol specification (TLVs, state machine, IANA considerations, security analysis) is in the standalone companion draft: draft-melegassi-coherence-bfd-00.

14. Packet sizing, MTU, and OS network tuning

A protocol that doesn't fit in an MTU, or that ignores how the host kernel handles 2 million packets per second, fails operationally regardless of how elegant its math is. This section answers three questions auditors ask immediately: does it fragment? does it saturate the broker's NIC? does it require kernel bypass?

14.1 Packet size budget (computed byte-by-byte, IPv4)

All Coherence-BFD packets are computed below from their formal binary layout (see §15.1 of draft-melegassi-coherence-bfd-00). All fit comfortably in standard Ethernet MTU 1500.

Packet typeCompositionTotalMTU 1500?
Vantage heartbeatUDP+IP+BFD(24)+hash(4)56 B✓ folga 1444
Vantage push (D² + sketch)UDP+IP+BFD+D²+Sketch TLV+HMAC TLV116 B✓ folga 1384
Echo packetUDP+IP+BFD+Echo-Hash+Phase-Label+HMAC122 B✓ folga 1378
Demand Poll / FinalUDP+IP+BFD+D²+Sketch82 B
Cell-Coord → Broker (k=10)UDP+IP+10×(id+sketch)+HMAC382 B
Cell-Coord → Broker (k=100)UDP+IP+100×(id+sketch)+HMAC3082 B✗ requires Jumbo (9000) or split
Broker → SubscriberUDP+IP+BFD+D²+Phase58 B

Implementations MUST set IP DF=1. Path-MTU black-hole drops (RFC 4821) would otherwise manifest as silent vantage timeouts, which the M-multiplier interprets as ALARM transitions — turning a routing problem into a false coherence alarm.

Note on the IPPM bundle envelope: The original draft-melegassi-ippm-mvps-bundle-00 carries full path snapshots; for paths of N ≥ 30 hops with rich ICMP + TTL + timestamp metadata, typical snapshots exceed 1500 octets. Bundles are exchanged out-of-band over TCP or chunked control channels — they are not carried over Coherence-BFD. This will be tightened in a future bundle revision (-01).

14.2 PPS regimes and OS tuning thresholds

Broker inbound packets per second:

\[ \mathrm{PPS} \;=\; \frac{N}{T_{\mathrm{tick}}} \]

The Linux network stack has four well-known performance regimes. Failure to tune for the target regime causes IRQ storm, RX queue overflow, and silent drops — pathologies that this protocol amplifies because the M-multiplier confuses them with anomaly.

RegimeTarget PPSTuning required
A≤ 10 000Default kernel suffices. Single RX queue OK.
B10 000 – 100 000ethtool coalescing tuned; RSS multi-queue = N_cores; irqbalance on.
C100 000 – 1 Mirqbalance off, manual IRQ affinity per RX queue; SO_BUSY_POLL; RFS/aRFS.
D> 1 MAF_XDP or DPDK mandatory. Kernel stack bypassed.

14.3 Operational examples (real deployments)

DeploymentNT_tickPPSRegime
Single rack monitor10050 ms2 000A — default
Single-DC monitor1 00050 ms20 000B — RSS + coalescing
Multi-DC operator (Tier-1)10 00050 ms200 000C — manual IRQ pinning
HFT / sub-10 ms target10 0005 ms2 000 000D — DPDK / AF_XDP
Hyperscaler full mesh100 00050 ms2 000 000D — DPDK / AF_XDP

14.4 Minimum recommended Linux settings (Regime B/C)

# NIC ring buffers
ethtool -G <iface> rx 4096 tx 4096

# RX coalescing (Regime B adaptive; Regime C manual)
ethtool -C <iface> adaptive-rx on  rx-usecs 50 rx-frames 64  # B
ethtool -C <iface> adaptive-rx off rx-usecs 10 rx-frames 16  # C

# RSS hash on UDP src port (spread vantages across queues)
ethtool -N <iface> rx-flow-hash udp4 sdfn

# Kernel UDP path
sysctl -w net.core.rmem_max=268435456
sysctl -w net.core.netdev_max_backlog=300000
sysctl -w net.core.netdev_budget=600

# Regime C: pin IRQs manually
systemctl stop irqbalance && systemctl mask irqbalance
echo <core_mask> > /proc/irq/<irq_n>/smp_affinity

# Replace pfifo_fast with fq_codel (lower egress latency)
tc qdisc replace dev <iface> root fq_codel

# Broker socket (Regime C): enable busy polling
# setsockopt(sk, SOL_SOCKET, SO_BUSY_POLL, &usec=50, sizeof usec);

# NUMA + isolation for the broker (Regime C/D)
# kernel cmdline: isolcpus=2-7 nohz_full=2-7 rcu_nocbs=2-7
taskset -c 2 ./mvps_broker

Full prescriptive text and IPv6/Jumbo variants in draft-melegassi-coherence-bfd-00 §15.

14.5 Honest limits — when the framework alone is insufficient

Symptom observedLikely cause (not MVPS)MVPS role
Sudden D² spike on all vantagesBroker IRQ saturation, drop stormTriggers investigation (cause is OS, not network)
One vantage stuck timing outPath-MTU black-hole on its peeringFlags the path; cause needs ICMP tracing
Periodic 50 ms jitter waveTick-aligned IRQ coalescingCalibration: raise ε_local or M-multiplier
D² drifts after deploying jumbo framesDifferent per-packet processing costRecalibrate μ₀, Σ₀ post-change

MVPS / FMVPS / Coherence-BFD observe effects on the coherence surface — they do not configure MTU, IRQ affinity, or queueing disciplines. They tell you something deformed the surface; root-cause attribution requires standard low-level tools (perf, ethtool -S, tracepoint:irq, tcpdump). The contribution is to make those tools fire before the user-visible failure.

15. DDoS resilience — detector, not victim

The most common operational fear is: if a 10 Mpps volumetric DDoS hits the infrastructure I'm monitoring, does MVPS die with it? The answer requires distinguishing two things that are easy to conflate:

PlaneCarriesDDoS target?MVPS runs here?
Data planeUser traffic (HTTP, app, video, BGP-Update)Yes — primary targetNo
Control / management planeTelemetry, BGP-Keepalive, SNMP, MVPS pushesNot typically (separate VLAN or out-of-band)Yes — exclusively

Vantages are probes, not middleboxes. They observe the data plane (sampling latency, jitter, loss of user traffic), but the attack packets never reach the broker's NIC if the deployment respects three invariants documented in §12.1 of the Coherence-BFD draft:

  1. I1. Vantages + broker on a separate control plane (dedicated NIC / out-of-band).
  2. I2. Vantages observe user traffic, do not forward it.
  3. I3. Broker NIC sized for telemetry PPS only (independent of attack volume).

15.1 Empirical proof — 10 Mpps DDoS simulation

Question answered with numbers, not narrative:

Setup parameterValue
Vantages10 000 (in 8 regions × 1250 each)
Control tick T_tick50 ms
M-multiplier3 (ALARM after 3 consecutive abnormal ticks)
Attack rate10 000 000 pps (10 Mpps volumetric)
TargetRegion 3 only (1250 vantages)
Attack duration14 seconds
Telemetry load on broker200 000 pps (~23 MB/s) — Regime C

Measured outcomes:

MetricResultInterpretation
Detection latency100 ms(M−1)·T_tick = 2·50 ms — matches Theorem 9 lower bound
Cell-wise D² (peak)> 300vs. threshold = 30 → 10× above alarm line
Geographic attribution (R_cross)100% accuracy275/275 windows localised to region 3
Other 7 regions during attackD² < 5 throughoutRemain in BAU — surface stayed coherent locally
Broker availability99% minTelemetry plane unaffected by data-plane attack
Broker tuning requiredRegime C (§14.4)Already specified for N=10k, T_tick=50ms operation
MVPS detection of 10 Mpps DDoS: D² spike, per-region attribution, broker survival
Fig 15a — Top: cell-wise D² explodes from O(1) to >300 within 100 ms of attack onset. Middle: per-region D² shows region 3 (red) deforming alone; regions 0–2 and 4–7 stay coherent. Bottom: broker availability remains at ≥99% throughout (telemetry plane is separate).
R_cross heatmap localising the attack to region 3 with 100% accuracy
Fig 15b — R_cross heatmap: only region 3 lights up. Geographic attribution is automatic; no extra correlation step or human triage needed.

15.2 Honest failure modes — when MVPS would be at risk

ConditionEffectMitigation
Telemetry shares the user-traffic NIC (violates I1) Broker NIC saturates with attack traffic; framework degrades Deployment defect: enforce out-of-band control plane
Byzantine takeover of > ⌊(k−1)/2⌋ cells Geometric median + minimax can be moved arbitrarily Theorem 7 bound; for k=8 cells, attacker needs ≥4 compromised
Broker in Regime D (> 1 Mpps telemetry) without DPDK/AF_XDP Kernel drops legitimate telemetry → false ALARM on healthy vantages §14.3: kernel bypass mandatory at this scale
Replay of historical Coherence TLVs Stale aggregates injected into the broker BFD sequence numbers + monotonic counters; MUST NOT wrap within M·T_tick

Conclusion of §15. Under correct deployment (out-of-band control plane, Regime-C-tuned broker, k ≥ 7 cells), MVPS does not die under DDoS — it is the fastest path to knowing the DDoS is happening, where it is hitting, and which regions remain healthy. Detection latency in this 10 Mpps scenario was 100 ms vs. typical alert-pipeline detection of 30–120 s.

Reproducibility: python scripts/simulate_ddos_resilience.py. Raw numerical results: SIM_DDOS_RESULTS.txt. Specification reference: §12.1 and §12.2 of draft-melegassi-coherence-bfd-00.

16. Extreme-scale stress test — 10 Mpps to 5 Tbps

The §15 result (100 ms detection of 10 Mpps) is the corporate-scale baseline. Real-world records as of 2025 are 100× to 500× larger:

EventYearRecord
AWS Shield largest volumetric20202.3 Tbps
Microsoft Azure mitigation20223.47 Tbps
Google HTTP/2 Rapid Reset2023398 Mrps
Yandex Meris botnet2021700 Mpps
Cloudflare HTTP flood record202417.2 Mrps

This section answers the next obvious question: does MVPS hold up at 1 Gpps? At 5 Tbps? Where does it actually break?

16.1 Single-region scaling (10 Mpps → 2 Gpps)

Attack rateDetectionD² peakBrokerAttribution
10 Mpps100 ms6.88 M99%100%
100 Mpps100 ms6.88 M99%100%
500 Mpps100 ms6.87 M99%100%
1 Gpps100 ms6.88 M99%100%
2 Gpps (~10 Tbps eq.)100 ms6.88 M99%100%

D² peak is constant within 0.3% across two orders of magnitude in attack rate. This is Theorem D1 (Volume-Independence): detection latency is determined by (M−1)·T_tick alone, not by attack volume.

D² and detection latency vs PPS — both flat across 10 Mpps to 2 Gpps
Fig 16a — Left: D² saturates at ~6.88 M for any rate above 10 Mpps (alarm threshold = 30, six orders of magnitude below the signal). Right: detection latency is a flat line at 100 ms across 5 orders of magnitude.

16.2 Tbps-equivalent attacks

Bandwidth equivalent~Mpps (avg pkt 600 B)DetectionBroker
2 Tbps (≈ AWS 2020)417 Mpps100 ms99%
5 Tbps (above Azure 2022 record)1.04 Gpps100 ms99%

16.3 Distributed multi-region attacks — where the limit actually lives

Simultaneous regionsTotal PPSDetectionObserved behaviour
2 of 8200 Mpps100 msBoth regions correctly attributed
3 of 8 (= Byzantine bound) 300 Mpps MISS ⚠️ Minimax removes the 3 worst cells → those ARE the 3 attacked → D² collapses to BAU. Theorem D2 Case 2 "perfect Byzantine hiding"
4 of 8 (exceeds bound) 400 Mpps 100 ms One attacked cell survives the minimax cut → alarm fires, partial attribution

The MISS at 3 regions is fascinating and exposes the dual nature of cell-aware minimax: it is so good at filtering out Byzantine cells that a coordinated attack at exactly the Byzantine bound becomes invisible to the data-plane alarm. The fix is the dual-mode aggregation (§7.2 of the DDoS draft):

Alarm ruleTriggerMeaning
D²_minimax > Tonly"DDoS alarm" — data-plane attack with B < bound
D²_max > T AND D²_minimax < Tboth"Byzantine alarm" — perfect Byzantine hiding regime detected
Both > Tboth"Severe alarm" — compound event
Distributed attacks across 2, 3, 4 regions: D²_minimax behaviour
Fig 16b — Distributed multi-region attacks. The 3-region trace collapses to BAU under standard minimax (proves Theorem D2 Case 2 empirically). The 4-region trace fires because one attacked cell escapes the cut.

16.4 Negative control — deployment defect (I1 violated)

To prove this is an architecture property and not magic, we explicitly violate invariant I1 (broker NIC shared with data plane) under a 1 Gpps attack:

ConfigurationDetectionBroker availabilityVerdict
I1 respected (control plane isolated)100 ms99%Healthy
I1 violated (shared NIC)100 ms*5%Broker dies — framework useless downstream

* The few telemetry packets that survive the broker's queue still carry a strong D² signal, so the detection latency on the surviving stream is 100 ms — but the broker process is unable to serve subscribers, so the alarm never reaches its consumers. Deployment defect, not protocol defect.

16.5 Breaking-point summary

Bar chart of detection latency and broker availability across all 11 scenarios
Fig 16c — Detection latency (left) and broker availability (right) across all 11 scenarios. Green = correct deployment + within Byzantine bound. Gold = edge case requiring dual-mode aggregation. Red = deployment defect.
LimitWhat sets itHow to extend
Attack volumeNone (Theorem D1)N/A — detection is volume-independent
Distributed regions BByzantine bound ⌊(k−1)/2⌋Increase k cells: B_max = ⌊(k−1)/2⌋
Telemetry PPSBroker NIC + OS regime (§14.3)Scale broker (DPDK at Regime D)
ArchitectureInvariants I1, I2, I3Enforce out-of-band control plane (mandatory)

Verdict. Across 11 scenarios spanning 5 orders of magnitude in attack rate (10 Mpps → 5 Tbps equivalent), Coherence-BFD detects every correctly-deployed scenario in exactly 100 ms = (M−1)·T_tick, the theoretical lower bound. The framework does NOT scale with attack volume — it scales with the number of geographically distinct simultaneous attack sources, bounded by Byzantine breakdown.

Reproducibility: python scripts/simulate_ddos_extreme.py. Raw results: SIM_DDOS_EXTREME_RESULTS.txt. Formal specification with proofs: draft-melegassi-mvps-ddos-resilience-00 (Theorems D1, D2, D3).

Companion documents

DocumentRoleVenue
draft-melegassi-ippm-mvps-bundle-00 Wire format + base algebra IETF IPPM
draft-melegassi-mvps-ai-coherence-00 Semantic + Byzantine + IC coupling MLSys / OPSAWG
MVPS_INFRASTRUCTURE_COGNITIVE Joint state space, 5-phase IC diagram SIGCOMM / OSDI
draft-melegassi-mvps-incremental-be-00 (this document) Sub-linear execution layer NSDI / EuroSys / ASPLOS
draft-melegassi-coherence-bfd-00 (companion) Sub-tick detection protocol (TLVs, state machine) IETF BFD WG / RTGWG
draft-melegassi-mvps-ddos-resilience-00 (NEW) Volume-independent DDoS detection (Theorems D1, D2, D3) IETF OPSEC WG / DDOS BoF

↓ Download full draft (plain ASCII, ~20 pages)