Network Working Group L. Melegassi Internet-Draft Catellix Intended status: Informational 28 May 2026 Expires: 28 November 2026 MVPS Vantage Localization Feasibility under MPLS Path Camouflage draft-melegassi-ippm-mvps-vantage-mpls-00 Abstract IP geolocation databases are known to be unreliable for network- path measurement purposes [Poese-2011]. Traceroute-based localization -- the practical alternative -- is further corrupted by invisible and opaque MPLS tunnels that suppress IP-TTL propagation, hiding intermediate hops and creating false direct links in the apparent network topology [Donnet-2012] [Vanaubel-2017] [Luttringer-2020]. This document formalises the interaction between MPLS path camouflage and the vantage-authentication problem of the Multi- Vantage Path Snapshot (MVPS) framework [I-D.melegassi-iab-mvps-architecture]. Three technical contributions are introduced. First, Lemma L-GEO-1 (RTT Localization Bound) establishes the feasible location set for any MVPS vantage given RTT measurements to three or more anchor points, under the assumption that all traversed tunnels are explicit or implicit in the Donnet taxonomy (TTL propagation active). Second, Lemma L-MPLS-1 (MPLS Camouflage Vulnerability) quantifies the correction term Delta_mpls that invisible and opaque tunnels introduce into the L-GEO-1 bound. For invisible tunnels this correction is unbounded without prior tunnel revelation; for opaque tunnels it is bounded by the hidden-hop count times the minimum per-hop propagation delay. Third, Theorem T-CAM-1 (MPLS-Aware Camouflage Detection) proves that an MVPS bundle from three or more vantage-to-anchor paths, combined with DPR/BRPR tunnel-revelation probing [Vanaubel-2017] or its TNT implementation [Luttringer-2020], detects MPLS- camouflaged vantage impersonation with probability at least 1 - epsilon under the existing MVPS chi-squared coherence test (Theorem 2 of the v4.0 proof catalogue [v4-proof]). Three explicit caveats (T-CAM-1.A on the i.i.d. assumption of the DKW bound, T-CAM-1.B on the empirical FAR Hypothesis H3 of [v4-proof], and T-CAM-1.C on revelation soundness under adversarial operators) qualify the bound in operational deployment. An auxiliary lemma L-GEO-1.1 (Anchor Geometry) characterises the necessary and sufficient angular distribution of anchors for L-GEO-1 to discriminate two candidate positions; this gives a deployable guideline for anchor selection. Two new phase labels, MPLS_CAMOUFLAGE_SUSPECTED and REVELATION_UNAVAILABLE, are introduced and added to the MVPS phase taxonomy alongside LOCATION_CONSISTENT, LOCATION_MARGINAL, CAMOUFLAGE_SUSPECTED, and SPOOFED_VANTAGE. A threat model (Section 1.3) enumerates seven adversarial incentive classes for vantage-location misrepresentation, from geo-licensing and sanctions circumvention to CDN and advertising fraud, and binds each to the same detection theorem. Limitations explicitly disclosed include: the symmetric "RTT inflation" attack (Section 10.2), the PHP tunnel coverage gap when the adversary controls the ingress LER (Section 10.3), the alignment between the geometric vantage minimum (N >= 3) and the Byzantine vantage minimum (N >= 3f+1, Section 10.4), and -- established as Lemma L-SRv6-1 (Section 8.3) -- the fact that the SRv6 forwarding plane (native IPv6 with H.Encaps) is NOT revealable by VP-side traceroute, so SRv6-encapsulated segments are treated as an explicit open problem rather than a solved case. A companion result, Lemma L-SRv6-2 (Section 8.4), shows this impossibility is relative to the information set: the interior is recoverable from cooperative channels (ingress reflector, control plane, egress), every one of which the adversarial threat model denies, so L-SRv6-1 is tight in that model. All results are proved by discharging MVPS axioms A1..A5 against the structural assets of the Donnet MPLS taxonomy combined with the RTT-ellipsoid localization method. No new wire format is defined; no new codepoints are required. The document is informational. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 28 November 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Melegassi Expires 28 November 2026 [Page 1] Internet-Draft MVPS Vantage Localization under MPLS May 2026 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Motivation: Using the Taxonomy Against Itself . . . . . 4 1.2. Scope and Non-Goals . . . . . . . . . . . . . . . . . . 5 1.3. Attacker Motivation and Threat Model . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 9 3. MPLS Tunnel Taxonomy . . . . . . . . . . . . . . . . . . . 6 3.1. Four Canonical Types . . . . . . . . . . . . . . . . . 6 3.2. Prevalence (2025 measurement) . . . . . . . . . . . . . 7 4. Vantage Localization in MVPS . . . . . . . . . . . . . . . 8 4.1. MVPS Axiom A1 and the Tick-Lattice Constraint . . . . . 8 4.2. Lemma L-GEO-1: RTT Localization Bound . . . . . . . . . 9 4.3. Lemma L-GEO-1.1: Anchor Geometry . . . . . . . . . . .10 5. MPLS Camouflage Vulnerability . . . . . . . . . . . . . . .11 5.1. Lemma L-MPLS-1: Camouflage Correction . . . . . . . . .12 5.2. Per-Type Analysis . . . . . . . . . . . . . . . . . . .13 6. MVPS-Aware Camouflage Detection . . . . . . . . . . . . . .14 6.1. Theorem T-CAM-1: Detection via Coherence Test . . . . .14 6.2. Corollary T-CAM-1.1: CWT Cross-Binding . . . . . . . .16 7. Phase Taxonomy Extension . . . . . . . . . . . . . . . . .17 8. Tunnel Revelation Integration . . . . . . . . . . . . . . .18 8.1. DPR and BRPR (Classical MPLS) . . . . . . . . . . . .18 8.2. SR-MPLS Revelation via AReST . . . . . . . . . . . . .19 8.3. SRv6 Forwarding-Plane Limitation (L-SRv6-1) . . . . .19 8.4. Relativity of SRv6 Revelation (L-SRv6-2) . . . . . . .20 9. Deployment Considerations . . . . . . . . . . . . . . . . .21 10. Security Considerations . . . . . . . . . . . . . . . . . .21 10.1. DPR/BRPR/TNT under Adversarial Operators . . . . . . .22 10.2. RTT Inflation Attack (Dual of Camouflage) . . . . . .23 10.3. PHP Tunnel Coverage Gap . . . . . . . . . . . . . . .24 10.4. Pre-condition Alignment with Byzantine Bound . . . . .24 11. IANA Considerations . . . . . . . . . . . . . . . . . . . .25 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . .25 13. References . . . . . . . . . . . . . . . . . . . . . . . .26 13.1. Normative References . . . . . . . . . . . . . . . . .26 13.2. Informative References . . . . . . . . . . . . . . . .27 Appendix A. Worked Example: Invisible-Tunnel Attack . . . . .29 Appendix B. Validator Notes . . . . . . . . . . . . . . . . .30 Author's Address . . . . . . . . . . . . . . . . . . . . . . .30 Melegassi Expires 28 November 2026 [Page 2] Internet-Draft MVPS Vantage Localization under MPLS May 2026 1. Introduction The Multi-Vantage Path Snapshot (MVPS) framework [I-D.melegassi-iab-mvps-architecture] defines a formal structure for multi-point network coherence measurement. Its Architecture Invariance Theorem states that any instantiation satisfying five structural axioms (MVPS-A1 through MVPS-A5) mechanically inherits a catalogue of nine theorems and two lemmas from the v4.0 existence proof [v4-proof]. Instantiations demonstrated so far include classical Internet paths [I-D.melegassi-ippm-mvps-bundle], satellite orbital segments [I-D.melegassi-ippm-mvps-orbital], IXP meshes [I-D.melegassi-nic-ippm-mvps-ixp-vantage], and broadband- access CPE fleets [I-D.melegassi-ganascim-mvps-bbf-mesh]. All instantiations share a structural assumption that is easy to overlook: that the vantages claimed by the system actually occupy the locations they declare. This assumption is non-trivial. An adversary controlling an MPLS-capable infrastructure can place an MVPS vantage at a remote location while making it appear, to standard traceroute-based localization, as if the vantage is co-located with a legitimate network entry point. The mechanism is well known: invisible MPLS tunnels, as classified by Donnet et al. [Donnet-2012] and studied further in [Vanaubel-2017] and [Luttringer-2020], suppress IP-TTL propagation inside label- switched paths, eliminating intermediate hops from the traceroute output. The result is a false direct link between the ingress Label Edge Router (LER) and the egress LER. An adversary placing a vantage at the egress end of an invisible tunnel can cause the vantage to appear, from the outside, as if it were adjacent to the ingress LER -- potentially in a completely different geographic location. This vulnerability has two compounding roots. First, IP geolocation databases -- the simplest localization tool -- are known to be unreliable [Poese-2011]: they mis-locate IP addresses frequently enough to render database-based vantage authentication impractical. Second, traceroute-based localization, the standard alternative, is blind to the hidden hops inside invisible tunnels and therefore reports the ingress- to-egress RTT without the ability to attribute it to intermediate topology. This document addresses both roots simultaneously by formalising the problem using MVPS axiom A1 (the tick-lattice constraint, which encodes timing precision) and the Donnet MPLS taxonomy (which classifies how much of the path each tunnel type hides). The combination yields a three-part result: (a) A localization lemma (L-GEO-1) valid for paths traversing only explicit or implicit tunnels, giving a closed-form feasible-location set from RTT measurements alone. (b) A vulnerability lemma (L-MPLS-1) showing that invisible and opaque tunnels break L-GEO-1 unless prior revelation is performed, and quantifying the correction term Delta_mpls where revelation is partial. (c) A detection theorem (T-CAM-1) showing that the MVPS chi- squared coherence test (inherited Theorem 2) detects MPLS- camouflaged vantage impersonation with probability at least 1 - epsilon, when combined with DPR or BRPR revelation [Vanaubel-2017] or their TNT implementation [Luttringer-2020]. The practical consequence is that an adversary attempting to camouflage a vantage via invisible MPLS tunneling faces two independent detection channels: the RTT-localization feasibility test (L-GEO-1 + L-MPLS-1) and the MVPS coherence residual (T-CAM-1). Neither channel alone is sufficient; both together close the gap. Section 8 additionally describes how AReST [Dekinder-2025], the 2025 tool for Advanced Revelation of Segment Routing Tunnels, extends the revelation corpus to SR-MPLS infrastructure, providing a forward-compatible path for T-CAM-1 as operators transition from classical MPLS to Segment Routing. Section 8.3 separately establishes, as Lemma L-SRv6-1, that the SRv6 forwarding plane (native IPv6 with H.Encaps) is NOT revealable by VP-side traceroute, and treats SRv6 revelation as an explicit open problem rather than a solved case. This document is informational. It defines no new wire format, no new codepoints, and no RFC 2119 MUST/SHOULD obligations. It proposes one addition to the MVPS phase taxonomy (MPLS_CAMOUFLAGE_SUSPECTED, Section 7) and one validator (Appendix B). 1.1. Motivation: Using the Taxonomy Against Itself The central observation of this document is that Donnet's MPLS taxonomy is both the attack surface and the defence toolkit. The four tunnel types (explicit, implicit, opaque, invisible) define exactly the surface area that an adversary can exploit; and the revelation techniques (DPR, BRPR, TNT, AReST) developed to MEASURE that surface are the same techniques that close the vantage-authentication gap. The MVPS coherence test then provides the statistical binding that makes detection mathematically precise. 1.2. Scope and Non-Goals This document does not propose any modification to MPLS router behaviour, TTL-propagation defaults, or RFC 4950 [RFC4950] deployment. It does not request any allocation from IANA. Its sole technical contribution is the formal integration of the Donnet MPLS taxonomy with the MVPS vantage-authentication problem. 1.3. Attacker Motivation and Threat Model Understanding why an adversary would misrepresent the geographic location of an MVPS vantage is essential to evaluating the practical relevance of the detection mechanisms in this document. This section enumerates the principal incentive classes. The list is not exhaustive; it is informed by the geopolitical and operational context of 2025-2026. The observations in this section were proposed by Benoit Donnet (private communication, 2026) and are incorporated here as the formal threat scope of the document. (M-1) Circumvention of geographic restrictions and geo-licensing. Content licensing agreements, sports broadcast rights, and financial service regulations are frequently enforced by gating access based on the declared geographic location of the requesting network endpoint. An operator who camouflages a vantage -- making a node physically located in a restricted region appear to be in a neutral region -- can bypass such geographic filters. In the current geopolitical context, state-level actors subject to sanctions regimes (e.g., those applied to Russia after 2022 or to North Korea) have strong incentives to disguise the true location of their network infrastructure. By presenting a vantage located in a sanctioned country as being in a neutral third country, such actors can participate in open measurement infrastructures under a false identity, bypass peering restrictions, or covertly map sensitive network topologies without triggering geographic filters. MVPS camouflage detection is directly applicable as a tool for Regional Internet Registries and IXPs to verify the declared location of network infrastructure. (M-2) Manipulation of SLAs and quality-of-service metrics. Service Level Agreements between carriers and customers often include geographic performance guarantees (e.g., RTT caps between specific city pairs, or packet-loss bounds within a geographic region). By misrepresenting the location of a measurement vantage, an operator can make MPLS-inflated RTTs appear to conform to a tighter SLA than the actual infrastructure supports, suppressing penalty clauses and audit failures. (M-3) CDN fraud and anycast server-selection manipulation. Content Delivery Networks and authoritative DNS resolvers use vantage- geolocation to direct clients to the nearest cache or replica. A vantage that falsely claims to be in a high-demand geographic region (e.g., a major metropolitan area) can capture a disproportionate share of CDN traffic, enabling revenue fraud or cache-poisoning at scale. Anycast routing is similarly vulnerable: an operator can claim proximity to an anycast prefix while actually being several AS-hops further away, distorting traffic-engineering decisions made by third-party networks. (M-4) Sensitive network topology espionage. MVPS vantages conduct systematic path-measurement probing toward anchor sets. A camouflaged vantage placed inside a target AS or IXP can conduct topology measurement from a vantage position that would not be granted access if its true location were known. MPLS invisible tunnels allow the probing node to appear as a well-known public measurement point (e.g., a RIPE Atlas anchor) while actually residing deep inside a private network. (M-5) Circumvention of sanctions and network embargoes. Network-layer sanctions -- such as BGP de-peering of sanctioned ASes or geographic IP block-lists enforced by IXPs -- can be circumvented if the AS can present a measurement vantage that appears to originate from a non-sanctioned region. This is a superset of M-1 applied specifically to routing-layer enforcement mechanisms rather than application-layer content controls. (M-6) Attacks on distributed anomaly detection systems. Distributed measurement systems (including MVPS itself) rely on the independence of geographically separated vantages to detect anomalies via cross-vantage coherence. An adversary who controls multiple vantages and can camouflage their true co-location can fabricate the appearance of geographically distributed measurement while all probes originate from the same physical location, invalidating the statistical independence assumption underlying coherence tests such as Theorem T-CAM-1. This is the camouflage attack applied at the meta-level: it does not attack a single vantage but the measurement infrastructure's notion of diversity itself. (M-7) Advertising fraud and geolocated audience measurement. Digital advertising markets use IP geolocation to price impressions: a user appearing to be in a high-CPM market (e.g., Western Europe or North America) commands a significantly higher bid price than the same user appearing to be in a low-CPM market. An operator that camouflages measurement vantages used for audience verification can systematically inflate reported audience metrics for high-value geographies, defrauding advertisers at scale. Each of these incentive classes is detectable, in principle, by the mechanisms of this document: if a vantage claims a location that is inconsistent with the RTT evidence after tunnel revelation (Theorem T-CAM-1), the claim fails regardless of the operator's motivation. The threat model therefore informs deployment priorities -- operators protecting IXP integrity (M-1, M-5) have different calibration requirements than CDN operators (M-3) or SLA auditors (M-2) -- but does not alter the underlying detection theorem. Melegassi Expires 28 November 2026 [Page 3] Internet-Draft MVPS Vantage Localization under MPLS May 2026 2. Terminology The key terms used in this document are defined as follows. MVPS Multi-Vantage Path Snapshot framework, as defined in [I-D.melegassi-iab-mvps-architecture]. Vantage (v) A measurement point participating in an MVPS bundle. Each vantage has a declared position p_v in geographic or topological space. Anchor (a_i) A reference node with a known, publicly verifiable position. Used as a fixed point for RTT-based localization. Suitable anchors include RIPE Atlas probes, CAIDA Ark nodes, and IXP route servers with published coordinates. RTT(v, a_i) The round-trip time measured from vantage v to anchor a_i. For localization purposes this is the minimum observed RTT over a calibration window. c_fiber Speed of light in standard single-mode optical fibre, approximately 2/3 * c_vacuum, i.e., approximately 2e8 m/s. sigma_NTP Per-vantage NTPv4 synchronisation error. Under MVPS axiom A1 the joint skew satisfies 2 * sigma_NTP + tau_RTT_max < T_tick. Feasible The set of positions consistent with all RTT Location Set measurements to anchor set {a_i}, given timing (F_v) precision sigma_geo = RTT_floor * c_fiber / 2. Delta_mpls Correction term introduced by an MPLS tunnel on the path from a vantage to an anchor. Zero for explicit/implicit tunnels; bounded for opaque; potentially unbounded for invisible. LER Label Edge Router: the ingress (iLER) or egress (eLER) router of an MPLS Label-Switched Path. LSR Label Switching Router: an intermediate router inside an MPLS LSP. DPR Direct Path Revelation: probing technique of [Vanaubel-2017] for revealing IP hops hidden inside invisible MPLS tunnels. BRPR Backward Recursive Path Revelation: recursive probing technique of [Vanaubel-2017]. TNT Traceroute for Network Tunnels: implementation of DPR and BRPR in [Luttringer-2020]. AReST Advanced Revelation of Segment Routing Tunnels: tool for SR-MPLS tunnel revelation [Dekinder-2025]. MVPS-A1..A5 The five structural axioms of the MVPS architecture [I-D.melegassi-iab-mvps-architecture]. T2 Theorem 2 of [v4-proof]: the Mahalanobis D^2 chi-squared coherence test with FAR control. Melegassi Expires 28 November 2026 [Page 4] Internet-Draft MVPS Vantage Localization under MPLS May 2026 3. MPLS Tunnel Taxonomy 3.1. Four Canonical Types The following classification is due to [Donnet-2012], with the opaque type subsequently revised and refined in [Vanaubel-2017] and further replicated at Internet scale in [Huddleston-2025]. Two binary features determine the visibility of an MPLS LSP to traceroute: Feature F1. TTL-propagate. Whether the ingress LER copies the IP-TTL value into the MPLS LSE-TTL field (ttl-propagate ON), or instead sets LSE-TTL to 255 (ttl-propagate OFF, i.e., no-ttl-propagate). Feature F2. RFC 4950 [RFC4950]. Whether LSRs include MPLS label-stack information in their ICMP time- exceeded messages. The four types are: Explicit (E). F1 = ON, F2 = yes. All LSRs inside the LSP respond to traceroute and include MPLS labels in ICMP responses. Full hop-by-hop visibility; semantic label information available. Delta_mpls = 0. Implicit (I). F1 = ON, F2 = no. LSRs respond to traceroute but appear as ordinary IP routers (no label information). RTT measurements are accurate. Delta_mpls = 0. Opaque (O). F1 = OFF, F2 = yes. Ingress LER sets LSE-TTL = 255; LSRs do not respond to traceroute probes; only the exit hop (eLER) is visible. However, the LSE-TTL value returned by the eLER in its ICMP time- exceeded message reveals the tunnel length: n_hidden = 255 - LSE-TTL - 1. Delta_mpls is bounded: see Section 5.2. Invisible (V). F1 = OFF, F2 = no (or RFC 4950 may be present but without PHP/UHP response). All LSRs inside the tunnel are completely hidden. The ingress LER appears as a direct neighbour of the egress LER. No length information is available without revelation. Delta_mpls is unbounded without DPR/BRPR. 3.2. Prevalence (2025 Measurements) [Huddleston-2025] replicated the [Vanaubel-2017] large-scale MPLS study using 2025 vantage-point data. Key findings: - At least 30% of Internet paths traverse at least one MPLS tunnel (consistent with [Donnet-2012]). - Invisible (PHP) tunnels remain the most problematic type; their fraction relative to total tunnels has remained consistent from 2019 to 2025 despite overall MPLS deployment declining. - Each invisible tunnel hides an average of 5.7 routers per tunnel (2025 data). - Explicit tunnels are partially replacing invisible UHP, implicit, and opaque tunnels, suggesting gradual improvement in traceroute transparency -- but not elimination. These figures establish that invisible MPLS tunnels are not a legacy pathology; they are a current, persistent property of the Internet that any vantage-localization scheme must account for. Melegassi Expires 28 November 2026 [Page 5] Internet-Draft MVPS Vantage Localization under MPLS May 2026 4. Vantage Localization in MVPS 4.1. MVPS Axiom A1 and the Tick-Lattice Constraint MVPS axiom A1 [I-D.melegassi-iab-mvps-architecture] requires that all vantages share a common tick lattice, i.e., that their clocks are synchronised to a common stratum with a joint skew bounded by: 2 * sigma_NTP + tau_RTT_max < T_tick where sigma_NTP is the per-vantage NTPv4 synchronisation error (typically < 1 ms on a well-peered stratum-2 source), tau_RTT_max is the maximum observed RTT from any vantage to the NTP server, and T_tick is the measurement cadence (typically 100 ms to 1 s in deployed MVPS bundles). This constraint has a direct implication for localization. The minimum RTT from vantage v to any anchor a_i satisfies: RTT_min(v, a_i) >= 2 * D(p_v, p_{a_i}) / c_fiber where D(p, q) is the great-circle distance between positions p and q, and c_fiber is the speed of light in fibre (approx. 2e8 m/s). The inequality is tight for paths with no queuing delay and negligible processing delay. Equality does not hold in practice due to routing indirectness, but RTT_min provides a hard lower bound. Note on A1 and timing precision: sigma_geo := RTT_floor * c_fiber / 2 is the localization uncertainty attributable to timing noise and routing indirectness. For sigma_NTP < 1 ms, sigma_geo < 100 km -- a resolution appropriate for inter-city localization but not intra-city. Sub-city localization requires additional probing (e.g., multi-anchor FRPLA [Vanaubel-2017]). 4.2. Lemma L-GEO-1: RTT Localization Bound Scope note: L-GEO-1 is the idealised reference case in which no opaque or invisible MPLS tunnels intervene on any anchor path. In the public Internet of 2025, Section 3.2 establishes that at least 30% of paths traverse some MPLS tunnel and invisible PHP tunnels remain prevalent; consequently L-GEO-1 alone is rarely applicable outside controlled environments (data-centre fabrics, intra-AS measurement, audited IXP meshes). In the public Internet, the operationally relevant form is L-MPLS-1 (Section 5), which extends L-GEO-1 to account for tunnel-induced corrections. LEMMA L-GEO-1 (RTT Localization Bound under Transparent Paths). Pre-conditions: (P1) M >= 3 anchors {a_1, ..., a_M} with known positions. (P2) All paths from vantage v to each a_i traverse only Explicit (E) or Implicit (I) tunnels (Delta_mpls = 0). See scope note above. (P3) Minimum RTT r_i = RTT_min(v, a_i) is measured over a calibration window of at least n_calib samples. Statement: Under P1..P3, the feasible location set of v is: F_v = INTERSECTION over i in {1..M} of Ball(a_i, r_i * c_fiber / 2 + sigma_geo) where Ball(c, r) denotes the set of positions within distance r of centre c. A vantage claiming position p_c with p_c NOT in F_v is LOCATION_INFEASIBLE. Proof sketch: Under P2, RTT_min(v, a_i) >= 2 * D(p_v, p_{a_i}) / c_fiber (Section 4.1). Therefore D(p_v, p_{a_i}) <= r_i * c_fiber / 2. Adding sigma_geo for timing noise (bounded by A1) gives p_v in Ball(a_i, r_i * c_fiber / 2 + sigma_geo) for all i. The intersection over M >= 3 non- collinear anchors has bounded diameter (in R^3, three spheres in general position intersect in at most two points, and a fourth anchor resolves the ambiguity). If p_c lies outside this intersection, then D(p_c, p_v) > 0 for all physically feasible p_v, proving infeasibility. Remark: P2 is the critical condition that Sections 5 and 6 relax. When invisible tunnels are present, r_i may undercount the true path length, inflating the apparent feasible set. Remark on scope: L-GEO-1 provides a one-sided geometric constraint -- it can REJECT positions whose distance to some anchor exceeds the RTT-derived ball radius, but it CANNOT reject positions that happen to fall inside every ball even though they differ from the true location. Whether the intersection F_v actually discriminates p_c from p_r depends on the angular distribution of the anchors with respect to the line segment [p_r, p_c]; see Lemma L-GEO-1.1 below. 4.3. Lemma L-GEO-1.1: Anchor Geometry for Discrimination LEMMA L-GEO-1.1 (Anchor Geometry). Pre-conditions: (P1') Same as L-GEO-1 pre-conditions P1..P3. (P4) True position p_r and claimed position p_c with p_r != p_c. Statement: The feasible set F_v excludes p_c (i.e., L-GEO-1 detects the lie) if and only if there exists at least one anchor a_k such that: D(p_c, a_k) > RTT_min(v, a_k) * c_fiber / 2 + sigma_geo >= D(p_r, a_k) A sufficient geometric condition is that the anchor set {a_i} spans the sphere with enough angular diversity that for any two distinct candidate positions p, p' on the surface of Earth, there exists at least one a_k satisfying |D(p, a_k) - D(p', a_k)| > 2 * sigma_geo + Delta_mpls_max. Operational interpretation: The lemma quantifies what "non-collinear anchors" means in L-GEO-1. Three anchors clustered in the same region (e.g., all in Western Europe) leave a large feasible set that may contain both p_r and p_c. Three anchors spanning continents (e.g., one each in North America, Europe, and East Asia) produce a smaller intersection that discriminates inter- continental displacement. Intra-continental claims (e.g., Miami vs. Newark) require either (a) anchors in multiple directions on the same continent, or (b) reliance on the MVPS coherence axes C_2 and C_3 (Theorem T-CAM-1) rather than L-GEO-1 alone. Proof: The biconditional is immediate from the definition of F_v (Lemma L-GEO-1, intersection over anchors of Ball(a_i, r_i * c_fiber/2 + sigma_geo)). p_c is in F_v iff for every a_k, D(p_c, a_k) <= r_k * c_fiber/2 + sigma_geo. The sufficient condition follows by triangle inequality applied to the pair (p_r, p_c). QED. Recommendation: Operators SHOULD select anchors so that at least one pair (a_j, a_k) satisfies D(a_j, a_k) > D(p_r, p_c) for the smallest geographic displacement the operator wishes to detect. For inter-city detection at city-pair scale (~1000 km), at least three anchors with mutual distances above 2000 km are required. Melegassi Expires 28 November 2026 [Page 6] Internet-Draft MVPS Vantage Localization under MPLS May 2026 5. MPLS Camouflage Vulnerability When one or more MPLS tunnels of type Opaque (O) or Invisible (V) lie on the path from vantage v to anchor a_i, the RTT measured at the probe source is the full end-to-end RTT from source to eLER. However, the TOPOLOGY inferred from the traceroute hop sequence is false: intermediate LSRs are absent, making the iLER appear as the direct neighbour of the eLER. An adversary exploiting this property can: (Attack-A) Place vantage v behind an invisible MPLS tunnel at geographic position p_r while declaring claimed position p_c = p_{iLER}, i.e., the position of the ingress LER. External probes will observe RTT(source, eLER) = RTT(source, v) without detecting the tunnel, and the false topology will show a direct link from iLER to v. (Attack-B) Use PHP (Penultimate Hop Popping) within an invisible tunnel to cause the second-to-last LSR to decrement the MPLS TTL instead of the eLER, preventing the eLER from sending an RFC 4950 response. This defeats opaque-tunnel detection at the eLER, converting an opaque to a fully invisible tunnel from the measurement side. 5.1. Lemma L-MPLS-1: MPLS Camouflage Correction LEMMA L-MPLS-1 (MPLS Camouflage Vulnerability). Let P(v, a_i) be the set of MPLS tunnel segments on the path from vantage v to anchor a_i. For each tunnel segment t in P(v, a_i), let type(t) in {E, I, O, V} be its Donnet type, and n_h(t) be the number of hidden hops (zero for E and I). Define the per-anchor correction: Delta_mpls(v, a_i) := SUM over t in P(v, a_i) where type(t) in {O, V} of n_h(t) * RTT_min_hop where RTT_min_hop is the minimum propagation delay attributable to a single router hop. The choice of RTT_min_hop materially affects the magnitude of Delta_mpls and therefore the size of the corrected feasible set F_v^mpls. Operators MUST select RTT_min_hop using a defensible derivation; this document recommends the following calibration procedure: (a) Estimate the per-hop propagation floor from the operator's own measurement infrastructure. For a representative sample of EXPLICIT (type-E) MPLS tunnels of known hop count n on the same anchor pool, compute per_hop_floor := median over tunnels of (RTT_explicit / n). Typical values observed in large-scale measurement (CAIDA Ark, RIPE Atlas) fall in the range 0.5-2 ms for co-located rack-to-rack hops and 2-5 ms for inter-PoP hops within the same metropolitan area. (b) Choose RTT_min_hop as the 10th percentile of the per_hop_floor distribution. Choosing a low percentile is CONSERVATIVE for L-MPLS-1: it gives the adversary the maximum benefit of the doubt by subtracting the largest plausible Delta_mpls, shrinking F_v^mpls as little as possible. (c) Re-calibrate RTT_min_hop quarterly or whenever the operator's anchor topology changes materially. When operator-specific calibration is not available, this document specifies RTT_min_hop = 2 ms as a default. This default is justified as the approximate 10th percentile of the per-hop floor distribution reported in [Huddleston-2025] Table 4 for invisible-tunnel intra-tunnel hop counts in 2025 IPv4 measurements. Operators using the default SHOULD document this choice in their MVPS deployment notes; the default is NOT a normative constant of this specification. Then the corrected feasible-location set under MPLS is: F_v^mpls = INTERSECTION over i in {1..M} of Ball(a_i, (r_i + Delta_mpls(v, a_i)) * c_fiber / 2 + sigma_geo) For type O tunnels: n_h(t) is observable from the LSE-TTL value returned by the eLER (Section 3.1). Delta_mpls is bounded and computable. F_v^mpls is a superset of F_v but remains bounded. For type V tunnels: n_h(t) is unknown without DPR/BRPR/TNT revelation. In the worst case n_h(t) is unbounded (255 - 1 hops maximum in a single LSP label stack), so F_v^mpls degenerates to an unbounded set: L-GEO-1 cannot guarantee localisation. 5.2. Per-Type Analysis Type F1 F2 Delta_mpls L-GEO-1 intact? ----- --- --- ---------- --------------- E ON yes 0 YES I ON no 0 YES O OFF yes bounded YES (superset, bounded) V OFF any unbounded* NO (without revelation) * Unless DPR/BRPR/TNT probing reveals n_h(t); see Section 8. Corollary L-MPLS-1.1 (Implicit PHP Attack). The PHP variant of an invisible tunnel (Attack-B, Section 5) converts an operationally opaque tunnel into a type-V tunnel from the MEASUREMENT perspective, making n_h(t) unobservable via standard ICMP LSE-TTL inspection. DPR is required to recover n_h(t). Operational impact: In the 2025 replication study [Huddleston-2025], invisible PHP tunnels hid an average of 5.7 hops per tunnel. At RTT_min_hop = 2 ms per hop, Delta_mpls = 11.4 ms per invisible tunnel, corresponding to a false position credit of approximately 1140 km per invisible tunnel. An adversary traversing three invisible tunnels in series could mask geographic displacement exceeding 3400 km -- effectively spanning a continent -- while appearing legitimate to any localization scheme that does not perform tunnel revelation. Melegassi Expires 28 November 2026 [Page 7] Internet-Draft MVPS Vantage Localization under MPLS May 2026 6. MVPS-Aware Camouflage Detection 6.1. Theorem T-CAM-1: Detection via Coherence Test THEOREM T-CAM-1 (MPLS-Aware Camouflage Detection). Pre-conditions: (Q1) MVPS bundle with N >= 3 vantages; vantage v claims position p_c. (Q2) M >= 3 anchors with known positions and measured RTTs from v, calibrated over n_calib >= 18,500 observations (MVPS operational contract OC3). (Q3) DPR/BRPR or TNT [Luttringer-2020] has been run on all paths from v to {a_i} and the revelation output has identified all type-V and type-O tunnel segments with their corrected n_h(t). (Q4) The corrected feasible set F_v^mpls (Lemma L-MPLS-1) has been computed. Statement: Let p_r be the true position of vantage v, and let p_c be its declared position. If p_c NOT in F_v^mpls, then the MVPS chi-squared coherence test (Theorem 2 of [v4-proof]) detects the vantage as LOCATION_INFEASIBLE with probability at least 1 - epsilon, where epsilon satisfies the DKW bound [I13]: epsilon <= exp( - 2 * n_calib * gamma^2 ) with gamma = (FAR_target / 2) and FAR_target the operator-chosen false alarm rate. For FAR_target = 0.01 and n_calib = 18,500, epsilon < 1e-9. Proof sketch: Under Q1..Q4, the corrected L-GEO-1 test (L-MPLS-1) maps p_c to LOCATION_INFEASIBLE. This infeasibility manifests as a systematic offset in at least one coherence axis C_j (j in {1,2,3}): the RTT-based C_1 axis reports the ingress-to-egress RTT (which is physically consistent with p_{eLER}), while the path-topology inferred C_3 axis (Jaccard similarity on touched-object sets) is inconsistent with p_c, since the hidden hops DO influence the routing table of p_{eLER} even though they are invisible to traceroute. The joint Mahalanobis D^2 on (C_1, C_2, C_3) detects this inconsistency at threshold q_J (MVPS Theorem 2 + Theorem 4, [v4-proof]). Calibration over n_calib samples bounds the FAR by the DKW inequality (Imported Result I13 of [v4-proof]). Both theorems inherit from the Architecture Invariance Theorem [I-D.melegassi-iab-mvps-architecture] since axioms A1..A5 are satisfied by any vantage that participates in a valid MVPS bundle. QED. Remark: The detection relies on C_3 (topological axis) being inconsistent. If the adversary also spoofs the routing-table content of the eLER (not just its location), detection requires the Byzantine-robust extension described in Theorem 9 of [v4-proof], which bounds the adversarial bias on the centroid. Caveat T-CAM-1.A (Independence assumption). The DKW bound I13 of [v4-proof] requires that the n_calib calibration observations be independent and identically distributed (i.i.d.). An adversary aware of the calibration window can degrade the i.i.d. assumption by correlating tunnel activation with diurnal traffic patterns, BGP convergence events, or peering reconfigurations. Operators SHOULD partition the calibration window across multiple non-overlapping epochs (recommendation: four 90-minute windows separated by at least 24 hours) and verify per-epoch FAR stability before asserting the global bound. Caveat T-CAM-1.B (Empirical FAR hypothesis). Theorem 2 of [v4-proof] guarantees the chi-squared distribution of D^2 under the conditions of axioms MVPS-A1..A3. The realized false-alarm rate within +/- 25% of nominal is Hypothesis H3 of [v4-proof], which is empirically supported but NOT formally proven for non-Gaussian C(t) distributions (see [v4-proof] Section "Hypotheses for empirical validation"). The epsilon < 1e-9 figure quoted above inherits this empirical conditioning. Operators with strict FAR requirements SHOULD validate Hypothesis H3 on a per-deployment basis using the DKW-bound test specified in [v4-proof] OC3, and tighten n_calib if observed FAR departs from nominal by more than 25%. Caveat T-CAM-1.C (Revelation soundness). Pre-condition Q3 assumes that TNT or AReST revelation produces accurate n_h(t). As detailed in Section 10.1, this assumption fails under adversarial MPLS operators (Attacks C and D). In such environments the effective epsilon is bounded by the minimum of the DKW bound and the revelation success probability, which must be characterized operationally. 6.2. Corollary T-CAM-1.1: CWT Cross-Binding COROLLARY T-CAM-1.1 (CWT Cross-Binding). Under the CWT trust model [I-D.melegassi-santos-ippm-mvps-cwt], a vantage v that: (a) presents a valid CWT token (T-AUTH-CWT-1 is satisfied), AND (b) is flagged LOCATION_INFEASIBLE by the L-MPLS-1 test is classified as MPLS_CAMOUFLAGE_SUSPECTED. Rationale: CWT authentication establishes cryptographic identity of the measuring process; it does not authenticate the physical location. A valid CWT token from a vantage at p_r, presented under a claimed location p_c NOT in F_v^mpls, is a combination that the CWT model cannot rule out but that the L-MPLS-1 localization can. The MPLS_CAMOUFLAGE_SUSPECTED label precisely captures this disjunction: "we cannot deny the identity, but physics denies the location." Melegassi Expires 28 November 2026 [Page 8] Internet-Draft MVPS Vantage Localization under MPLS May 2026 7. Phase Taxonomy Extension The MVPS phase taxonomy, introduced in the base bundle [I-D.melegassi-ippm-mvps-bundle], is extended by this document with two new phase labels (MPLS_CAMOUFLAGE_SUSPECTED and REVELATION_UNAVAILABLE) and a new detection pathway. Revised MVPS phase taxonomy (phase labels ordered by severity): COHERENT Normal operation. D^2 < q_J. L-GEO-1 passes. DRIFTING Coherence degrading. D^2 approaching q_J. L-GEO-1 passes. LOCATION_CONSISTENT L-GEO-1: claimed position p_c IN F_v. Revelation: no invisible tunnels detected on anchor paths. LOCATION_MARGINAL L-GEO-1: p_c within sigma_geo of boundary of F_v. Revelation: no invisible tunnels, but path is MPLS-rich. Operator should increase anchor count to M >= 5. MPLS_CAMOUFLAGE_SUSPECTED [NEW -- this document] L-MPLS-1: invisible or opaque tunnels found on anchor paths. Corrected F_v^mpls excludes p_c. CWT: authentication status may be valid or invalid. ACTION: Run DPR/BRPR on all anchor paths; if revelation confirms n_h(t) and p_c remains outside F_v^mpls, escalate to CAMOUFLAGE_CONFIRMED. REVELATION_UNAVAILABLE [NEW -- this document] An anchor path traverses an SRv6-encapsulated segment (H.Encaps) whose hidden hops are not revealable from the VP side (Lemma L-SRv6-1, Section 8.3). Pre-condition Q3 of Theorem T-CAM-1 is unsatisfiable for that path. ACTION: Exclude the affected anchor path from the L-MPLS-1 correction; do NOT treat the SRv6 segment as a direct link. Prefer additional non-SRv6 anchors to restore M >= 3 revealable paths before evaluating T-CAM-1. CAMOUFLAGE_SUSPECTED L-GEO-1: p_c NOT in F_v (no MPLS tunnels involved). CWT: authentication valid (identity present but location physically infeasible without tunneling). SPOOFED_VANTAGE L-GEO-1/L-MPLS-1: p_c outside feasible set. CWT: authentication INVALID. Full rejection; remove vantage from bundle. The ordering is informational; operators may choose their own escalation policy. The MVPS phase state machine [I-D.melegassi-ippm-mvps-bundle] treats any phase from MPLS_CAMOUFLAGE_SUSPECTED upward as requiring operator intervention. Melegassi Expires 28 November 2026 [Page 9] Internet-Draft MVPS Vantage Localization under MPLS May 2026 8. Tunnel Revelation Integration 8.1. DPR and BRPR (Classical MPLS) [Vanaubel-2017] introduced two techniques for revealing IP hops hidden inside invisible MPLS tunnels. Direct Path Revelation (DPR): DPR sends probes with systematically decremented MPLS TTL values toward the tunnel, causing individual LSRs to issue ICMP time-exceeded messages. The source IP addresses of these messages reveal the hidden hops in forward order. DPR requires that the measurement vantage be co-located with (or close to) the iLER, so that it can manipulate the MPLS label stack. Backward Recursive Path Revelation (BRPR): BRPR uses traceroute probes from the OUTSIDE toward the tunnel egress, with TTL values set to exactly reach each hidden LSR from the probe source. This does not require access to the iLER. BRPR is iterative: it discovers hops one by one from the eLER backward. For the MVPS vantage-localization use case, BRPR is the preferred technique because: (a) The measurement point (probe source) is NOT inside the tunnel (the adversary's tunnel is between the claimed vantage and the anchor). (b) BRPR requires only standard traceroute probing capability from the probe source, with no access to the iLER. Once revelation is complete, n_h(t) is known for each tunnel segment, Delta_mpls is computable, and the corrected feasibility test F_v^mpls can be evaluated (Theorem T-CAM-1, pre-condition Q3). TNT [Luttringer-2020] implements DPR and BRPR in a single tool (forked from scamper [scamper]). It is the recommended implementation for integrating tunnel revelation into an MVPS measurement pipeline. 8.2. SR-MPLS Revelation via AReST As operators migrate from classical MPLS LSPs to Segment Routing, the tunnel-camouflage threat surface migrates with them. This migration MUST be split into two cases that behave very differently under traceroute-based revelation: SR-MPLS (an MPLS data plane under segment-routed control) and SRv6 (a native IPv6 data plane with encapsulation, treated separately in Section 8.3). SR-MPLS tunnels retain the MPLS data plane. They can exhibit the same visibility categories as classical MPLS tunnels, depending on SID type and TTL-propagation configuration, because the ICMP Time Exceeded generated by an interior LSR is still addressed to the original probe source. The return path of the error signal to the vantage is therefore preserved, exactly as in classical MPLS. [Dekinder-2025] (AReST -- Advanced Revelation of Segment Routing Tunnels) extends the revelation corpus to SR-MPLS infrastructure. For MVPS vantage-localization purposes, AReST provides the same kind of output as TNT: the revealed list of hidden hops for each SR-MPLS tunnel segment on the anchor paths. This parity is NOT unconditional. As with classical MPLS, only the tunnel types that quote a usable label stack in the ICMP response are fully revealable; SR-MPLS tunnels of the implicit, opaque, or invisible classes (Section 5.2) retain the same blind spots as their classical counterparts. AReST therefore inherits, rather than removes, the per-type visibility limits of the Donnet taxonomy. An MVPS deployment MUST apply the L-MPLS-1 correction (and, where revelation is only partial, the Delta_mpls worst-case bound) to SR-MPLS paths exactly as it does to classical MPLS paths. The integration is mechanical: replace the TNT revelation step in pre-condition Q3 of Theorem T-CAM-1 with AReST for SR-MPLS paths. All other steps, including the L-MPLS-1 correction and the T-CAM-1 coherence test, are unchanged. Forward compatibility note: this document recommends that MVPS implementations maintain a revelation backend abstraction that can be satisfied by either TNT (classical MPLS) or AReST (SR-MPLS), with the backend selected based on the label type observed in the Explicit-tunnel responses on anchor paths. SRv6 paths are NOT covered by either backend FOR VP-SIDE FORWARDING-PLANE REVELATION; see Section 8.3 for why, and how such paths MUST be handled. (This statement is specific to VP-side hidden-hop recovery for the MVPS localization pipeline; a tool such as AReST may still address SRv6 through cooperative or control-plane channels, which is precisely the recoverable case characterised in Section 8.4.) 8.3. SRv6 Forwarding-Plane Limitation (Lemma L-SRv6-1) SRv6 MUST be treated separately from SR-MPLS. Under the native IPv6 data plane with the Endpoint behaviour H.Encaps [RFC8986], the hidden hops of an SRv6-encapsulated segment are NOT revealable by VP-side traceroute. This subsection states that limitation as an indistinguishability result. The underlying observation is due to Benoit Donnet (private communication, 2026); its formalisation here is the author's. Observation model. A vantage v sends probes toward a destination with increasing IPv6 Hop Limit HL = 1, 2, .... A node r at hop-distance k receives the probe with HL = 1, discards it, and emits an ICMPv6 Time Exceeded [RFC4443] whose source is r and whose destination is the source address of the discarded packet. The vantage v OBSERVES r if and only if it receives a Time Exceeded with source r. MPLS contraposition (why MPLS is revealable). A probe is an IP packet with src = v. When the MPLS LSE-TTL expires at an interior LSR, the quoted inner IP packet still carries src = v, so the Time Exceeded is delivered to v (and [RFC4950] even quotes the label stack). The return path of the error signal to the vantage is preserved; hence DPR, BRPR, and TNT can reconstruct n_h. SRv6 H.Encaps. At the ingress I the original packet (src = v) is encapsulated in an outer IPv6 header with src = I and dst = the active segment, plus a Segment Routing Header (SRH). Let r be any node strictly between I and the egress E. A Time Exceeded triggered at r is addressed to the OUTER source, i.e. to I, not to v: src(outer) = I != v => ICMP returns to I, not v. - In uniform mode (outer HL initialised from inner HL), the probe expires at interior nodes, but each Time Exceeded is delivered to I. I, as the encapsulator, does not relay it to v: the inner source is not copied, for the security and IPv6-extension-header-filtering reasons documented in [SRv6-EH]. The vantage observes only ***. - In pipe mode (outer HL set to a constant), the packet does not expire inside the SR domain; only I and E appear. The tunnel collapses to a single apparent hop, exactly as an invisible MPLS tunnel would. LEMMA L-SRv6-1 (Non-revelation of the SRv6 interior). Let G_1 and G_2 be two topologies identical outside an SRv6 H.Encaps segment [I -> E] but with different interiors (hop counts n_h^1 != n_h^2 and distinct interior addresses). Let O_v(.) be the VP-side observation sequence and R_v(.) the subsequence of interior hop ADDRESSES the VP recovers -- the output a revelation primitive such as DPR/BRPR must produce. Then: (a) Identity non-recovery (both TTL modes). R_v(G_1) = R_v(G_2) = . No VP-side probe recovers any interior hop address. (b) Strict count-indistinguishability (pipe mode). O_v(G_1) = O_v(G_2): the segment collapses to one apparent hop, so n_h is not even countable. (c) Count leakage without attribution (uniform mode). O_v(G_1) != O_v(G_2) in general, since the VP sees one timeout (***) per interior hop and MAY count n_h. But those timeouts are indistinguishable from n_h ordinary non-responsive IP hops; they carry no address, no label, and no evidence that the segment is SRv6. Consequently the revelation required by pre-condition Q3 of Theorem T-CAM-1 -- recovery of interior hop identities, as DPR/BRPR provide for MPLS (the source-preserving case) -- is impossible from the VP side for SRv6 H.Encaps in BOTH modes. Proof. (a) By the H.Encaps source-substitution rule [RFC8986] the outer source is I, so every ICMPv6 Time Exceeded [RFC4443] raised by an interior node is delivered to I, never to v, and I does not relay it (no inner-source copy; extension-header filtering [SRv6-EH]). Hence no interior address reaches v and R_v is empty for any interior. (b) In pipe mode the constant outer Hop Limit prevents interior expiry, so the only TTL positions observed on the segment are I and E, identical in G_1 and G_2 by hypothesis. (c) In uniform mode the propagated Hop Limit causes one interior expiry per hop, each yielding a timeout at v; the timeout count equals n_h but, by (a), none is attributable. QED. Computational verification. The simulation in scripts/simulate_srv6_revelation.py constructs G_1 (n_h = 3) and G_2 (n_h = 5) and confirms (a) zero interior identities recovered under both SRv6 modes, (b) identical observation sequences under pipe mode, and -- as a deliberate falsification test -- (c) that uniform mode leaks the count. This is why the lemma scopes strict indistinguishability to pipe mode rather than asserting it unconditionally. Consequence for T-CAM-1. Pre-condition Q3 (accurate n_h(t) from revelation) is UNSATISFIABLE for SRv6 H.Encaps segments under VP-side measurement. An MVPS deployment therefore MUST NOT claim SRv6 tunnel revelation; anchor paths whose Explicit-tunnel responses indicate SRv6 encapsulation MUST be flagged REVELATION_UNAVAILABLE and excluded from the L-MPLS-1 correction, rather than silently treated as direct links. The uniform-mode timeout count (part (c) above) MUST NOT be used as a substitute for n_h(t): being unattributable, it cannot distinguish tunnel-detour latency (which L-MPLS-1 subtracts) from genuine propagation latency (which it must not), and so cannot satisfy Q3. Open problem. Closing this gap requires a revelation primitive that does not depend on interior Time Exceeded returning to v -- for example, using the ingress I as an active reflector, SRH OAM with the O-flag [RFC9259], or behaviour-specific signals from PSP/USP flavours. Designing such a primitive (an SRv6 analogue of DPR/BRPR) is left as future work and is a natural candidate for collaborative experimental study. 8.4. Relativity of SRv6 Revelation to the Information Set (Lemma L-SRv6-2) Lemma L-SRv6-1 is a VP-side impossibility. It is RELATIVE to one information set: passive VP-side traceroute, with extension-header filtering and no inner-source copy. This subsection makes that relativity precise and identifies the channels under which the SRv6 interior IS recoverable -- and why none of them is available in the MVPS adversarial threat model. The interior information is not destroyed by encapsulation; it is merely relocated to channels the VP does not observe. Information channels. For an SRv6 H.Encaps segment [I -> E]: C_vp VP-side passive traceroute (the L-SRv6-1 channel). C_ing The ingress I (the outer source). In uniform mode I passively receives every interior ICMPv6 Time Exceeded; in pipe mode no interior expiry occurs, so I must act as an ACTIVE reflector, launching its own SR-probes into the segment. In both cases the recovery accrues to I, not to the VP. (A live seg6 testbed confirms the uniform case: the interior Time Exceeded are observed arriving at I and never at the VP.) C_cp The control plane: IGP-SR / BGP-LS state exposing the SID-to-node mapping and the active SR policy. C_eg The egress E, used for reverse-direction probing. C_srh An on-path observer reading the SRH segment list directly (where the SRH is not stripped/filtered). Let R(C) be the set of interior hop identities recoverable from a channel set C, and let N denote the (fixed) interior as a source variable. LEMMA L-SRv6-2 (Relativity of SRv6 revelation). (a) Monotonicity. R(C) is monotone under union: R(C) subset-or-equal R(C union C'). Equivalently, by the chain rule I(N; Y, Y') = I(N; Y) + I(N; Y' | Y) and the non-negativity of conditional mutual information, adding a channel never reduces what is recoverable. Conversely, by the data-processing inequality no post-processing of C_vp alone can exceed I(N; C_vp) = 0. (b) VP-side floor. R({C_vp}) = (Lemma L-SRv6-1). (c) Cooperative sufficiency. R({C_ing}) = R({C_cp}) = R({C_eg}) = N (the full interior); R({C_srh}) = the SID waypoints only (a strict subset: transit routers between two SIDs are not listed in the SRH). (d) Adversarial collapse. If the measurer is external to the SR domain and the domain is adversarial, then C_ing, C_cp, C_eg, and C_srh are all denied -- the adversary controls them -- so the available channel set reduces to {C_vp} and, by (b), R = . Corollary L-SRv6-2.1 (Tightness in the threat model). The SRv6 interior is recoverable IF AND ONLY IF the measurer holds at least one cooperative channel. The MVPS adversarial threat model (Section 1.3, incentives M-1..M-7) denies all cooperative channels by construction. Therefore L-SRv6-1 is TIGHT in that model: the VP-side impossibility is not an artefact of weak measurement but a structural property of adversarial SRv6. Proof. (a) Each channel is an observation of the fixed source N; I(N; Y, Y') >= I(N; Y) by the chain rule and non-negativity of conditional mutual information, and no function of C_vp can exceed I(N; C_vp) = 0 by the data- processing inequality. (b) is Lemma L-SRv6-1. (c) C_ing collects every interior Time Exceeded; C_cp resolves every SID and intermediate node through its IGP presence; C_eg observes the segment from the far end; C_srh exposes only the listed SIDs. (d) Adversarial control of the SR domain removes C_ing, C_cp, C_eg, and C_srh from the available set, leaving {C_vp}. QED. Research consequence. Closing the cooperative case is the natural SRv6 analogue of DPR/BRPR: an ingress-reflector (C_ing) or control-plane (C_cp) recovery primitive reconstructs the interior wherever the operator cooperates. This is the recommended target for the experimental follow-on work noted in Section 8.3. Computational verification. The simulation in scripts/simulate_srv6_information_layers.py constructs the five channels for two interiors (n_h = 3 and n_h = 5) and confirms (b)-(d): empty recovery for C_vp; full recovery for the cooperative channels; partial (SID-only) recovery for C_srh; and a total collapse to across ALL channels once the adversarial flag is set. Melegassi Expires 28 November 2026 [Page 10] Internet-Draft MVPS Vantage Localization under MPLS May 2026 9. Deployment Considerations 9.1. Anchor Selection For the L-GEO-1 and L-MPLS-1 bounds to be useful, anchors must satisfy three properties: (i) Known geographic position, independently verifiable (e.g., RIPE Atlas site data, published IXP location). (ii) Paths from the vantage under test to each anchor are route-stable over the calibration window. (iii) Anchors are geographically distributed, not co-located in the same facility. Suitable anchor pools: RIPE Atlas anchors (globally distributed, publicly queryable, route-stable by design), CAIDA Ark vantage points, or IXP route-server addresses published in the PeeringDB database. 9.2. Calibration Window n_calib >= 18,500 observations (MVPS OC3) yields epsilon < 1e-9 in Theorem T-CAM-1 at FAR_target = 0.01. At a 1-second measurement cadence, this requires approximately 5.1 hours of continuous measurement. Operators SHOULD run an initial calibration phase of at least 6 hours before treating MVPS_CAMOUFLAGE_SUSPECTED labels as actionable. 9.3. Revelation Frequency TNT/BRPR probing is heavier than normal MVPS path probing. Operators SHOULD run revelation on: (a) Initial vantage enrollment. (b) After any BGP route change that affects anchor paths. (c) At a low-frequency periodic interval (e.g., weekly) to detect newly deployed tunnels. Melegassi Expires 28 November 2026 [Page 11] Internet-Draft MVPS Vantage Localization under MPLS May 2026 10. Security Considerations An adversary with access to MPLS-capable infrastructure can deploy invisible tunnels to camouflage the true geographic position of an MVPS vantage. The techniques in this document detect such camouflage but do NOT prevent it. Prevention requires either: (a) Operator-side enforcement of ttl-propagate on all MPLS edges (eliminating invisible tunnels), or (b) Cryptographic location attestation (e.g., hardware- anchored GPS or eLoran timestamps) that is independent of network-layer path measurement. Neither (a) nor (b) is proposed in this document; they are operational choices outside the MVPS framework. The Byzantine-robust extension (Theorem 9 of [v4-proof]) provides additional protection when the adversary also manipulates the routing-table content of the compromised vantage. Operators facing sophisticated adversaries SHOULD also deploy the geometric-median centroid estimator (MVPS Design D9(ii)) and enforce N >= 3f + 1 vantages, where f is the maximum number of Byzantine vantages the operator wishes to tolerate. Pre-condition Q1 of Theorem T-CAM-1 (N >= 3) is the geometric minimum for localization, NOT the Byzantine minimum; see Section 10.4 below. 10.1. Limitations of DPR/BRPR/TNT under Adversarial Operators Theorem T-CAM-1 pre-condition Q3 assumes that DPR, BRPR, or TNT [Vanaubel-2017] [Luttringer-2020] revelation correctly identifies hidden hops n_h(t) for every tunnel segment. This assumption is sound when the MPLS operator merely CONCEALS tunnel topology (the threat model under which DPR/BRPR were originally analysed) but is NOT sound when the operator is itself the adversary. Specifically, an adversary who controls the MPLS infrastructure can: (Attack-C) Forge ICMP time-exceeded responses. DPR and BRPR rely on receiving ICMP responses from intermediate LSRs. Source IP, TTL value, and timestamps in these responses are not authenticated. An adversarial LSR can fabricate responses consistent with a benign tunnel topology, causing TNT to report a smaller n_h(t) than the true value. (Attack-D) Suppress revelation probes. An adversary can rate-limit or drop probes whose pattern matches known DPR/BRPR signatures, leaving the defender with no observation at all (which under Q3 must be treated as "no tunnel found", a soft failure of the test). This document does NOT solve Attack-C or Attack-D. Operators deploying T-CAM-1 in environments where the on-path MPLS operator may be adversarial SHOULD: (i) Run revelation from multiple geographically and administratively independent probe sources, accepting n_h(t) only when at least two independent sources report values within tolerance. (ii) Augment T-CAM-1 with the CWT trust binding (Corollary T-CAM-1.1) so that a forged revelation report cannot in itself validate a forged vantage. (iii) Treat absence of revelation response (Attack-D) as equivalent to "invisible tunnel suspected" rather than "no tunnel". Limitation note: even with mitigations (i)-(iii), an adversary who controls the entire forwarding path between vantage and anchor remains outside the protection envelope of this document. Such adversaries require physical-layer attestation (Security Considerations (b)) which is out of scope here. 10.2. RTT Inflation Attack (Dual of Camouflage) The MPLS camouflage analysed in Sections 5 and 6 is the case where invisible tunnels HIDE distance, causing the apparent feasible set F_v to undercount the true path length. The symmetric "RTT inflation" attack is the case where the adversary INFLATES the measured RTT to claim a distant location. Mechanisms for RTT inflation include: - Kernel-side deterministic delay injection in the vantage's TCP/UDP probe response path. - BGP path prepending to force a longer AS path. - Routing through a deliberately distant intermediate hop under operator control. Lemma L-MPLS-1 does not detect inflation because Delta_mpls only SUBTRACTS hidden-hop time from the measured RTT; it never challenges measured RTT as anomalously large. An adversary at true position p_r who inflates RTT(v, a_i) by tau_inflate appears to occupy a Ball(a_i, (r_i + tau_inflate) * c_fiber / 2) which can extend to a falsely distant p_c. Detection of inflation requires two complementary techniques not formalized in this document: - Multi-anchor RTT consistency: comparing measured RTT to the minimum RTT predicted by the speed-of-light floor 2 * D(p_c, a_i) / c_fiber. Excessive ratio measured/ floor across multiple anchors is suspect. - Cross-stratum NTP/PTP timing audit: an adversary inflating RTT generally also inflates timestamps at the wire, which can be detected by comparing to an external time reference (e.g., GPS PPS or NIST stratum-1). Operators SHOULD treat both camouflage (this document) and inflation (this section) as a coupled threat surface and deploy detection for both. A "Lemma L-INFL-1" formalizing inflation detection is left to a future document. 10.3. PHP Tunnel Coverage Gap Corollary L-MPLS-1.1 (Section 5) notes that a PHP (Penultimate Hop Popping) configuration converts an operationally opaque tunnel into a type-V tunnel from the measurement perspective, requiring DPR to recover n_h(t). However, DPR requires that the measurement source be CO-LOCATED with (or have privileged access to) the ingress LER of the tunnel under inspection [Vanaubel-2017]. In an adversarial scenario the defender does NOT have access to the adversary's iLER, by construction. Hence: - BRPR can be attempted from the defender's side; it partially recovers n_h(t) for type-V tunnels but its success rate degrades when PHP is combined with selective label-stack popping. - TNT, which implements both DPR and BRPR, is constrained to its BRPR mode in this case. Operators facing PHP-rich adversarial environments SHOULD: (i) Increase n_calib and tighten FAR_target to compensate for the increased revelation uncertainty. (ii) Treat any anchor path showing PHP-suspect ICMP response patterns as inflating Delta_mpls to its worst-case bound (n_h(t) = 17 hops, the 99th-percentile observed in [Huddleston-2025]) rather than the average. (iii) Prefer anchors connected via SR-MPLS infrastructure where AReST [Dekinder-2025] applies, since AReST's revelation primitives operate on the segment list rather than relying on LER-side label manipulation. Do NOT prefer SRv6 anchors for this purpose: by Lemma L-SRv6-1 (Section 8.3) the SRv6 forwarding plane is not revealable from the VP side, so such anchors MUST be treated as REVELATION_UNAVAILABLE. 10.4. Pre-condition Alignment with Byzantine Bound Pre-condition Q1 of Theorem T-CAM-1 requires N >= 3 vantages. This is the GEOMETRIC minimum for trilateration. The MVPS architecture also imposes a BYZANTINE minimum of N >= 3f + 1 for resilience against f compromised vantages (axiom MVPS-A5, Theorem 9 of [v4-proof]). These two minima are independent: - For pure localization with f = 0 (trusted vantages, MPLS infrastructure may be hostile), N = 3 suffices. - For localization with f = 1 (one vantage may be compromised in addition to MPLS hostility), N >= 4. - For localization with f = 2, N >= 7. Operators MUST select N as the maximum of the geometric and Byzantine minima for their threat model. This document's probability bound (epsilon < 1e-9 with n_calib = 18,500, FAR_target = 0.01) assumes N satisfies BOTH minima. 11. IANA Considerations This document has no IANA actions. 12. Acknowledgments This document would not exist without the 14-year corpus of work on MPLS tunnel revelation by Benoit Donnet (Universite de Liege) and his collaborators. The four-type taxonomy of MPLS tunnels (explicit, implicit, opaque, invisible), the DPR and BRPR revelation primitives, the TNT implementation, and the AReST extension to Segment Routing form the structural foundation on which Lemma L-MPLS-1 and Theorem T-CAM-1 are built. In particular, [Donnet-2012], [Vanaubel-2017], [Luttringer-2020], and [Dekinder-2025] provide the measurement-theoretic vocabulary that makes the MVPS vantage- authentication problem tractable. The author is further indebted to Benoit Donnet for the observation, communicated privately in 2026, that the SRv6 forwarding plane is not revealable by VP-side traceroute under H.Encaps -- both because of IPv6 extension-header filtering [SRv6-EH] and because the encapsulating ingress becomes the source of the outer packet, so interior ICMP Time Exceeded messages never return to the vantage. Lemma L-SRv6-1 (Section 8.3) is the author's formalisation of that observation, and Lemma L-SRv6-2 (Section 8.4), which locates the recoverable information in cooperative channels, is the author's response to Donnet's suggestion that a new DPR/BRPR-class primitive is required to close the gap. The originating insight and that suggestion are Donnet's. Any errors of formalisation or attribution in the present document are the author's own. The author also thanks the IPPM, INTAREA, and DISPATCH working groups for the discussions that shaped the MVPS architecture series referenced herein, and the Catellix engineering team for the validator scaffolding referenced in Appendix B. Melegassi Expires 28 November 2026 [Page 12] Internet-Draft MVPS Vantage Localization under MPLS May 2026 13. References 13.1. Normative References [I-D.melegassi-iab-mvps-architecture] Melegassi, L., "Multi-Vantage Path Snapshot: Architecture Invariance Theorem", draft-melegassi- iab-mvps-architecture-00, May 2026. [I-D.melegassi-ippm-mvps-bundle] Melegassi, L., "Multi-Vantage Path Snapshot: Bundle Envelope and Coherence Algebra", draft- melegassi-ippm-mvps-bundle-00, May 2026. [I-D.melegassi-santos-ippm-mvps-cwt] Melegassi, L. and R. Santos, "Coherent-Witness Trust for MVPS Vantage Authentication", draft- melegassi-santos-ippm-mvps-cwt-00, May 2026. [RFC4950] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, "ICMP Extensions for Multiprotocol Label Switching", RFC 4950, DOI 10.17487/RFC4950, August 2007, . [v4-proof] Melegassi, L., "MVPS Mathematical Existence Proof -- Version 4.0", May 2026, . 13.2. Informative References [Donnet-2012] Donnet, B., Luckie, M., Merindol, P., and J.-J. Pansiot, "Revealing MPLS Tunnels Obscured from Traceroute", ACM Computer Communication Review, vol. 42, no. 2, pp. 87-93, DOI 10.1145/2185376.2185388, April 2012. [Vanaubel-2017] Vanaubel, Y., Merindol, P., Pansiot, J.-J., and B. Donnet, "Through the Wormhole: Tracking Invisible MPLS Tunnels", ACM Internet Measurement Conference (IMC 2017), DOI 10.1145/3131365.3131378, November 2017. [Luttringer-2020] Luttringer, J.-R., Vanaubel, Y., Merindol, P., Pansiot, J.-J., and B. Donnet, "Let There Be Light: Revealing Hidden MPLS Tunnels with TNT", IEEE Transactions on Network and Service Management, vol. 17, no. 2, pp. 1239-1253, DOI 10.1109/TNSM.2019.2962278, June 2020. [Dekinder-2025] Dekinder, F., Vermeulen, K., and B. Donnet, "Autonomous Systems under AReST: Advanced Revelation of Segment Routing Tunnels", ACM Internet Measurement Conference (IMC 2025), pp. 325-341, DOI 10.1145/3730567.3764436, October 2025. [Huddleston-2025] Huddleston, J., Luckie, M., and A. Marder, "Replication: Characterizing MPLS Tunnels over Internet Paths", ACM Internet Measurement Conference (IMC 2025), Madison, WI, USA, DOI 10.1145/3730567.3764457, October 2025. [Poese-2011] Poese, I., Uhlig, S., Kaafar, M. A., Donnet, B., and B. Gueye, "IP Geolocation Databases: Unreliable?", ACM Computer Communication Review, vol. 41, no. 2, pp. 53-56, DOI 10.1145/1971162.1971171, April 2011. [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006, . [RFC8986] Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 (SRv6) Network Programming", RFC 8986, DOI 10.17487/RFC8986, February 2021, . [RFC9259] Ali, Z., Filsfils, C., Matsushima, S., Voyer, D., and M. Chen, "Operations, Administration, and Maintenance (OAM) in Segment Routing over IPv6 (SRv6)", RFC 9259, DOI 10.17487/RFC9259, June 2022, . [SRv6-EH] Iurman, J. and B. Donnet, "The Razor's Edge: IPv6 Extension Headers Survivability", Passive and Active Measurement Conference (PAM 2025), Springer, March 2025, ORBi handle 2268/325234, . [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010. [scamper] Luckie, M., "Scamper: A Scalable and Extensible Packet Prober for Active Measurement of the Internet", ACM Internet Measurement Conference (IMC 2010), 2010. [I13] Massart, P., "The Tight Constant in the Dvoretzky-Kiefer-Wolfowitz Inequality", Annals of Probability, vol. 18, no. 3, 1990. Melegassi Expires 28 November 2026 [Page 13] Internet-Draft MVPS Vantage Localization under MPLS May 2026 Appendix A. Worked Example: Invisible-Tunnel Attack This appendix illustrates Attack-A (Section 5) with concrete numbers, using the 2025 prevalence data from [Huddleston-2025]. The scenario is constructed so that the attack defeats L-GEO-1 in isolation but is caught by L-MPLS-1 after tunnel revelation; this is the regime where the contribution of this document is operationally significant. Note A.1 (Physics constraint). Because RTT_min(v, a_i) >= 2 * D(p_r, p_{a_i}) / c_fiber by Section 4.1, an adversary cannot REDUCE the measured RTT below the great-circle floor. Examples in which the adversary "appears closer" than physically possible are inadmissible. The example below respects this floor: the adversary's true location p_r is closer to the anchor than the claimed location p_c, so MPLS inflation of the RTT is what creates room for the false claim. See also the dual "RTT inflation" attack discussed in Section 10.2. Scenario: - Adversary places vantage v at p_r = Newark, NJ, USA. - Adversary claims vantage position p_c = Miami, FL, USA (e.g., to satisfy a regional SLA or geo-licensing requirement that demands a Southeast U.S. presence). - D(p_r, p_c) approximately 1750 km. - Anchor a_1 located in Chicago, IL. - D(Newark, Chicago) approximately 1170 km (physical RTT floor ~= 11.7 ms). - D(Miami, Chicago) approximately 2090 km (physical RTT floor ~= 20.9 ms). - One invisible MPLS tunnel on the path from v to a_1, hiding 5.7 hops (2025 average per tunnel, see Section 3.2). - RTT_min_hop = 2 ms (per-hop conservative estimate, see Section 5.1). Without revelation: - RTT(v, a_1) measured = 25 ms. This value is physically admissible: 25 ms > 11.7 ms (Newark-Chicago floor) AND 25 ms > 20.9 ms (Miami-Chicago floor), so neither location is geometrically rejected by RTT alone. The adversary's true path (Newark -> MPLS LSP hiding 5.7 routers in a detour through Dallas -> Chicago) produces a higher RTT than the direct Newark-Chicago path would, plausibly attributable to BGP indirectness. - L-GEO-1 (uncorrected): F_v = Ball(Chicago, 25 ms * c_fiber / 2 + sigma_geo) approx Ball(Chicago, 2500 km). Miami (at 2090 km from Chicago) is INSIDE F_v. Attack succeeds against L-GEO-1; vantage appears legitimate. After BRPR/TNT revelation: - One invisible tunnel detected on the Newark-Chicago path; 5.7 hidden hops recovered by BRPR probing. - Delta_mpls(v, a_1) = 5.7 * 2 ms = 11.4 ms. - Corrected bound: (25 - 11.4) ms * c_fiber / 2 + sigma_geo approx Ball(Chicago, 1360 km). - Miami-Chicago distance = 2090 km > 1360 km. - p_c = Miami is NOT in F_v^mpls. - Vantage is flagged MPLS_CAMOUFLAGE_SUSPECTED. After MVPS coherence test: - C_3 (topological axis): Jaccard similarity on touched objects between the actual Newark-originated AS path and the AS path expected from a Miami-originated probe to Chicago. Illustrative values (calibration-dependent; see Note A.2): typical co-located coherence approximately 0.85 +/- 0.05; observed value approximately 0.30 +/- 0.10. D^2 > q_J at FAR_target = 0.01. - Phase escalates to CAMOUFLAGE_CONFIRMED. Note A.2 (Illustrative Jaccard values). The values 0.85 and 0.30 above are operationally typical for the BGP-AS topology of the U.S. East Coast as observed in CAIDA Ark and RIPE Atlas datasets (2024-2025). They are NOT theoretical constants and MUST be re-calibrated per anchor pool and per measurement epoch before being used as decision thresholds. See Section 9.2 and the MVPS calibration contract OC3 [I-D.melegassi-ippm-mvps-bundle]. The attack is defeated by the combination of: (1) TNT/BRPR tunnel revelation (Donnet's techniques), and (2) MVPS coherence test (Theorem 2 + Theorem 4 of [v4-proof]). The example is deliberately conservative (one tunnel, one anchor, modest geographic displacement). Attacks involving multiple chained invisible tunnels or larger displacements produce proportionally larger Delta_mpls corrections and are easier to detect once revelation is performed. Melegassi Expires 28 November 2026 [Page 14] Internet-Draft MVPS Vantage Localization under MPLS May 2026 Appendix B. Validator Notes A companion validator is being developed at: scripts/validate_vantage_localization.py The validator takes as input: - Anchor positions {p_{a_i}} (lat/lon) - Measured RTTs {r_i} from vantage to each anchor - TNT/AReST revelation output (hidden hop counts per tunnel) - Claimed vantage position p_c It outputs: - F_v (L-GEO-1 feasible set, assuming transparent paths) - F_v^mpls (L-MPLS-1 corrected feasible set) - Membership of p_c in F_v and F_v^mpls - Phase label recommendation (from Section 7); anchor paths flagged as SRv6-encapsulated are reported REVELATION_UNAVAILABLE and excluded from F_v^mpls per Lemma L-SRv6-1 (Section 8.3) - JSON receipt for SHA-256 verification The validator follows the same structure as scripts/validate_ixp_vantage.py (D-18) and is designed for exit-code 0 on PASS, 1 on FAIL. A separate companion simulation at scripts/simulate_srv6_revelation.py provides the computational evidence for Lemma L-SRv6-1 (Section 8.3). It constructs two SRv6 topologies that differ only in their encapsulated interior and confirms, under both the pipe and uniform Hop-Limit modes, that no interior hop identity is recoverable from the VP side (and that strict observation indistinguishability holds in pipe mode, while uniform mode leaks only an unattributable hop count). It emits its own SHA-256-stamped JSON receipt and uses the same exit-code convention. A third companion at scripts/simulate_srv6_information_layers.py provides the evidence for Lemma L-SRv6-2 (Section 8.4). It models the five information channels (C_vp, C_ing, C_cp, C_eg, C_srh) and confirms that the interior is fully recoverable from the cooperative channels but collapses to empty across all channels under an adversarial SR domain -- the tightness result of Corollary L-SRv6-2.1. Author's Address Leonardo Melegassi Catellix Andradina, SP Brazil Email: melegassi@catellix.com URI: https://www.catellix.com