Henri Poincaré, c. 1900

Mathematics is the art of giving the same name to different things.

Henri Poincaré 1854 – 1912
Work in progress · May 2026

MVPS — Multi-Vantage Path Synchrony

A mathematical framework that treats a distributed network as a geometric coherence space. Started as a single algebraic idea submitted to the IETF IPPM working group. Grew — unexpectedly — into thirteen complementary internet-drafts.

✓ 9 REAL datasets (R1–R9) · 13 IETF I-Ds · Reference impl: Python, 0 deps · Live: RIPE Atlas · BGP
Status (2026-05-28): thirteen IETF I-Ds. D-1 through D-5 posted on Datatracker. D-5 draft-melegassi-mvps-ai-coherence-01 updated 2026-05-27 with Part D (Sections 22-25): composition with Trust/CWT (D-10), PerfSec-Coupling (D-17), and Architecture (D-16); introduces T-JCOST-AI-1 (joint broker CPU for AI-Coherence, instantiation of T-JCOST-1), T-VOLINV-AI (volume independence), and Lemma L-AI-A4 (three conditions for MVPS-A4 conformance under shared embedding models). Without D-17, the broker is under-provisioned by ~10-100×.
D-6 draft-melegassi-ippm-mvps-coherence-leadtime-00 and D-7 draft-melegassi-ippm-mvps-orbital-coherence-00 uploaded 2026-05-25 (awaiting Datatracker confirmation). D-6 adds three closed-form lemmas (L_ZD.1', L_ZD.2', L_ZD.3) on multi-vantage coherence lead-time; D-7 maps MVPS onto satellite-segment paths with seven theorems (T-1..T-7) — Stein-Lemma + KL-additivity (L_ORB.1/2/3 PASS) — and explicitly declares operational prerequisites (H-5 path-identity exposure) and seven open problems.
D-8 draft-melegassi-iab-mvps-architecture-00 (MVPS Architecture / structural capstone, Invariance Theorem axiom-by-axiom proof) and D-9 draft-melegassi-iab-mvps-planetary-floor-00 (Planetary Coherence Floor / operational capstone, the world number: MVPS ~1220x faster than the classical Internet at antipodal scale, causality-limited at 145–196 ms vs BGP-convergence 300 s) finalised 2026-05-25; both reduce by finite chain to v4.0 + L_DL + RFC 4271/5880/2181/6298 — no new mathematics introduced; receipt scripts/validate_planetary_floor.py exit 0 (PASS).
D-10 draft-melegassi-santos-ippm-mvps-cwt-00 (MVPS Trust Profile / security capstone, co-authored by Leonardo Melegassi & Joas Antonio dos Santos Barbosa) finalised 2026-05-25; establishes HMAC-SHA256 per-snapshot authentication, Ed25519 epoch anchors, and independent witness cosignatures; proves T-COAL-1 (coalition resistance) and T-SPLIT-1 (split-view resistance); measured CWT hot-path: 2.1 μs — strictly below the 4.2 μs JSON-parse baseline; validator 12/12 PASS.
D-11 draft-melegassi-dispatch-mvps-snap-backup-01 (SNAP: Simple Native Archive Protocol / atomic backup substrate, authored by Rodrigo Yoshioka, Guilherme Labadessa, Pedro Scalon, Diego Canton de Brito, Eduardo Belotto; contributor: Leonardo Melegassi) submitted 2026-05-26 to IETF DISPATCH; defines a YANG-modelled, JCS-canonicalised, Brotli-compressed single-JSON backup envelope with per-file SHA-256 and a deterministic envelope hash; proves six theorems A.1–A.6 (Shannon compression lower bound, SHA-256 collision resistance, Base64+Brotli overhead, minimum RTT, manifest verification complexity, round-trip correctness) plus four MVPS composition theorems M.1–M.4 (Bundle Preservation, Architectural Conformance, Byzantine-Resilient Backup, Planetary Floor for SNAP); validator 20/20 PASS · 0 idnits errors · 0 non-ASCII characters after sanitisation.
D-19 draft-melegassi-ippm-mvps-vantage-mpls-00 (MVPS Vantage Localization Feasibility under MPLS Path Camouflage) finalised 2026-05-28; first composition between the MVPS vantage-authentication problem and the Donnet-Vanaubel-Luttringer-Dekinder corpus on MPLS tunnel revelation; proves three results — Lemma L-GEO-1 (RTT localization bound under transparent paths), Lemma L-MPLS-1 (camouflage correction Delta_mpls, unbounded for invisible tunnels without DPR/BRPR/TNT revelation), and Theorem T-CAM-1 (chi-squared coherence detects camouflaged vantage with epsilon ≤ exp(-2 n_calib gamma^2), < 1e-9 at n_calib=18,500 and FAR_target=0.01) — plus an auxiliary Lemma L-GEO-1.1 (anchor geometry for discrimination), three explicit caveats (T-CAM-1.A i.i.d., T-CAM-1.B Hypothesis H3, T-CAM-1.C revelation soundness), and four security limitations (DPR/BRPR forging Attacks C/D, RTT-Inflation dual attack, PHP coverage gap, Byzantine vantage minimum). Worked example: Newark vantage claiming Miami location is caught by BRPR + L-MPLS-1 + C_3 Jaccard. No new wire format; reduces by finite chain to MVPS v4.0 + Donnet taxonomy. Master validator 44/44 attacks defended.
Real-data corpora (T_ZD* historical zero-day, OP-1 orbital reference simulation) are explicitly NOT YET CONFIRMED and recorded as open. All 7 framework theorems (T_phi, T_LT, T_BE, T_DDoS, T_RW, T_CBF, τ_C) of the v5.0 unified proof remain SHA-256 stamped on the catellix.com server. Synthetic simulations remain in the drafts as sanity-check sections; honest catalogue in docs/MVPS_V5_UNIFIED_PROOF.txt.

IODA Live Cybermap

Real-time global internet outage map · server-side cache: /api/mvps/incidents (IODA polled every 2 min) · fallback: RIPEstat live + BGP leaderboard + historical replay when Georgia Tech API is blocked
endpoint: /v2/outages/events · poll: 30s · mode: init

From a sanity check to a protocol stack

This is the unedited account of how the MVPS framework evolved, including the peer review that started everything.

Draft #1 submitted: draft-melegassi-ippm-mvps-bundle-00

The first draft introduced a single idea: model a distributed network as a coherence space where health is measured by Mahalanobis distance D² from a learned baseline (μ₀, Σ₀). The bundle envelope defined a multi-vantage snapshot in ℝᵈ with a concrete wire format — UDP, 56–122 bytes depending on packet type.

A finding from a small sanity check

"I performed a small sanity check on the math of this draft and found a potential issue that I would like to discuss."
— Benoit Donnet (Full Professor, ULiège · network-measurement researcher)

Benoit raised a technical question about the normalization of the coherence axes. The response required a formal proof that the composite distance is well-defined when C₁, C₂, C₃ are measured in different units. This forced a more rigorous treatment of the algebra, ultimately strengthening the foundation of the entire framework.

The canonical-representation audit

"I would suggest that this would be the first part of the Master Thesis: running through the draft and looking for potential places that could benefit from canonical representation. The example of IPv6 address is one of those places."
— Benoit Donnet (Full Professor, ULiège · network-measurement researcher)

That single suggestion reframed the work. It turned an open-ended draft into a disciplined audit: two independently re-derived implementations of the path-fingerprint algorithm, run against 30 hand-curated test vectors plus 5 000 property-based random vectors, classifying every divergence into spec ambiguity, implementation defect, or input non-determinism. The audit produced finding F001 (IPv6 canonical textual form not specified, fixed by normatively citing RFC 5952) and a chain of related findings (F002, F005, F007–F012) that now drive the -01 revision. Without that prompt, the canonicalization layer would still be implicit. The acknowledgement is on the record here, and remains here, regardless of what happens next with the drafts.

MVPS LIVE — real-time mathematical validation

Every collected sample is validated on the spot against the 9 theorems and 6 operational contracts from MVPS_MATHEMATICAL_EXISTENCE_PROOF_V4.txt. As long as every check passes, the logic is mathematically proven on live data. If any fails, this page shows immediately which one broke.

endpoint: /api/mvps/live (fallback: /static/data/mvps-live.json)

15 checks applied to every sample

Live readout

C1: ---
C2: ---
C3: ---
H: -- / H_max
-- / q_emp
FAR: -- / 0.05 ± DKW
ρ₁: -- · |.| < 0.15
λ₂: -- · [φ²/2, 2φ]
GM bias: -- / T9 bound
N | f: -- vantages
proof v4.0 + v5.0 (T_φ, T_LT, T_BE, T_DDoS, T_RW, T_CBF)
35/35 attacks defended
poll 2.0s
collector: scripts/mvps_live_collector.py
Two-channel rule (T_φ):
DECIDE on χ²(3) quantiles  ·  WATCH = 7.815  ·  ALARM = 11.345
DISPLAY Φ_D = exp(−D² / k) with k = 6.25 is a gradient, not a threshold
v1.0 prose errata corrected in docs/MVPS_V5_UNIFIED_PROOF.txt §1
How it works. This page requests a sample from the endpoint every 2 seconds. Each sample carries the vector C = (C₁, C₂, C₃), the Mahalanobis statistic , the aggregated graph spectrum G(B(t)), the Byzantine centroid bias, the realised empirical FAR and the operational parameters (N, n_calib, cadence G).

For each sample, 15 independent checks are evaluated on the JSON: T1 (C, H bounded) · T6 (Cheeger) · T7 (connectivity) · T9 (GM max-bias) · T3' (FAR ⊂ DKW) · OC1-OC4 · |ρ₁| < 0.15. Exhaustive list in MVPS_LIVE_API_CONTRACT.md.

If all pass, the green banner LOGIC OPERATING is shown. If any fails, the red banner LOGIC BROKEN appears with the code of the failed check. To demonstrate live detection, the collector accepts --break OC2, --break T9, --break T6, --break T1.a, --break OC3, --break OC4, --break iid, --break T7 or --break T3prime.
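
The two-channel rule above, worked through as an added example (not code from the MVPS reference implementation): D² is computed against a baseline (μ₀, Σ₀), the decision uses only the χ²(3) quantiles, Φ_D is computed for display only, and the |ρ₁| < 0.15 check runs on a D² history. The baseline values, the `OK` state name and all function names are constructed for illustration.

```python
import math

WATCH, ALARM = 7.815, 11.345   # chi-squared(3) quantiles quoted on the page
K_DISPLAY = 6.25               # display constant k quoted on the page
RHO1_MAX = 0.15                # |rho_1| bound quoted on the page

def cholesky(sigma):
    """Lower-triangular L with L @ L.T == sigma; rejects a non-PD baseline."""
    n = len(sigma)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sigma[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("Sigma0 is not positive definite")
                L[i][j] = math.sqrt(s)
            else:
                L[i][j] = s / L[j][j]
    return L

def mahalanobis_d2(c, mu0, sigma0):
    """D^2 = (c - mu0)^T Sigma0^-1 (c - mu0), via forward substitution on L."""
    L = cholesky(sigma0)
    diff = [ci - mi for ci, mi in zip(c, mu0)]
    y = []
    for i in range(len(diff)):
        y.append((diff[i] - sum(L[i][k] * y[k] for k in range(i))) / L[i][i])
    return sum(v * v for v in y)

def decide(d2):
    """DECIDE channel: thresholds are the chi-squared(3) quantiles only."""
    if d2 >= ALARM:
        return "ALARM"
    if d2 >= WATCH:
        return "WATCH"
    return "OK"  # state name assumed for this example

def phi_display(d2, k=K_DISPLAY):
    """DISPLAY channel: a gradient in (0, 1], never compared to a threshold."""
    return math.exp(-d2 / k)

def lag1_autocorr(xs):
    """Lag-1 sample autocorrelation, used for the |rho_1| < 0.15 check."""
    n = len(xs)
    mean = sum(xs) / n
    den = sum((x - mean) ** 2 for x in xs)
    if den == 0.0:
        return 0.0
    return sum((xs[i] - mean) * (xs[i + 1] - mean) for i in range(n - 1)) / den

def evaluate(c, mu0, sigma0, d2_history):
    d2 = mahalanobis_d2(c, mu0, sigma0)
    return {
        "d2": d2,
        "state": decide(d2),
        "phi": phi_display(d2),
        "iid_ok": abs(lag1_autocorr(d2_history)) < RHO1_MAX,
    }

# Constructed baseline: sigma = 0.02 per axis, C1 and C2 correlated at 0.8.
MU0 = (0.90, 0.85, 0.80)
SIGMA0 = [
    [0.00040, 0.00032, 0.0],
    [0.00032, 0.00040, 0.0],
    [0.0,     0.0,     0.00040],
]

if __name__ == "__main__":
    history = [2.0, 2.0, 4.0, 4.0] * 3  # constructed D^2 history
    # Each axis is only 1 sigma off, but C1 and C2 move against their
    # correlation, so the joint statistic crosses WATCH.
    print(evaluate((0.92, 0.83, 0.80), MU0, SIGMA0, history))
    # Both axes 2 sigma off in the correlated direction stays below WATCH.
    print(evaluate((0.94, 0.89, 0.80), MU0, SIGMA0, history))
```

The first sample shows why the decision is taken on D² rather than per-axis z-scores: no single axis is unusual, yet the joint deviation is.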

5 (+1) theorems from the MVPS drafts — proven live

Each theorem from the five IETF internet-drafts has here the live signal that sustains it now — not archived evidence. Each card reads from the server's autonomous collector (RIPE Atlas, IODA, BGP, Ollama qwen2.5:3b, scale test) via /api/mvps/proofs/realtime and shows the mathematical verdict against the MVPS_V5_UNIFIED_PROOF threshold. Refresh every 30 s.

How to read. Verdict PROVED = the collector has a live signal + the mathematical decider passed the draft threshold (e.g. AUC ≥ 0.85 for T_CBF). WATCHING = decider did not trigger, awaiting more events (e.g. τ_C needs ≥ 8 calibrated BGP events). STALE = evidence file aged beyond window; collector needs to run. NEEDS_DATA = never collected. Each card exposes the evidence file path and the SHA-256 of the first 1 MB (in /api/mvps/proofs/realtime) to detect collector/API desync. The meta-API /api/mvps/sync-status gives the cross-cutting view of everything synced.
Detection agility · by detector class · no vendors named

Two-axis view: speed on volumetric · breadth on non-volumetric

A detector that catches one class fast does not necessarily catch another at all. We chart class-level doctrinal bands — not specific vendors — because vendor internal telemetry is not exposed for a direct minute-by-minute comparison. MVPS shown in gold.

Volumetric-threshold school · Single-vantage anomaly school · ML-classifier school · Multi-vantage statistical school · BGP-route-monitor school · MVPS / Coherence-BFD (us)

Chart A · Time-to-detection on volumetric DDoS

Doctrinal latency range for each detector class on a classic volumetric flood (Gbps spike). Log scale. Lower is faster. Several schools beat MVPS here — that is fine; volumetric is not where MVPS competes.

Chart B · Event-class coverage breadth

For each event class observed in the May 2026 window — would a detector of that school fire? Score: catches = 1.0 · partial = 0.5 · misses = 0. MVPS is the only class with non-zero score on all four columns.
How to read these two charts together. Chart A says "on volumetric, the volumetric-threshold school is faster than us — by design". Chart B says "on DNSSEC failures, backend outages, and BGP-exploit DoS, that school sees nothing, and we still fire". The trade-off is the point: MVPS swaps a few seconds of volumetric latency for coverage of three event classes that volumetric defenses are structurally blind to. Theorem D1 of draft-melegassi-mvps-ddos-resilience-00 formalises this swap.
Bands are doctrinal, drawn from public protocol literature (sFlow / NetFlow alarm cycles, statistical anomaly detection windows, BGP-monitor convergence times). No specific vendor implementation is identified or benchmarked. MVPS numbers come from scripts/v5_numerical_receipts.py and the cards above.
Lead-Time Audit · MVPS vs. Public Sources

What the detector saw on those days — and what others reported

Every MVPS BGP-coherence alarm from the 30-day window (2026-04-22 → 2026-05-22) cross-referenced against the first dated public report of an Internet incident on the same UTC day. Gold = independently corroborated · Amber = unattributed (no public anchor yet). Click any card to expand.


Twenty-two drafts — seven instantiations, three capstones, the SNAP substrate, the PerfSec composition profile, and the Vantage-MPLS authentication theorem

Each of the first seven drafts raised a question that the next resolved — not planned expansion, but the mathematics forcing the work forward. D-8 (Architecture) and D-9 (Planetary Floor) close the mathematical family: D-8 names the abstract specification that unifies the seven (Invariance Theorem, axiom-by-axiom); D-9 composes everything into the world number (~1220× faster than the classical Internet at antipodal scale, causality-limited). D-10 (CWT Trust Profile) adds the security capstone, proving coalition and split-view resistance with sub-parse-cost overhead. D-11 (SNAP — Simple Native Archive Protocol) defines the atomic backup substrate on which the entire MVPS family is operationally realised: a single self-describing, cryptographically verifiable JSON document that backs up the runtime state of any conformant deployment, with six foundational theorems A.1–A.6 and four formal composition theorems M.1–M.4 proving MVPS coherence is preserved across the substrate. D-17 (PerfSec-Coupling) is the Profile-of-Profiles that closes the five composition gaps between security and performance: three theorems (T-JCOST-1 joint cost bound, T-VDOS-1 insider verification-DoS sub-linear, T-RC-1 replay-counter coherence) by finite chain to the v4.0 catalogue — no new mathematics introduced.

Draft #1 · Foundation · IPPM

Bundle Envelope & Vector Algebra

draft-melegassi-ippm-mvps-bundle-00 — Defines the multi-vantage snapshot wire format and proves that a network can be represented as a vector in ℝᵈ with Mahalanobis distance D² over (μ₀, Σ₀). This is the algebra base on which all other drafts are built.

IETF IPPM Submitted -00
Open question → "If vantages are instrumented by AI models, how does semantic coherence fit the same algebra?"
Draft #2 · AI Extension · MLSys / OPSAWG · updated -01 · 2026-05-27

MVPS AI-Coherence: Semantic, Byzantine, Infrastructure-Cognitive + Composition (Part D)

draft-melegassi-mvps-ai-coherence-01 — Four parts:
Part A (Semantic): replaces C₂→C₂^W2 (Wasserstein-2 on embeddings), C₃→C₃^CKA (CKA on attention matrices), adds C₄ (perturbation stability) and the side label COHERENT_BUT_FALSE (CBF) for detecting hallucination by consensus.
Part B (Byzantine-robust): geometric-median estimator C₂^gm, minimax coherence C^mm(f), MCD phase distance Φ_D^byz, label SUSPECTED_BYZANTINE and SIR model τ_C for the cascade window under BGP hijack.
Part C (IC Coupling): joint vector z(t)∈[0,1]⁶, matrix R_cross, drift transfer function, 5-region phase diagram — coupled failures invisible to each monitor in isolation (Poincaré three-body analogy).
Part D [NEW in -01] (Composition — Sections 22-25): normatively binds to D-10 (Trust/CWT), D-17 (PerfSec), D-16 (Architecture). Introduces T-JCOST-AI-1 (joint broker cost for AI-Coherence; instantiation of T-JCOST-1 from D-17 with c_path^AI = c_hmac_cwt + c_parse + c_sw2 + c_cka + c_c4); T-VOLINV-AI (volume independence for AI-Coherence, analogue of D1 from D-4); Lemma L-AI-A4 (3 conditions for axiom A4 under a shared embedding). Without D-17, the operator under-sizes the broker by ~10–100×.

MLSys · OPSAWG High disruption Updated -01 · 2026-05-27 Part D: Composition
Open question → "O(N²) recomputation: with N=10 000 vantages, c_path^AI dominates. Can SW₂ approximation + CKA amortization make it incremental? Part D (Section 23.5) mandates pre-aggregation at vantage GPU — but A4 conformance under shared embedding (Lemma L-AI-A4.a/b/c) still requires n_models≥3 for full empirical validation (open question AI9.7)."
Draft #3 · Performance Layer · NSDI / IPPM

BE-MVPS — Bandwidth-Efficient Incremental MVPS (9 theorems)

draft-melegassi-mvps-incremental-be-00 — Partitions vantages into k coherence cells; uses Sherman-Morrison-Woodbury for O(1) D² updates per vantage instead of O(d³); uses CRDTs for lock-free merging; gates edge transmission by a local ε threshold (4% of ticks in BAU). Trade-off (T_BE of v5.0 unified proof): ~25× bandwidth reduction at the cost of ~2× CPU vs MVPS-classic — a Pareto move, not a free speed-up. Crossover where BE-MVPS dominates: λ* = (C_be − C_mc) / (B_mc − B_be). 9 formal theorems. Rename note: the earlier "FMVPS / Fast" label has been retired — both in the IETF identifier (now mvps-incremental-be) and the document title — because the genuine advantage is BANDWIDTH, not CPU latency.

NSDI · IPPM High disruption Draft -00
Open question → "The theoretical tick bound is 50 ms. Can detection happen in under 50 ms without a new protocol?"
Draft #4 · Sub-millisecond Detection · IETF BFD WG

Coherence-BFD: Sub-Tick Detection over BFD

draft-melegassi-coherence-bfd-00 — Extends RFC 5880 BFD with: a 5-state machine (AdminDown/Init/WATCH/ALARM replacing BFD's 3), the C flag + 4-byte D² field appended to the mandatory section, and 10 Coherence TLVs in experimental range 0xE0–0xE9. Variant V3 (Echo) achieves τ_detect = 55 ms (M=1, T_tick=50 ms, RTT=5 ms) in the software harness (scripts/benchmark_coherence_bfd.py); the wire format is implemented end-to-end in the reference implementation, but the 55 ms figure has not yet been corroborated on real BFD hardware — that validation gap is explicitly catalogued.

IETF BFD WG Medium disruption Draft -00
Open question → "If a 1 Tbps DDoS hits the monitored infrastructure, does the broker collapse along with the target?"
Draft #5 · Security · OPSEC / DDOS

MVPS DDoS Resilience: Volume-Independent Detection (3 theorems)

draft-melegassi-mvps-ddos-resilience-00 — Emerged from stress tests injecting up to 5 Tbps equivalent. Proves three theorems: D1 (detection latency is independent of attack volume — same 100 ms at 10 Mpps and at 2 Gpps), D2 (Byzantine bound for distributed multi-region attacks), D3 (broker NIC sizing depends only on legitimate telemetry, not attack traffic). Validated across 11 synthetic scenarios. Largest open gap: validation against real DDoS traces.

OPSEC · OPSAWG High disruption Submitted -00
Open question → "Can we prove, in closed form, when a multi-vantage coherence detector D² fires before per-vantage z-score on coordinated rank-low signals?"
Draft #6 · Coherence Lead-Time · IPPM · submitted 2026-05-25

Multi-Vantage Coherence Detection: Closed-Form Lead-Time on Rank-Low Propagating Signals (3 lemmas)

draft-melegassi-ippm-mvps-coherence-leadtime-00 — Companion to Draft #1. States and proves three lemmas (L_ZD.1', L_ZD.2', L_ZD.3) that bound, in closed form, the expected lead-time of the multi-vantage Mahalanobis detector D² over per-vantage max-|z| under matched per-step false-alarm rate α. Covers linear-growth, exponential worm-style growth, and the degenerate sparse-direction regime where the multi-vantage detector LOSES the advantage (L_ZD.3 sign-reversal). Section 5.5 Monte Carlo: SIGN-CLAIM (positive expected lead) holds on 9/9 configurations (Wilson 95% lower bound > 0.30, 0 falsifying), magnitude within ±40% of closed form on fast-growth (Slammer-class, N≥30). Section 1.4 Corrigendum: a prior v0 derivation that omitted the E[M_N] term is explicitly retired; Slammer-class lead at N=30 corrected from ~17.9 s to ~7.6 s. Does NOT claim unconditional zero-day vulnerability detection; scope is strictly network-propagating rank-low events.

IETF IPPM Submitted -00 · awaiting confirmation
Open question → "Can the multi-vantage coherence framework be mapped onto satellite-segment paths where one leg propagates at vacuum-c via inter-satellite links?"
Draft #7 · Orbital Profile · IPPM · submitted 2026-05-25

Multi-Vantage Path Snapshot Profile for Satellite-Segment Paths: Mapping and N-Vantage Error-Exponent Scaling (7 theorems)

draft-melegassi-ippm-mvps-orbital-coherence-00 — Maps base MVPS onto network paths that traverse satellite constellations, with TWO targeted adaptations: (i) a mixed-medium causal lower bound for C_1 admitting vacuum-c on space-segment legs and fiber-c on terrestrial legs, and (ii) a predicted-topology component C_3^pred derived from public Two-Line Element (TLE) data via the SGP4 propagator. Seven theorems (T-1..T-7) all reduce by finite chain to base MVPS theorems or classical results (special relativity for T-1, SGP4 determinism for T-2, Stein's Lemma + KL chain rule for the N-vantage error-exponent in Appendix A). L_ORB.1/L_ORB.2/L_ORB.3 PASS (KL additivity + Stein-rate finite-n + indistinguishability defeat; receipt evidence/orbital_error_exponent_receipt.json). Operational prerequisite (H-5): path-identity exposure at the vantage; no major LEO operator publishes such mappings today, so the framework degenerates to a single-axis C_1 detector in their absence. Path-identity exposure protocol catalogued as Open Problem OP-2. NO numerical claims on detection latency, FAR, or "X% improvement"; reference simulation is OP-1.

IETF IPPM Submitted -00 · awaiting confirmation
Open question → "Seven instantiations are now on the record (D-1..D-7). Are they seven independent specifications, or seven faces of one underlying specification? If the latter, what is the abstract algebraic object that all seven satisfy, and which classical Internet protocols (BGP, BFD, DNS, TCP) STRUCTURALLY fail to satisfy it?"
Draft #8 · MVPS Architecture · IAB / IRTF · finalised 2026-05-25

MVPS Architecture: Specification Conformance for the Multi-Vantage Path-Coherence Drafts (Invariance Theorem)

draft-melegassi-iab-mvps-architecture-00 — The structural capstone. Defines MVPS as an abstract 5-tuple A = (V, B, (C,H), D², Pub) and states five axioms (MVPS-A1..A5: multi-vantage on a common tick lattice; bounded coherence triple; Mahalanobis decision with FAR control; conditional independence of vantages; Byzantine resilience via geometric median). The Invariance Theorem proves, by axiom-by-axiom chase (10 mechanical-substitution steps), that any architecture satisfying A1..A5 INHERITS the entire v4.0 catalogue: Theorems 1, 2, 3, 3', 4, 5, 9 of [v4-proof], L_DL of [LDL-doc], and Stein's Lemma under A4. Strictly WEAKER than a categorical functor — no morphisms between surfaces required — but strictly STRONGER than v4.0's "parallel construction" disclaimer: a single axiom set whose satisfaction implies inheritance. Catalogue: D-1..D-7 are proved conformant (network / AI / orbital surfaces); D-8 IoT, kernel, dataplane, datacenter, post-quantum link are anticipated conformant; BGP-4 [RFC4271], BFD [RFC5880], DNS [RFC1034/2181], TCP-RTX [RFC6298] are catalogued as STRUCTURALLY non-conformant — and the specific axiom each violates (A1 single-vantage, A4 correlated propagation) is precisely the τ_sampling-binding floor that PCF computes for them. No new mathematics: every step reduces to an existing import.

IAB / IRTF NMRG Finalised -00 · ready to submit
Open question → "If MVPS is an abstract specification whose conformant instantiations inherit a finite theorem catalogue, what is the WORLD NUMBER — the absolute lower bound on reactive latency for any detect-and-react architecture at planetary scale, and how far below that floor can a conformant MVPS deployment operate?"
Draft #9 · Planetary Coherence Floor · IAB · finalised 2026-05-25

Planetary Coherence Floor (PCF): Composition Theorem for Reactive Latency in Multi-Vantage Network Infrastructure (the world number)

draft-melegassi-iab-mvps-planetary-floor-00 — The operational capstone. States and proves the PCF Composition Theorem: for any planet-scale detect-and-react architecture, the reactive-latency floor is R* = max{τ_causal, τ_sampling, τ_information, τ_consensus, τ_coupling}. Each of the five floors reduces by finite chain to existing v4.0 results plus published RFCs — τ_causal from special relativity + fiber index of refraction (RFC 5905 §11 reference for time-distribution geometry); τ_sampling from RFC 4271 §10 (BGP keepalive), RFC 5880 §6.8.1 (BFD MinTx·M), RFC 2181 (DNS TTL_min), RFC 6298 §2.4 (TCP RTO_min); τ_information from Stein's Lemma under A4; τ_consensus from Theorem 9 geometric-median bias; τ_coupling from Pub_A subscriber-arrival envelope. Sharpness Corollary PCF.1 proves each floor is attained by an explicit construction; Falsification Corollary PCF.2 states the exact empirical signature whose observation would refute the theorem. The world number: antipodal classical Internet floor ≈ 60–300 s (BGP-convergence-bound); antipodal MVPS floor ≈ 145–196 ms (causality-bound). Speedup ≈ 1220× over BGP convergence at antipodal scale; ≈ 7.7× over BFD sub-second; causality-limited otherwise. Receipt: scripts/validate_planetary_floor.py exit 0 (PASS), evidence/planetary_floor_receipt.json with SHA-256 stamp.

IAB / IRTF NMRG Finalised -00 · ready to submit
Open question → "PCF is sharp by Corollary PCF.1 and falsifiable by Corollary PCF.2. D-10 adds the security capstone (MVPS-CWT), D-11 adds the atomic backup substrate (SNAP), and D-17 closes the five composition gaps between security and performance (PerfSec-Coupling). The family now spans TWELVE drafts — mutually independent, jointly exhaustive, and operationally complete: from algebra (D-1) to security (D-10) to the wire-format (D-11) to the composition profile (D-17). The next question is no longer mathematical: it is whether the operator community will deploy a conformant MVPS-on-SNAP instance large enough to MEASURE the τ_causal floor in the wild."
Draft #10 · MVPS Trust Profile · IETF IPPM · finalised 2026-05-25
✦ Co-authored · Leonardo Melegassi & Joas Antonio dos Santos Barbosa

MVPS Trust Profile: Lightweight Authentication via HMAC-SHA256, Operator Epoch Anchors, and Independent Witness Cosignatures (2 new theorems)

draft-melegassi-santos-ippm-mvps-cwt-00 — The security capstone, co-authored by Leonardo Melegassi and Joas Antonio dos Santos Barbosa (RedTeamLeaders). Establishes three-layer lightweight trust for MVPS bundles: (1) HMAC-SHA256 per snapshot with per-vantage keys derived via HKDF; (2) Ed25519 epoch manifests committing every bundle in a one-hour window; (3) independent witness cosignatures (Sigsum-style, quorum 2-of-5). Proves T-COAL-1 (multi-operator coalition resistance: adversary must control >N/2 independent operators) and T-SPLIT-1 (collector split-view resistance via witness cross-check). Measured overhead: CWT hot path 2.1 µs < 4.2 µs JSON parse — 0.21% of one CPU core at 1000 vantages/1Hz vs 7.88% for per-snapshot Ed25519; receipt evidence/mvps_cwt_overhead_receipt.json. Validator 12/12 PASS (scripts/validate_cwt_theorems.py). 72-col PASS.

IETF IPPM Finalised -00 · ready to submit Security capstone
Open question → "Post-quantum upgrade path: HMAC-SHA256 is Grover-resistant with margin; Ed25519 epoch anchors are vulnerable in a long-horizon PQ threat model. Future PQ-CWT replaces Ed25519 with ML-DSA-65 [FIPS 204] at the epoch layer while preserving the HMAC hot path."
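
The first trust layer of Draft #10 (HMAC-SHA256 per snapshot, per-vantage keys derived via HKDF) as an added sketch, not code from the draft or its reference implementation. The HKDF salt/info layout, the JSON encoding of the snapshot, the field names and the master secret are assumptions made for this example; the draft's actual wire format is not shown on this page.

```python
import hashlib
import hmac
import json

HASH_LEN = 32  # SHA-256 output size in bytes

def hkdf_sha256(ikm, salt, info, length=HASH_LEN):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested HKDF output too long")
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
    return okm[:length]

def vantage_key(master_secret, vantage_id, epoch):
    """One key per (vantage, epoch); the salt/info layout is an assumption."""
    info = b"mvps-example/vantage/" + vantage_id.encode("utf-8")
    return hkdf_sha256(master_secret, salt=epoch.encode("utf-8"), info=info)

def encode_snapshot(snapshot):
    """Deterministic byte encoding (sorted keys, no whitespace).
    Stand-in for the real bundle encoding, which this page does not give."""
    return json.dumps(snapshot, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")

def tag_snapshot(key, snapshot):
    return hmac.new(key, encode_snapshot(snapshot), hashlib.sha256).digest()

def verify_snapshot(master_secret, epoch, snapshot, tag):
    """Collector side: re-derive the key from the vantage id the snapshot
    claims, recompute the tag, and compare in constant time."""
    vantage_id = snapshot.get("vantage")
    if not isinstance(vantage_id, str) or not isinstance(tag, bytes):
        return False
    key = vantage_key(master_secret, vantage_id, epoch)
    return hmac.compare_digest(tag_snapshot(key, snapshot), tag)

# Constructed sample values.
MASTER = bytes(range(32))
EPOCH = "2026-05-25T10"
SNAPSHOT = {"vantage": "v-017", "tick": 4211, "c": [0.92, 0.83, 0.80]}
TAG = tag_snapshot(vantage_key(MASTER, "v-017", EPOCH), SNAPSHOT)

if __name__ == "__main__":
    print("honest snapshot:", verify_snapshot(MASTER, EPOCH, SNAPSHOT, TAG))
    tampered = dict(SNAPSHOT, c=[0.99, 0.99, 0.99])
    print("tampered vector:", verify_snapshot(MASTER, EPOCH, tampered, TAG))
    relabelled = dict(SNAPSHOT, vantage="v-018")
    print("relabelled vantage:", verify_snapshot(MASTER, EPOCH, relabelled, TAG))
```

Because the key is derived from the claimed vantage id and the id is also inside the authenticated bytes, a tag issued by one vantage cannot be replayed under another vantage's name or in another epoch.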
Draft #11 · SNAP — Simple Native Archive Protocol · IETF DISPATCH · -01 submitted 2026-05-26
✦ Co-authored · Rodrigo Yoshioka (e.Mix) · Guilherme Labadessa (OrcaTI) · Pedro Scalon (Sysbrasil) · Diego Canton de Brito (Vero Internet) · Eduardo Belotto (Zadara) · Contributor: Leonardo Melegassi (Catellix)

SNAP: the atomic backup substrate for MVPS state, with 6 foundational theorems + 4 MVPS composition theorems

draft-melegassi-dispatch-mvps-snap-backup-01 — The atomic backup substrate for the MVPS family. Defines a single self-describing JSON document that encodes a complete file backup: a YANG-1.1 manifest (RFC 7950) with per-file SHA-256 hashes (FIPS 180-4), JSON Canonicalization Scheme envelope (RFC 8785), Brotli compression (RFC 7932), Base64 encoding (RFC 4648), HTTP/2 (RFC 9110) and WebSocket (RFC 6455) transport bindings, and a SNAP-Profile header for conformance negotiation (Minimal / Standard / Full). Proves six theorems A.1–A.6: Shannon compression lower bound, SHA-256 collision resistance (FIPS), Base64+Brotli overhead near unity, minimum round-trip transport time, manifest verification complexity O(n · size), and round-trip correctness over the YANG schema closure. Plus four MVPS composition theorems M.1–M.4: Bundle Preservation (snap_encode preserves Theorem 1 + OC4 of MVPS v4.0), Architectural Conformance (SNAP satisfies axioms MVPS-A1..A5 of D-8), Byzantine-Resilient Backup (inherits Theorem 9 geometric-median floor of MVPS v4.0), and PCF Backup (preserves τ_causal saturation under D-9 Planetary Coherence Floor). Validator 20/20 PASS · 0 idnits errors / 0 flaws · 0 non-ASCII characters after RFC 7997 sanitisation · 5 reproducible test vectors in Appendix C · reference pseudocode in Appendix B · YANG module included. Every claim chases to an existing IETF RFC, to MVPS v4.0, or to a foundational result (Shannon, Merkle, FIPS) — no new mathematics introduced.

IETF DISPATCH Submitted -01 · Datatracker canonical Atomic backup substrate 20/20 validator PASS
Open question → "With D-17 PerfSec-Coupling the twelve drafts now form a closed operational stack — D-1..D-7 instantiate, D-8..D-9 capstone, D-10 secures, D-11 backs up and transports atomically, D-17 closes the composition gaps between security and performance. The remaining open question is whether a real operator network will run a SNAP-on-MVPS deployment and publish the receipt corpus so that the τ_causal floor and the SNAP overhead constants can be re-measured against a production workload."
Draft #12 · PerfSec-Coupling Profile · IETF IPPM · finalised 2026-05-27
◆ Profile-of-Profiles · D-3 + D-4 + D-10 composition · 3 theorems proved · 12/12 PASS

MVPS Performance-Security Coupling: Joint Cost, Verification-DoS Bound, and Replay-Counter Coherence (3 new theorems)

draft-melegassi-mvps-perfsec-coupling-00 — The composition capstone. Binds CWT (D-10) + Coherence-BFD (D-3) + DDoS-Resilience (D-4) into a single deployable contract, closing five composition gaps identified in docs/MVPS_PERFSEC_COUPLING_AUDIT.txt.
Proves three theorems — all by finite chain to the v4.0 catalogue + L_DL; no new mathematics introduced:
T-JCOST-1 (Joint Cost Bound): broker CPU = PPS_t · (c_json + c_hmac) + PPS_t · (c_bfd + c_hmac) + bundles/s · q · c_ed25519. Closed-form dimensioning rule; cost independent of attack rate R.
T-VDOS-1 (Verification-DoS Bound): insider flood at F × natural rate drives cost up by at most RL + F · (c_xdp/c_path). Slope c_xdp/c_path = 0.00575 — F=1024 gives ratio ≤ 9.89× (with rate-limit) vs 1024× (without). Sub-linear.
T-RC-1 (Replay-Counter Coherence): joint BFD-seq × CWT-counter acceptance predicate accepts every honest packet and rejects every replay/forge except with probability ≤ 2⁻¹²⁸ (HMAC PRF security).
Validator: 12/12 PASS (scripts/validate_perfsec_coupling.py) · receipts: evidence/perfsec_joint_cost_receipt.json and evidence/perfsec_verification_dos_receipt.json.

IETF IPPM Finalised -00 · submit-ready 2026-05-27 Profile-of-Profiles 12/12 validator PASS
Open question → "T-JCOST-1 gives the dimensioning rule; the open gap is a large-scale operator measurement to confirm the c_path and c_xdp constants hold under production workloads (non-x86 hardware, kernel-bypass paths). PQ migration of the Ed25519 epoch anchor (from D-10) propagates into the T-JCOST-1 cost model when ML-DSA-65 replaces Ed25519."
Draft #13 · Vantage-MPLS · IETF IPPM · finalised 2026-05-28
◆ MVPS vantage-authentication × Donnet MPLS taxonomy · 3 lemmas + 1 theorem proved

MVPS Vantage Localization Feasibility under MPLS Path Camouflage: turning the Donnet taxonomy into a defence toolkit

draft-melegassi-ippm-mvps-vantage-mpls-00 — First composition between the MVPS vantage-authentication problem (the structural assumption that vantages actually occupy the location they declare) and the Donnet-Vanaubel-Luttringer-Dekinder corpus on MPLS tunnel revelation [Donnet-2012, Vanaubel-2017, Luttringer-2020, Dekinder-2025] — fourteen years of academic work on a vulnerability that, until now, had no formal defensive theorem attached.
Proves three results, all by finite chain to the MVPS v4.0 catalogue + Donnet's four-type tunnel taxonomy:
L-GEO-1 (RTT Localization Bound): closed-form feasible-location set F_v = ∩_i Ball(a_i, r_i·c_fiber/2 + σ_geo) valid under transparent paths (E/I tunnels, Δ_mpls = 0).
L-MPLS-1 (MPLS Camouflage Correction): Δ_mpls(v, a_i) = Σ_{t∈{O,V}} n_h(t)·RTT_min_hop. Bounded for opaque tunnels (n_h recoverable from LSE-TTL); unbounded for invisible tunnels without DPR/BRPR/TNT revelation — 2025 prevalence (5.7 hidden hops/tunnel × 2 ms) credits the adversary ≈ 1 140 km of false position per invisible tunnel.
T-CAM-1 (MPLS-Aware Camouflage Detection): under N≥3, M≥3, n_calib ≥ 18,500, the joint Mahalanobis D² on (C1, C2, C3) detects p_c ∉ F_v^mpls with probability ≥ 1−ε, where ε ≤ exp(−2·n_calib·γ²) by DKW (I13 of [v4-proof]); ε < 10^−9 at FAR_target = 0.01.
Plus an auxiliary Lemma L-GEO-1.1 (anchor geometry: minimum angular distribution needed for L-GEO-1 to discriminate p_c from p_r), a Corollary T-CAM-1.1 (CWT cross-binding — "we cannot deny the identity, but physics denies the location"), and a new phase label MPLS_CAMOUFLAGE_SUSPECTED in the MVPS taxonomy.
Three explicit caveats — T-CAM-1.A (DKW requires i.i.d. observations), T-CAM-1.B (Theorem 2 of v4-proof rests on Hypothesis H3, empirical), T-CAM-1.C (revelation soundness fails under adversarial operators) — and four security limitations (§10.1 DPR/BRPR forging Attacks C/D, §10.2 RTT-Inflation dual attack, §10.3 PHP coverage gap, §10.4 Byzantine vantage minimum N≥3f+1) qualify every claim. No new wire format; no new IANA codepoints; no RFC 2119 obligations — informational.
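The L-GEO-1 membership test and the L-MPLS-1 sum can be exercised directly. The Python sketch below is an added example, not code from the draft or its repository; the anchor coordinates, RTTs, σ_geo = 50 km and c_fiber = 200 km/ms are constructed assumptions (the last chosen because it reproduces the 1 140 km figure quoted above).

```python
import math

EARTH_RADIUS_KM = 6371.0
C_FIBER_KM_PER_MS = 200.0   # assumption: about 2/3 c in fibre
SIGMA_GEO_KM = 50.0         # assumption: geolocation slack sigma_geo

# Constructed sample: (anchor name, (lat, lon), measured RTT in ms) for a
# vantage that really sits in Paris.
SAMPLE_OBSERVATIONS = [
    ("FRA", (50.11, 8.68), 7.0),
    ("LON", (51.51, -0.13), 5.0),
    ("MAD", (40.42, -3.70), 13.0),
]
PARIS = (48.86, 2.35)
NEW_YORK = (40.71, -74.01)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def ball_radius_km(rtt_ms):
    """Radius of one L-GEO-1 ball: r_i * c_fiber / 2 + sigma_geo."""
    return rtt_ms * C_FIBER_KM_PER_MS / 2 + SIGMA_GEO_KM


def violated_anchors(claimed, observations):
    """Anchors whose ball excludes the claimed position.

    An empty list means the claim lies in F_v, the intersection of all balls.
    Valid only for transparent paths, as L-GEO-1 states.
    """
    return [name for name, anchor, rtt_ms in observations
            if haversine_km(claimed, anchor) > ball_radius_km(rtt_ms)]


def mpls_correction_ms(tunnels, rtt_min_hop_ms):
    """L-MPLS-1 sum over opaque ('O') and invisible ('V') tunnels.

    tunnels is a list of (type, hidden_hops); hidden_hops is None when the
    hop count was not revealed. Returns None when the sum is unbounded.
    """
    total = 0.0
    for kind, hidden_hops in tunnels:
        if kind not in ("O", "V"):
            continue            # explicit / implicit tunnels add nothing
        if hidden_hops is None:
            return None         # unrevealed tunnel: no finite bound
        total += hidden_hops * rtt_min_hop_ms
    return total


def false_position_km(delta_ms):
    """Distance credit that delta_ms of unexplained RTT hands to a claim."""
    return delta_ms * C_FIBER_KM_PER_MS / 2
```

A claim that survives `violated_anchors` is only consistent with the RTTs; it is not proven, which is why the draft layers the D² test and the revelation step on top.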

IETF IPPM Finalised -00 · submit-ready 2026-05-28 MPLS taxonomy composition 3 lemmas + 1 theorem
Open question → "T-CAM-1 closes the vantage-authentication gap against the camouflage attack but leaves three operationally significant open problems: (i) the dual RTT-inflation attack (§10.2) needs its own lemma L-INFL-1 with a multi-anchor RTT-consistency test plus cross-stratum NTP/PTP audit; (ii) DPR/BRPR/TNT response forging by an adversarial MPLS operator (§10.1, Attacks C and D) remains uncovered without physical-layer attestation; (iii) PHP tunnels combined with iLER capture leave a coverage gap (§10.3) that AReST mitigates only on SR-MPLS/SRv6. The next document in the series should formalise Lemma L-INFL-1 and document operator deployment recipes for multi-source revelation under adversarial MPLS edges."
Draft #14 · Proof Envelope + PQ · IETF IPPM · validated 2026-05-29
◆ Family integrity capstone · Merkle root + CWT anchor · 3 theorems · 11/11 PASS

MVPS Proof Envelope: Tamper-Evident Binding of the Entire Theorem Family + Post-Quantum Migration Path

draft-melegassi-ippm-mvps-proof-envelope-00 — Integrity capstone: binds all MVPS theorem catalogues, proof documents, validation scripts and numerical receipts into a canonical manifest (JCS, RFC 8785), Merkle-rooted (RFC 9162), signed and anchored by the operator-epoch CWT.
T-BIND-1: tamper-evidence — altering any bound artifact is detected by the manifest's Merkle root (SHA-256 + EUF-CMA).
T-TRACE-1: traceability — every theorem_id carried by an envelope resolves to a named catalogue document (no orphan claims).
T-PQ-MIG-1: PQ migration — the Layer-1 HMAC hot path is invariant under replacement of the anchor signature (Ed25519 → ML-DSA-65, FIPS 204).
Validator: 11/11 PASS · binds 109 artifacts · proof_envelope_receipt.json
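How a Merkle-rooted manifest makes one changed artifact visible can be shown with the RFC 9162 tree hash. This is an added Python example, not the project's validator: the artifact names and contents are constructed, the leaf encoding (one canonical JSON entry per artifact) is an assumption, and `canonical` is a stand-in that matches JCS only for the string-only objects used here. Signing the root is left out.

```python
import hashlib
import json

# Constructed sample artifacts (path -> bytes); not files from the project.
SAMPLE_ARTIFACTS = {
    "catalog/theorems_example.json": b'{"T-EXAMPLE-1": "statement"}',
    "docs/proof_example.txt": b"proof text",
    "evidence/receipt_a.json": b'{"pass": true}',
    "evidence/receipt_b.json": b'{"pass": true, "n": "5"}',
    "scripts/validate_example.py": b"print('PASS')\n",
}


def canonical(obj):
    """Deterministic JSON bytes (sorted keys, no whitespace)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()      # RFC 9162 leaf prefix


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # node prefix


def _split(n):
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves):
    """RFC 9162 Merkle Tree Hash over a list of leaf byte strings."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(m, leaves):
    """Audit path for leaf index m, ordered from the leaf towards the root."""
    n = len(leaves)
    if not 0 <= m < n:
        raise IndexError("leaf index out of range")
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def root_from_path(leaf, m, n, path):
    """Recompute the root from one leaf hash and its audit path."""
    if n == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split(n)
    if m < k:
        return node_hash(root_from_path(leaf, m, k, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_path(leaf, m - k, n - k, path[:-1]))


def build_manifest(artifacts):
    """One entry per artifact, sorted by path so the leaf order is fixed."""
    return [{"path": p, "sha256": hashlib.sha256(artifacts[p]).hexdigest()}
            for p in sorted(artifacts)]


def manifest_root(entries):
    return merkle_root([canonical(e) for e in entries])


def changed_artifacts(entries, artifacts):
    """Paths that are missing or whose bytes no longer match the manifest."""
    bad = []
    for e in entries:
        data = artifacts.get(e["path"])
        if data is None or hashlib.sha256(data).hexdigest() != e["sha256"]:
            bad.append(e["path"])
    return bad
```

The audit path lets a reviewer confirm that a single receipt is bound to a published root without downloading the other artifacts.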

IETF IPPM Validated · 11/11 PASS Integrity capstone Post-Quantum ready
Draft #15 · Latency Reconciliation · IETF IPPM · validated 2026-05-29
◆ L_DL · reconciles D-2, D-3, D-4 · error 0 ms · PASS

MVPS Detection-Latency Reconciliation: the L_DL Lemma

draft-melegassi-ippm-mvps-latency-reconciliation-00 — Proves and reconciles the Detection-Latency Lemma L_DL, which unifies the detection profiles of D-2 (incremental BE-MVPS), D-3 (sub-second Coherence-BFD) and D-4 (volume-independent DDoS) into a single latency guarantee with a numerical error of 0 ms. Validator: PASS (0 ms error)

IETF IPPM Validated · PASS L_DL reconciliation
Draft #16 · Methodology · IRTF · validated 2026-05-29
◆ M-1..M-9 discipline invariants · 11/11 PASS · IRTF Informational

MVPS Adversarial-Audit Methodology: 9 Discipline Invariants (M-1..M-9)

draft-melegassi-irtf-mvps-methodology-00 — IRTF meta-draft that formalises the 9 discipline invariants (M-1..M-9) on which the whole MVPS family is built. Each invariant is a necessary and sufficient condition for any MVPS draft to meet the adversarial-audit standard.
Validator: 11/11 PASS · receipt: methodology_discipline_receipt.json

IRTF Validated · 11/11 PASS M-1..M-9 invariants Informational
Draft #17 · Log Format · OPSAWG · validated 2026-05-29
◆ Append-only · tamper-evident · T-LOG-* · 8/8 PASS

MVPS Operational Log Format: Append-Only Tamper-Evident Audit Log

draft-melegassi-opsawg-mvps-logging-00 — Defines the MVPS operational log format: append-only, tamper-evident, audit-grade. Proves the T-LOG-* theorems, which guarantee tamper detection and non-repudiation for coherence events.
Validator: 8/8 PASS · receipt: logging_format_receipt.json

IETF OPSAWG Validated · 8/8 PASS Tamper-evident log
Draft #18 · Maritime Edge · IETF IPPM · validated 2026-05-29
◆ DIL + GNSS-denied holdover · L-MAR-* · T-MAR-INHERIT · 7/7 PASS

MVPS Maritime/Tactical-Edge Profile: DIL + GNSS-Denied Holdover Coherence

draft-melegassi-ippm-mvps-maritime-edge-00 — Defensive profile for maritime and tactical-edge environments with DIL (Disconnected, Intermittent, Limited) connectivity and GNSS denial. Proves L-MAR-*, T-MAR-INHERIT and C-MAR-1 (coherence-holdover corollary).
Validator: 7/7 PASS · receipt: maritime_edge_receipt.json

IETF IPPM Validated · 7/7 PASS DIL + GNSS-denied Defensive profile
Draft #19 · Terrestrial Mobile · IETF IPPM · validated 2026-05-29
◆ Cellular handover · L-TER-* · T-TER-INHERIT · 7/7 PASS

MVPS Terrestrial Mobile/Vehicular Profile: Cellular Handover Coherence

draft-melegassi-ippm-mvps-terrestrial-mobile-00 — Defensive profile for terrestrial mobile and vehicular environments: cellular handover (4G/5G), vehicles, railways. Sibling of the orbital (D-7) and maritime (D-18) profiles. Proves L-TER-*, T-TER-INHERIT and C-TER-1.
Validator: 7/7 PASS · receipt: terrestrial_mobile_receipt.json

IETF IPPM Validated · 7/7 PASS Cellular handover Defensive profile
Draft #20 · IoT/ROLL · IETF ROLL · validated 2026-05-29
◆ IoT cluster · D² bounded · gate fix · 8/8 PASS · sanitised S-IoT→D-20

MVPS IoT/ROLL Cluster Profile: Bounded D² + Gate-Fix (sanitised -01)

draft-melegassi-roll-mvps-iot-01 — IoT/ROLL cluster profile for low-power sensor networks. Sanitised from S-IoT: two critical errors fixed (gate mix-up T_IoT.3; "D²→∞" L_IoT.2b → D² bounded).
Validator: 8/8 PASS · receipt: iot_coherence_receipt.json

IETF ROLL Validated · 8/8 PASS IoT cluster Sanitised -01
Draft #21 · OS/Host Fleet · OPSAWG · validated 2026-05-29
◆ Fleet-as-vantages · port posture · 7/7 PASS + 7/7 sub

MVPS OS/Host Fleet-Coherence: Canonical OS Monitoring and Network-Posture

draft-melegassi-opsawg-mvps-os-host-00 — Instantiates the MVPS framework over fleets of OS hosts: each host is a vantage, and coherence measures the consistency of the fleet. Includes a port/service posture sub-profile (multi-vantage coherence layer over scans — MVPS adds the coherence layer, not scanner speed).
OS validator: 7/7 PASS · Port posture validator: 7/7 PASS

IETF OPSAWG Validated · 7/7 PASS Fleet-as-vantages Port posture sub-profile
Draft #22 · Extensions · IETF IPPM · validated 2026-05-29
◆ Updates D-1 (bundle) · core-invariant · 7/7 PASS

MVPS Extension & Capability-Negotiation Framework (Updates bundle D-1)

draft-melegassi-ippm-mvps-extensions-00 — Defines the formal extension and capability-negotiation mechanism for the MVPS family. Updates the bundle draft (D-1) with a standardised extension header, ensuring that future extensions are core-invariant (they alter neither axioms A1..A5 nor the base theorems).
Validator: 7/7 PASS · receipt: extension_negotiation_receipt.json

IETF IPPM Validated · 7/7 PASS Updates D-1 Core-invariant

What is proved, what is measured, and what remains open

Pick a draft below to jump to its evidence. Every strong claim sits in one of four buckets: formal theorem, numerical receipt, real-world measurement, or declared open gap. Nothing relies on the visual metaphor.

D-19 · Vantage-MPLS

Donnet taxonomy turned into a defence toolkit — 3 lemmas + 1 theorem

<10^−9
L-GEO-1 + L-MPLS-1 + T-CAM-1 + L-GEO-1.1 · BRPR/TNT revelation · ε bound by DKW at n_calib=18,500
D-17 · PerfSec

Profile-of-Profiles — 3 composition theorems proved

12/12
T-JCOST-1 + T-VDOS-1 + T-RC-1 · CWT×BFD×DDoS · F=1024 → ratio≤9.89× (sub-linear)
D-11 · SNAP

Atomic backup substrate — A.1–A.6 + M.1–M.4 PROVED

6 + 4
A.1–A.6 (Shannon, SHA-256, JCS, round-trip) + M.1–M.4 (MVPS Bundle / Architecture / Byzantine / PCF preservation)
D-10 · CWT Trust

Security capstone — HMAC < parse cost

2.1 µs
CWT hot path < 4.2 µs JSON parse · 12/12 validator PASS · T-COAL-1 + T-SPLIT-1
D-9 · PCF

The world number — planetary reactive floor

1 220×
BGP 300 s / MVPS 245.9 ms · live RIPE RIS 267 bursts confirm
D-9 · live BGP

Empirical τ_sampling^BGP (72 h)

81 s
median burst, 65.5% inside 60–300 s band on Tier-1 prefixes
D-9 · 20 cities

Geocausal floor on real city pairs

2 054×
mean speedup vs BGP-300 s · São Paulo↔Tokyo, NYC↔Singapore, …
D-8 · Architecture

Invariance Theorem — A1..A5 conformance

7 / 7
D-1..D-7 all inherit v4.0 theorems via the axiom chase
D-6 + D-7

Lead-time + orbital error exponent

9 / 9
SIGN-CLAIM MC configs · Stein KL chain rel. err 0.3%
D-3 · Coh-BFD

The MVPS packet on the wire

44 B
V3 Echo + Coherence Magic + (φ, C1, C2, C3) + HMAC
D-4 · DDoS

Volume-independent detection

~3 s
MVPS broker D² fires before volumetric alarm (≈45 s)
D-6 · RIPE R8

Lead-time on real K-root data

+18 900 s
max MVPS lead in 60 paired episodes (5h15min ahead)
PCAP · GOLDEN KEY

Real MVPS packets on the wire

2 × .pcap
baseline + DDoS · open in Wireshark · 'COHE' magic at byte 74 · HMAC re-verifiable
Popper

Falsification corner

10 / 10
explicit observation that would refute each draft
D-14 · Proof Envelope

Tamper-evident binding of all theorem artifacts

11/11
T-BIND-1 + T-TRACE-1 + T-PQ-MIG-1 · 109 artifacts · Ed25519 → ML-DSA-65 PQ
D-15 · Latency Recon.

L_DL reconciles D-2, D-3, D-4 detection latency

0 ms
L_DL error 0 ms · PASS
D-16 · Methodology

IRTF adversarial-audit discipline M-1..M-9

11/11
M-1..M-9 invariants · whole family auditable
D-17 · Log Format

Append-only tamper-evident operational log

8/8
T-LOG-* · non-repudiation · audit-grade · OPSAWG
D-18 · Maritime Edge

DIL + GNSS-denied holdover profile

7/7
L-MAR-* + T-MAR-INHERIT + C-MAR-1 · ships & tactical edge
D-19 · Terrestrial Mobile

Cellular handover coherence profile

7/7
L-TER-* + T-TER-INHERIT + C-TER-1 · 4G/5G handover
D-20 · IoT/ROLL

IoT cluster — bounded D² + gate fix (sanitised -01)

8/8
T_IoT.1..3 + L_IoT.2b bounded · ROLL WG
D-21 · OS/Host Fleet

Fleet-as-vantages + port posture sub-profile

7/7
OS fleet + port posture (7/7 + 7/7) · OPSAWG
D-22 · Extensions

Extension & capability-negotiation (Updates D-1)

7/7
Core-invariant extension header · Updates bundle D-1
D-9 Planetary Coherence Floor — the world number
Recomputed from evidence/planetary_floor_receipt.json by scripts/validate_planetary_floor.py. The headline ratio is 300 s / 245.883 ms = 1220.09×.
PCF world number: classical Internet versus MVPS reactive latency floor
300 s · BGP convergence floor
245.9 ms · MVPS fiber N=1000
1220× · lower reactive floor
195.9 ms · antipodal fiber causal RTT
145.1 ms · antipodal LEO causal RTT
D-9 PCF — empirical τ_sampling^BGP on live RIPE RIS (72 h window)
Generated by scripts/collect_bgp_convergence_modern.py against stat.ripe.net/data/bgp-updates, 5 Tier-1 prefixes (Cloudflare 1.1.1.0/24, Google 8.8.8.0/24, Microsoft 13.107.4.0/24, etc.). We group updates into "bursts" (gap > 60 s = burst end, min 5 updates) and measure each burst duration as the empirical convergence time.
Empirical BGP convergence histogram and CDF on live RIPE RIS data
267 · live bursts captured
81 s · median convergence
65.5% · inside 60–300 s band
68.9% · ≥ 60 s (above PCF floor)
636 s · worst observed burst

This is a live, non-historical, non-synthetic validation of the τ_sampling^BGP floor used by D-9 PCF. The vast majority of real Tier-1 convergence bursts in the last 72 h sit inside the 60–300 s band the PCF proof assumes, with a long tail to 636 s. This pins the worst-case input to the 1220× world-number ratio against current Internet data.
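The burst rule stated above (a gap longer than 60 s ends a burst, and a burst needs at least 5 updates) is easy to get subtly wrong at the boundaries. The following Python sketch is an added example, not scripts/collect_bgp_convergence_modern.py; the timestamps are constructed epoch seconds and the summary field names are assumptions.

```python
from statistics import median

# Constructed update timestamps (seconds), deliberately unsorted.
SAMPLE_UPDATES = [
    1000, 1050, 1110, 1160, 1200, 1255, 1300, 1350,   # 8 updates, one 60 s gap
    0, 20, 45, 70, 100, 130,                          # 6 updates
    400, 410, 415,                                    # only 3 updates: dropped
    2000, 2005, 2010, 2015, 2020,                     # exactly 5 updates: kept
]


def group_bursts(timestamps, gap_s=60, min_updates=5):
    """Split update timestamps into bursts.

    A burst ends when the next update arrives more than gap_s after the
    previous one (a gap of exactly gap_s stays in the same burst). Bursts
    with fewer than min_updates updates are discarded.
    """
    bursts, current = [], []
    for t in sorted(timestamps):
        if current and t - current[-1] > gap_s:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return [b for b in bursts if len(b) >= min_updates]


def burst_durations(timestamps, gap_s=60, min_updates=5):
    """Duration of each kept burst: last update minus first update."""
    return [b[-1] - b[0] for b in group_bursts(timestamps, gap_s, min_updates)]


def summarize(durations, band=(60, 300)):
    """Statistics of the kind reported above, computed from durations."""
    if not durations:
        return {"bursts": 0}
    lo, hi = band
    n = len(durations)
    return {
        "bursts": n,
        "median_s": median(durations),
        "in_band": sum(lo <= d <= hi for d in durations) / n,
        "at_least_lo": sum(d >= lo for d in durations) / n,
        "worst_s": max(durations),
    }


if __name__ == "__main__":
    print(summarize(burst_durations(SAMPLE_UPDATES)))
```

Changing `gap_s` or `min_updates` moves the median and the in-band share, so a receipt that reports them should record both parameters.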

D-9 PCF — geographically resolved floor on 20 canonical city pairs
Generated by scripts/collect_peering_geocausal.py. τ_causal computed from Haversine distance × 1.3 cable-detour factor at c/n_fiber (n=1.467, RFC-independent physical constants). Each bar is the per-pair reactive floor of MVPS vs the 60 s BGP minimum.
MVPS reactive floor vs BGP floor across 20 real city pairs (Sao Paulo, Tokyo, London, ...)
20 · city pairs evaluated
410× · mean speedup vs BGP-60s
2054× · mean speedup vs BGP-300s
7 192 km · shortest pair
18 537 km · longest pair

D-8 Architecture — A1..A5 conformance

PASS
All D-1 through D-7 satisfy MVPS A1 through A5 and inherit v4.0
MVPS architecture diagram: vantage lattice, bundle, broker, observer, comparator

The Invariance Theorem in D-8 is a 10-step axiom chase: any architecture satisfying MVPS-A1..A5 inherits v4.0 Theorems 1, 2, 3, 3', 4, 5, 9, plus L_DL and Stein's Lemma under A4. D-1..D-7 all pass the conformance table in the receipt. The architecture diagram above is the algebraic 5-tuple (V, Ttick, B, S, C) made visible.

D-6 Lead-time + D-7 Orbital receipts

PASS
9/9 · D-6 SIGN-CLAIM MC configs
7.57 s · Slammer-class lead, N=30
0.3% · D-7 KL additivity rel. error
L_ORB 1/2/3 · orbital lemmas PASS
MVPS lead-time evidence figure
Lead-time benchmark matrix

D-6 remains synthetic/Monte-Carlo for worm-class magnitude; D-7 is mathematically proved but awaits path-identity exposure from a real LEO operator (H-5). Both limitations are explicit in the drafts.

D-7 Orbital — Stein additivity from the receipt
Generated by scripts/render_capstone_proof_figures.py from evidence/orbital_error_exponent_receipt.json. Left panel: empirical −log β_n/n converges to D_total = Σ D_i (Stein limit). Right panel: exact Gaussian −log β_n vs the Mills/Chernoff upper bound — both show exponential decay.
Stein additivity rate converges to the KL sum across orbital vantages
D-6 closed-form lead time vs N — historical worm-class regimes
Generated by scripts/render_capstone_proof_figures.py from evidence/zeroday_lead_time_receipt.json, Table 5.2. Each bar is E[L_exp] evaluated at the doubling rate of a named historical worm/amplification campaign for N ∈ {4, 8, 16, 30, 100, 1000}.
D-6 worm-class lead time across historical regimes (Slammer, Code Red, WannaCry, Memcached, Mirai)
D-6 — predicted vs measured lead-time on real RIPE Atlas data (R8)
Generated by scripts/render_capstone_proof_figures.py from evidence/cross_validate_lead_time.json. Left: CDF of MVPS lead time per paired episode (positive = MVPS leads). Right: histogram per lead-time bucket. Real K-root + BGP data, no synthetic injection.
D-6 lead time CDF and histogram on real RIPE Atlas episodes
D-3 Coherence-BFD — detection latency benchmark
Numerical instantiation of L_DL: τ_detect = M·T_tick − φ + τ_RTT. Pre-computed against evidence/detection_latency_lemma_receipt.json. Panel (A) shows the full range including V0 baseline (60 005 ms); panel (B) zooms the operable BFD variants (55–1 005 ms) so the speedup is readable.
D-3 Coherence-BFD detection latency benchmark — 2 panels: full range (log) + V1..V4 zoom (linear), V3 echo winner at 55 ms
D-3 + D-1 — the MVPS packet on the wire
Two diagrams: (A) the Coherence-BFD V3 Echo payload (D-3), 44 bytes including the 12-byte Coherence extension that carries the per-tick coherence vector (φ, C1, C2, C3) plus a truncated HMAC-SHA256. (B) the broker-side MVPS Bundle TLV (D-1) that aggregates N vantages, computes Σ and D², and signs with Ed25519. Volume is not an input to either format.
MVPS packet anatomy: BFD Coherence Echo (A) and Bundle TLV (B)
44 B · total Coh-BFD payload
12 B · Coherence extension
4 + 4×N · Bundle ID + φ slots
Ed25519 · broker signature
HMAC-SHA256 · per-vantage authent.
D-4 DDoS — anatomy of detection (MVPS vs volumetric)
Three panels: per-vantage pps, broker-side D², and the detection-time gap. D² is computed on the coherence vector (φ, C1, C2, C3) per tick — packet counts appear nowhere. Doubling the attack rate, spreading it across 10 000 sources, or hiding it under a volumetric ceiling does not change the MVPS alarm time.
DDoS detection: per-vantage pps, broker D2, and the timing gap between MVPS and a volumetric alarm

The figure is a worked sample — synthetic to keep this didactic, but it replays the same math used in the live RIPE Atlas DDoS evidence block below. The volume-independent broker D² is exactly Theorem D-4 of the DDoS draft, and corresponds to the algebraic statement that FAR is controlled by Σ, not by sample size.

D-3 PCAP-level proof — real MVPS packets on the wire · GOLDEN KEY
Two libpcap classic files generated by scripts/build_mvps_pcap.py, each containing 30 fully-formed MVPS Coherence-BFD frames (Ethernet/IPv4/UDP dst=3784 BFD + 68-byte Coherence-BFD payload). Open in Wireshark; search for the 4-byte ASCII "COHE" magic at payload offset 32; recompute the HMAC-SHA256. No simulation, no synthetic graph — the bytes are on the wire.
⬇ mvps_baseline.pcap (3 804 B) ⬇ mvps_ddos.pcap (3 804 B) ↗ MVPS_PCAP_PROOF.txt ↗ Receipt JSON
PCAP hexdump of frame 0 of mvps_baseline.pcap and mvps_ddos.pcap, with byte-range colour map
30 + 30 · real frames captured
110 B · per frame on the wire
"COHE" · magic at byte 74 (0x4a)
UDP 3784 · IANA BFD control port
Ed25519 · HMAC re-verifiable
VERIFY YOURSELF — 60 seconds
# 1) verify file integrity
sha256sum mvps_baseline.pcap
# expected: 2c2b314d86843bcb4400f3d1d4299c903b86d26d573120e5fdfa00f17735475d
# 2) open in Wireshark — see 30 BFD frames
wireshark mvps_baseline.pcap
# 3) confirm the "COHE" magic is on the wire
tshark -r mvps_baseline.pcap -Y "data contains 43:4f:48:45" | wc -l
# expected: 30
# 4) hexdump first frame
tcpdump -X -nn -c 1 -r mvps_baseline.pcap
WHAT THE TWO CAPTURES PROVE
  • Wire format matches D-3 byte-for-byte (Wireshark dissector free).
  • The "COHE" magic word (0x43 0x4F 0x48 0x45) is the deterministic signal of MVPS-aware peers.
  • HMAC-SHA256(96) recomputes against the published key — proves the tag is authentic, not random.
  • Baseline pcap has phi ~ N(0, 5 µs), C1/C2/C3 ~ N(0, 0.02).
  • DDoS pcap has phi ramping to ~120 µs and (C1,C2,C3) growing correlated, even though the per-packet rate (50 ms inter-arrival) is unchanged — exactly the D-4 attack profile.
  • Each frame's per-packet payload SHA-256 is recorded in mvps_pcap_receipt.json so you can prove no packet was duplicated or hand-edited.

Reproduce: python scripts/build_mvps_pcap.py regenerates byte-identical files from a deterministic seed and a published HMAC key, so the SHA-256 above can be independently confirmed by anyone in under a minute.
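The tshark filter above matches "COHE" anywhere in the data; a stricter check parses each record and requires the magic at the stated payload offset of a UDP/3784 datagram. This Python sketch is an added example, not scripts/build_mvps_pcap.py: the sample capture is constructed (zero-filled payload, documentation addresses), and it checks only the magic position because the field layout needed to recompute the HMAC is not given on this page.

```python
import struct

COHE_MAGIC = b"COHE"
MAGIC_PAYLOAD_OFFSET = 32    # payload offset stated on the page
BFD_PORT = 3784

_PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian
}


def iter_frames(blob):
    """Yield captured frames from a classic libpcap byte string."""
    endian = _PCAP_MAGICS.get(blob[:4])
    if endian is None or len(blob) < 24:
        raise ValueError("not a classic libpcap file")
    (linktype,) = struct.unpack(endian + "I", blob[20:24])
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    pos = 24
    while pos + 16 <= len(blob):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII",
                                                     blob[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(blob):
            break                      # truncated final record: stop cleanly
        yield blob[pos:pos + incl_len]
        pos += incl_len


def udp_payload_span(frame, dst_port):
    """(start, end) of the UDP payload in an Ethernet/IPv4 frame, else None.

    VLAN tags, IPv6 and IP fragments are not handled in this sketch.
    """
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4
    if version != 4 or ihl < 20 or frame[14 + 9] != 17:
        return None
    udp = 14 + ihl
    if len(frame) < udp + 8:
        return None
    _sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dport != dst_port or ulen < 8:
        return None
    return udp + 8, min(udp + ulen, len(frame))


def magic_offsets(blob, port=BFD_PORT):
    """Frame-relative offset of the magic for every conforming frame."""
    hits = []
    for frame in iter_frames(blob):
        span = udp_payload_span(frame, port)
        if span is None:
            continue
        at = span[0] + MAGIC_PAYLOAD_OFFSET
        if at + 4 <= span[1] and frame[at:at + 4] == COHE_MAGIC:
            hits.append(at)
    return hits


def build_sample_pcap(n_frames=30, magic=COHE_MAGIC, dst_port=BFD_PORT):
    """Constructed capture: 68-byte payloads with only the magic filled in."""
    payload = bytearray(68)
    payload[MAGIC_PAYLOAD_OFFSET:MAGIC_PAYLOAD_OFFSET + 4] = magic
    udp = struct.pack("!HHHH", 49152, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    frame = eth + ip + udp + bytes(payload)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out
```

With 30 frames of 110 bytes the constructed file is 24 + 30 × (16 + 110) = 3 804 bytes, the size listed for both published captures.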

📋 Reviewer table — every claim across the 11 drafts (formal / numerical / empirical / open)
Draft | Formal theorem | Numerical receipt | Real-world measurement | Open validation gap
D-1 Bundle | PROVED v4.0 core algebra, bounded C=(C1,C2,C3), D² FAR control | validate_v4_against_all_attacks.py · 44/44 PASS | RIPE Atlas K-root: 14,747 D² windows, 8.03% over ALARM threshold | None for algebra; broader deployment diversity still useful
D-2 BE-MVPS | PROVED SMW/CRDT bandwidth Pareto theorems | BE-MVPS benchmark receipts and scale summaries | 100 vantages × 300 s local run, 98.3% delivery, 0 auth drops | 1-hour dedicated-hardware run queued
D-3 Coherence-BFD | PROVED L_DL gives τ_detect = M·T_tick − φ + τ_RTT | detection_latency_lemma_receipt.json; synthetic BFD harness | NEW: two real .pcap files (mvps_baseline / mvps_ddos), 30 frames each, "COHE" magic + HMAC-SHA256 verifiable in Wireshark | Still needs Tofino / DPDK hardware corroboration for end-to-end timing
D-4 DDoS | PROVED volume-independent broker-side D² + cell Byzantine bound | R6 multi-prefix BGP evidence | 5 anycast DNS prefixes, baseline ratio up to 24×, alarm independent of volume | Real packet-level DDoS traces still desirable
D-5 AI coherence -01 | PROVED C-5.6 geometric median on compact embedding ball · T-JCOST-AI-1 (joint broker CPU, instantiation of D-17 T-JCOST-1) · T-VOLINV-AI (volume independence) · Lemma L-AI-A4 (A4 conformance, 3 conditions) · MVPS-A1..A5 CONFORMANT (subject to L-AI-A4) | mvps_lm_cbf.json | Ollama qwen2.5:3b, 200 LM calls, AUC D²=0.900, CBF_score=0.800 · Part D (Sec 22-25): Trust/CWT/PerfSec composition mandatory for production; without D-17 → ~10-100× under-provisioning | More models and larger prompts would broaden, not alter, the proof
D-6 Coherence lead-time | PROVED L_ZD.1'/2'/3' closed forms and sign reversal | zeroday_lead_time_receipt.json · 9/9 SIGN-CLAIM | Monte Carlo only for worm-class magnitude; RIPE R8 supports existence of positive lead | Needs historical worm/DDoS trace replay for magnitude
D-7 Orbital | PROVED T-1..T-7; Stein + KL chain rule | orbital_error_exponent_receipt.json · L_ORB.1/2/3 PASS | No production LEO path-identity measurement yet | H-5 path-identity exposure from a LEO operator
D-8 Architecture | PROVED Invariance Theorem, 10 mechanical substitutions | planetary_floor_receipt.json axiom table: D-1..D-7 all inherit v4.0 | N/A: structural conformance claim, not an empirical measurement | Reviewer challenge: dispute any A1..A5 assignment
D-9 PCF | PROVED R*=max{τ_causal, τ_sampling, τ_information, τ_consensus, τ_coupling} | planetary_floor_receipt.json: 1220.09× world number PASS · peering_geocausal.json: 20 city pairs, mean 2054× vs BGP-300s | NEW: bgp_convergence_modern.json — 267 live RIPE RIS bursts, median 81 s, 65.5% inside the 60–300 s band the proof assumes | Still needs a large-operator MVPS deployment to measure τ_causal in the wild
D-10 CWT Trust | PROVED T-COAL-1 (coalition resistance) + T-SPLIT-1 (split-view resistance) | mvps_cwt_overhead_receipt.json: 2.1 µs CWT hot path < 4.2 µs JSON parse · validator 12/12 PASS | Microbenchmark on commodity x86; under load on instrumented vantage hardware | Post-quantum migration of Ed25519 epoch anchor to ML-DSA-65 (FIPS 204) catalogued as open
D-11 SNAP | PROVED A.1–A.6 (Shannon, SHA-256, JCS, round-trip) + M.1–M.4 (MVPS Bundle / A1..A5 / Byzantine / PCF preservation) | A.1–A.6 + M.1–M.4 PROVED · local validator 20/20 PASS · 5 reproducible test vectors in Appendix C · 0 idnits errors / 0 flaws · 0 non-ASCII characters after RFC 7997 sanitisation | YANG-1.1 module ships in the draft itself; XML2RFC v3 + 81 536 B .txt artifact reproducible from draft-melegassi-dispatch-mvps-snap-backup-01.md | Backup-on-the-wire benchmark against an operator-scale MVPS deployment (composes naturally with the D-9 PCF open gap)
D-17 PerfSec | PROVED T-JCOST-1 (joint cost bound, closed-form) · T-VDOS-1 (insider verification-DoS sub-linear) · T-RC-1 (replay-counter coherence, forgery prob ≤ 2^−128) | perfsec_joint_cost_receipt.json: 5 scale points PASS · perfsec_verification_dos_receipt.json: 6 flood factors × 2 modes PASS · F=1024 ratio ≤ 9.89× (vs 1024× without rate-limit) · validator 12/12 PASS | Cost constants pinned to evidence/mvps_cwt_overhead_receipt.json (Intel i7 12th gen, Python 3.12.1, 200k iterations); c_path = 8.70 µs verifiable independently | Production benchmark on non-x86 hardware (ARM, RISC-V) and kernel-bypass path (DPDK); PQ cost update when ML-DSA-65 replaces Ed25519 in D-10 epoch anchor
D-10 MVPS Trust Profile (CWT) — overhead receipt
Generated by scripts/bench_cwt_overhead.py. CWT hot path (HMAC-SHA256): 2.1 µs — strictly below JSON parse baseline 4.2 µs. Ed25519 verify (alternative): 78.8 µs (37.5× slower). Receipt: evidence/mvps_cwt_overhead_receipt.json.
CWT vs Ed25519 overhead benchmark
2.1 µs · CWT HMAC hot path
4.2 µs · JSON parse (baseline)
0.21% · CPU core at 1000 vantages/1Hz
78.8 µs · Ed25519 verify (alt design)
37.5× · CWT faster than Ed25519
12 / 12 · validator checks PASS
T-COAL-1: Under hypothesis H-TRUST-CWT (HMAC keys fresh per epoch, HKDF-isolated per vantage), an adversary controlling a coalition of q < N/2 independent operators cannot forge a valid MVPS bundle that passes the epoch-manifest witness check with probability > negl(λ).
T-SPLIT-1: Under H-WIT (at least one honest witness out of k), a collector cannot present divergent bundle histories to different observers without being detected by the witness cosignature cross-check within one epoch window.
Both theorems reduce by finite chain to HMAC-SHA256 unforgeability (PRF assumption) and HKDF key independence (random-oracle model), composing with MVPS v4.0 catalogue via D-8 Invariance Theorem.
D-10 CWT PCAP-level proof — MVPS Bundles with full 3-layer Trust envelope on the wire · GOLDEN KEY
Two libpcap classic files generated by scripts/build_cwt_pcap.py, each containing 30 fully-formed MVPS Bundle frames (Ethernet/IPv4/UDP dst=45878 + 524-byte payload). Each frame carries the complete 3-layer CWT Trust Profile: Layer 1 per-vantage HMAC-SHA256 (12-byte truncated, K_{v,epoch} via HKDF-SHA256), Layer 2 Ed25519 signature of the operator over the SHA-256 manifest root, Layer 3 2-of-5 independent witness Sigsum-style cosignatures. Open in Wireshark; search for the 4-byte ASCII "MBND" magic at UDP payload offset 0 and "CWTL" at offset 196; recompute every HMAC and Ed25519 signature against the deterministic public keys in the receipt. The forged variant has vantage 1 tampered by one bit — a correct verifier rejects all 30 frames at exactly that vantage, proving T-COAL-1 on the wire.
⬇ mvps_cwt_baseline.pcap (15 744 B) ⬇ mvps_cwt_forged.pcap (15 744 B) ↗ Receipt JSON
30 + 30 · real frames captured
524 B · per frame on the wire
"MBND" · D-1 Bundle magic at byte 0
"CWTL" · CWT envelope magic at byte 196
UDP 45878 · MVPS broker subscriber port
4 vantages · per Bundle (HMAC-12 each)
Ed25519 · epoch + 2-of-5 witnesses
120 / 120 · baseline HMACs verify
30 / 30 · forged frames rejected at v1

Reproduce on your laptop in 90 seconds: tshark -r mvps_cwt_baseline.pcap -Y 'data contains 4d:42:4e:44' shows every Bundle TLV magic; tshark -Y 'data contains 43:57:54:4c' shows every CWT envelope. Extract any frame's 64-byte operator signature and run cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.from_public_bytes(operator_pub).verify(sig, manifest_root) with the public keys in the receipt — every signature must verify on the baseline file and the forged manifest root must differ from the signed one (split-view detection T-SPLIT-1 visible by construction).
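Layer 1 of the trust profile (a 12-byte truncated HMAC-SHA256 under a per-vantage, per-epoch HKDF key) and the joint BFD-seq × CWT-counter predicate of T-RC-1 fit in one short verifier. This is an added Python example, not the drafts' wire format: the HKDF salt and info labels, the MAC input layout and the strictly-increasing rule for both counters are assumptions, and 32-bit sequence wraparound is not handled.

```python
import hashlib
import hmac
import struct

TAG_LEN = 12   # 12-byte truncated tag, as described for Layer 1


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def vantage_key(master, epoch, vantage_id):
    """Per-vantage, per-epoch key. Salt and info labels are assumptions."""
    return hkdf_sha256(master, struct.pack("!Q", epoch),
                       b"example-mvps-layer1|" + vantage_id)


def make_tag(key, bfd_seq, cwt_counter, payload):
    """Truncated HMAC over both counters and the payload (assumed layout)."""
    msg = struct.pack("!IQ", bfd_seq, cwt_counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Acceptor:
    """Verifier state for one vantage within one epoch."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.last_counter = -1

    def accept(self, bfd_seq, cwt_counter, payload, tag):
        """Return 'ok', 'bad-tag' or 'replay'. State moves only on 'ok'."""
        expected = make_tag(self.key, bfd_seq, cwt_counter, payload)
        # Authenticate first, in constant time, so an unauthenticated packet
        # can never advance or probe the counters.
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"
        # Joint predicate: both counters must move forward together.
        if bfd_seq <= self.last_seq or cwt_counter <= self.last_counter:
            return "replay"
        self.last_seq, self.last_counter = bfd_seq, cwt_counter
        return "ok"


def demo():
    """Verdicts for an honest packet, its replay, and a one-bit tamper."""
    key = vantage_key(b"constructed-master-secret", 7, b"vantage-A")
    acc = Acceptor(key)
    payload = b"phi,C1,C2,C3"            # constructed stand-in payload
    tag = make_tag(key, 1, 1, payload)
    flipped = bytes([payload[0] ^ 0x01]) + payload[1:]
    return [acc.accept(1, 1, payload, tag),
            acc.accept(1, 1, payload, tag),
            acc.accept(2, 2, flipped, tag)]


if __name__ == "__main__":
    print(demo())
```

Because the key depends on both epoch and vantage identifier, a tag minted for one vantage fails verification when presented as another, which is the isolation property the coalition argument relies on.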

D-11 SNAP — Simple Native Archive Protocol (atomic backup substrate)
draft-melegassi-dispatch-mvps-snap-backup-01 defines a single self-describing JSON document that encodes a complete file backup: a YANG-1.1 manifest, per-file SHA-256, JCS envelope (RFC 8785), Brotli (RFC 7932) + Base64 (RFC 4648) payload, and a deterministic envelope hash. All six theorems A.1–A.6 reduce by finite chain to existing IETF/NIST primitives; four composition theorems M.1–M.4 prove that the MVPS family inherits SNAP transport without losing its coherence properties. Local validator: 20/20 PASS; idnits: 0 errors / 0 flaws; non-ASCII characters: 0 after RFC 7997 sanitisation.
6 + 4 · theorems (A.1–A.6 + M.1–M.4)
20 / 20 · local validator PASS
0 · idnits errors / flaws
0 · non-ASCII characters
5 · reproducible test vectors
5 · operator authors + Catellix contributor
81 536 B · .txt artifact (RFC-ready)
RFC 7950 · YANG 1.1 schema-validated
Theorems A.1–A.6 (foundational, Appendix A)
  • A.1 Compression lower bound — Shannon (1948): no SNAP encoder can compress a maximum-entropy payload below its source entropy H(X).
  • A.2 SHA-256 collision resistance — FIPS 180-4: birthday-bound collision probability on the envelope hash is 2^−128.
  • A.3 Base64 + Brotli overhead near unity — expected encoded size is (4/3) · compressed_size + O(1) header; bounded for text-heavy MVPS bundles.
  • A.4 Minimum round-trip transport time — SNAP envelope size N obeys T ≥ N / B + 2 · τ_RTT on any reliable transport.
  • A.5 Manifest verification complexity — O(n · size) for n files, dominated by the SHA-256 streaming cost.
  • A.6 Round-trip correctness — for every well-formed SNAP envelope O, snap_decode(snap_encode(B, M)) is byte-for-byte equal to B over the YANG schema closure.
Theorems M.1–M.4 (MVPS composition, Appendix D)
  • M.1 Bundle Preservation — SNAP envelope of an MVPS Bundle preserves Theorem 1 of MVPS v4.0 and operational contract OC4 (envelope identity); inherits directly from A.6.
  • M.2 Architectural Conformance — the SNAP encoder/decoder pair satisfies MVPS axioms A1..A5 of D-8; therefore, by the Invariance Theorem, it inherits the full v4.0 theorem catalogue.
  • M.3 Byzantine-Resilient Backup — SNAP inherits the f/N geometric-median floor of MVPS Theorem 9: an adversary controlling at most f < N/2 vantages cannot bias the restored state beyond the v4.0 bound.
  • M.4 Planetary Floor for SNAP — the SNAP transport overhead does not lift the reactive-latency floor R* of D-9 PCF; in particular, τ_causal saturation is preserved end-to-end.
Authoring & contributors. Multi-operator authorship by construction — SNAP is the only MVPS draft that requires multi-vendor implementability as a structural property: Rodrigo Yoshioka (e.Mix · principal author), Guilherme Labadessa (OrcaTI), Pedro Scalon (Sysbrasil Tecnologia), Diego Canton de Brito (Vero Internet), Eduardo Belotto (Zadara). Contributor: Leonardo Melegassi (Catellix), originator of SNAP and of the MVPS family (D-1..D-9 + D-11), credited in the Contributors section of the draft per RFC 7322 §4.1.1.
Conservative composition. Every primitive in SNAP is drawn from an existing IETF or NIST standard (RFC 7950, 7951, 6991, 7932, 8259, 8785, 4648, 9110, 6455, FIPS 180-4). SNAP defines only the composition and the backup-specific YANG module — no new cryptography, no new wire format primitives. The composition theorems M.1–M.4 establish that this composition does not weaken any property that the MVPS family already proved.
D-11 SNAP PCAP-level proof — JCS-canonical SNAP envelope on the wire over HTTP/1.1 · GOLDEN KEY
Two libpcap classic files generated by scripts/build_snap_pcap.py: archive captures a POST /snap/upload with the JCS-canonical (RFC 8785) SNAP envelope as the HTTP body; restore captures the symmetric GET /snap/download/<id> for round-trip verification. Cleartext HTTP/1.1 (no TLS) so any reviewer can read every byte directly in Wireshark — no keys required. The body is the verbatim envelope: a YANG-1.1 manifest (RFC 7950) listing 3 files with their SHA-256 hashes (FIPS 180-4), Brotli-compressed (RFC 7932) and Base64-encoded (RFC 4648) payload, plus the X-SNAP-Envelope-SHA256 header that pins A.6 round-trip correctness. Decoding the payload byte-for-byte recovers the original 3-file blob; recomputing each per-file SHA-256 verifies A.5 manifest verification — both theorems proven on the wire.
⬇ mvps_snap_archive.pcap (2 944 B) ⬇ mvps_snap_restore.pcap (2 808 B) ↗ Receipt JSON
  • 2 captures: archive + restore round-trip
  • 1 422 B: JCS-canonical SNAP envelope
  • 3 files: in the YANG-1.1 manifest
  • RFC 7932: Brotli compressed payload
  • RFC 8785: JCS canonicalisation
  • HTTP/1.1: cleartext (TLS-equivalent at SNAP layer)
  • A.5 + A.6: proven on wire bytes
  • SHA-256: envelope hash pinned in header

Reproduce on your laptop in 60 seconds. Dump the full HTTP/1.1 stream:
    tshark -r mvps_snap_archive.pcap -q -z follow,tcp,raw,0
Copy the body (between the blank line and EOF) into envelope.json, then run:
    python -c "import json,base64,brotli,hashlib; e=json.load(open('envelope.json')); print(hashlib.sha256(open('envelope.json','rb').read()).hexdigest()); blob=brotli.decompress(base64.b64decode(e['payload'])); print(hashlib.sha256(blob).hexdigest()==e['manifest']['uncompressed-blob-sha256'])"
You have now verified A.6 round-trip correctness against the byte-on-the-wire envelope. Both PCAPs round-trip the same envelope — restore yields exactly the bytes archive uploaded.

D-19 Vantage-MPLS — turning the Donnet taxonomy into a defence toolkit
draft-melegassi-ippm-mvps-vantage-mpls-00 is the first formal composition between the MVPS vantage-authentication problem and the 14-year corpus of Benoit Donnet and collaborators on MPLS tunnel revelation ([Donnet-2012], [Vanaubel-2017], [Luttringer-2020], [Dekinder-2025]). The central observation: the four-type tunnel taxonomy (Explicit / Implicit / Opaque / Invisible) that classifies the ATTACK surface is the same toolkit that, combined with the MVPS χ² coherence test, closes the DEFENCE gap. No new mathematics is introduced; everything reduces by finite chain to MVPS v4.0 + the Donnet taxonomy.
↓ Draft (txt) Datatracker ↗
  • 3 + 1 + 1: lemmas + theorem + corollary
  • < 10⁻⁹: ε bound at n_calib=18,500
  • 1 140 km: false-position credit per invisible tunnel
  • 5.7 hops: hidden per invisible tunnel [Huddleston-2025]
  • 30 %: Internet paths cross MPLS (2025)
  • 3 caveats: T-CAM-1.A/B/C explicit
  • 4 limits: §10.1-10.4 disclosed honestly
  • 0 / 0 / 0: wire format / codepoints / IANA
Lemmas & Theorem (Sections 4–6)
  • L-GEO-1 (RTT Localization Bound) — under transparent paths (E or I tunnels, Delta_mpls=0), the feasible-location set is
    F_v = ∩_{i∈{1..M}} Ball(a_i, r_i·c_fiber/2 + σ_geo). A vantage claiming p_c ∉ F_v is LOCATION_INFEASIBLE.
  • L-GEO-1.1 (Anchor Geometry) — F_v excludes p_c iff ∃ a_k with D(p_c, a_k) > r_k·c_fiber/2 + σ_geo ≥ D(p_r, a_k). Sufficient condition: anchor angular spread such that |D(p, a_k) - D(p', a_k)| > 2σ_geo + Delta_{mpls,max} for any candidate pair.
  • L-MPLS-1 (MPLS Camouflage Correction) — Delta_mpls(v, a_i) = Σ_{t ∈ P(v,a_i), type(t)∈{O,V}} n_h(t)·RTT_min_hop. Bounded for type-O (n_h observable from LSE-TTL); unbounded for type-V without DPR/BRPR/TNT revelation. Corrected feasible set: F_v^mpls = ∩_i Ball(a_i, (r_i-Delta_mpls)·c_fiber/2 + σ_geo).
  • T-CAM-1 (MPLS-Aware Camouflage Detection) — under Q1..Q4 (N≥3, M≥3, n_calib≥18,500, TNT/AReST revelation), if p_c ∉ F_v^mpls then the joint Mahalanobis test on (C1, C2, C3) flags LOCATION_INFEASIBLE with probability ≥ 1-ε, where ε ≤ exp(-2·n_calib·γ²), γ = FAR_target/2 (DKW, I13 of [v4-proof]). At FAR_target=0.01, n_calib=18,500 ⇒ ε < 10⁻⁹.
  • Cor. T-CAM-1.1 (CWT Cross-Binding) — a vantage with valid CWT token AND p_c ∉ F_v^mpls is classified MPLS_CAMOUFLAGE_SUSPECTED: "we cannot deny the identity, but physics denies the location."
Caveats & Limitations (honest disclosure)
  • Caveat T-CAM-1.A (i.i.d. assumption) — DKW requires independent observations. An adversary correlating tunnel activation with BGP convergence or diurnal traffic can degrade i.i.d.; mitigation = partition calibration into 4 windows of 90 min ≥ 24 h apart, verify per-epoch FAR stability.
  • Caveat T-CAM-1.B (Hypothesis H3) — the χ² distribution of D² rests on Hypothesis H3 of [v4-proof] (realised FAR within ±25% of nominal), which is empirical — not formally proven for non-Gaussian C(t) distributions. Operators MUST validate H3 per deployment via the DKW-bound test in OC3.
  • Caveat T-CAM-1.C (revelation soundness) — pre-condition Q3 assumes TNT/AReST returns accurate n_h(t). Under adversarial operators (Attacks C and D below) this fails; effective ε is min(DKW bound, revelation success probability).
  • §10.1 Attack-C (ICMP forging) — adversarial LSRs can fabricate ICMP time-exceeded responses with falsified source IPs/TTLs. DPR/BRPR/TNT cannot detect this without independent multi-source corroboration.
  • §10.1 Attack-D (probe suppression) — an adversary can rate-limit DPR/BRPR signature probes, leaving the defender blind. Mitigation: treat absence-of-response as "invisible tunnel suspected" rather than "no tunnel".
  • §10.2 RTT-Inflation dual — L-MPLS-1 only SUBTRACTS hidden-hop time; an adversary can INFLATE measured RTT (kernel delay, BGP prepending, deliberate distant routing) to claim a distant p_c. A future Lemma L-INFL-1 is needed.
  • §10.3 PHP coverage gap — PHP converts opaque to type-V from the measurement side; DPR requires iLER co-location which the defender does not have in adversarial scenarios. Only AReST on SR-MPLS/SRv6 fully covers.
  • §10.4 Byzantine alignment — N≥3 is the GEOMETRIC minimum; for f Byzantine vantages, N≥3f+1 also required. The <10⁻⁹ bound assumes BOTH minima are satisfied.
Worked example — Newark vantage claims Miami location, caught by L-MPLS-1 + C3 (Appendix A of the draft)

Note A.1 (Physics constraint). Because RTT_min(v, a_i) ≥ 2·D(p_r, p_{a_i})/c_fiber, an adversary cannot REDUCE measured RTT below the great-circle floor. The scenario below respects this floor: the adversary's true location p_r is closer to the anchor than the claimed p_c, so MPLS inflation of the RTT is what creates room for the false claim.

Scenario
  • True position p_r = Newark, NJ
  • Claimed position p_c = Miami, FL
  • Motivation: satisfy a regional SLA / geo-licensing requirement
  • D(p_r, p_c) ≈ 1 750 km
  • Anchor a_1 = Chicago, IL
  • D(Newark, Chicago) ≈ 1 170 km ⇒ floor ≈ 11.7 ms
  • D(Miami, Chicago) ≈ 2 090 km ⇒ floor ≈ 20.9 ms
  • 1 invisible MPLS tunnel hiding 5.7 hops, RTT_min_hop = 2 ms
Without revelation — attack succeeds
  • RTT(v, a_1) measured = 25 ms (physically admissible: > 11.7 ms floor for Newark AND > 20.9 ms floor for Miami)
  • True path: Newark → MPLS LSP hidden detour via Dallas → Chicago (BGP-indirectness alibi)
  • L-GEO-1 (uncorrected): F_v = Ball(Chicago, 25·c_fiber/2 + σ_geo) ≈ Ball(Chicago, 2 500 km)
  • Miami at 2 090 km < 2 500 km ⇒ Miami IS INSIDE F_v
  • ❌ Attack succeeds against L-GEO-1 alone
After BRPR/TNT revelation — attack caught
  • BRPR detects 1 invisible tunnel; recovers n_h = 5.7 hops
  • Delta_mpls(v, a_1) = 5.7 × 2 ms = 11.4 ms
  • Corrected bound: (25 − 11.4) × c_fiber/2 + σ_geo ⇒ Ball(Chicago, 1 360 km)
  • Miami at 2 090 km > 1 360 km ⇒ Miami IS OUTSIDE F_v^mpls
  • Phase → MPLS_CAMOUFLAGE_SUSPECTED
  • MVPS χ² coherence: C3 Jaccard on touched AS paths = 0.30 ± 0.10 (vs co-located baseline 0.85 ± 0.05) ⇒ D² > q_J at FAR_target=0.01
  • ✓ Phase → CAMOUFLAGE_CONFIRMED
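
The worked example above as a runnable check, added here as an illustration and not taken from the draft or the MVPS reference implementation. It generalises the single-anchor scenario to any number of anchors and tunnels; the constants c_fiber = 200 km/ms and σ_geo = 0 are assumptions read off the example's own numbers, and the phase labels FEASIBLE and INVISIBLE_TUNNEL_SUSPECTED are hypothetical names for cases the page describes only in prose.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumptions read off the page's worked example, not quoted from the draft:
C_FIBER_KM_PER_MS = 200.0  # 1 170 km <-> 11.7 ms floor implies 200 km/ms
SIGMA_GEO_KM = 0.0         # radii of 2 500 km and 1 360 km imply sigma_geo ~ 0
RTT_MIN_HOP_MS = 2.0       # per-hop minimum RTT stated in the scenario


@dataclass
class Tunnel:
    kind: str                            # Donnet type: "E", "I", "O" or "V"
    hidden_hops: Optional[float] = None  # n_h(t); None = revelation got no answer


@dataclass
class AnchorObs:
    name: str
    rtt_ms: float           # measured RTT(v, a_i)
    dist_claimed_km: float  # D(p_c, a_i)
    tunnels: List[Tunnel] = field(default_factory=list)


def delta_mpls_ms(obs: AnchorObs) -> Optional[float]:
    """L-MPLS-1: sum n_h(t) * RTT_min_hop over type-O/V tunnels.

    Returns None when any such tunnel has no revealed hop count, because the
    correction is then unbounded and must not be silently treated as zero.
    """
    total = 0.0
    for t in obs.tunnels:
        if t.kind not in ("O", "V"):
            continue  # E and I tunnels are transparent: no correction
        if t.hidden_hops is None:
            return None
        total += t.hidden_hops * RTT_MIN_HOP_MS
    return total


def ball_radius_km(rtt_ms: float) -> float:
    """Radius of Ball(a_i, r * c_fiber / 2 + sigma_geo)."""
    return rtt_ms * C_FIBER_KM_PER_MS / 2 + SIGMA_GEO_KM


def classify(observations: List[AnchorObs], cwt_valid: bool):
    """Intersect the per-anchor balls and return (phase, per-anchor details)."""
    details, unrevealed, infeasible = [], False, False
    for obs in observations:
        delta = delta_mpls_ms(obs)
        if delta is None:
            unrevealed = True
            delta = 0.0  # only the uncorrected ball is available for this anchor
        r_plain = ball_radius_km(obs.rtt_ms)
        r_corr = ball_radius_km(obs.rtt_ms - delta)
        in_corr = obs.dist_claimed_km <= r_corr
        infeasible = infeasible or not in_corr
        details.append({
            "anchor": obs.name,
            "delta_ms": delta,
            "radius_plain_km": r_plain,
            "radius_corrected_km": r_corr,
            "in_Fv": obs.dist_claimed_km <= r_plain,
            "in_Fv_mpls": in_corr,
        })
    if infeasible:
        # Cor. T-CAM-1.1: a valid CWT cannot rescue a physically infeasible claim.
        phase = "MPLS_CAMOUFLAGE_SUSPECTED" if cwt_valid else "LOCATION_INFEASIBLE"
    elif unrevealed:
        phase = "INVISIBLE_TUNNEL_SUSPECTED"  # hypothetical label (Attack-D mitigation)
    else:
        phase = "FEASIBLE"                    # hypothetical label
    return phase, details


def worked_example():
    """Newark vantage claiming Miami, anchor Chicago, numbers from the page."""
    blind = AnchorObs("Chicago", rtt_ms=25.0, dist_claimed_km=2090.0)
    revealed = AnchorObs("Chicago", 25.0, 2090.0, [Tunnel("V", hidden_hops=5.7)])
    silent = AnchorObs("Chicago", 25.0, 2090.0, [Tunnel("V")])
    return {
        "without_revelation": classify([blind], cwt_valid=True),
        "after_revelation": classify([revealed], cwt_valid=True),
        "probe_suppressed": classify([silent], cwt_valid=True),
    }


if __name__ == "__main__":
    for name, (phase, info) in worked_example().items():
        print(name, phase, info)
```

The third case shows why an unanswered revelation probe must not be scored as "no tunnel": the claim still fits the uncorrected ball, so the only safe output is a suspicion flag.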

Conservative composition. Every primitive used here (the Donnet four-type taxonomy, DPR/BRPR/TNT revelation, AReST for SR-MPLS) is drawn from published academic work by Benoit Donnet and collaborators over 2012–2025. D-19 defines only the composition: the structural binding between Delta_mpls (Donnet taxonomy) and the MVPS χ² coherence test (v4.0 Theorem 2), expressed by L-MPLS-1 + T-CAM-1. Reduces by finite chain to MVPS v4.0 + [Donnet-2012] + [Vanaubel-2017] + [Luttringer-2020] + [Dekinder-2025]; no new mathematics introduced.

Authoring posture. D-19 is submitted under single authorship (Leonardo Melegassi, Catellix) as a deliberate ethical choice: the draft cites Benoit Donnet's 14-year corpus pervasively (4 references in the bibliography + a dedicated paragraph in Section 12 Acknowledgments) but does not list him as co-author of the -00 because he has not yet seen the document. An invitation to co-author the -01 revision is being sent in parallel; if Prof. Donnet accepts, the -01 will be re-submitted as draft-donnet-melegassi-ippm-mvps-vantage-mpls-01. If he declines or prefers to remain a cited reference, the -00 authorship stands and the citation chain remains the full honour.
Falsification corner — what would refute each draft
For each of the thirteen drafts we state the single empirical observation that would refute its core theorem. This is the Popperian closure of the family: nothing here is unfalsifiable. D-19 (Vantage-MPLS) is refuted by either (a) an MVPS deployment where T-CAM-1 fails to flag a verified MPLS-camouflaged vantage at FAR within the H3 nominal ±25% band after the n_calib=18,500 calibration, or (b) the empirical demonstration that BRPR/TNT revelation, even when run from multiple administratively independent probe sources, fails to recover n_h(t) within the L-MPLS-1 bound for type-V tunnels on a non-adversarial operator path — either observation would invalidate the L-MPLS-1 quantification or the T-CAM-1 chi-squared chain to v4.0 Theorem 2.
Per-draft falsification statement summary
🔒 SHA-256 pinning — every proof companion is hash-anchored

Captured by evidence/planetary_floor_receipt.json. Any divergence between the rendered TXT/PDF and these hashes means tampering or an outdated mirror. Receipts are reproducible by running python scripts/validate_planetary_floor.py.

SHA-256 hashes of the 9 proof companion documents
⚠️ What is NOT being claimed (honest caveats)

  • D-9's 1220× number is a floor-ratio proof, not a live Internet A/B test. It compares the BGP convergence floor (300 s) to the MVPS fiber N=1000 floor (245.883 ms).
  • D-7 is not claiming measured Starlink / LEO operational detection yet. It is gated by H-5 path-identity exposure; without H-5 it honestly degenerates to the C1 causal axis.
  • D-6 is not claiming universal zero-day detection. It claims closed-form lead-time only for rank-low propagating signals under matched FAR, and explicitly gives the sparse-direction regime where MVPS loses to max-z.
  • D-3's 55 ms figure is not a router lab result yet. It is the L_DL prediction plus software harness evidence.
  • D-19's <10⁻⁹ probability bound is conditional on three caveats (T-CAM-1.A/B/C). The DKW bound assumes i.i.d. calibration observations; the realised FAR rests on Hypothesis H3 of v4-proof (empirical, not formally proven for non-Gaussian C); and revelation soundness fails under fully-adversarial MPLS operators (Attacks C and D). The symmetric RTT-inflation attack (§10.2) and the PHP coverage gap (§10.3) are explicitly out-of-scope for the -00 and left to a future Lemma L-INFL-1.
  • D-19 is co-authored by Benoit Donnet only IF he accepts the invitation. The -00 is single-authored (Leonardo Melegassi) by deliberate ethical choice; the Donnet corpus is honoured via 4 bibliography references and a dedicated Acknowledgments paragraph. A -01 with Prof. Donnet as co-author will only appear after explicit written consent.

Real-world measurements — running now

The MVPS D² algorithm is being applied to public, free APIs in real time. Below: an offline 3-day collection completed today, plus live charts that fetch data on every page load.

First real-world MVPS run — 3 days, 14 RIPE Atlas probes, K-root ping
Collected May 19–22, 2026 · 14,747 windows · No API key · Reproducible: scripts/collect_ripe_atlas.py --probes 20 --days 3
MVPS D² real RIPE Atlas vs synthetic, 3 days K-root ping
  • 14,747: D² windows
  • 14: live probes
  • 9.05: P95 real D²
  • 5.20: P95 synth D²
  • 8.03%: windows > ALARM
  • 5.49 M: peak D² (outlier)

What this proves

MVPS D² applied to real RTT data from the RIPE Atlas public measurement (msm 1001 — K-root ping) produces a distribution that is materially heavier-tailed than the synthetic Gaussian baseline assumed in the drafts. 1,184 of 14,747 windows (8.03%) crossed the ALARM threshold χ²₁,₀.₉₉ = 6.63 — exactly the regime the framework is designed to detect. This is the first datapoint that retires the "synthetic-only" caveat from the abstract of all seven drafts.

RIPE Atlas — K-root RTT

Msm 1001 (K-root v4 ping) · Last hour · api.ripe.net · No API key required

IODA — BGP reachability · top DDoS targets, auto-pick

Worldwide scan of all 250 ISO-3166-1 alpha-2 countries · 48h BGP prefix-count drop · UCSD/CAIDA IODA API · no API key · auto-pick of country with strongest current anomaly

MVPS D² — joint signal (RIPE Atlas RTT + IODA BGP)
Mahalanobis distance computed from combined coherence vector. WATCH threshold = χ²₂,₀.₉₅ = 5.99. ALARM = χ²₂,₀.₉₉ = 9.21.
IODA — D² lead time on 10 historical country outages
Offline reproducible run of scripts/collect_ioda_outages.py against api.ioda.inetintel.cc.gatech.edu — no API key, no account. Calibrates D² on event − 6h … event − 1h, walks forward from event − 1h, flags first sample where D² > χ²₂,₀.₉₅ = 5.99. Positive lead = MVPS fires before the IODA-labelled event start.
MVPS D² lead time vs IODA outage start (10 events)
Data: evidence/ioda_lead_time.json · Reproduce: python scripts/collect_ioda_outages.py

Honest reading: with the conservative χ²₂,₀.₉₅ threshold and the calibration window used here, the median first-alarm time is at or shortly after the IODA event-start label. To extract a clean positive lead-time signal the calibration window and the threshold need to be tuned per entity (and ideally fed darknet data, which the ucsd-nt endpoint did not return in this run).
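
An added sketch of the calibrate-then-walk-forward procedure described above, not the code of scripts/collect_ioda_outages.py. It assumes a two-component vector (RTT, BGP prefix count), a sample covariance over the calibration window, event − 1h belonging to the walk-forward part, and a constructed series; the function names are hypothetical.

```python
from typing import List, Optional, Tuple

WATCH = 5.99  # chi-square, 2 dof, 0.95 (the page's WATCH threshold)
ALARM = 9.21  # chi-square, 2 dof, 0.99 (the page's ALARM threshold)

# (minutes relative to the labelled event start, RTT in ms, BGP prefix count)
Sample = Tuple[float, float, float]


def calibrate(samples: List[Sample]):
    """Mean vector and inverse 2x2 sample covariance of (RTT, BGP)."""
    n = len(samples)
    if n < 3:
        raise ValueError("calibration window too short")
    mr = sum(s[1] for s in samples) / n
    mb = sum(s[2] for s in samples) / n
    srr = sum((s[1] - mr) ** 2 for s in samples) / (n - 1)
    sbb = sum((s[2] - mb) ** 2 for s in samples) / (n - 1)
    srb = sum((s[1] - mr) * (s[2] - mb) for s in samples) / (n - 1)
    det = srr * sbb - srb * srb
    if det <= 1e-12:
        # A flat or perfectly collinear window makes D^2 undefined; fail loudly
        # instead of dividing by ~0 and alarming on every later sample.
        raise ValueError("degenerate calibration window")
    # Symmetric inverse [[a, b], [b, c]] stored as (a, b, c).
    return (mr, mb), (sbb / det, -srb / det, srr / det)


def d2(sample: Sample, mean, inv) -> float:
    """Squared Mahalanobis distance of one sample from the calibrated baseline."""
    dr, db = sample[1] - mean[0], sample[2] - mean[1]
    a, b, c = inv
    return a * dr * dr + 2 * b * dr * db + c * db * db


def lead_minutes(series: List[Sample], threshold: float = WATCH) -> Optional[float]:
    """Calibrate on [event-6h, event-1h), walk forward from event-1h.

    Returns the lead in minutes of the first sample with D^2 > threshold
    (positive = fired before the labelled event start), or None if none fired.
    """
    calib = [s for s in series if -360 <= s[0] < -60]
    walk = sorted(s for s in series if s[0] >= -60)
    mean, inv = calibrate(calib)
    for s in walk:
        if d2(s, mean, inv) > threshold:
            return -s[0]
    return None


def constructed_series() -> List[Sample]:
    """Constructed data: 60 quiet calibration samples, then a drifting hour."""
    rtt_wobble = [-1.0, 0.0, 1.0, 0.0]
    bgp_wobble = [0.0, 5.0, 0.0, -5.0]
    series = [(-360.0 + 5 * i, 20.0 + rtt_wobble[i % 4], 1000.0 + bgp_wobble[i % 4])
              for i in range(60)]
    series += [
        (-60.0, 20.5, 1002.0),  # D^2 ~ 0.8
        (-55.0, 21.0, 995.0),   # D^2 ~ 3.9
        (-50.0, 20.0, 1003.0),  # D^2 ~ 0.7
        (-45.0, 21.5, 994.0),   # D^2 ~ 7.3: joint deviation crosses WATCH
        (-40.0, 20.0, 980.0),   # D^2 ~ 31.5: crosses ALARM
    ]
    return series


if __name__ == "__main__":
    s = constructed_series()
    print("WATCH lead (min):", lead_minutes(s, WATCH))
    print("ALARM lead (min):", lead_minutes(s, ALARM))
```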

What this proves (and what it doesn't)

The live charts above demonstrate that the MVPS D² algorithm runs in a browser against public APIs with zero infrastructure cost. The RIPE Atlas measurement 1001 (perpetual K-root ping) and the IODA BGP signal API are public, free, and require no account.

What the IODA card below the combined chart shows: a reproducible offline pass of D² on 10 country-level outages labelled by IODA itself. The bar chart, the JSON manifest and the underlying script are all linked publicly — no gated data, no synthetic numbers.

What this does not yet prove on its own: a positive lead time on every event with one fixed threshold. That requires per-entity calibration and the darknet (ucsd-nt) feed, which is being added in the next pass.

Global DDoS Observer Mesh
Server-side parallel BGP scan of 77 countries every 60 s via api.ioda.inetintel.cc.gatech.edu/v2/signals/raw/country/{CC}?datasource=bgp · 6 h window · max-drop vs. baseline · severity: info < 1.5 % ≤ watch < 5 % ≤ alarm. Source of truth: app/mvps_realtime_api.py (/api/mvps/incidents). IODA-flagged outages take precedence and override the watcher for the same country.

Reproduce locally: python scripts/PROVE_global_observers.py · auto-refresh 60 s · IODA-flagged outages (when present) appear with source=ioda_live and outrank watchers for the same ISO-3166 country code.

What we need, what it costs, what's done

An honest table of every validation gap in the thirteen drafts, the data source that would close it, and its real cost. Everything marked FREE has been tested and works. (D-8 Architecture and D-9 PCF reduce by mechanical chain to v4.0 + RFCs and add no new measurement gap. D-10 CWT, D-11 SNAP, D-17 PerfSec-Coupling, and D-19 Vantage-MPLS reduce by chain to existing IETF/NIST primitives plus the Donnet MPLS taxonomy — see receipts.)

  • Claim: D² reacts to real latency anomalies, not only synthetic ones
    Draft(s): D1, D3
    Data source: RIPE Atlas msm 1001 (K-root v4 ping) — perpetual, public
    Cost: FREE
    Status: ▶ Running above
  • Claim: D² detects real outages with measurable lead time vs ground truth (R8)
    Draft(s): D1, D3, D5 · T_LT (v5.0 unified proof)
    Data source: RIPE Atlas msm 1001 K-root v4 ping, 30 probes × 7 days = 75,168 raw RTT rows, 2,015 D² windows · head-to-head comparison on the SAME data: MVPS multi-vantage D² (thr χ²₃₀,₀.₉₉≈48.05) vs single-probe max|z| (thr 3.0)
    Notes: MVPS detects 61 episodes vs 44 for single-vantage (17 collective events that single-probe misses). 60 paired within 6h horizon: MVPS leads in 14/60 = 23.3%, max lead +18,900 s (5h15min). Top-10 leads (s): 18900, 13200, 11400, 9000, 8700, 6600, 6000, 5100, 4500, 4200. Single-probe z-score is "trigger-happier" on transient noise (mean −230 s) — exactly the regime where T_LT.1 predicts parity. Falsifiable claim "∃ lead > 0 on real data" stands. Independent observer: RIPE Stat BGP minute-level for 8.8.8.0/24, 2,435 minute buckets. scripts/cross_validate_lead_time.py · sha256=bad4cb54f7a4ef2b…
    Cost: FREE
    Status: ✓ REAL — T_LT empirically supported on RIPE Atlas (no IODA dependency)
  • Claim: Reference implementation handles 100 vantages at real load
    Draft(s): D3, D4
    Data source: Local machine — Python broker + 100 vantage processes
    Notes: 295,014/300,000 pkts · 0 auth drops · 19.2 MB RAM · CPU 11.3% avg
    Cost: FREE locally
    Status: ✓ Done (100v × 300s · 98.3% delivery)
  • Claim: τ_C SIR cascade-time prediction – event days are LOCALISED bursts on real BGP data
    Draft(s): D2 (qualitative SIR confirmation)
    Data source: RIPE Stat BGP updates · 5 anycast DNS prefixes (Google, Cloudflare, Quad9, OpenDNS, Level3) × 30 days
    Notes: 12 alarm events analysed · 100% localised in ≤ 2 days · mean burst width 1.33 days · median peak/baseline 4.4× · max 14.2× · scripts/analyse_tau_c_sir.py
    Cost: FREE
    Status: ✓ SIR macroscopic prediction CONFIRMED (necessary, not sufficient)
  • Claim: Theorem D1 (volume-independence) – alarm fires on real BGP bursts regardless of absolute volume
    Draft(s): D5
    Data source: 5 anycast DNS prefixes with order-of-magnitude different baselines (82 updates/day to 1,992 updates/day)
    Notes: Cloudflare baseline 1,992/day → peak 2,246/day (ratio 1.13×) → no alarm · Google baseline 82/day → peak 1,899/day (ratio 23×) → D²=6032 alarm · Quad9/OpenDNS: 3 alarm days each · scripts/collect_bgp_multi_prefix.py
    Cost: FREE
    Status: ✓ Volume-independence empirically demonstrated across 4 prefixes
  • Claim: Wire format parses real network pcap traces
    Draft(s): D4
    Data source: CAIDA Anonymized Traces 2019 (requires academic registration, 3–5 days)
    Notes: Registration pending — awaiting CAIDA approval
    Cost: FREE (account req.)
    Status: ○ Awaiting CAIDA access
  • Claim: MVPS detects LLM hallucination consensus (CBF) on real local LLM (R5)
    Draft(s): D2 · T_CBF (v5.0 unified proof)
    Data source: Real Ollama qwen2.5:3b (3.1B Q4_K_M) on catellix.com, collected 2026-05-22 — N=5 vantages × (10 BAU + 10 CBF) × 2 perturbations = 200 LM calls in 1038.7 s
    Notes: Mann–Whitney AUC: D² = 0.900, CBF_score = 0.800, C₂ / C₃ / C₄ = 0.000 (anti-direction = perfect separator using 1 − metric). Mean C₂: BAU=1.000, CBF=0.412 (gap 0.588). Refusal rate: BAU 0.0%, CBF 14.0%. scripts/mvps_ollama_cbf_experiment.py · sha256=6fe2162b1daa7377…
    Cost: FREE (local Ollama)
    Status: ✓ REAL — T_CBF empirically confirmed on 3.1B-parameter LLM
  • Claim: 100 vantages × 1 hour at 100ms tick on dedicated hardware
    Draft(s): D3, D4
    Data source: DigitalOcean 1 GB droplet ($4/mo) or Hetzner CX22 (3.5€/mo)
    Notes: Local 300s run: ✓ done · Full 3600s droplet run: queued
    Cost: $4–6 one month
    Status: ▶ Partial (300s local ✓)
  • Claim: Multi-path / multi-AS D² coherence over RIPE Atlas full topology
    Draft(s): D1, D3
    Data source: RIPE Atlas msm 1001/5001/5004/5005 — K/B/C/D-root ping · 15 probes · 6h window
    Notes: 627 real RTT points · 1 alarm · joint D² across 4 dimensions · scripts/collect_ripe_multims.py
    Cost: FREE to read
    Status: ✓ Done (627 pts · joint D² · 1 alarm)

Bottom line on cost and on what is actually proven

Progress as of 2026-05-22 — what is REAL (independently verifiable):

  • R1 · RIPE Atlas K-root ping · 14 probes · 14,747 D² windows · 8.03% over ALARM threshold χ²₁,₀.₉₉ = 6.63
  • R2 · RIPE Stat BGP updates · 8.8.8.0/24 + 1.1.1.0/24 · 30 days · 6,470 updates · D²=6032 alarm on 2026-05-21
  • R3 · Reference implementation scale test · 100 vantages × 300 s · 98.3% delivery · 0 auth drops · 19.2 MB RAM · 11.3% CPU
  • R4 · Multi-path RIPE Atlas · 627 RTT points · joint D² across 4 measurements · 1 alarm
  • R5 (REAL, server-run 2026-05-22) · Ollama qwen2.5:3b · 200 LM calls in 1038.7 s · AUC D² = 0.900, CBF_score = 0.800, C₂/C₃/C₄ = 0.000 (perfect anti-direction separator) · refusal rate BAU 0% vs CBF 14% · T_CBF empirically confirmed on a 3.1B-parameter LLM
  • R6 · BGP multi-prefix sweep · 5 anycast DNS prefixes · baseline ratio up to 24× across prefixes · Cloudflare alarms 0 days, Google alarms 3 days → first multi-prefix empirical evidence for T_DDoS volume-independence
  • R7 · τ_C SIR macroscopic re-analysis · 12 alarm events · 100% localised in ≤ 2 days · mean burst width 1.33 days · Gaussian minute-fit τ_C ∈ [11.8, 29.4] min on 3 alarm days
  • R8 (new, REAL) · Empirical T_LT on RIPE Atlas K-root ping, 7 days, 30 probes, 75,168 raw rows, 2,015 D² windows. Head-to-head MVPS multi-vantage D² vs single-probe max |z| on the SAME data. MVPS detects 61 episodes vs 44 for single-vantage; on the 60 paired episodes MVPS leads in 14/60 = 23.3% with max +5h15min. Single-vantage faster on transient noise (mean −230 s, exactly the regime where T_LT.1 predicts parity).

What is currently partial / external dependency:

  • R9 (new, REAL) — IODA API schema probe. We confirm via independent vantage (Cursor backend, US/EU) that api.ioda.inetintel.cc.gatech.edu/v2/ is reachable and schema-conformant. Four endpoints validated: /v2/datasources/ (11 sources including BGP, ping-slash24, merit-nt, GTR), /v2/datasources/bgp, /v2/entities/query?search=Brazil (returns code=BR, fqid=geo.netacuity.SA.BR), /v2/entities/query?asn=13335 (returns AS13335 CLOUDFLARENET, 1,370,880 IPs). Snapshot SHA-256 receipted (evidence/ioda_api_probe_real.json). Our AWS São Paulo server (54.94.161.208) and Brazilian residential IPs are still firewall-RST blocked at GA Tech — root-cause is the active CODA2 Palo Alto firewall HA-failover incident #580810 at Georgia Tech IT (started 2026-05-03, status: degraded). Time-series endpoints time out beyond 30 s even from unaffected vantages. This is NOT a blocker for T_LT itself: R8 (RIPE Atlas) replaces the IODA path entirely with a fully reachable real-data test. Once GA Tech IT closes the firewall incident, scripts collect_ioda_outages.py and calibrate_ioda_per_entity.py auto-elevate IODA from R9 (metadata) to R10 (bulk time-series) with no algorithmic change.
  • Coherence-BFD τ_detect = 55 ms — synthetic benchmark harness only; no real BFD-hardware corroboration yet. The 55 ms figure is what the math predicts, not what was measured on a router.
  • FMVPS → BE-MVPS · v5 theorem T_BE shows the architecture trades CPU for bandwidth (≈ 25× fewer bytes / tick, ~2× more CPU vs MVPS-classic). The earlier framing "sub-linear broker compute" was incorrect and has been retired.
  • τ_C quantitative fit beyond 3 events — R7 already gives τ_C ∈ [11.8, 29.4] min on 3 single-day alarms via Gaussian minute-fit. Extending to all 12 events needs minute-level retrieval from RIPE Stat per event and remains future work.

All benchmarks marked "synthetic" remain useful as constructive existence proofs and as sanity checks on the algebra, but they are not substitutes for operational measurement and are catalogued accordingly in docs/MVPS_V5_UNIFIED_PROOF.txt §5 (T_RW).

Downloads & links

All thirteen drafts (seven instantiations + two mathematical capstones + one security capstone co-authored with Joas A. S. Barbosa + one atomic transport substrate co-authored with five operator/vendor organisations + one performance-security composition profile + one Vantage-MPLS authentication theorem), the reference implementation, and supporting documents. Everything is public, reproducible, and self-contained.

Draft #1 — MVPS Bundle Envelope

Wire format · vector algebra · C₁/C₂/C₃ · D² · IETF IPPM

↓ Download

Draft #2 — AI Coherence Extension -01 · 2026-05-27

Part A: W₂ · CKA · C₄ · CBF · Part B: geometric median · minimax · MCD · τ_C · Part C: z(t)∈[0,1]⁶ · R_cross · IC phase · Part D [NEW]: T-JCOST-AI-1 · T-VOLINV-AI · Lemma L-AI-A4 · MVPS-A1..A5 conformance

↓ Draft -01 (txt) ↓ Draft -00 (historical)

Draft #3 — BE-MVPS Bandwidth-Efficient Incremental

SMW · CRDT · cells · 9 theorems · ~25× bandwidth ↓ at ~2× CPU ↑ (T_BE Pareto)

↓ Download

Draft #4 — Coherence-BFD

RFC 5880 extension · 5-state machine · 10 TLVs · 55 ms detection

↓ Download

Draft #5 — DDoS Resilience

3 theorems · volume-independent detection · 11 scenarios

↓ Download

Draft #6 — Coherence Lead-Time Profile

L_ZD.1' + L_ZD.2' + L_ZD.3 · closed-form D² vs max-|z| lead-time · MC SIGN-CLAIM 9/9 · submitted 2026-05-25

↓ Download

Draft #7 — Orbital Coherence Profile

T-1..T-7 theorems · mixed-medium C_1 + TLE-derived C_3^pred · Stein-Lemma + KL chain rule · L_ORB.1/2/3 PASS · submitted 2026-05-25

↓ Download

Draft #8 — MVPS Architecture (structural capstone)

Abstract 5-tuple (V, B, (C,H), D², Pub) · 5 axioms MVPS-A1..A5 · Invariance Theorem (10-step axiom chase) · D-1..D-7 proved conformant · BGP/BFD/DNS/TCP catalogued non-conformant · finalised 2026-05-25

↓ Download ↓ Formal proof companion

Draft #9 — Planetary Coherence Floor (the world number)

PCF Composition Theorem: R* = max{τ_causal, τ_sampling, τ_information, τ_consensus, τ_coupling} · classical Internet floor 60–300 s vs MVPS 145–196 ms · ~1220× speedup at antipodal scale · receipt evidence/planetary_floor_receipt.json · finalised 2026-05-25

↓ Download ↓ Formal proof companion

Draft #10 — MVPS Trust Profile (CWT · security capstone)

✦ Co-authored · Leonardo Melegassi & Joas A. S. Barbosa

HMAC-SHA256 per snapshot · Ed25519 epoch anchors · witness cosignatures (2-of-5 quorum) · T-COAL-1 + T-SPLIT-1 · 2.1 µs hot path < 4.2 µs JSON parse · validator 12/12 PASS · finalised 2026-05-25

↓ Download draft ↓ Proof companion

Draft #11 — SNAP: Simple Native Archive Protocol (atomic transport substrate)

✦ Co-authored · Yoshioka (e.Mix) · Labadessa (OrcaTI) · Scalon (Sysbrasil) · Brito (Vero Internet) · Belotto (Zadara) · Contributor: Melegassi (Catellix)

YANG-1.1 manifest · per-file SHA-256 · JCS envelope (RFC 8785) · Brotli + Base64 · HTTP/2 + WebSocket bindings · SNAP-Profile conformance header · 6 mathematical theorems (A.1–A.6) + 4 MVPS composition theorems (M.1–M.4) · 5 reproducible test vectors · YANG module · reference pseudocode · validator 20/20 PASS · 0 idnits errors / 0 flaws · 0 non-ASCII characters · -01 submitted to IETF DISPATCH 2026-05-26

↓ Download draft (txt) ↓ XML2RFC v3 ↓ YANG module (snap.yang)

Draft #12 — MVPS Performance-Security Coupling Profile (PerfSec)

Profile-of-Profiles binding CWT (D-10) + Coherence-BFD (D-3) + DDoS-Resilience (D-4) · T-JCOST-1 (closed-form joint broker CPU cost, attack-rate independent) · T-VDOS-1 (insider verification-DoS sub-linear: slope 0.00575, F=1024 → ≤9.89×) · T-RC-1 (joint BFD-seq × CWT-counter replay-counter coherence, forge prob ≤ 2⁻¹²⁸) · closes 5 composition gaps · validator 12/12 PASS · finalised 2026-05-27

↓ Download draft (txt) ↓ Formal proof companion

Draft #13 — MVPS Vantage Localization under MPLS Path Camouflage (Vantage-MPLS)

First composition of the MVPS vantage-authentication problem with the Donnet-Vanaubel-Luttringer-Dekinder MPLS tunnel-revelation corpus (2012–2025) · L-GEO-1 (RTT localization bound, F_v = ∩_i Ball(a_i, r_i·c_fiber/2 + σ_geo)) · L-MPLS-1 (MPLS camouflage correction, ≈ 1 140 km false position per invisible tunnel) · T-CAM-1 (MPLS-aware camouflage detection, ε < 10⁻⁹ at FAR=0.01 by DKW) · + L-GEO-1.1, Cor. T-CAM-1.1, phase MPLS_CAMOUFLAGE_SUSPECTED · single-authored, Donnet corpus honoured in Acknowledgments · informational · finalised 2026-05-28

↓ Download draft (txt) ↓ Datatracker ↗

Draft #14 — MVPS Proof Envelope + Post-Quantum Protection

Integrity capstone binding all MVPS theorem catalogs, proof documents, validator scripts and numerical receipts into a canonical (JCS/RFC 8785), Merkle-rooted (RFC 9162), signed manifest · T-BIND-1 (tamper-evidence: SHA-256 + EUF-CMA) · T-TRACE-1 (traceability: no orphan theorem_id) · T-PQ-MIG-1 (PQ migration: Ed25519 → ML-DSA-65/FIPS 204, HMAC hot path invariant) · 109 artifacts bound · validator 11/11 PASS · 2026-05-29

↓ Download draft (txt) ↓ Formal proof companion

Draft #15 — MVPS Detection-Latency Reconciliation (L_DL)

Proves and reconciles the Detection-Latency Lemma L_DL, unifying the detection profiles of D-2 (BE-MVPS incremental), D-3 (Coherence-BFD sub-second), and D-4 (DDoS volume-independent) into a single latency guarantee · validator error 0 ms · PASS · 2026-05-29

↓ Download draft (txt)

Draft #16 — MVPS Adversarial-Audit Methodology (M-1..M-9) · IRTF

IRTF Informational meta-draft formalising the 9 discipline invariants (M-1..M-9) on which the entire MVPS family is built. Each invariant is a necessary and sufficient condition for any MVPS draft to satisfy the adversarial-audit standard · validator 11/11 PASS · receipt: methodology_discipline_receipt.json · 2026-05-29

↓ Download draft (txt) ↓ Proof companion (M-1..M-9)

Draft #17 — MVPS Operational Log Format (append-only, tamper-evident) · OPSAWG

Defines the MVPS operational log format: append-only, tamper-evident, audit-grade. Proves T-LOG-* theorems guaranteeing tamper-detection and non-repudiation for coherence events · validator 8/8 PASS · receipt: logging_format_receipt.json · 2026-05-29

↓ Download draft (txt) ↓ Formal proof companion

Draft #18 — MVPS Maritime/Tactical-Edge Profile (DIL, GNSS-denied) · IPPM

Defensive profile for maritime and tactical-edge environments with DIL (Disconnected, Intermittent, Limited) connectivity and GNSS denial. Sibling of the orbital profile (D-7) · L-MAR-* + T-MAR-INHERIT + C-MAR-1 (coherence holdover corollary) · validator 7/7 PASS · receipt: maritime_edge_receipt.json · 2026-05-29

↓ Download draft (txt) ↓ Formal proof companion

Draft #19 — MVPS Terrestrial Mobile/Vehicular Profile (cellular handover) · IPPM

Defensive profile for terrestrial mobile and vehicular environments: cellular handover (4G/5G), vehicles, railways. Sibling of the orbital (D-7) and maritime (D-18) profiles · L-TER-* + T-TER-INHERIT + C-TER-1 · validator 7/7 PASS · receipt: terrestrial_mobile_receipt.json · 2026-05-29

↓ Download draft (txt) ↓ Formal proof companion

Draft #20 — MVPS IoT/ROLL Cluster Profile (bounded D², gate fix) · ROLL WG

IoT/ROLL cluster profile for low-power sensor networks. Sanitised from S-IoT: two critical errors corrected (T_IoT.3 gate mix-up; L_IoT.2b "D²→∞" → bounded D²) · validator 8/8 PASS · receipt: iot_coherence_receipt.json · 2026-05-29

↓ Download draft (txt) — -01

Draft #21 — MVPS OS/Host Fleet-Coherence + Port Posture · OPSAWG

Instantiates the MVPS framework over OS host fleets: each host is a vantage, coherence measures fleet consistency. Includes port/service posture sub-profile (MVPS adds the multi-vantage coherence layer over scans — speed is the scanner's) · OS validator 7/7 PASS · port posture validator 7/7 PASS · 2026-05-29

↓ Download draft (txt)

Draft #22 — MVPS Extension & Capability-Negotiation Framework (Updates D-1) · IPPM

Defines the formal extension and capability-negotiation mechanism for the MVPS family. Updates the bundle draft (D-1) with a standardised extension header, ensuring future extensions are core-invariant (do not alter axioms A1..A5 nor base theorems) · validator 7/7 PASS · receipt: extension_negotiation_receipt.json · 2026-05-29

↓ Download draft (txt)

Reference Implementation

Pure Python · wire encoder/decoder · vantage + broker · UDP loopback · 0 deps

↓ README

Math Companion v1.1

Three-layer mathematical evidence · 1268 lines · reproducibility receipt

↓ Download

Dataplane Profile

P4₁₆ / Tofino-2 binding sketch · per-packet D² in programmable hardware

↓ Download