
docs: MASQUE Gateway Architecture Design #3

Draft
scotwells wants to merge 1 commit into main from docs/masque-gateway-design


@scotwells

Summary

This PR adds the MASQUE Gateway architecture design document, describing how external clients connect to SRv6-based Galactic VPCs.

Key Concepts

  • MASQUE as the protocol standard - IETF RFC 9484 CONNECT-IP for IP tunneling
  • Iroh for connectivity - NAT traversal, hole punching, relay infrastructure
  • SRv6 as the underlay - Internal VPC fabric routing
  • Convergence path - Iroh relays evolving to speak MASQUE protocol

Design Philosophy

Bet on the future, bridge to the present.

Rather than choosing between Iroh and MASQUE, the architecture leverages both:

  • Iroh provides connectivity (NAT traversal, hole punching, P2P)
  • MASQUE provides the protocol (IETF standard, browser support, IP tunneling)

New Resources (extending Connectors proposal)

| Resource | Purpose |
| --- | --- |
| ConnectorAttachment | Binds connector to VPC (inbound) |
| VPCIngressPoint | Gateway configuration per VPC |
| VPCAccessPolicy | Fine-grained authorization rules |

Open Questions

  1. Does Iroh need modifications to support MASQUE, or can we layer it?
  2. How do we migrate existing relays from Iroh-native to MASQUE?
  3. Gateway implementation base: quic-go vs Envoy?

🤖 Generated with Claude Code

This document describes the MASQUE Gateway architecture for bridging
external clients to the SRv6-based Galactic VPC fabric.

Key concepts:
- MASQUE as the protocol standard (IETF RFC 9484 CONNECT-IP)
- Iroh for connectivity (NAT traversal, hole punching, relays)
- SRv6 as the VPC underlay
- Convergence path: Iroh relays evolving to speak MASQUE

Aligns with the Datum Connectors proposal, extending it with:
- ConnectorAttachment for VPC binding
- VPCIngressPoint for gateway configuration
- VPCAccessPolicy for authorization

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>