Mixnet Mode

Mixnet mode routes traffic through 5 hops: an Entry Gateway, three layers of Mix Nodes, and an Exit Gateway. Each mixing layer adds random delays, reorders packets, and injects cover traffic. It is available through NymVPN and the Nym SDKs.

How it works

User --> Entry --> Mix L1 --> Mix L2 --> Mix L3 --> Exit --> Internet
                    |           |           |
                  delay       delay       delay

Each Mix Node strips one layer of Sphinx encryption to learn the next hop, holds the packet for a random delay, then forwards it. No node ever sees both the origin and the final destination. The client also continuously sends cover traffic - dummy packets cryptographically indistinguishable from real ones - so an observer sees a constant stream of identical packets regardless of whether any real communication is taking place.

Privacy properties

  • Unlinkability: the random delays and reordering at each Mix Node destroy the timing signal an observer would need to correlate incoming and outgoing packets, or to connect successive packets from the same user. See Packet Mixing.
  • Unobservability: because cover traffic is constant, an observer cannot determine when a user is active or what fraction of the traffic is real. See Cover Traffic.
  • Resistance to traffic analysis: uniform Sphinx packet sizes prevent content-type fingerprinting, and per-packet routing eliminates the long-lived circuits that make other anonymity networks susceptible to end-to-end correlation. See Traffic Flow.
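The effect of per-hop delays on packet ordering can be seen in a small timing simulation. This is an added example, not Nym code: it models timing only (no Sphinx encryption), and the exponential delay distribution, the mean delay, the send rate and all function names are assumptions made for illustration.

```python
import random

# Assumed parameters (not from the Nym documentation): per-hop mean delay
# and send rate are constructed values chosen for illustration.
MEAN_DELAY_S = 0.05      # assumed mean hold time at each Mix Node
SEND_INTERVAL_S = 0.01   # constructed input: one packet every 10 ms
MIX_LAYERS = 3           # three mixing layers, as on this page

def mix_hop(times, mean_delay, rng):
    """Hold every packet for an independent random delay, then forward it.
    Exponential delays are an assumption; mean_delay == 0 models a plain relay."""
    if mean_delay == 0:
        return list(times)
    return [t + rng.expovariate(1.0 / mean_delay) for t in times]

def traverse(arrivals, layers, mean_delay, seed=7):
    """Return each packet's departure time after passing through all layers."""
    rng = random.Random(seed)
    times = list(arrivals)
    for _ in range(layers):
        times = mix_hop(times, mean_delay, rng)
    return times

def fifo_link_rate(arrivals, departures):
    """Fraction of packets a timing observer links correctly by guessing
    that the k-th packet to enter is the k-th packet to leave."""
    ids = range(len(arrivals))
    entered = sorted(ids, key=lambda i: arrivals[i])
    left = sorted(ids, key=lambda i: departures[i])
    return sum(a == b for a, b in zip(entered, left)) / len(arrivals)

def sample_arrivals(n=500):
    """Constructed input: n equal-sized packets (real or cover, the observer cannot tell)."""
    return [i * SEND_INTERVAL_S for i in range(n)]

if __name__ == "__main__":
    arrivals = sample_arrivals()
    plain = traverse(arrivals, MIX_LAYERS, 0)
    mixed = traverse(arrivals, MIX_LAYERS, MEAN_DELAY_S)
    print("relay without delays:", fifo_link_rate(arrivals, plain))
    print("three mixing layers: ", fifo_link_rate(arrivals, mixed))
```

Without delays the order-matching observer links every packet; with three delayed hops the departure order no longer follows the arrival order, so the same guess is right for only a small fraction of packets.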

Performance

The three mixing layers add latency. This is acceptable for messaging, file transfers, and most API calls, but unsuitable for real-time applications such as video calling. For those, dVPN mode is more appropriate.

Updated latency measurements will be published after the Lewes Protocol release.

Further reading

The following pages cover mixnet internals in detail: