Network
Traffic Flow

Traffic Flow

Nym uses a source-routed decryption mixnet ... [i]n source routing, the sender of a message chooses the route that the message will traverse before reaching its final destination.

...

Nym uses the Sphinx packet format to encapsulate and anonymously route data payloads. Senders prepare Sphinx messages by encrypting them multiple times in reverse routing order. First, a message is encrypted for the recipient; then, for the last mix node in the path; then, for its predecessors in the path, ending with the outermost encryption, which corresponds to the mix node in the first layer. The complete Sphinx packet is finally encrypted with a key shared with the gateway, which forwards decrypted Sphinx packets to the mixnet.

Nym Whitepaper (opens in a new tab) §4

ℹ️

Please note that the following information is only about how traffic flows through the Mixnet, which is the only method that Nym Clients use, and is defined as 'anonymous' mode in the NymVPN application. DVPN 'speedy' mode is different, and you can read about that here (opens in a new tab).

The Nym mixnet re-orders encrypted, indistinguishable Sphinx packets as they travel through the network.

Traffic to send through the mixnet is broken up into uniformly-sized packets, encrypted in the Sphinx packet format according to the route the packet will take, and sent through the mixnet to be mixed among other real traffic and fake - but identical - cover traffic. At each 'hop' (i.e. as a packet is forwarded from one node in the sequence to another) a layer of decryption is removed from the Sphinx packet, revealing the address of the next hop, and another Sphinx packet. The packet is then held by the node for a variable amount of time, before being forwarded on to the next node in the route.

How traffic moves through the Mixnet is one of the core mechanisms that provide the privacy properties of the network, but is also (aside from SURBs) mostly abstracted away from developers.

Whatever is on the 'other side' of the mixnet from your client, all traffic will travel this way through the mixnet. If you are sending traffic to a service external to Nym (such as a chat application's servers) then your traffic will be sent from the recieving Nym client to an application that will proxy it 'out' of the mixnet to these servers, shielding your metadata from them. P2P (peer-to-peer) applications, unlike the majority of apps, might want to keep all of their traffic entirely 'within' the mixnet, as they don't have to necessarily make outbound network requests to application servers. They would simply have their local application code communicate with their Nym clients, and not forward traffic anywhere 'outside' of the mixnet.