Shieldeum Protocol: Net Neutrality Routing Layer
Last updated
A truly net-neutral Internet would refrain from censoring, shaping, or selectively manipulating traffic. The realization of such a vision requires a robust, scalable routing layer that upholds net neutrality principles. This would pave the way for unhindered global Internet access, particularly crucial for individuals in oppressive environments.
While an onion-encrypted routing network offers some solutions, its effectiveness diminishes if it can be easily censored. Moreover, barriers to participation can hamper its adoption.
Our proposal addresses these challenges by employing encapsulated traffic that mirrors ordinary data, making it indistinguishable and resistant to censorship. We also implement multiple anti-censorship strategies anchored on the principle of collateral freedom. Additionally, by defining clear roles that mitigate potential abuses and legal liabilities, we enhance the network's appeal for participation.
Furthermore, to ensure broad adoption, scalability, and sustainability of the routing layer, we advocate for a free and open competitive marketplace. This ecosystem fosters strong network effects, preserves consumer freedoms, and offers sensible economic incentives in the form of compensation for participants' services.
Net neutrality, anti-censorship measures, and privacy on the Internet have predominantly relied on centralized trusted third parties like consumer VPN providers and distributed systems such as Tor. While effective for many users, these solutions are not without flaws. They entail inherent risks associated with trust-based models, identifiable traits susceptible to filtering and blocking, and various limitations that impede widespread adoption, sustainability, and efficacy.
Recent developments underscore the urgency of addressing these challenges. A significant portion of the global population still grapples with a censored Internet, exacerbated by the repeal of net neutrality protections in the US and governmental crackdowns on personal VPN usage. Moreover, systems employing end-to-end encryption face active blocking measures.
Access to information and privacy are fundamental rights, yet organizations, institutions, ISPs, and governments employ technical measures to restrict access, manipulate traffic, and invade user privacy.
In this paper, we present a decentralized and sustainable solution for an Internet routing layer that upholds net neutrality principles. Grounded in collateral freedom, compartmentalized liability, enhanced privacy measures, and a robust economic model incentivizing network participation, our proposal aims to address these pressing concerns effectively.
Internet censorship involves three main processes: prescription, identification, and interference. Prescription dictates what content should be censored, identification determines how censorship is implemented, and interference refers to the actual blocking or impairing of communication. Censors employ various methods to identify content for censorship, which can be broadly categorized into two groups: by address and by content.
Address-based identification involves blocking or impairing communication with specific IP addresses or domain names, either individually or within certain ranges. To counter this, strategies like keeping certain addresses secret, as seen in Tor's use of bridge relay nodes, can be effective.
Content-based identification entails blocking entire protocols or specific traffic based on predefined criteria. Deep packet inspection (DPI) is a common technique where payload data, flow behavior, packet sizes, and timing are analyzed. Countermeasures include crafting traffic to appear different from the censored content and camouflaging communication to resemble allowed traffic.
Moreover, censors may utilize real-time heuristic assessment, machine learning, and active probing to refine their identification processes. For instance, active probing involves scanning addresses either proactively or on-demand, updating censorship criteria based on successful identifications.
To circumvent these processes and mitigate the technological arms race, it's essential to address both identification and prescription. By appealing to the censors' self-interests, they may opt not to block certain addresses or suspected circumvention traffic, recognizing the potential economic and social value loss associated with such actions.
Our proposed solution hinges on the principle of collateral freedom, a countermeasure rooted in the notion of collateral damage. This refers to the unintended or incidental harm caused by censoring a particular resource. Such harm is particularly detrimental to the censor if the blocked resource holds significant economic, political, or social value.
The effectiveness of the collateral freedom approach relies on three key conditions: First, the censor must opt to permit traffic to and from the resource in question. Second, the resource itself must be capable of handling circumvention traffic. Lastly, the circumvention traffic must be indistinguishable from regular traffic to evade detection.
To effectively execute this strategy, we propose a technique akin to domain fronting. However, instead of relying on traditional methods like Server Name Indication (SNI) and the Host Header, alongside existing fronting-capable web services, our approach involves the deployment of custom software on cooperative TLS terminating relays. These relays would be specifically configured to provide the necessary functionality for seamless circumvention.
Utilizing TLS encryption for encapsulated traffic and employing TLS terminating relays are integral components of our strategy. Given the widespread use of web services and HTTPS across the internet, leveraging TLS as the encryption layer is a logical choice. Furthermore, the custom software should enable encapsulated payloads that are protocol-agnostic, catering to a diverse range of use cases.
A TLS terminating relay can take various forms, including a standard web server such as Apache or Nginx, a load balancer like HAProxy or Nginx, or a service specializing in SSL termination such as Cloudflare, Akamai, or Netlify. For instance, in the case of a web server, it would continue to handle incoming traffic as usual while also incorporating functionality to manage circumvention traffic through an additional module. Once the TLS handshake for a session is negotiated and the initial layer of encryption is removed, this module would identify the session payload as circumvention traffic and process it accordingly.
A fronting bridge relay is a TLS terminating relay that collaborates in handling circumvention traffic, effectively acting as a gateway to the routing layer while serving as a traffic relay. This concept bears similarities to domain fronting and offers a conduit for accessing high-value resources, which may possess economic or social significance. To augment its effectiveness, complementary strategies such as overwhelming the censor's filtering capabilities can be employed. This entails widespread adoption and strategically selecting IP addresses in close proximity to high-value resources, rendering IP range blocking rules ineffective and necessitating specific rules for each fronting bridge relay.
However, in this single-hop scenario, several challenges arise for both users and relay providers. Users may encounter trust and privacy concerns akin to those with consumer VPNs, although these could be mitigated to some extent by chaining multiple fronting bridge relays. Meanwhile, relay providers may face legal liability issues, potentially impeding their willingness to participate.
Operating a relay provider that allows unrestricted connections to the Internet, like a Tor exit node, carries a considerable risk profile that many potential participants may hesitate to accept due to the risk of abuse and legal liability. While implementing a whitelist strategy could offer some mitigation, it does not fully address the issue and, paradoxically, introduces a form of censorship. Instead, we propose delegating this liability to a specialized role undertaken by organizations already equipped to manage such risks.
This specialized role is termed a "backing bridge relay," reflecting its pivotal position in the network hierarchy, its heightened liability, and its readiness to handle potential legal challenges, including raids, seizures, warrants, NSLs, lawsuits, IP blocking, DMCAs, and political profiling.
Although any entity could potentially offer backing bridge relay services, providers in the consumer VPN sector are likely the most suitable candidates due to their existing infrastructure for managing such liabilities. Backing bridge relays, utilizing a subset of the specifically developed software, would accept connections from fronting bridge relays, terminate the internal session, and forward the traffic to the intended destination.
Incorporating backing bridge relays into the network circuit effectively alleviates potential abuse and legal liability concerns from fronting bridge relays, thereby enhancing the prospects for broader participation. Moreover, the inclusion of these relays may potentially bolster user identity privacy by introducing an additional layer of relay.
The conventional digital privacy model aims to safeguard privacy by restricting the disclosure of information solely to the involved parties. In the user context, privacy is broadly categorized into two dimensions: identity and activity. By implementing targeted encryption alongside enhancing the separation between involved parties, a heightened level of privacy can be attained.
Onion encryption and routing. Within an onion network, messages undergo encapsulation within layers of encryption, akin to the layers of an onion. These encrypted data packets traverse through a series of network nodes known as onion routers. At each node, a layer of encryption is peeled away, revealing only the necessary information for that node to fulfill its function. This essential information typically includes the data's next destination address, ensuring that each intermediary node possesses only knowledge of the preceding origin and the subsequent destination.
While it's conceivable to link together multiple fronting and/or backing bridge relays to form a network circuit, we advocate for the introduction of a third relay variant.
Entropic relay. This relay type, dubbed for its role in heightening entropy, would receive traffic from either a fronting bridge relay or another entropic relay and forward it to another entropic relay or a backing bridge relay. By doing so, it amplifies the degree of separation between the involved parties. Similar to Tor's middle relays, entropic relays are minimally exposed to potential liability issues, which we anticipate will reduce barriers to participation, fostering greater adoption and scalability. Consequently, this would enhance privacy, anonymity, and plausible deniability across the entire network.
In scenarios where a fronting bridge relay isn't necessary for circumventing censorship, an entropic relay could potentially receive traffic directly from a client. Moreover, an alternative network protocol could be utilized between the client and an entropic relay to bolster performance.
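The layered encapsulation described above (a client wrapping traffic for a fronting bridge relay, an entropic relay and a backing bridge relay, each of which peels one layer and learns only the next hop) is illustrated here with an added example. It is not code from the Shieldeum project: the relay names, the fixed per-hop keys and the HMAC-based toy cipher are constructed for the demonstration, and a deployment would negotiate per-hop keys in a handshake and use a vetted AEAD instead of the toy cipher.

```python
import hashlib
import hmac
import secrets

# Toy encrypt-then-MAC cipher built from HMAC-SHA256, constructed here so the
# example runs with the standard library alone; a deployment would use a vetted
# AEAD such as ChaCha20-Poly1305 instead.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Return nonce || ciphertext || tag for one onion layer."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag before decrypting; a relay must never act on a forged layer."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# A peeled layer carries only the next hop and the still-encrypted remainder.
def _frame(next_hop, inner):
    hop = next_hop.encode()
    return bytes([len(hop)]) + hop + inner

def _unframe(layer):
    n = layer[0]
    return layer[1:1 + n].decode(), layer[1 + n:]

def build_onion(path, keys, destination, payload):
    """Client side: wrap innermost-first so path[0] peels the outermost layer."""
    blob = seal(keys[path[-1]], _frame(destination, payload))
    for i in range(len(path) - 2, -1, -1):
        blob = seal(keys[path[i]], _frame(path[i + 1], blob))
    return blob

def peel(relay, keys, blob):
    """Relay side: remove one layer, learning only the next hop."""
    return _unframe(unseal(keys[relay], blob))

def route(path, keys, destination, payload):
    """Simulate the circuit; returns what each relay learned and the delivered payload."""
    blob = build_onion(path, keys, destination, payload)
    learned = []
    for relay in path:
        next_hop, blob = peel(relay, keys, blob)
        learned.append((relay, next_hop))
    return learned, blob

def tamper_detected(relay, keys, blob):
    """True if flipping one ciphertext bit makes the relay reject the layer."""
    flipped = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    try:
        peel(relay, keys, flipped)
    except ValueError:
        return True
    return False

# Constructed circuit: fronting bridge -> entropic relay -> backing bridge.
# Keys would come from a per-hop handshake; here they are fixed demo values.
PATH = ["fronting-bridge", "entropic-1", "backing-bridge"]
KEYS = {r: hashlib.sha256(b"demo-hop-key:" + r.encode()).digest() for r in PATH}
DESTINATION = "example.invalid:443"

if __name__ == "__main__":
    learned, delivered = route(PATH, KEYS, DESTINATION, b"GET / HTTP/1.1\r\n")
    for relay, next_hop in learned:
        print(f"{relay} forwards to {next_hop}")
    print("backing bridge delivers:", delivered)
```

Running the simulation shows the fronting bridge relay learning only the entropic relay's name, the entropic relay learning only the backing bridge relay's name, and the backing bridge relay alone seeing the destination and payload; any attempt by an earlier relay to open an inner layer with its own key, or a single flipped ciphertext bit, fails tag verification and is rejected before decryption.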
A significant challenge faced by any distributed system is achieving widespread adoption, which is crucial for its scalability and long-term sustainability. To tackle this, we advocate for the establishment of a free and open competitive marketplace for service contracts, fostering robust network effects, safeguarding consumer freedoms, and offering sensible economic incentives while facilitating fair compensation for services rendered.
Service contract: These contracts can be initiated by any party and compete for both consumers and service providers. They offer flexibility in terms of parameters such as pricing, duration, bandwidth, and more. Once created, service providers can enroll and receive compensation based on their proof of service. Pre-paid arrangements ensure a seamless user experience and guarantee provider compensation through escrowed funds. Service contracts become active upon receiving funds, triggering the generation of a service key.
Service key: These keys are valid based on the parameters outlined in the service contract and are temporary. They are designed to enhance privacy by separating payment information from network usage, also enabling transferability and resalability. Resalability allows for the purchase of service keys using any payment method accepted by the seller, further enhancing user experience and consumer freedom. The primary function of a service key is to generate share tokens.
Share token: Share tokens play a dual role. Firstly, they enable service providers to authorize service, and secondly, they represent value if proven valid for the service provided. These tokens are cryptographically and independently generated by each client specifically for each service provider in the routing path. They are included in the appropriate encrypted onion layer of traffic being transmitted, with the frequency determined by the service contract. Service providers accumulate share tokens for later submission for validation and compensation.
By employing a proportional share-based model, R = (Kv * n/N) - Cf, akin to that used in cryptocurrency mining pools, the compensation or reward (R) paid to a service provider is its share of the value backed by a specific service key (Kv), proportional to the number of valid share tokens it accumulated (n) relative to the total number of valid share tokens (N) submitted by all service providers for that key, minus the service contract payout fee (Cf). In essence, all shares carry equal weight, and their value is fixed at the close of the settlement window defined by the service contract and the service key's expiration.
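The share token and settlement model of the two paragraphs above is worked through in the following added example, which is not code from the Shieldeum project. It assumes a share token is an HMAC over the provider identity and a sequence number under the service key, that the contract caps the sequence numbers accepted per settlement window (the max_seq parameter is a hypothetical contract parameter), and that settlement applies R = (Kv * n/N) - Cf exactly as stated; the service key, provider names and submitted tokens are constructed values.

```python
import hashlib
import hmac
from fractions import Fraction

def key_id(service_key):
    """Public identifier of a service key, so tokens can be matched to a contract."""
    return hashlib.sha256(b"key-id:" + service_key).hexdigest()[:16]

def make_share_token(service_key, provider_id, seq):
    """Client side: a token bound to one provider and one sequence number."""
    msg = provider_id.encode() + seq.to_bytes(4, "big")
    mac = hmac.new(service_key, msg, hashlib.sha256).hexdigest()
    return (key_id(service_key), provider_id, seq, mac)

def count_valid_shares(service_key, submissions, max_seq):
    """Settlement side: count distinct valid tokens per provider.
    Rejects tokens for another key or provider, out-of-window sequence numbers,
    bad MACs, and duplicates (each sequence number is counted once)."""
    kid = key_id(service_key)
    counts = {}
    for provider, tokens in submissions.items():
        seen = set()
        for tok_kid, pid, seq, mac in tokens:
            if tok_kid != kid or pid != provider or not 0 <= seq < max_seq:
                continue
            expected = make_share_token(service_key, pid, seq)[3]
            if not hmac.compare_digest(mac, expected):
                continue
            seen.add(seq)
        counts[provider] = len(seen)
    return counts

def settle(kv, counts, cf):
    """R = (Kv * n/N) - Cf for each provider, computed exactly with Fractions."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {p: Fraction(kv) * n / total - cf for p, n in counts.items()}

def demo():
    service_key = hashlib.sha256(b"demo-service-key").digest()  # constructed
    max_seq = 100  # hypothetical contract parameter: tokens per provider per window
    path = ["fronting-bridge", "entropic-1", "backing-bridge"]
    issued = {p: [make_share_token(service_key, p, i) for i in range(60)] for p in path}

    submissions = {
        "fronting-bridge": issued["fronting-bridge"],
        # the entropic relay resubmits one token, adds a forged one (bad MAC)
        # and one that was issued to the fronting bridge; all three are rejected
        "entropic-1": issued["entropic-1"] + [
            issued["entropic-1"][7],
            (key_id(service_key), "entropic-1", 5, "00" * 32),
            issued["fronting-bridge"][3],
        ],
        # the backing bridge only carried half of the session
        "backing-bridge": issued["backing-bridge"][:30],
    }
    counts = count_valid_shares(service_key, submissions, max_seq)
    return counts, settle(kv=100, counts=counts, cf=1)

if __name__ == "__main__":
    counts, rewards = demo()
    for provider in counts:
        print(f"{provider}: {counts[provider]} valid shares -> reward {rewards[provider]}")
```

With Kv = 100 and Cf = 1 the valid counts are 60, 60 and 30 (N = 150), so the two full-session relays each receive 100 * 60/150 - 1 = 39 and the backing bridge receives 100 * 30/150 - 1 = 19; the duplicate, forged and misattributed tokens change nothing, and the payout sums to Kv less the three fees.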
We've put forward a sustainable solution to uphold net-neutrality on the Internet through a dedicated routing layer.
Our approach began with leveraging collateral freedom, an anti-censorship strategy that taps into the self-interest of censors. This method aimed to bypass censorship by utilizing fronting bridge relays to gain entry to the routing layer. However, this strategy alone falls short due to potential privacy concerns, trust issues, and legal liabilities.
To address these challenges, we proposed implementing targeted encryption alongside increasing the separation between involved parties. Additionally, we suggested compartmentalizing potential abuse and legal liability to the role of backing bridge relays, which are handled by organizations equipped to manage such issues.
Lastly, we outlined a proposal to enhance the scalability and sustainability of the routing layer. This involved establishing a free and open competitive marketplace of service contracts. By encouraging robust network effects, bolstering user privacy, and ensuring consumer freedoms, while also offering sensible economic incentives to service providers, this model facilitates fair compensation for services rendered.