System Architecture
KairOS Red Network v10 is built on a modern, distributed architecture that combines post-quantum cryptography, zero trust principles, and Cloudflare's global edge network to deliver a secure encrypted fabric.
Architecture Overview
```
                        KairOS Red Fabric
┌──────────────┐      ┌───────────────────┐      ┌──────────────┐
│ Endpoint     │      │ Cloudflare Edge   │      │ Gateway      │
│ Agent        │◄────►│                   │◄────►│ Nodes        │
│              │      │  KV   D1   DO     │      │              │
│ • PQC KEX    │      │  R2   Queues      │      │ • Policy     │
│ • Tunnel     │      └───────────────────┘      │ • VNI Enf    │
│ • Policy     │                                 │ • Routing    │
│ • VNI        │                                 │ • Mux        │
└──────┴───────┘                                 └──────┴───────┘
       │                                                │
       │                                                │
┌──────┬───────┐                                        │
│ Clients /    │◄───────────────────────────────────────┘
│ Devices      │
└──────────────┘
```
Core Components
Endpoint Agent
The Endpoint Agent is a lightweight daemon deployed on devices and servers. It handles:
- Post-Quantum Key Exchange — Uses CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures
- Tunnel Establishment — Creates encrypted tunnels through the Cloudflare fabric to gateway nodes
- Local Policy Enforcement — Evaluates Rego policies before allowing traffic through VNIs
- VNI Management — Creates and manages virtual network interfaces for traffic isolation
Cloudflare Fabric
The Cloudflare Fabric provides the globally distributed control plane:
- Workers — Serverless functions for API endpoints, enrollment, and coordination
- D1 Database — Stores device enrollment, policies, and audit logs
- KV Namespaces — Caches session tokens and configuration data at the edge
- Durable Objects — Provide real-time relay and coordination for tunnel connections
- Queues — Handle async operations such as audit logging and telemetry
Gateway Nodes
The Gateway Nodes are high-performance Rust services that terminate tunnels and enforce policies:
- Policy Evaluation — Runs Rego policies via OPA for every connection attempt
- VNI Enforcement — Ensures complete isolation between virtual network interfaces
- Traffic Routing — Routes traffic between endpoints, clients, and external networks
Virtual Network Interface (VNI) Isolation
VNIs are the core isolation mechanism in KairOS Red. Each VNI represents a completely isolated virtual network segment. Traffic within a VNI cannot cross into another VNI without explicit policy rules.
Key VNI properties:
- Each VNI has its own routing table and forwarding rules
- VNIs can be interconnected through policy-defined gateways
- Tenants are mapped to VNIs for complete multi-tenant isolation
- VNI membership is enforced at both endpoint and gateway levels
Zero Trust Network Access (ZTNA)
KairOS Red implements ZTNA principles at every layer of the architecture:
- Never Trust, Always Verify — Every packet is authenticated and authorized before forwarding
- Least Privilege Access — Devices and users only have access to the specific VNIs and resources they need
- Assume Breach — Session tokens are short-lived, and continuous verification ensures compromised devices are quickly isolated
- Micro-Segmentation — VNIs provide granular network segmentation down to the application level
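The enforcement logic that the VNI isolation and ZTNA sections describe, written out as an added Go example; it is not code from the KairOS Red project (whose gateways evaluate Rego under OPA), and the token format, the `Claims`, `Flow` and `GatewayRule` types and the `authorize` function are all assumptions made for this illustration. It shows a short-lived, HMAC-signed session token that carries VNI membership, the same `authorize` decision being applied at the endpoint agent and again at the gateway, and cross-VNI traffic denied unless an explicit gateway rule covers that crossing and port:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Claims is the payload of a short-lived session token (constructed format).
type Claims struct {
	Device string   `json:"device"`
	VNIs   []string `json:"vnis"` // VNIs this device has been granted membership of
	Exp    int64    `json:"exp"`  // expiry, Unix seconds
}

// Flow is one connection attempt as seen by an enforcement point.
type Flow struct {
	SrcVNI, DstVNI string
	DstPort        int
}

// GatewayRule is an explicit, policy-defined crossing between two VNIs.
type GatewayRule struct {
	FromVNI, ToVNI string
	Ports          []int // empty means any destination port
}

// tag is HMAC-SHA256 over the token body; it stands in for the issuer signature.
func tag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// mintToken issues "<base64url(claims)>.<base64url(tag)>".
func mintToken(key []byte, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(tag(key, body)), nil
}

// verifyToken checks the tag in constant time, then the expiry. An expired token
// is refused even with a valid tag, which bounds how long a token lifted from a
// compromised device stays useful.
func verifyToken(key []byte, tok string, now time.Time) (Claims, error) {
	parts := strings.SplitN(tok, ".", 2)
	if len(parts) != 2 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return Claims{}, fmt.Errorf("malformed token encoding")
	}
	if !hmac.Equal(tag(key, body), sig) {
		return Claims{}, fmt.Errorf("bad token signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

// authorize is the decision both the endpoint agent and the gateway make for every
// flow, so traffic that slips past the local agent meets the same check at the
// gateway: valid unexpired token (never trust, always verify), device is a member
// of SrcVNI (least privilege), and any crossing into another VNI is backed by an
// explicit gateway rule (micro-segmentation).
func authorize(key []byte, tok string, f Flow, rules []GatewayRule, now time.Time) (bool, string) {
	c, err := verifyToken(key, tok, now)
	if err != nil {
		return false, "deny: " + err.Error()
	}
	if !slices.Contains(c.VNIs, f.SrcVNI) {
		return false, "deny: " + c.Device + " is not a member of " + f.SrcVNI
	}
	if f.SrcVNI == f.DstVNI {
		return true, "allow: intra-VNI " + f.SrcVNI
	}
	for _, r := range rules {
		if r.FromVNI == f.SrcVNI && r.ToVNI == f.DstVNI &&
			(len(r.Ports) == 0 || slices.Contains(r.Ports, f.DstPort)) {
			return true, fmt.Sprintf("allow: gateway rule %s->%s", r.FromVNI, r.ToVNI)
		}
	}
	return false, fmt.Sprintf("deny: no gateway rule for %s->%s port %d", f.SrcVNI, f.DstVNI, f.DstPort)
}

func main() {
	key, now := []byte("constructed-issuer-key"), time.Now()
	tok, _ := mintToken(key, Claims{Device: "laptop-01", VNIs: []string{"vni-app"}, Exp: now.Add(5 * time.Minute).Unix()})
	rules := []GatewayRule{{FromVNI: "vni-app", ToVNI: "vni-db", Ports: []int{5432}}}
	// constructed flows: intra-VNI, allowed crossing, unlisted port, source VNI the device is not in
	for _, f := range []Flow{{"vni-app", "vni-app", 443}, {"vni-app", "vni-db", 5432}, {"vni-app", "vni-db", 22}, {"vni-db", "vni-app", 443}} {
		fmt.Println(authorize(key, tok, f, rules, now))
	}
	fmt.Println(authorize(key, tok, Flow{"vni-app", "vni-app", 443}, rules, now.Add(time.Hour))) // expired token
}
```

The point of running the identical decision at both enforcement points is that a device whose local agent has been tampered with gains nothing: the gateway re-checks the token, the VNI membership and the crossing rule before forwarding a single packet. A real deployment would replace the shared HMAC key with the fabric's issuer signature and feed the same inputs to the Rego policy the gateways already evaluate.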
Post-Quantum Key Exchange Flow
```
Endpoint                    Cloudflare                     Gateway
    │                            │                            │
    │── Enroll Request ─────────►│                            │
    │                            │── Verify Device ──────────►│
    │◄── Challenge ──────────────│                            │
    │── Signed Response ────────►│                            │
    │                            │── Issue Cert ─────────────►│
    │◄── mTLS Handshake ─────────│                            │
    │── Kyber Key Encaps ───────►│── Forward KEM ────────────►│
    │◄── Shared Secret ──────────│◄── Shared Secret ──────────│
    │── Encrypted Tunnel ───────►│── Encrypted Tunnel ───────►│
    │                            │                            │
    │               Post-Quantum Secure Tunnel                │
    │◄═══════════════════════════════════════════════════════►│
```
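The key-encapsulation steps of the flow above (Kyber Key Encaps, Forward KEM, the shared secret on each side), as an added Go example rather than code from the KairOS Red project. It uses Go's standard `crypto/mlkem` package (Go 1.24 or later) for ML-KEM-768, the NIST-standardized form of CRYSTALS-Kyber. The enrollment challenge, the Dilithium-signed response and the mTLS handshake are not modelled (Go's standard library has no ML-DSA); they are represented only by a constructed transcript that the derived key is bound to. The `gateway` type, the transcript, the HMAC labels and the one-step HMAC key derivation are assumptions, not the project's wire format or KDF:

```go
package main

import (
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/sha256"
	"fmt"
)

// gateway holds the gateway node's ML-KEM-768 decapsulation (private) key.
type gateway struct {
	dk *mlkem.DecapsulationKey768
}

func newGateway() (*gateway, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &gateway{dk: dk}, nil
}

// EncapsulationKey is the public half that the fabric hands to an enrolled
// endpoint over the mTLS channel set up earlier in the flow.
func (g *gateway) EncapsulationKey() []byte {
	return g.dk.EncapsulationKey().Bytes()
}

// deriveTunnelKey binds the KEM shared secret to the session transcript.
// Assumption: one HMAC-SHA256 step with a constructed label stands in for the
// fabric's real KDF; the transcript would cover the enrollment and mTLS messages.
func deriveTunnelKey(shared, transcript []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("kairos-example-tunnel-key|")) // constructed label
	mac.Write(transcript)
	return mac.Sum(nil)
}

// confirmTag is the key-confirmation value the endpoint sends with its first
// tunnel message so the gateway can check both sides derived the same key.
func confirmTag(tunnelKey, transcript []byte) []byte {
	mac := hmac.New(sha256.New, tunnelKey)
	mac.Write([]byte("kairos-example-key-confirm|")) // constructed label
	mac.Write(transcript)
	return mac.Sum(nil)
}

// endpointEncapsulate is the "Kyber Key Encaps" step: the endpoint encapsulates
// to the gateway's public key and keeps the derived tunnel key locally. Only the
// ciphertext and the confirmation tag are forwarded through the fabric.
func endpointEncapsulate(gatewayPub, transcript []byte) (tunnelKey, ciphertext, tagOut []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(gatewayPub)
	if err != nil {
		return nil, nil, nil, err
	}
	shared, ct := ek.Encapsulate()
	tunnelKey = deriveTunnelKey(shared, transcript)
	return tunnelKey, ct, confirmTag(tunnelKey, transcript), nil
}

// acceptKEM is the gateway side of "Forward KEM": decapsulate, derive the same
// key, and check the confirmation tag. A tampered ciphertext does not make
// Decapsulate fail (ML-KEM uses implicit rejection and yields a pseudorandom key
// instead), so the tag check is what actually detects it.
func (g *gateway) acceptKEM(ciphertext, tagIn, transcript []byte) ([]byte, bool, error) {
	shared, err := g.dk.Decapsulate(ciphertext)
	if err != nil {
		return nil, false, err // only a wrong-length ciphertext gets here
	}
	key := deriveTunnelKey(shared, transcript)
	return key, hmac.Equal(confirmTag(key, transcript), tagIn), nil
}

// establishTunnel runs the exchange end to end and reports whether the gateway
// confirmed the key. With tamper=true one ciphertext bit is flipped in transit.
func establishTunnel(transcript []byte, tamper bool) (bool, error) {
	gw, err := newGateway()
	if err != nil {
		return false, err
	}
	epKey, ct, tagOut, err := endpointEncapsulate(gw.EncapsulationKey(), transcript)
	if err != nil {
		return false, err
	}
	if tamper {
		ct[0] ^= 0x01
	}
	gwKey, confirmed, err := gw.acceptKEM(ct, tagOut, transcript)
	if err != nil {
		return false, err
	}
	return confirmed && hmac.Equal(epKey, gwKey), nil
}

func main() {
	tr := []byte("constructed enrollment+mTLS transcript")
	ok, err := establishTunnel(tr, false)
	fmt.Println("honest exchange, key confirmed:", ok, err)
	ok, err = establishTunnel(tr, true)
	fmt.Println("tampered ciphertext, key confirmed:", ok, err)
}
```

In this example the fabric relays only the KEM ciphertext and a confirmation tag; the shared secret is derived independently on each side and never transits the edge. The tamper case is the caveat worth remembering when reviewing a KEM-based design: decapsulation of a modified ciphertext succeeds silently, so an explicit key-confirmation step (or the first AEAD-protected tunnel message failing to authenticate) is what turns a substituted message into a detectable failure rather than a stalled tunnel.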