Decentralized Identity Overlay — crypto-based device identity over broken IPv4/CGNAT networks with TIBET provenance
Project description
tibet-overlay — Decentralized Identity Overlay
Identity belongs to the device, not the network.
Cryptographic device identity over broken IPv4/CGNAT networks.
tibet-overlay creates an identity layer independent of IP addresses. Devices prove who they are via cryptographic JIS identity tokens and TIBET history, not via their IP address. This makes CGNAT, NAT traversal, and IP spoofing irrelevant for identity.
The Problem
IPv4 addresses are exhausted. Millions of devices sit behind Carrier-Grade NATs (CGNAT), sharing the same public IP. This breaks:
- Point-to-point connections — you can't reach a device directly
- Zero-trust security — who is who behind that shared IP?
- Audit trails — IP-based logs are meaningless with CGNAT
IPv6 adoption is too slow, especially in industrial environments.
The Insight
Identity ≠ IP address. Identity should be cryptographic (bound to the device), not topological (bound to the network).
Install
pip install tibet-overlay
Quick Start
from tibet_overlay import IdentityOverlay
overlay = IdentityOverlay()
# Register devices (same public IP = CGNAT)
overlay.register("sensor-01", ip="203.0.113.1", port=44321, behind_nat=True, capabilities=["mqtt"])
overlay.register("sensor-02", ip="203.0.113.1", port=44322, behind_nat=True, capabilities=["mqtt"])
# Verify identity (crypto-based, not IP-based)
proof = overlay.verify("jis:sensor-01")
print(proof.verified) # True
print(proof.trust_score) # 0.5
# Resolve endpoint by identity
route = overlay.resolve("jis:sensor-01")
print(route.endpoint) # 203.0.113.1:44321
print(route.resolved) # True
# Find by capability
mqtt_devices = overlay.find_by_capability("mqtt")
Demo
tibet-overlay demo
tibet-overlay info
How It Works
[Device A: 10.0.0.x] ---JIS ID--→ [Identity Overlay] ←--JIS ID--- [Device B: 10.0.0.y]
behind CGNAT identity = crypto behind CGNAT
IP is irrelevant not IP-based IP is irrelevant
- Device registers with JIS identity (cryptographic key pair)
- Overlay stores identity → endpoint mapping
- Resolution is by identity, not by IP
- When IP changes (DHCP, roaming, CGNAT reassignment), identity stays the same
- TIBET tracks every identity event for audit
Why Not Just Use IP?
| Problem | IP-based | tibet-overlay |
|---|---|---|
| CGNAT (shared IP) | Can't distinguish devices | Each has unique JIS identity |
| IP change (DHCP/roaming) | Identity lost | Identity persists |
| IP spoofing | Trivial | Cryptographically impossible |
| NAT traversal (VoIP/SIP) | STUN/TURN/ICE nightmare | Identity-based routing |
| Audit trail | "Which 10.0.0.x?" | "jis:sensor-01 did X at Y" |
Use Cases
- IoT behind CGNAT — millions of devices, shared IPs, each with unique identity
- VoIP NAT traversal — SIP + NAT has been broken for 25 years. JIS identity makes STUN/TURN obsolete
- Industrial networks — isolated subnets with overlapping IP ranges
- Mobile devices — IP changes constantly, identity doesn't
- Multi-cloud — same service across AWS/GCP/Azure, one identity
TIBET Provenance
Every identity event creates a TIBET token:
| Layer | Content |
|---|---|
| ERIN | What happened (registration, verification, resolution) |
| ERAAN | Dependencies (parent tokens, device chain) |
| EROMHEEN | Context (overlay node, timestamp) |
| ERACHTER | Intent (why this identity action) |
Part of the TIBET ecosystem
| Package | Purpose |
|---|---|
tibet-core |
Protocol core |
tibet-y2k38 |
Y2K38 Time Bridge |
tibet-pol |
Process Integrity Checker |
tibet-pqc |
Post-Quantum Crypto Router |
| tibet-overlay | Identity Overlay |
tibet-twin |
Digital Twin Guard |
License
MIT — Humotica AI Lab 2025-2026
Authors
- J. van de Meent — jasper@humotica.com
- R. AI (Root AI) — root_idd@humotica.nl
Credits
Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.
Stack-positie: Groep agentic · Bootstrap = OSAPI-handshake naar tibet + jis (fail → snaft-rule + tibet-pol-rapport) · ← tibet-mux · See STACK.md · See demo/golden-path/ for the spine end-to-end.
Enterprise
For private hub hosting, SLA support, custom integrations, or compliance guidance:
| Enterprise | enterprise@humotica.com |
| Support | support@humotica.com |
| Security | security@humotica.com |
See ENTERPRISE.md for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tibet_overlay-0.1.2.tar.gz.
File metadata
- Download URL: tibet_overlay-0.1.2.tar.gz
- Upload date:
- Size: 15.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7a13be2a79c61bfd6ed6b2c0778f9795ebffb82fd6975053de861cfe49a93230
|
|
| MD5 |
48857e48152dddac6f74249aaaf89be4
|
|
| BLAKE2b-256 |
77f96ddf35f8681d116348508f4e14cdfda6183e4379cd2282a28efe35148663
|
File details
Details for the file tibet_overlay-0.1.2-py3-none-any.whl.
File metadata
- Download URL: tibet_overlay-0.1.2-py3-none-any.whl
- Upload date:
- Size: 16.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0b32b1e4169b64e4b76cae153068343640ad3451ade6196ad496695ab06acd64
|
|
| MD5 |
53b5f21b448070abf7665a7e551c1637
|
|
| BLAKE2b-256 |
987c5659533aa24250fe6062c100eace3250e088f75db928e76f7876f9df2477
|
