Technical Specifications
A transparent breakdown of Bauxite's capabilities. We separate stable, production-ready kernel drivers from active beta systems and exploratory link research.
Current Focus
Bauxite currently focuses on:
- Secure ROS 2 networking across WAN environments
- Identity-based fleet connectivity
- Deterministic traffic prioritization for robotics workloads
- Secure software delivery to edge systems
*Note: Research areas such as SDR integration, tactical radio transports, and browser gateways are not part of the current production offering.*
Sovereign networking, security, control, and cryptographic identity. Supported in current releases and deployable today.
Preemptive flow prioritization, head-drop backpressure, and embedded microcontroller command verification.
Experimental integration with sub-GHz serial radio bridges and Software Defined Radios (SDRs) for non-IP redundancy.
I. Production-Ready & Verified
Kernel-level packet processing using eBPF XDP and TC.
Bauxite Citadel (Security Plane)
Kernel enforcement utilizing Linux Security Modules (LSM) and cgroups to secure device boundaries.
- ✓ Process execution monitoring and policy enforcement
- ✓ Kernel-level network policy enforcement
- ✓ RTPS / DDS policy boundary enforcement
Bauxite Conduit (Networking Plane)
Low-overhead eBPF packet processing executed directly within the network driver interface.
- ✓ Early packet filtering before application processing
- ✓ Traffic prioritization for control and telemetry workloads
- ✓ RTPS multicast emulation for WAN discovery
Bauxite Dispatch (Control Plane)
Centralized policy distribution and P2P STUN/ICE candidate matchmaking engine.
- ✓ mTLS gRPC coordination plane for fleet control
- ✓ ICE candidate matchmaking and TURN fallback relays
Bauxite Forge (Identity & OTA)
Cryptographic credential management with hardware bindings and signed software delivery.
- ✓ TPM 2.0 / TEE hardware security module binding
- ✓ Cryptographically signed OTA chunk verification and resume
II. Active Development & Beta
Modules undergoing active testing and validation in partner deployments.
eBPF Queue Schedulers & Flow Control
Priority lane allocation and traffic filtering to maintain responsive control signals during network saturation.
- → Preemptive lane scheduling for safety control messages
- → Head-drop backpressure to discard stale telemetry
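The difference between head-drop and the more common tail-drop, as an added userspace example (not Bauxite's eBPF scheduler). The queue capacity, struct names and burst size are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define QCAP 4  /* constructed capacity for the example */

struct sample { uint32_t seq; int32_t value; };
struct hq { struct sample buf[QCAP]; size_t head, count; uint64_t dropped; };

enum policy { TAIL_DROP, HEAD_DROP };

/* Enqueue under a full-queue policy. Tail-drop rejects the new sample and keeps
 * stale ones; head-drop evicts the oldest so the queue always holds the newest. */
int hq_push(struct hq *q, struct sample s, enum policy p)
{
    if (q->count == QCAP) {
        q->dropped++;
        if (p == TAIL_DROP) return 0;       /* newest sample lost */
        q->head = (q->head + 1) % QCAP;     /* evict oldest */
        q->count--;
    }
    q->buf[(q->head + q->count) % QCAP] = s;
    q->count++;
    return 1;
}

int hq_pop(struct hq *q, struct sample *out)
{
    if (q->count == 0) return 0;
    *out = q->buf[q->head];
    q->head = (q->head + 1) % QCAP;
    q->count--;
    return 1;
}

/* Burst `n` samples (seq 1..n) at a stalled consumer, then return the seq of
 * the first sample the consumer reads once the link drains. */
uint32_t first_seq_after_burst(uint32_t n, enum policy p)
{
    struct hq q = {0};
    struct sample s;
    for (uint32_t i = 1; i <= n; i++)
        hq_push(&q, (struct sample){ i, (int32_t)i * 10 }, p);
    return hq_pop(&q, &s) ? s.seq : 0;
}

int main(void) { return first_seq_after_burst(10, HEAD_DROP) == 7 ? 0 : 1; }
```

After a 10-sample burst into a 4-slot queue, tail-drop hands the consumer sample 1 while head-drop hands it sample 7; both policies drop six samples, they differ only in which six.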
Embedded Command Verification
Signed command verification for embedded clients. Enables security-critical command validation on downstream microcontrollers.
- → Bauxite Lite Client validation on microcontrollers
- → Downstream motor/actuator safety gate validation
III. Exploratory Research & Roadmap
Research initiatives, experimental integrations, and edge compatibility fallbacks.
Tactical Link Replication
Experimental integration with sub-GHz serial radio bridges and Software Defined Radios (SDRs) to duplicate critical control messages across non-IP channels during severe primary link degradation.
Clientless WebRTC Gateway
WebRTC WHEP gateway designed to bridge real-time telemetry from remote fleets directly into standard web browsers via enterprise SSO.
Legacy TAP/TUN Engine
A userspace routing fallback to enforce policy synchronization and session key rotations on older Linux kernels or non-Linux edge nodes (macOS/Windows).
Topologies & Data Flow
Explore Bauxite's low-latency data paths, peer connections, and verification points.
End-to-End Fleet Security
Secures telemetry and command loops between remote operators, the local Linux gateway, and physical microcontrollers.
Incoming packets are filtered using XDP before entering the normal kernel networking path. Invalid or unauthorized traffic can be dropped before socket allocation.
Authorized streams pass to the user-space WebRTC Engine. The local Bauxite Linux Agent processes metrics, signs payloads, and feeds them into the internal bus.
Signed command verification for embedded clients. Enables security-critical command validation on downstream microcontrollers.
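The early-drop step in the flow above, modelled as an added userspace example (not Bauxite's XDP program). The default-deny policy, the port 7400 and the sample frame are constructed; the 20-byte RTPS header layout is the standard one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts local to this example; they stand in for XDP_DROP / XDP_PASS. */
enum verdict { V_DROP = 0, V_PASS = 1 };
#define ETH_HLEN 14
#define RTPS_HDR_LEN 20 /* "RTPS" + version(2) + vendorId(2) + guidPrefix(12) */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Default-deny: only unfragmented IPv4/UDP carrying an RTPS v2 header to
 * allowed_port passes. Every read is preceded by a length check, the same
 * discipline the eBPF verifier enforces on data/data_end in XDP. */
enum verdict filter_rtps(const uint8_t *data, size_t len, uint16_t allowed_port)
{
    if (len < ETH_HLEN + 20 || be16(data + 12) != 0x0800) return V_DROP;
    const uint8_t *ip = data + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length is sender-controlled */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl + 8) return V_DROP;
    if (ip[9] != 17 || (be16(ip + 6) & 0x3fff)) return V_DROP; /* UDP, no fragments */
    const uint8_t *udp = ip + ihl;
    size_t ulen = be16(udp + 4);               /* UDP length is sender-controlled */
    if (ulen < 8 + RTPS_HDR_LEN || ulen > len - ETH_HLEN - ihl) return V_DROP;
    if (be16(udp + 2) != allowed_port) return V_DROP;
    const uint8_t *rtps = udp + 8;
    if (memcmp(rtps, "RTPS", 4) != 0 || rtps[4] != 2) return V_DROP;
    return V_PASS;
}

/* Constructed sample: 62-byte Ethernet/IPv4/UDP frame with an RTPS 2.3 header. */
size_t build_sample(uint8_t *buf, uint16_t dport)
{
    memset(buf, 0, 62);
    buf[12] = 0x08; buf[13] = 0x00;                   /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 48; ip[8] = 64; ip[9] = 17; /* v4, IHL 5, total 48, UDP */
    uint8_t *udp = ip + 20;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[5] = 28;                                      /* UDP length: 8 + 20 */
    memcpy(udp + 8, "RTPS", 4);
    udp[12] = 2; udp[13] = 3;                         /* protocol version 2.3 */
    return 62;
}

int main(void)
{
    uint8_t pkt[62];
    return filter_rtps(pkt, build_sample(pkt, 7400), 7400) == V_PASS ? 0 : 1;
}
```

A real XDP program would compare pointers against `data_end` and pass non-matching traffic such as ARP according to policy rather than dropping everything else.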
System Security & Operations
Design decisions focused on predictability and fleet control.
FRICTIONLESS ADOPTION
Bypasses userspace proxy memory allocations. Drops cleanly into legacy ROS 2 and DDS setups with zero code changes.
PERIMETER LOCKDOWN
Outbound-only connection logic removes the public listening attack surface. Centralized cryptographic kill-switch.
OPERATIONAL CONTINUITY
XDP protocol filters drop malformed packets at the NIC driver before memory exhaustion or userspace context switches.
AUTOMATED KEY ROTATION
Security credentials are rotated automatically every 60 seconds to prevent interception risks.
Declarative Policy-as-Code
Synchronize security rules, traffic classifications, and routing preferences across your fleet using standard YAML manifests distributed by Bauxite Dispatch.
The control plane compiles these specifications into optimized kernel map keys and updates interface hooks at runtime, without restarting network interfaces or active ROS nodes.