CSfC Alignment

NetBird's double VPN architecture is designed with the NSA's Commercial Solutions for Classified (CSfC) Multi-Site Connectivity capability package in mind. This page provides both a conceptual overview and a detailed requirement-by-requirement mapping.

Conceptual Alignment

The CSfC program allows classified data to traverse untrusted networks (such as the public internet) by requiring two independent layers of commercial encryption. The core principle is defense in depth — if one layer fails, the other continues to protect the data.

NetBird implements this principle directly:

Classified Data
    │
    ▼
┌───────────────────────────────────────────┐
│  Inner Layer: AES-256-GCM WireGuard       │  ← Layer 1
│  Independent key management via DSKE       │
└───────────────────────────────────────────┘
    │
    ▼
┌───────────────────────────────────────────┐
│  Outer Layer: ChaCha20-Poly1305 WireGuard │  ← Layer 2
│  Standard WireGuard DH key exchange        │
└───────────────────────────────────────────┘
    │
    ▼
Untrusted Network (Internet)

The two layers differ in:

  • Transport cipher: AES-256-GCM (inner) vs ChaCha20-Poly1305 (outer)
  • Keying: the inner layer's session keys are bound to a DSKE threshold-shared PSK on top of the WireGuard Diffie-Hellman exchange, while the outer layer relies on WireGuard Diffie-Hellman alone
  • Implementation: the wireguard-aes-go fork (inner) vs standard wireguard-go (outer)

A weakness in one layer's cipher or key material therefore does not expose the other layer. The independence is not total, however: the fork shares the Noise handshake logic, Curve25519 and BLAKE2s with standard WireGuard, so a defect in that common code would affect both layers at once. The DSKE PSK is what gives the inner layer key material the outer layer never depends on.

Multi-Site Connectivity Requirements

The CSfC Multi-Site Connectivity capability package defines requirements for protecting data between geographically separated sites over untrusted networks. The following table maps these requirements to NetBird's implementation.

Encryption Requirements

| CSfC Requirement | NetBird Implementation | Notes |
|---|---|---|
| Two independent layers of encryption | WireGuard (ChaCha20-Poly1305) + AES WireGuard (AES-256-GCM) | Each layer is a complete WireGuard instance with its own handshake, session keys and transport encryption |
| Layers must use different vendors or implementations | Standard wireguard-go (outer) + wireguard-aes-go fork (inner) | The fork changes only the cipher suite: the Noise handshake and protocol logic are identical, only the AEAD differs. Whether a cipher-swapped fork of the same code base satisfies the independence requirement is for the formal CSfC evaluation to decide, not this mapping |
| CNSA-compliant algorithms | AES-256-GCM (inner layer) meets CNSA Suite requirements | ChaCha20-Poly1305 (outer layer) adds defense in depth but is not CNSA-listed. Neither are Curve25519 and BLAKE2s, which both layers use in the Noise handshake, nor the HKDF-SHA256 used for DSKE master key derivation; CNSA 1.0 specifies ECDH over P-384 and SHA-384 for those roles |

Key Management Requirements

| CSfC Requirement | NetBird Implementation | Notes |
|---|---|---|
| Independent key management per layer | WireGuard DH (outer) + DSKE threshold key exchange (inner) | Completely independent key lifecycles |
| No single point of key compromise | DSKE splits each secret across 2+ security hubs using Shamir secret sharing | Any set of fewer than shares_required hubs (2 by default) holds no information about the secret, so a single compromised hub learns nothing |
| Key rotation | Outer: WireGuard rekeys every 120 seconds (REKEY_AFTER_TIME). Inner: DSKE rotates the PSK every 120 seconds | The two schedules are independent; neither layer's rekey depends on the other's state |
| Secure key distribution | DSKE uses out-of-band PSRD provisioning plus hub-mediated share distribution | Complete keys never traverse the network; only individual shares do, and no single hub holds a reconstructable set |

Architecture Requirements

| CSfC Requirement | NetBird Implementation | Notes |
|---|---|---|
| Support for multiple sites | Peer-to-peer mesh topology with centralized management | Each site has one or more peers; all peers communicate through the double VPN |
| Scalable key distribution | DSKE automates PSK generation for every peer pair | No manual key distribution per peer pair |
| Resilience to component failure | Multiple security hubs provide redundancy; WireGuard handles session recovery automatically | Secrets stay reconstructable as long as at least shares_required hubs are reachable, so N hubs tolerate N - shares_required simultaneous hub failures; deploy N > shares_required |
| Centralized policy management | Management server distributes access policies, group memberships and network configuration | Policies are enforced locally on each peer |

Data Protection Requirements

| CSfC Requirement | NetBird Implementation | Notes |
|---|---|---|
| Confidentiality | Double encryption: both layers provide confidentiality | Even if one layer is broken, the other still protects the data |
| Integrity | Both WireGuard layers include AEAD authentication | Each layer independently authenticates and verifies packet integrity |
| Anti-replay | WireGuard includes built-in anti-replay protection per session | Both layers maintain independent replay counters |

Algorithm Details

Inner Layer (AES WireGuard)

| Parameter | Value |
|---|---|
| Noise protocol | Noise_IKpsk2_25519_AESGCM_BLAKE2s |
| Handshake AEAD | AES-256-GCM |
| Transport AEAD | AES-256-GCM |
| Key exchange | Curve25519 Diffie-Hellman + DSKE PSK |
| Hash | BLAKE2s |
| PSK | 32-byte DSKE-generated secret, rotated every 120 s |

Outer Layer (Standard WireGuard)

| Parameter | Value |
|---|---|
| Noise protocol | Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s |
| Handshake AEAD | ChaCha20-Poly1305 |
| Transport AEAD | ChaCha20-Poly1305 |
| Key exchange | Curve25519 Diffie-Hellman |
| Hash | BLAKE2s |

DSKE Key Generation

| Parameter | Value |
|---|---|
| Secret length | 32 bytes |
| Secret sharing | Shamir secret sharing |
| Minimum shares | 2 (configurable) |
| Master key derivation | HKDF-SHA256 from the WireGuard private key |
| Hub communication | REST API over a WireGuard tunnel |
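The threshold property behind the "No single point of key compromise" and "Resilience to component failure" rows above, and the Shamir parameters in this table, as an added illustration written for this page (it is not NetBird's or DSKE's own code): a 32-byte PSK is split 3-of-5 across hubs with Shamir secret sharing over GF(2^8), one byte at a time. The hub count, the threshold of 3 and the byte-wise GF(2^8) construction are assumptions for the example; the page states only that DSKE uses Shamir sharing on 32-byte secrets with a configurable minimum of 2 shares.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1; each secret byte is shared in this field.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		hi := a&0x80 != 0
		a <<= 1
		if hi {
			a ^= 0x1b // reduce modulo the field polynomial
		}
		b >>= 1
	}
	return p
}

func gfInv(a byte) byte {
	r := a // a^-1 = a^254 by Fermat; a must be non-zero
	for i := 0; i < 253; i++ {
		r = gfMul(r, a)
	}
	return r
}

// Share is what one hub holds: its point X (1..255) and f(X) for each secret byte.
type Share struct {
	X byte
	Y []byte
}

// Split produces n shares; any threshold of them reconstruct the secret, any threshold-1 are independent of it.
func Split(secret []byte, n, threshold int) ([]Share, error) {
	if threshold < 2 || n < threshold || n > 255 {
		return nil, errors.New("need 2 <= threshold <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coeffs := make([]byte, threshold-1) // random coefficients of x^1..x^(t-1), fresh per byte
	for idx, s := range secret {
		if _, err := rand.Read(coeffs); err != nil {
			return nil, err
		}
		for i, sh := range shares {
			y := byte(0) // Horner: f(x) = s + c1*x + ... + c_{t-1}*x^(t-1)
			for j := len(coeffs) - 1; j >= 0; j-- {
				y = gfMul(y, sh.X) ^ coeffs[j]
			}
			shares[i].Y[idx] = gfMul(y, sh.X) ^ s
		}
	}
	return shares, nil
}

// Combine interpolates f(0). Below the threshold it returns a value unrelated to the secret, not an error.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	seen := make(map[byte]bool)
	for _, s := range shares {
		if s.X == 0 || seen[s.X] { // x=0 would be f(0) itself; duplicate points divide by zero
			return nil, errors.New("malformed share set")
		}
		seen[s.X] = true
	}
	out := make([]byte, len(shares[0].Y))
	for idx := range out {
		for i, si := range shares {
			basis := byte(1) // Lagrange l_i(0) = prod_{j != i} x_j / (x_j - x_i); minus is XOR here
			for j, sj := range shares {
				if i != j {
					basis = gfMul(basis, gfMul(sj.X, gfInv(sj.X^si.X)))
				}
			}
			out[idx] ^= gfMul(si.Y[idx], basis)
		}
	}
	return out, nil
}

func main() {
	psk := make([]byte, 32) // constructed stand-in for a DSKE-generated 32-byte PSK
	rand.Read(psk)
	shares, _ := Split(psk, 5, 3) // 3-of-5 hubs: survives 2 outages, resists 2 compromises
	got, _ := Combine(shares[2:])  // hubs 1 and 2 unreachable, three remain
	leak, _ := Combine(shares[:2]) // hubs 1 and 2 compromised, nothing else
	fmt.Println("3 hubs recover PSK:", string(got) == string(psk), "/ 2 hubs recover PSK:", string(leak) == string(psk))
}
```

Run it with go run. The two results show both sides of the threshold: with hubs 1 and 2 unreachable the remaining three still reconstruct the PSK, while the two compromised hubs' shares alone produce an unrelated 32-byte value. Note the caveat that applies to any Shamir deployment: Combine cannot tell a sub-threshold set apart from a valid one, which is exactly what protects against partial compromise, but it also means that a peer that reaches fewer than shares_required hubs gets a silently wrong PSK rather than an error. In the double VPN that would surface as a failed inner-layer handshake, so hub reachability monitoring belongs in the operational checklist.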

Operational Considerations

What NetBird Provides

  • Two independent encryption layers with independent key management
  • Automated key rotation with no traffic interruption
  • Distributed trust via threshold cryptography (no single point of key compromise)
  • Centralized policy management with local enforcement
  • Peer-to-peer mesh topology for multi-site connectivity

What Organizations Must Provide

  • Formal evaluation: CSfC compliance is not self-asserted. The solution must go through NSA's formal CSfC process, including component selection from the CSfC Components List and registration of the solution; this page documents alignment, not certification
  • Physical security: Endpoint devices must be physically secured per organization policy
  • Hub security: Security hubs should be deployed on secured, monitored infrastructure
  • PSRD distribution: Secure out-of-band transfer of PSRD files
  • Monitoring and audit: Organizations must maintain operational monitoring
  • Incident response: Procedures for responding to suspected key compromise