Internet Gateway Architecture

1. Overview

MOSA Internet Gateway serves as a secure bridge between fully offline mesh networks and the internet. It enables MOSA users to maintain secure internet access and stay connected with the world even in critical situations.

Hybrid Architecture Advantages

Security Focused

Offline-First: Full functionality without internet.
Air-Gapped Security: Can be physically isolated from the mesh network.
Zero-Trust Architecture: All connections are encrypted and verified.

Operational Flexibility

Selective Connectivity: Only specific services get internet access.
Emergency Override: Manual internet access in critical situations.
Bandwidth Management: Traffic prioritization and quota management.

2. Gateway Hardware Architecture

Gateway Roles & Types

2.1.1 Mesh Gateway (Main Gateway)

class MeshGateway {
  // Mesh network connection
  final BLEMeshInterface meshInterface;

  // Internet connection
  final InternetInterface internetInterface;

  // Security layer
  final SecurityManager securityManager;

  // Traffic management
  final TrafficManager trafficManager;

  // Emergency override
  final EmergencyOverrideManager emergencyManager;
}

2.1.2 Backup Gateway

Automatically activates when the main gateway fails.
Lower capacity, energy-efficient design.
Used only for critical traffic.

Hardware Requirements

Minimum System Requirements

Processor: Dual-core ARM Cortex-A (min 1.2GHz)
RAM: 2GB (for mesh routing)
Storage: 16GB eMMC (logs & cache)
Network: Gigabit Ethernet + Wi-Fi 6
Security: TPM 2.0 security module

3. Hybrid Mesh Strategy & Channel Selection

3.1 High-Throughput FSK Mesh & BLE

MOSA v2.0 introduces a hybrid mesh approach integrating Bluetooth Coded PHY alongside LoRa and FSK. This allows for dynamic adaptation to environmental conditions, balancing range, throughput, and power consumption.

3.2 The 10-Step Channel Selection Algorithm

To ensure optimal message delivery, MOSA employs a deterministic 10-step algorithm dropping from highest throughput to longest range:

BLE Base: Maximum throughput for close-range communication.
BLE Coded: Extended range Bluetooth connection.
FSK Strategy 1-3: High-speed RF using GFSK modulations, stepping down data rates for increased range.
LoRa Strategy 1-5: Spreading factors from SF7 to SF11, maximizing penetration and distance at the cost of bandwidth and time-on-air.

Notice: Architecture v2.0 Deprecations

Please note that Platinum and Vehicle gateway profiles have been deprecated in the current v2.0 architecture in favor of the more versatile Gateway Pro.

4. Security Protocols

4.1 Multi-Layer Security Model

Layer 1: Physical Security

class PhysicalSecurityLayer {
  final LocationSecurity locationSecurity;
  final AccessControl physicalAccess;
  final PhysicalDisconnect emergencyDisconnect;
}

Layer 2: Network Security

class NetworkSecurityLayer {
  final VPNManager vpnManager;          // Mandatory VPN Connection
  final TrafficEncryption trafficEnc;   // Traffic Encryption
  final DDoSProtection ddosProtection;  // DDoS Protection
  final IntrusionDetection ids;         // Intrusion Detection
}

4.2 Zero-Trust Implementation

Authentication mechanisms for Gateways and Traffic.

class GatewayAuthentication {
  // Certificate-based mutual authentication
  Future authenticateGateway() async {
    // 1. Verify Gateway Certificate
    final gatewayCert = await loadGatewayCertificate();

    // 2. Verify Mesh Identity
    final meshIdentity = await verifyMeshIdentity();

    // 3. Perform Mutual Auth
    return await performMutualAuth(gatewayCert, meshIdentity);
  }
}

5. Network Architecture & Routing

5.1 Gateway Network Topology

+-----------------+ +------------------+ +-----------------+ | MOSA Mesh |----| Gateway Pro |----| Internet | | Devices | | (Local) | | Services | +-----------------+ +------------------+ +-----------------+ | | | +-----------------------+-----------------------+ | +------------------+ | VPN Tunnel | | (Encrypted) | +------------------+

5.2 Multi-Gateway Operation

MOSA does not rely on a single gateway. It can connect to multiple internet gateways simultaneously via GatewayInternetService:

Parallel Broadcasting: Outgoing messages are sent to all authorized gateways simultaneously.
Aggregation: Incoming messages are aggregated from all active gateways with de-duplication.
Dynamic Routing: Unified Routing treats gateways as network nodes and selects optimal paths.

6. User Control & Audit

6.1 Manual Activation Protocol

Internet access requires explicit user consent.

class ManualActivationManager {
  Future requestInternetAccess(String reason, Duration duration) async {
    // 1. Show info to user
    final userConsent = await showInternetAccessDialog(reason, duration);
    if (!userConsent) return false;

    // 2. Security check
    if (!await performSecurityChecks()) return false;

    // 3. Enable Access
    return await activateInternetAccess(min(duration, MAX_INTERNET_DURATION));
  }
}

6.2 Zero-Knowledge Audit System

Privacy Principle: The Gateway never sees the content or the final destination (metadata) of the packets it routes.

Audit logs only record minimum info needed for anti-abuse (DDoS prevention).
Real user IDs are replaced with anonymous tokens.
Destinations are recorded as "Encrypted/Opaque".

7. Emergency & Disaster Recovery

Emergency Override Protocol

class EmergencyOverrideManager {
  Future enableEmergencyAccess(String reason, Duration duration) async {
    // 1. Assess Emergency Level
    final emergencyLevel = await assessEmergencyLevel(reason);

    // 2. Create Security Log
    await createEmergencyLog(reason, duration);

    // 3. Activate Emergency Internet
    return await activateEmergencyInternet(emergencyLevel, duration);
  }
}

Disaster Recovery

Offline Cache Handling: Critical data (emergency contacts, system updates) is pre-cached.
Failover: Automatic switch to backup gateways or satellite links if available.