Phase 1 Sprint 1.2 - Payload Security Layer
Threat Model
- Asset: telemetry payload authenticity, freshness, and ingestion availability.
- Adversary: forged sender, replay attacker, operator-level burst flood.
- Trust policy: no implicit trust in source network or caller identity alone.
Attack Vectors Considered
- Forged telemetry body with invalid signature.
- Unsigned payload submission.
- Replay of prior signed payload (same nonce/timestamp).
- Expired timestamp replay outside allowed skew window.
- Operator burst submissions intended to exhaust ingest capacity.
Mitigations Implemented
- Ed25519 payload signature verification enforced per request.
- Mandatory
X-Telemetry-Signature,X-Telemetry-Timestamp, andX-Telemetry-Nonceheaders. - Timestamp skew enforcement (default ±30 seconds).
- Nonce replay protection backed by Redis (
VV_TG_NONCE_BACKEND=redis). - Per-operator per-minute rate limiting and burst anomaly rejection via Redis.
- Fail-closed mode if Redis nonce/rate-limit backends are unavailable.
Residual Risk
- Rate limiting currently keyed by
operator_id; abusive distributed operator identities can still increase load. - Telemetry queue isolation and backpressure controls are deferred to Phase 2.
Future Improvements
- Add adaptive anomaly thresholds by operator baseline.
- Add dedicated metrics/alerts for rate-limit and replay rejection rates.
- Add multi-region nonce consistency strategy.