
Trust Boundaries & Access Model

Trust View

This document defines the network reachability and security posture of the platform. It answers the question: From where can traffic originate and where can it go?

System Boundaries

The platform is divided into distinct zones with hard boundaries.

flowchart LR
  Internet((Internet)) -->|HTTPS| PublicIngress[Public Ingress]
  PolicyNote["No inbound NAT or public path to Internal Ingress"]

  subgraph Home["Home Network Boundary"]
    LAN[LAN Clients] --> PrivateDNS[Private DNS]
    VPN[VPN Clients] --> PrivateDNS
    PrivateDNS --> InternalIngress
    InternalIngress --> Services[Internal Services]
    PublicIngress --> PublicServices[Public Services]
  end

  PublicDNS[Public DNS] --> PublicIngress

Zone Definitions

The Internet (Untrusted)

Any client originating outside the home network. Such clients may communicate only with the Public Ingress, and only over HTTPS.

The Home Network (Trusted Boundary)

A secure zone containing both LAN and VPN clients.

  • LAN Clients: Physical devices connected to the home router.
  • VPN Clients: Remote devices with an active, authenticated tunnel.
    • Enrollment: Only verified devices are permitted to join the network.
    • Experience: Remote devices experience connectivity identical to local network access (Split-Horizon DNS + Private IPs).
    • Security: Encrypted communication channels are maintained for all remote traffic.

Internal Platform (Protected)

Services that are never exposed to the internet. Reachability is strictly limited to clients already inside the Home Network Boundary.

Reachability Matrix

| From \ To | Public Services | Internal Services | Management (SSH/Git) |
|-----------|-----------------|-------------------|----------------------|
| Internet  | HTTPS           | ❌ Blocked         | ❌ Blocked            |
| LAN       | HTTPS           | HTTPS             | Authorized Only      |
| VPN       | HTTPS           | HTTPS             | Authorized Only      |
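The matrix above can be encoded as an allow-list and used to audit observed flows against it. The following is an added example written for this page, not the platform's own code; the LAN and VPN subnets, the sample flows and the `authorized` flag are constructed assumptions (the document does not state the actual address ranges or how management authorization is checked).

```python
"""Reachability-matrix policy check (added example, not the platform's own code)."""
from ipaddress import ip_address, ip_network

# Constructed zone assignments; the real subnets are not given on the page.
ZONES = {
    "LAN": [ip_network("192.168.1.0/24")],
    "VPN": [ip_network("10.8.0.0/24")],
}

# The reachability matrix from the document: (source zone, destination class)
# -> set of what is permitted. "AUTHORIZED" marks the "Authorized Only" cells.
MATRIX = {
    ("Internet", "public"): {"HTTPS"},
    ("Internet", "internal"): set(),
    ("Internet", "management"): set(),
    ("LAN", "public"): {"HTTPS"},
    ("LAN", "internal"): {"HTTPS"},
    ("LAN", "management"): {"AUTHORIZED"},
    ("VPN", "public"): {"HTTPS"},
    ("VPN", "internal"): {"HTTPS"},
    ("VPN", "management"): {"AUTHORIZED"},
}


def source_zone(src_ip):
    """Classify a source address: inside a home subnet -> LAN/VPN, else Internet."""
    addr = ip_address(src_ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "Internet"


def is_allowed(src_ip, dest_class, protocol, authorized=False):
    """Return True if the matrix permits this flow.

    dest_class is one of "public", "internal", "management".
    For management targets the protocol is irrelevant; only an authorized
    identity (hypothetical flag) from LAN or VPN is permitted.
    """
    zone = source_zone(src_ip)
    allowed = MATRIX.get((zone, dest_class), set())
    if dest_class == "management":
        return authorized and "AUTHORIZED" in allowed
    return protocol in allowed


def audit_flows(flows):
    """Return the flows that the matrix does not permit.

    Each flow is a tuple (src_ip, dest_class, protocol, authorized).
    """
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed sample of observed flows, e.g. from flow logs.
OBSERVED_FLOWS = [
    ("203.0.113.5", "public", "HTTPS", False),     # Internet -> public over HTTPS: allowed
    ("203.0.113.5", "internal", "HTTPS", False),   # Internet -> internal: blocked
    ("192.168.1.20", "internal", "HTTPS", False),  # LAN -> internal over HTTPS: allowed
    ("10.8.0.3", "management", "SSH", True),       # VPN -> management, authorized: allowed
    ("10.8.0.3", "management", "SSH", False),      # VPN -> management, not authorized: blocked
]

if __name__ == "__main__":
    for flow in audit_flows(OBSERVED_FLOWS):
        print("VIOLATION:", flow)
```

Any flow the audit reports is one that the matrix says should not exist; such a finding points at either a misconfigured firewall/NAT rule or a source address that has been misclassified.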

Key Security Postures

  • No Inbound NAT: There are no port-forwarding rules from the internet to internal service IPs.
  • Split-Horizon DNS: Service names (e.g., app.risu.tech) resolve to different IPs depending on whether the client is on the Internet or on the Home Network.
  • Authenticated Ingress: All internal services require identity verification at the Ingress layer.
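The split-horizon behaviour can be modelled as two DNS views selected by client address, with a check that the public view never answers with a private ingress address. The following is an added example for this page, not the platform's DNS configuration; the subnets, the ingress addresses and the name `internal-only.risu.tech` are constructed assumptions (only `app.risu.tech` appears on the page), and the rule that internal-only names are absent from the public view is an assumption consistent with "Services that are never exposed to the internet".

```python
"""Split-horizon DNS view selection (added example, not the platform's own config)."""
from ipaddress import ip_address, ip_network

# Constructed: the LAN and VPN subnets that make up the Home Network Boundary.
HOME_NETS = [ip_network("192.168.1.0/24"), ip_network("10.8.0.0/24")]

# Constructed addresses: a documentation-range public IP and an RFC1918 private IP.
PUBLIC_INGRESS = "203.0.113.10"
INTERNAL_INGRESS = "192.168.1.10"

# RFC1918 ranges; an answer in one of these must never leave the internal view.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Two views of the same zone. "public" is what Public DNS serves to the Internet;
# "internal" is what Private DNS serves to LAN and VPN clients.
ZONE_VIEWS = {
    "public": {
        "app.risu.tech": PUBLIC_INGRESS,
    },
    "internal": {
        "app.risu.tech": INTERNAL_INGRESS,
        "internal-only.risu.tech": INTERNAL_INGRESS,  # hypothetical internal-only name
    },
}


def select_view(client_ip):
    """Home Network clients get the internal view; everyone else gets the public one."""
    addr = ip_address(client_ip)
    return "internal" if any(addr in net for net in HOME_NETS) else "public"


def resolve(name, client_ip):
    """Answer a query for `name` from the view matching the client. None means NXDOMAIN."""
    return ZONE_VIEWS[select_view(client_ip)].get(name)


def public_view_leaks():
    """Return names whose public-view answer is a private address, or that exist in
    the public view but only belong in the internal one. Empty list means no leak."""
    leaks = []
    for name, answer in ZONE_VIEWS["public"].items():
        if any(ip_address(answer) in net for net in RFC1918):
            leaks.append((name, answer, "private address in public view"))
    internal_only = set(ZONE_VIEWS["internal"]) - {"app.risu.tech"}
    for name in internal_only & set(ZONE_VIEWS["public"]):
        leaks.append((name, ZONE_VIEWS["public"][name], "internal-only name in public view"))
    return leaks


if __name__ == "__main__":
    print(resolve("app.risu.tech", "203.0.113.5"))   # public ingress
    print(resolve("app.risu.tech", "10.8.0.3"))      # internal ingress (VPN client)
    print(resolve("internal-only.risu.tech", "198.51.100.7"))  # None: not in public view
    print(public_view_leaks())                       # [] when the views are consistent
```

The `public_view_leaks` check is the part worth running regularly: a private address or an internal-only name showing up in the public view is the usual way split-horizon setups drift, and it reveals internal naming even though the "No Inbound NAT" posture keeps the address unreachable.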