Hexon relies on a wide range of security and networking protocols that form the foundation of modern identity, access, and infrastructure security. Each subsystem references the relevant standards — including RFCs, IETF drafts, FIPS publications, and widely adopted industry specifications.

Where relevant, we document specific implementation choices. This helps make system behavior predictable during interoperability testing, security reviews, and architecture audits.

## OAuth 2.0 / OpenID Connect

| RFC | Title | Usage |
|---|---|---|
| RFC 6749 | OAuth 2.0 Authorization Framework | Authorization code, client credentials, refresh token grants |
| RFC 6750 | Bearer Token Usage | Authorization: Bearer extraction across proxy, SCIM, and API |
| RFC 7009 | Token Revocation | Always returns 200 for privacy regardless of token validity |
| RFC 7517 | JSON Web Key (JWK) | JWKS endpoint, key structure for OIDC discovery |
| RFC 7518 | JSON Web Algorithms (JWA) | ECDSA coordinate encoding, exponent encoding for thumbprint |
| RFC 7519 | JSON Web Token (JWT) | ID token structure and validation |
| RFC 7523 | JWT Bearer Assertion | Machine-to-machine grant type with certificate-based authentication |
| RFC 7591 | Dynamic Client Registration | Stateless DCR — no account database required |
| RFC 7636 | PKCE | S256 method, 43–128 character code verifier |
| RFC 7638 | JWK Thumbprint | Key ID derivation for DPoP, SPIFFE, and ACME accounts |
| RFC 7662 | Token Introspection | Client-authenticated introspection endpoint |
| RFC 8176 | Authentication Method Reference | AMR values in ID tokens: pwd, otp, hwk, x509 |
| RFC 8252 | OAuth for Native Apps | Loopback redirect URIs always allowed (§7.3) |
| RFC 8414 | Authorization Server Metadata | /.well-known/openid-configuration discovery |
| RFC 8628 | Device Authorization Grant | Bastion SSH, VPN, MCP, CLI tools — BASE20 user codes |
| RFC 8693 | Token Exchange | Actor (act) claim in delegated JWT |
| RFC 8705 | mTLS Certificate-Bound Tokens | Four SAN matching methods: URI, DNS, email, Subject DN |
| RFC 9126 | Pushed Authorization Requests (PAR) | Parameters sent server-side, never exposed in browser URLs |
| RFC 9449 | DPoP | Proof-of-possession with server-issued nonce and distributed JTI replay prevention |
| RFC 9728 | OAuth Protected Resource Metadata | MCP server auto-discovery via /.well-known/oauth-protected-resource |

## SAML

| RFC | Title | Usage |
|---|---|---|
| RFC 1951 | DEFLATE | Compression in SAML HTTP-Redirect binding |

## SCIM

| RFC | Title | Usage |
|---|---|---|
| RFC 7643 | SCIM 2.0 Core Schema | User and group schema, attribute types |
| RFC 7644 | SCIM 2.0 Protocol | CRUD, filtering, sorting, path expressions, bulk operations |

## Certificates / PKI / ACME

| RFC | Title | Usage |
|---|---|---|
| RFC 5280 | X.509 PKI | Certificate structure, CRL format, revocation reason codes, OtherName SAN |
| RFC 5019 | OCSP Lightweight Profile | GET with base64url-encoded request in URL path |
| RFC 6960 | OCSP | Certificate status: Good, Revoked, Unknown |
| RFC 7515 | JSON Web Signature (JWS) | ACME POST request signing |
| RFC 8555 | ACME | Full protocol: directory, nonce, account, order, authorize, finalize, certificate |
| RFC 8659 | CAA | Certificate Authority Authorization with domain tree walk-up |
| RFC 8738 | ACME IP Certificates | ip identifier type with http-01 and tls-alpn-01 for IP addresses |
| RFC 8739 | ACME Renewal Information (ARI) | Optimal renewal window computation |
| RFC 4648 | Base Encodings | Base64url for ACME tokens, TOTP secrets, ARI certificate IDs |

## SPIFFE / Workload Identity

| Standard | Description |
|---|---|
| SPIFFE | Workload identity framework — SVIDs with URI SAN, AllowedPeers OID |
| RFC 7638 | JWK Thumbprint — workload authentication via pre-registered public key |
| RFC 5280 | X.509 — SVID certificate structure with spiffe:// URI SAN |
| RFC 8555 | ACME — SPIFFE profile reuses ACME protocol for SVID issuance |

## IKEv2 / VPN (IPsec)

| RFC | Title | Usage |
|---|---|---|
| RFC 7296 | IKEv2 | All exchange types, payloads, DPD, rekey, COOKIE mechanism |
| RFC 5282 | AES-GCM in IKEv2/ESP | SK payload format with explicit IV, salt, AAD |
| RFC 4106 | GCM for ESP | Algorithm transform ID for AES-GCM in IPsec |
| RFC 4303 | ESP | SPI assignment, anti-replay window (256 packets) |
| RFC 4301 | IPsec Architecture | Security policy database, SA management |
| RFC 3948 | UDP Encapsulation of IPsec | NAT-T keepalive packets |
| RFC 3947 | NAT Traversal in IKEv2 | NAT detection hashes in IKE_SA_INIT |
| RFC 3526 | MODP DH Groups | DH group IDs in SA payloads |
| RFC 5903 | ECC Groups for IKE | ECDH group IDs |
| RFC 4555 | MOBIKE | IP mobility for VPN clients |
| RFC 7383 | IKEv2 Fragmentation | Large message fragmentation and reassembly |
| RFC 7427 | Signature Authentication in IKEv2 | SIGNATURE_HASH_ALGORITHMS notify |
| RFC 5685 | IKEv2 Redirect | Redirect support in IKE_SA_INIT |
| RFC 5998 | EAP-Only Authentication in IKEv2 | EAP-based VPN authentication |
| RFC 3748 | EAP | EAP codes and types |
| RFC 5281 | EAP-TTLS | Tunneled TLS authentication method |
| RFC 4868 | HMAC-SHA-2 in IPsec | PRF and integrity algorithms |
| RFC 8598 | Split DNS in IKEv2 | INTERNAL_DNS_DOMAIN configuration attribute |

## QUIC / HTTP/3

| RFC | Title | Usage |
|---|---|---|
| RFC 9000 | QUIC v1 | Transport protocol — connection IDs, variable-length integers, transport parameters |
| RFC 9369 | QUIC v2 | Updated Initial salt and HKDF labels |
| RFC 9001 | QUIC-TLS | Initial packet encryption, key derivation from Destination CID |
| RFC 9114 | HTTP/3 | CONNECT for TCP proxying, 421 retry, request handling |
| RFC 9204 | QPACK | Header compression error codes |
| RFC 9218 | HTTP Extensible Priorities | Priority header with urgency and incremental for HTTP/3 |
| RFC 9221 | QUIC Datagrams | Unreliable delivery for UDP relay and real-time streams |
| RFC 9297 | HTTP Datagrams | QUIC DATAGRAM frames used by MASQUE |
| RFC 9298 | CONNECT-UDP / MASQUE | UDP proxying over HTTP/3 for browser-native access |

## HTTP / Reverse Proxy

| RFC | Title | Usage |
|---|---|---|
| RFC 7230 | HTTP/1.1 Message Syntax | Header token character validation |
| RFC 7231 | HTTP/1.1 Semantics | Content-Type, Retry-After, Accept-Language, safe methods for 0-RTT |
| RFC 7540 | HTTP/2 | PRIORITY frames, SETTINGS parameters |
| RFC 9113 | HTTP/2 (revised) | SETTINGS defaults used in JA4H fingerprinting |
| RFC 9239 | text/javascript | Official MIME type registration |
| RFC 8288 | Web Linking | Link header preload/prefetch/canonical passthrough |
| RFC 8446 | TLS 1.3 | 0-RTT replay protection, HKDF-Expand-Label, PSK-DHE |
| RFC 5246 | TLS 1.2 | Record max size enforcement in fingerprint storage |
| RFC 7413 | TCP Fast Open | Latency optimization for repeat clients |
| RFC 6265 | Cookies | Case-insensitive domain rewriting for cross-subdomain SSO |
| RFC 8701 | GREASE | Filtered during TLS fingerprinting to avoid false differentiation |
| PROXY protocol | HAProxy PROXY protocol v1/v2 | Client IP preservation to backends |

## Forward Proxy / MASQUE

| RFC | Title | Usage |
|---|---|---|
| RFC 9298 | CONNECT-UDP / MASQUE | UDP proxying over HTTP/3 |
| RFC 9114 | HTTP/3 CONNECT | TCP tunneling in forward proxy |
| RFC 8441 | WebSocket over HTTP/2 | Extended CONNECT enabling WebSocket tunneling over HTTP/2 |
| RFC 9484 | CONNECT-IP | Full IP tunnel (planned) |
| RFC 3986 | URI Syntax | PAC file generation |

## SSH Bastion

| RFC | Title | Usage |
|---|---|---|
| RFC 4254 | SSH Connection Protocol | Channel types, session channels |
| RFC 4252 | SSH Authentication Protocol | Authentication methods |
| RFC 8628 | Device Authorization Grant | Bastion auth with QR codes for headless environments |
| asciinema v2 | Asciicast format | Session recording — served as application/x-asciicast |

## Authentication Methods

| RFC / Standard | Title | Usage |
|---|---|---|
| RFC 6238 | TOTP | SHA1/SHA256/SHA512 with configurable time step |
| RFC 4226 | HOTP | Underlying algorithm for TOTP with dynamic truncation |
| WebAuthn | Web Authentication | Passkey registration and authentication — FIDO2, attestation, CBOR |
| RFC 8152 | COSE | WebAuthn public key encoding and parsing |
| RFC 3244 | Kerberos kpasswd | Password change for Kerberos-authenticated users |
| RFC 5705 | TLS Exported Keying Material | Channel-bound authentication for connector and client tunnels |

## End-to-Origin Encryption (E2OE)

| RFC / Standard | Title | Usage |
|---|---|---|
| FIPS 186-4 | ECDSA / ECDH P-256 | Ephemeral key exchange between browser and server |
| RFC 5869 | HKDF-SHA256 | Channel key derivation from ECDH shared secret — salt: sessionID:channelID, info: hexon-e2oe-v1 |
| NIST SP 800-38D | AES-256-GCM | Payload encryption with per-message random nonce and AAD binding (seq + channelID) |
| WebAuthn | Web Authentication | Tier 1 channel binding — ECDH public key commitment embedded in WebAuthn challenge, hardware-attested |
| RFC 2104 | HMAC-SHA256 | Session rebind proof — persists Tier 1 across page loads without re-authentication |
| WebCrypto | Web Cryptography API | Browser-side ECDH, AES-GCM — no JS crypto libraries, native API only |
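
The E2OE construction the table describes, as an added Go example (not Hexon's code): an ephemeral P-256 ECDH shared secret goes through HKDF-SHA256 with salt sessionID:channelID and info hexon-e2oe-v1, and each message is sealed with AES-256-GCM under a random nonce and AAD of seq plus channelID, so a ciphertext replayed with a different sequence number or on another channel fails authentication. The function names, the nonce-prefixed message layout and the 8-byte big-endian encoding of seq are assumptions; the browser side would run the same steps with WebCrypto.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// hkdfSHA256 is RFC 5869 extract-then-expand for one 32-byte output block, exactly one AES-256 key.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // PRK = HMAC(salt, IKM)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with the PRK
	expand.Write(info)
	expand.Write([]byte{0x01}) // T(1) = HMAC(PRK, info || 0x01)
	return expand.Sum(nil)
}

// NewChannelAEAD follows the table: ephemeral P-256 ECDH secret -> HKDF-SHA256 (salt "sessionID:channelID", info "hexon-e2oe-v1") -> AES-256-GCM.
func NewChannelAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey, sessionID, channelID string) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer) // rejects a peer key that is not a valid P-256 point
	if err != nil {
		return nil, err
	}
	key := hkdfSHA256(shared, []byte(sessionID+":"+channelID), []byte("hexon-e2oe-v1"))
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so this selects AES-256 and cannot fail
	return cipher.NewGCM(block)    // cannot fail for AES's 128-bit block size
}
// channelAAD is the table's "seq + channelID" binding; the 8-byte big-endian seq encoding is an assumption.
func channelAAD(seq uint64, channelID string) []byte { return append(binary.BigEndian.AppendUint64(nil, seq), channelID...) }
// Seal encrypts under a fresh random 12-byte nonce; output is nonce || ciphertext || tag.
func Seal(gcm cipher.AEAD, seq uint64, channelID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, channelAAD(seq, channelID)), nil
}
// Open fails the GCM tag check when the key, seq or channel ID differ from the sender's.
func Open(gcm cipher.AEAD, seq uint64, channelID string, msg []byte) ([]byte, error) {
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("e2oe: message shorter than nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], channelAAD(seq, channelID))
}
```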

## RADIUS

| RFC | Title | Usage |
|---|---|---|
| RFC 2865 | RADIUS | Core protocol, Access-Challenge, Service-Type, Reply-Message |
| RFC 2868 | RADIUS Tunnel Attributes | Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID |
| RFC 6614 | RADSEC | RADIUS over TLS (port 2083) |

## DNS

| RFC | Title | Usage |
|---|---|---|
| RFC 1034 | DNS Concepts | CNAME flattening, max depth 16 |
| RFC 1035 | DNS Implementation | A, SOA, CNAME, PTR, MX, TXT — label max 63, total 253 chars |
| RFC 3596 | AAAA Records | IPv6 DNS resolution |
| RFC 2782 | SRV Records | Service discovery |
| RFC 4034 | DNSSEC | DNSKEY, DS, RRSIG, NSEC records |
| RFC 5155 | NSEC3 | Hashed denial of existence |
| RFC 6672 | DNAME Records | Domain aliasing |
| RFC 6698 | DANE / TLSA | TLS certificate pinning via DNS |
| RFC 7671 | DANE Updates | TLSA usage and validation refinements |
| RFC 7858 | DNS-over-TLS | Upstream DoT on port 853 |
| RFC 9460 | HTTPS / SVCB Records | Service binding records |
| RFC 7208 | SPF | TXT-based SPF records |
| RFC 6761 | Special-Use Domain Names | .local, .internal handling |
| RFC 8767 | Serving Stale Data | Stale DNS responses during upstream failure — compliant cache behavior |
| RFC 5358 | DNS Amplification Prevention | Rate-limited REFUSED responses to prevent reflection attacks |
| RFC 8914 | Extended DNS Errors | Policy-denied error codes |

## Email / SMTP

| RFC | Title | Usage |
|---|---|---|
| RFC 5321 | SMTP | Email delivery, address max length (320 chars) |
| RFC 5322 | Internet Message Format | Email address validation |
| RFC 8255 | Multipart/Multilingual | Multi-language email notifications |

## Cryptography

| Standard | Description |
|---|---|
| RFC 8446 | TLS 1.3 — HKDF-Expand-Label, key derivation, 0-RTT, PSK-DHE |
| RFC 7748 | X25519 / X448 — Curve25519 ECDH with low-order point rejection |
| RFC 8032 | Ed25519 — cluster identity signing, header signing, pre-key verification |
| RFC 5869 | HKDF-SHA256 — key derivation for cluster keys, signing keys, X3DH |
| RFC 9591 | FROST — threshold EdDSA for internal OIDC token signing and SSH certificate signing (Ed25519) |
| FIPS 186-4 | ECDSA — P-256/P-384/P-521 for threshold ECDSA signing and external OIDC token signing (GG18 DKG) |
| FIPS 186-5 | ECDSA key generation — bias bound verification |
| FIPS 140-2 | Compatible cipher suite selection |
| FIPS 203 | ML-KEM-768 — hybrid post-quantum key exchange with X25519 |
| X3DH | Extended Triple Diffie-Hellman — forward secrecy for hexdcall control plane |

## Protection / WAF

| Standard | Description |
|---|---|
| OWASP CRS | Core Rule Set — paranoia levels 1–4, tag-based disabling |
| JA4 | TLS fingerprinting — rate limiting, session affinity, WAF detection |

## Connector

| RFC | Title | Usage |
|---|---|---|
| RFC 5705 | TLS Exported Keying Material | Channel-bound authentication — binds tunnel to TLS session |
| RFC 9000 | QUIC | Transport layer for all connector tunnels |
| RFC 8628 | Device Authorization Grant | Connector authentication flow |

## Networking

| RFC | Title | Usage |
|---|---|---|
| RFC 1918 | Private IPv4 | SSRF validation, proxy ACL |
| RFC 4193 | Unique Local IPv6 | fc00::/7 range handling |
| RFC 6598 | Carrier-Grade NAT | Default configurable pools |
| RFC 4291 | IPv6 Addressing | IPv4-in-IPv6 extraction |
| RFC 1123 | Hostname Validation | Hostname regex in firewall and SPIFFE config |
| RFC 1928 | SOCKS5 | SOCKS5 proxy support in hexonclient |

## Compliance Frameworks

| Standard | Description |
|---|---|
| NIST SP 800-53 | Security and Privacy Controls — compliance framework mapping for audit telemetry |
| NIST SP 800-63B | Digital Identity — authentication assurance levels (AAL), password recommendations |

## Hexon Specifications

| Specification | Status | Description |
|---|---|---|
| draft-hexon-edge-protocol-00 | Internet-Draft | Hexon Edge Protocol (HXEP) — lightweight binary protocol for conveying original client IP address and port across proxy boundaries. 11 bytes (IPv4) / 23 bytes (IPv6). Works with TCP, UDP, and QUIC. |

Hexon is built on open standards. We open-source selected libraries, contribute to the projects we build on, and design for interoperability from day one. When new protocols are introduced, they are documented openly and intended for future standardization.