Published in


The Architecture of the SAFE Network

Despite our best efforts, it is not uncommon to come across comments in forums from people advising that they aren’t really sure what MaidSafe is. They normally go something like “It sounds really cool, but I don’t really know what decentralising the Internet means”. We have spent about 12 months now explaining the concept to people, giving talks, producing videos, papers and other documentation, so you might think these comments would be frustrating. But, you would be wrong. In fact, this lack of understanding is …well…understandable.

Firstly, the concept of decentralisation is difficult to get your head around if you are not familiar with Bitcoin and other decentralised/distributed networks. People still ask us: “Where are the servers really?” I suspect this comes from the fact that the client/server model is so entrenched in our thoughts and understanding of how computers should work. Another reason may be that we use potentially inadequate phrases like ‘decentralise the Internet’ to try and communicate our offering concisely. An unfortunate requirement of the buzz word and catch phrase driven attitude of modern media. A by product of so many companies and technologies all competing for a slice of our precious time.

To overcome these challenges it may be helpful to try and apply some context and look at how the Internet currently works, with a view to explaining how the SAFE Network compares. Please excuse the brevity of this explanation, given that this is a blog post discussing a huge topic this will be a Felix Baumgartner height view of the main concepts. For a more comprehensive explanation check out the following post by Rus Shuler, it’s an excellent resource.

The most fundamental layers of the Internet, as described by the OSI model, are comprised of the cables, routers, switches, servers, and connected devices that exist. At this level, data is at it’s most basic level, 1’s and 0’s. Each of these hardware devices require a unique location address (in a TCP/IP network) in order that they are able to find one another, these are called IP (Internet Protocol) addresses.

Maid OSI

You may have heard that the current system of IPv4 is currently running out of IP addresses (there are 2³²) and the Internet Engineering Task Force has been trying to transition to IPv6 for around 25 years, however, uptake has been slow. You can see this shown on the diagram as the network layer and it is here that data is transferred using the message content and the destination (IP) address, the network layer then decides how to deliver it. These messages are typically split into fragments, or data packets.

The existing Internet

It is at this point that the existing Internet and the SAFE Network diverge. The transport layer enables data of variable length to be transferred between a source and it’s destination, checking to ensure that each data packet is received at the destination and re submitting those that don’t. A helpful analogy to think about the transport layer is as a post office, classifying and sending the letters and packages to their destination. Examples of two common layer four protocols are Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

The session layer governs connections between devices; setting up, managing and terminating exchanges and dialogues between applications. The session layer responds to requests from the presentation layer, which is itself responsible for transforming data from the session layer into a format that the application layer will accept and display. This can include features such as encryption, decryption and data compression.

Finally we have the application layer, the highest level of the OSI conceptual model and the one that all Internet users will be familiar with. The application layer displays information received from lower layers to the user and it is the one that we use to interact with each application. At this level we will see protocols such as Hypertext Transfer Protocol (HTTP) being the basis for data communication on the web, as well as Simple Mail Transfer Protocol (SMTP) for email transmission.

The SAFE Network

It is not the intention to go into any great detail on the SAFE stack, that is for another post. The purpose here is to give an overview and to show how it compares and contrasts with the OSI model.

As depicted in the following diagram, the SAFE Network is an overlay network, utilising the Internet’s existing hardware and network layers. It is worth noting at this point that while we are focussing on the differences of both networks in the software layer, it is anticipated that the SAFE Network will have a significant impact within the hardware layer. With network resources being provided by the SAFE Network’s users, we will potentially experience a reduction in the number of servers deployed and a change in how they are being used.


Sitting on top of the hardware and network layers of the existing Internet infrastructure, the SAFE Network utilises the UDP transport protocol, with a Connected Reliable Udp eXchange (CRUX) sitting a layer above. The combination of these two layers, and the Routing layer above, provides the reliability and congestion control of TCP while also helping to deal with the tricky issue of NAT traversal.

Network Address Translation (NAT) is commonly used to address the problem of IPv4 address exhaustion mentioned earlier, enabling private IP addresses to exist behind one public IP address. As the NAT has no way of determining which device the incoming message is intended for, this poses a problem specifically for P2P programs, such as file sharing services like Torrents, or VOIP applications like Skype. The use of CRUX, UDP and Routing enables the SAFE Network to traverse all NAT routers.

Sitting above UDP and CRUX, the Routing layer is a Distributed Hash Table (DHT), based on Kademlia, and governs the routing between nodes on the network. Each node locally stores information about other nodes that it is connected to. Information exchange in routing typically involves data traversing a number of intermediate nodes prior to reaching the destination. This communication is provided by CRUX and an acknowledgement/retransmission mechanism is also provided to ensure reliable message delivery.

Passport and Vaults complete the network libraries with everything above taking place within the users computer/device. Passport facilities the provision of key types that validate the user, enabling them to perform various tasks, such as transferring ownership of a safecoin or accessing a file. These keys require no central authority to validate them. The vaults reside on the machines of the network’s farmers. These vaults perform multiple functions including; managing data, storing data, looking after clients, managing other network nodes and the well being of the entire network.

The Application programming interface (API) sits on top of the Encryption layer and provides a way for SAFE clients (applications) to connect to the underlying network. Theses APIs (there are two of them) will be used by application developers on the network to enable their applications to utilise the networks features. The REST API enables simple commands to be made, such as Put, Get and Delete, while the POSIX like NFS API provides much more nuanced access, enabling more advanced functionality. Drive is a cross platform virtual drive, utilised by both API’s, that presents the network as a native drive on the users computer.

So, hopefully this post has helped explain what the SAFE Network is and how it compares to the Internet as it stands today. SAFE has the potential to impact the physical layers of the existing Internet, through a reduced number of servers, as well as many of the software layers that transfer our data around the network. We have said in the past that we will replace the parts of the Internet and we think this will happen in time, but possibly complimenting the existing Internet is a better way to think about SAFE in the nearer term.

This undertaking has been a huge task for all involved and has not been taken on lightly, or just to be able to do things differently. The overarching drive behind the SAFE Project has always been to provide privacy, security and freedom to all users of the Internet and to offer these benefits within the existing Internet infrastructure was believed to be an impossible task. In our view a significant restructure was required.

The Internet would also benefit from decentralisation elsewhere. Less reliance on Internet Service Providers through Mesh Networking technologies would be of huge advantage, removing a further central point of control and ensuring that all data is treated with the same equal importance. The ability to openly share and collaborate on information will be a key driver for the advancement of the human race, something that is too important to be controlled by companies or governments.




Stories from around the SAFE Network

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Building the SAFE Network. The world’s first autonomous data network. Privacy, security, freedom. Join us at

More from Medium

Tech Review: Galaxy S9

Enabling the IDM API Explorer with ForgeOps v7.x

CS371p Spring 2022: Max Thomas

The Competency Framework: A Guide For Managers And Staff — Privacy Ninja