Glossary
Terms and acronyms used throughout the IronIP docs.
IronIP-specific terms
| Term | Meaning |
| --- | --- |
| BCA | Bitcoin-Certified Address. The technical construction from the Ducroux paper. IronIP is the product; BCA is the mechanism. |
| IronIP | The product name for this implementation and portable showcase. "IronIP" = "Iron-clad IPv6 identity." |
| Hash1 | The SHA-256 output that produces the interface identifier. Hash1 = SHA-256(modifier \|\| block_header \|\| subnet_prefix \|\| collision_count \|\| transaction) |
| modifier | A 16-byte random value. 32 modifiers per registration, enabling 32 unlinkable addresses. |
| BCA Parameters | The ~1.2KB set of 8 fields needed to verify a BCA address offline. |
| interface identifier | The last 64 bits of an IPv6 address. In BCA, this is the leftmost 64 bits of Hash1. |
| subnet prefix | The first 64 bits of an IPv6 address — the /64 network prefix. |
| collision count | A value 0, 1, or 2 used to retry Hash1 if a rare collision occurs. |
| sec | The security parameter from the paper. sec = 2 on BSV gives 89-bit security (requires 64 leading zero bits in the block header's double-SHA-256). |
| anchor pool | Pre-confirmed BCA anchors maintained by a scheduled refresher. Lets demos run strict-mode verification while keeping instant UX. |
| adapter | A thin shim that plugs IronIP into a specific ingress layer (API Gateway, ALB, NGINX, etc.). All adapters call the same shared verifier. |
IPv6 terms
| Term | Meaning |
| --- | --- |
| CGA | Cryptographically Generated Address. IPv6 address with interface identifier derived from a public key hash. RFC 3972. The existing standard IronIP replaces. |
| SEND | Secure Neighbor Discovery. RFC 3971. Protocol that uses CGA for neighbor authentication. Rarely deployed because CGA is too slow. |
| SAVI | Source Address Validation Improvements. IETF working group focused on dropping packets with spoofed source addresses. |
| BCP 38 | Ingress filtering best practice: drop packets whose source addresses don't belong to the expected subnet. Often called "anti-spoofing." |
| link-local | IPv6 addresses in fe80::/10, valid only on a single physical link. Used for neighbor discovery and local peer communication. |
| privacy extensions | RFC 4941. Mechanism for cycling IPv6 addresses so observers can't track a device over time. IronIP does this naturally via the 32 modifiers. |
| ENI | Elastic Network Interface. AWS term for a virtual NIC attached to an EC2 instance. |
Bitcoin terms
| Term | Meaning |
| --- | --- |
| OP_RETURN | Bitcoin script instruction that stores arbitrary data in a transaction. IronIP stores SHA-256(pubkey) \|\| modifier_merkle_root (64 bytes). |
| Merkle proof | Compact proof (~288 bytes) that a piece of data is part of a larger set. IronIP uses two Merkle proofs per verification: transaction-in-block, and modifier-in-transaction. |
| block header | 80-byte summary of a Bitcoin block. Contains the Merkle root of all transactions plus a nonce. The proof-of-work is a property of this header's hash. |
| proof-of-work | Computational cost deliberately imposed on block producers. IronIP borrows this work rather than having devices compute their own. |
| WIF | Wallet Import Format. Encoded private key for a Bitcoin wallet. IronIP's anchor wallet WIF is stored encrypted in AWS SSM. |
| ARC | A BSV transaction broadcast protocol. Used by the IronIP wallet to submit anchor transactions. |
| WhatsOnChain (WoC) | A BSV blockchain explorer and API. IronIP uses it to fetch block headers and Merkle proofs after anchor confirmation. |
| TSC Merkle proof | Technical Standards Committee format for Bitcoin Merkle proofs. The format IronIP consumes from WhatsOnChain. |
| PushDrop | A BSV UTXO construction carrying arbitrary data, spendable by a specific keyholder. IronIP's planned revocation mechanism uses PushDrop tokens that become "revoked" when spent. |
| BRC-52 | BSV's Identity Certificates standard. Signed attestations tied to a wallet. Deferred from IronIP's current scope; see roadmap. |
| BRC-100 | BSV's wallet interface standard. Relevant for future wallet-participating device scenarios. |
Adapter / ingress terms
| Term | Meaning |
| --- | --- |
| Lambda@Edge | AWS service that runs Lambda functions at CloudFront edge locations. IronIP uses it for sub-millisecond edge verification with no regional Lambda or DynamoDB (DDB) lookup. |
| Custom Authorizer | AWS IoT Core feature that lets a Lambda function decide whether to authenticate a connecting device. IronIP's bca-authorizer runs the 8-step verification. |
| auth_request | NGINX module that makes subrequests to an authorization service before allowing access to protected content. IronIP uses it for the NGINX adapter. |
| ext_authz | Envoy proxy's External Authorization filter. Calls a gRPC authorization service per request. IronIP's Envoy adapter implements this. |
| SPIFFE | Secure Production Identity Framework For Everyone. Cloud-native workload identity standard. IronIP can mint SPIFFE SVIDs rooted in BCA. |
| SVID | SPIFFE Verifiable Identity Document. Typically a JWT or X.509 certificate. |
| strongSwan | Open-source IPsec implementation. IronIP uses its IKEv2 pluggable auth to anchor tunnel identity in BCA. |