Sovereign Network Stack — Final Scoring, Ranking, Analysis

A collapse-aware, capture-aware evaluation of freedom-verified networking hardware and core network software, scored with a weighted composite model and ranked within importance classes.

Output: HTML/CSS single page
Scores: composite 0–100
Structure: Class A / B / C (importance)
Links: embedded inline, per item

1) Final Framework

A single global rank across hardware, operating systems, daemons, and diagnostics produces category errors. The final model therefore uses importance classes and scores items only against peers inside those classes.

1.1 Importance classes

Class A — Foundational primitives

Host hardware/firmware, router OS, firewall, DNS, NTP, Wi-Fi control plane, routing/mesh.

Class B — Visibility & defense

Capture libraries, sniffers, IDS/NSM, diagnostics, wireless analysis and audit tooling.

Class C — Heavy / interface / centralizing tools

Powerful but gravity-heavy: enterprise routing suites, complex DHCP, cloud-native monitoring ecosystems.

1.2 Criteria and weights (composite Sovereign Score)

Sovereign Score (0–100) is a weighted composite of six criteria: 0.25·F + 0.25·SD + 0.20·AS + 0.15·G + 0.10·E + 0.05·T.
Criteria definitions (F / SD / AS / G / E / T)
  • F — Freedom & Transparency (25%): license clarity, source availability, firmware freedom, FSF RYF status where applicable.
  • SD — Sovereign Deployability (25%): fully local/offline viability; no required accounts/cloud; works in constrained and hostile network conditions.
  • AS — Attack Surface & Simplicity (20%): complexity and exposure; kernel-space blast radius vs userspace; “do-everything” multipurpose daemons penalized.
  • G — Governance & Capture Risk (15%): steering structure; susceptibility to corporate/state pull; foundation/consortium gravity; bus-factor hazards.
  • E — Ecosystem & Longevity (10%): packaging availability, maintenance continuity, supply-chain viability (hardware), realistic long-horizon survivability.
  • T — Telos Alignment (5%): native tendency toward decentralized, non-phone-home topologies; penalties for architectures that naturally centralize or invite surveillance patterns.
Operational interpretation: what the composite score is (and is not)
  • Scores measure intrinsic posture (freedom, deployability, capture resistance) under a hostile environment assumption.
  • Scores do not replace disciplined configuration: several tools are safe or dangerous based on deployment topology rather than code alone.
  • Class boundaries matter more than small point differences inside a class.
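The composite and the in-class ranking as a runnable shell example, added here and not part of the page's own tooling. The six criterion values passed to sovereign_score are hypothetical inputs on a 0–100 scale (the page gives the weights and the composites, not the per-criterion scale); the sample table reuses composites from the class tables further down, with the page's own item names.

```shell
#!/bin/sh
# Added example (not the page's tooling): Sovereign Score composite and
# in-class ranking, with the page's weights:
#   0.25*F + 0.25*SD + 0.20*AS + 0.15*G + 0.10*E + 0.05*T

# sovereign_score F SD AS G E T -> composite with two decimals.
# Criteria are assumed to be on a 0-100 scale; out-of-range or
# non-numeric input is rejected with status 2.
sovereign_score() {
    [ $# -eq 6 ] || { echo "need six criteria: F SD AS G E T" >&2; return 2; }
    for v in "$@"; do
        case "$v" in
            ''|*[!0-9.]*) echo "non-numeric criterion: $v" >&2; return 2 ;;
        esac
        awk -v x="$v" 'BEGIN { exit !(x >= 0 && x <= 100) }' \
            || { echo "criterion out of range: $v" >&2; return 2; }
    done
    awk -v F="$1" -v SD="$2" -v AS="$3" -v G="$4" -v E="$5" -v T="$6" 'BEGIN {
        printf "%.2f\n", 0.25*F + 0.25*SD + 0.20*AS + 0.15*G + 0.10*E + 0.05*T
    }'
}

# rank_within_class reads "class|item|score" lines on stdin and orders them
# by class first and composite second: a Class C tool never outranks a
# Class A primitive, whatever its number, which is the point of 1.1.
rank_within_class() {
    sort -t '|' -k1,1 -k3,3nr
}

# Constructed sample: composites taken from the class tables in sections 2-4.
sample_table() {
    cat <<'EOF'
A|Unbound|96
C|BIRD|87
A|LibreCMC|92
B|libpcap|95
C|Prometheus|84
B|Suricata|89
EOF
}

# top_of_class CLASS -> the item ranked first inside that class.
top_of_class() {
    sample_table | rank_within_class | awk -F'|' -v c="$1" '$1 == c { print $2; exit }'
}

# Stand-alone demo: a hypothetical criterion vector, then the ranked sample.
sovereign_score 95 95 90 85 85 90
sample_table | rank_within_class
```

The sort key order is the whole model in one line: class is the primary key, so the 84 of Prometheus and the 96 of Unbound are never compared against each other, only against their own class peers.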

2) Class A — Foundational primitives

These components define the existence and survivability of the stack: freedom-verified hardware/firmware, router OS, firewall, DNS, NTP, Wi-Fi control plane, and routing/mesh primitives.

2.1 Freedom-verified network hardware (RYF-grade)

Item | Tags | Sovereign Score | Role
ThinkPenguin TPE-R1400 (FSF RYF): Free Software Gigabit Mini VPN Router | RYF router; vendor supply-chain | 92 | RYF-certified router platform with LibreCMC/u-boot freedom path; high-throughput miniature router/VPN appliance.
ThinkPenguin TPE-R1300 (FSF RYF): Wireless-N Mini Router (LibreCMC) | RYF router; 802.11n era | 91 | RYF-certified mini-router; strong freedom posture; long-horizon viability tempered by older Wi-Fi class constraints.
ThinkPenguin TPE-N150USB (FSF RYF): Wireless-N USB adapter (AR9271-class) | RYF Wi-Fi; free firmware path | 94 | Canonical freedom Wi-Fi USB adapter; pairs cleanly with the open ath9k_htc firmware path.
ThinkPenguin TPE-N150USBL (FSF RYF): Wireless-N USB adapter (long-range) | RYF Wi-Fi; 2.4 GHz bias | 93 | Long-range variant; same freedom firmware posture as AR9271-class adapters.
ThinkPenguin TPE-N300PCIED2 (FSF RYF): Wireless-N dual-band PCIe card | RYF Wi-Fi; dual-band | 93 | Internal dual-band Wi-Fi card; freedom posture strong; viability improved where 5 GHz is required.
ThinkPenguin TPE-NHMPCIED2 (FSF RYF): Half-height dual-band PCIe Wi-Fi card | RYF Wi-Fi; form-factor specific | 93 | Compact dual-band internal adapter; hardware freedom posture strong; ecosystem depends on niche availability.
ThinkPenguin TPE-NMPCIE (FSF RYF): Mini PCIe Wi-Fi card | RYF Wi-Fi; 802.11n era | 93 | Internal mini-PCIe Wi-Fi option for freedom-limited platforms; strong F/SD; viability limited by older PHY.
Technoethical TET-N150 (mini USB): AR9271-class “mini” Wi-Fi USB adapter | RYF line; vendor fragility | 93 | Freedom Wi-Fi USB path comparable to AR9271-class adapters; ecosystem survivability driven by small-vendor continuity.
Technoethical TET-N150HGA (USB): High-gain antenna Wi-Fi USB adapter | RYF product page; 2.4 GHz bias | 93 | Long-range freedom Wi-Fi; strong F/SD; long-horizon pressure from spectrum congestion.
Technoethical TET-N300 (USB): Wi-Fi USB adapter (ath9k_htc + free firmware path) | free firmware; vendor fragility | 93 | Freedom Wi-Fi USB adapter with explicit free-firmware emphasis; ecosystem viability dominated by vendor continuity.
Technoethical TET-N300HGA (USB): High-gain antennas Wi-Fi USB adapter | free firmware; 2.4 GHz bias | 93 | Range-optimized freedom Wi-Fi USB adapter; freedom posture strong; viability pressure from crowded RF bands.
Technoethical TET-N300DB (mini-PCIe): Dual-band mPCIe card (AR9382-class) | dual-band; vendor fragility | 92 | Internal dual-band freedom Wi-Fi; strong for devices requiring 5 GHz; availability risks dominate.
Technoethical TET-N450DB (mini-PCIe): Dual-band mPCIe card (higher throughput class) | RYF product page; vendor fragility | 92 | Internal freedom Wi-Fi card with strong freedom posture; long-horizon supply and replacement risk remains high.
Libiquity Wi-Fri ND2H (FSF RYF): Dual-band 802.11a/b/g/n Wi-Fi card | RYF Wi-Fi; dual-band | 93 | Freedom Wi-Fi card option with better viability in 5 GHz environments; still bounded by “n” generation constraints.
Hardware notes: why the top band clusters at 91–94
  • RYF certification strongly boosts F and typically SD for these devices via free driver/firmware paths and auditable source bundles.
  • Two dominant penalties remain: (a) long-horizon RF viability (802.11n era constraints) and (b) small-vendor supply-chain fragility.
  • Dual-band internal cards (e.g., TPE-N300PCIED2, Wi-Fri ND2H, Technoethical dual-band mPCIe) reduce “2.4 GHz collapse pressure” and score accordingly.

2.2 Freedom-grade host platform

Item | Tags | Sovereign Score | Role
Raptor Computing Systems Talos II (FSF RYF): Owner-controlled POWER9 mainboard | RYF mainboard; cost / availability | 92 | Best-in-class freedom host platform for routing/firewall appliances where auditable firmware and owner control are non-negotiable.
Raptor Computing Systems Talos II Lite (FSF RYF): Reduced-cost owner-controlled mainboard | RYF mainboard; backorder risk | 92 | Lower-cost path into the same owner-control domain; still a high-friction procurement profile in many regions.

2.3 Free Wi-Fi firmware path (AR9271-class)

Item | Tags | Sovereign Score | Role
open-ath9k-htc-firmware (ClearBSD): Qualcomm Atheros AR7010/AR9271 free firmware path | free firmware; supply-chain clarity | 93 | Firmware freedom root for AR9271-class devices; allows truly blob-free Wi-Fi in Linux-libre contexts.

2.4 Router OS / firewall / Wi-Fi control plane

Item | Tags | Sovereign Score | Role
LibreCMC (FSF-endorsed): Fully free embedded GNU/Linux distribution | FSF-endorsed; bus factor | 92 | Router OS where firmware freedom is mandatory; patch velocity and device support bounded by freedom constraints.
nftables: Netfilter’s modern packet filtering framework | kernel-native; widely deployed | 94 | Firewall spine for sovereign Linux hosts; strong maturity and ecosystem; no cloud coupling.
hostapd: Access point daemon (AP control plane) | mature; broad driver support | 92 | Canonical AP daemon; large ecosystem; strong alignment with blob-free Wi-Fi paths where available.
wpa_supplicant: Wi-Fi client supplicant | mature; feature surface | 91 | Canonical client-side Wi-Fi control; long maturity; broad compatibility; complexity acknowledged.
iwd: iNet Wireless Daemon (Intel-authored) | Intel-led; governance risk | 86 | Technically lean Wi-Fi daemon; deliberately not the default due to governance and ecosystem steering concerns.
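A firewall spine that matches the hostile-environment assumption, as an added example that is not LibreCMC's or the nftables project's own configuration: a default-deny inet ruleset for the router in which the Class A services (DNS, DHCP, NTP) plus SSH are admitted from the LAN only, with a structural check that fails if either boundary chain is not default-deny or if anything is accepted merely because it arrived on the WAN side. The interface names lan0 and wan0 are assumptions.

```shell
#!/bin/sh
# Added example (not LibreCMC's or nftables' own configuration): default-deny
# nftables ruleset for the sovereign router. LAN on lan0, upstream on wan0
# (interface names are assumptions, overridable via the environment).

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"

# render_ruleset prints an nft script to stdout.
render_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Class A services the router offers to the LAN only: DNS, DHCP, NTP, SSH
        iifname "$LAN_IF" udp dport { 53, 67, 123 } accept
        iifname "$LAN_IF" tcp dport { 53, 22 } accept
        # diagnostics (ping, mtr) from the LAN only
        iifname "$LAN_IF" meta l4proto { icmp, ipv6-icmp } accept
        # anything else, including all unsolicited WAN traffic, hits the drop policy
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# check_ruleset reads an nft script on stdin and returns 1 unless both
# boundary chains (input, forward) are default-deny and nothing is accepted
# on the basis of arriving from the WAN interface. It needs neither root nor
# the nft binary, so it can gate the ruleset before it reaches the router.
check_ruleset() {
    rs="$(cat)"
    for chain in input forward; do
        printf '%s\n' "$rs" | awk -v c="$chain" '
            $1 == "chain" && $2 == c { inside = 1 }
            inside && /policy drop;/   { found = 1 }
            inside && /^[[:space:]]*}/ { inside = 0 }
            END { exit !found }' \
            || { echo "chain $chain is not default-deny" >&2; return 1; }
    done
    if printf '%s\n' "$rs" | grep -q "iifname \"$WAN_IF\".*accept"; then
        echo "ruleset accepts unsolicited traffic arriving on $WAN_IF" >&2
        return 1
    fi
    return 0
}

# load_ruleset: syntax check with nft's dry run, then apply (both need root).
load_ruleset() {
    render_ruleset | nft -c -f - && render_ruleset | nft -f -
}

render_ruleset | check_ruleset && render_ruleset
```

The `policy drop` on input and forward is what makes the rest of the Class A table safe to run on the same box: Unbound, dnsmasq and chrony are reachable only from the LAN interface, and a service that gets enabled by accident on the WAN side is still unreachable.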

2.5 Core services (DNS / DHCP / NTP)

Item | Tags | Sovereign Score | Role
Unbound: Validating recursive caching DNS resolver | core primitive; lean + modern | 96 | Primary DNS spine: full recursion from the root with DNSSEC validation; maximizes local resolution sovereignty with no forwarding dependency on an upstream resolver.
chrony: NTP client/server implementation | local time spine; external time authority risk | 93 | Time synchronization primitive; supports reference clocks (e.g., GPS, PPS) so a site can be its own time authority rather than trusting external NTP sources.
Knot Resolver: Caching validating resolver with modular architecture | modular; attack-surface discipline | 92 | Alternative to Unbound; strong module discipline and modern resolver posture.
dnsmasq: Small-network DNS/DHCP/RA/TFTP utility | multipurpose daemon; historical high-impact vulns | 88 | Best treated as a DHCP helper or small forwarder behind a real recursive resolver; not a sovereignty DNS spine.
Kea DHCP: Modern open-source DHCPv4/v6 server | complexity; ISP/enterprise gravity | 86 | DHCP at scale; higher operational weight and larger integration surface than dnsmasq; useful in segmented sovereign networks.
Class note: Kea is listed here beside dnsmasq for comparison only; under the Class C definition in 1.1 (complex DHCP) it is ranked in Class C, as 5.3 records.
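The Unbound-as-spine, dnsmasq-as-helper split from the table above, together with the chrony local-authority posture, as an added example that is not the projects' own sample configuration. The 192.0.2.0/24 addresses, the lan0 interface, and the root-hints, trust-anchor, /dev/pps0 and gpsd shared-memory paths are assumptions; the two audit functions flag the settings that would quietly hand resolution back to an upstream.

```shell
#!/bin/sh
# Added example (not the projects' own sample configs): Unbound as the
# recursive validating spine, dnsmasq reduced to a DHCP helper that points
# clients at Unbound, chrony as a local time authority, and audits for the
# settings that would silently reintroduce an upstream dependency.
# Addresses, interface and file paths are assumptions.

LAN_IF="${LAN_IF:-lan0}"
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"

unbound_conf() {
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $ROUTER_IP
    access-control: 127.0.0.0/8 allow
    access-control: $LAN_NET allow
    access-control: 0.0.0.0/0 refuse
    # recursion from the root: there is deliberately no forward-zone here
    root-hints: "/usr/share/dns/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
EOF
}

dnsmasq_conf() {
    cat <<EOF
# port=0 disables the DNS side entirely: dnsmasq is a DHCP helper, not a resolver
port=0
interface=$LAN_IF
bind-interfaces
dhcp-authoritative
dhcp-range=192.0.2.100,192.0.2.200,12h
dhcp-option=option:router,$ROUTER_IP
dhcp-option=option:dns-server,$ROUTER_IP
dhcp-option=option:ntp-server,$ROUTER_IP
EOF
}

chrony_conf() {
    cat <<EOF
# GPS NMEA time via gpsd's shared-memory driver, disciplined by PPS on /dev/pps0
refclock SHM 0 refid GPS precision 1e-1 offset 0.5 delay 0.2 noselect
refclock PPS /dev/pps0 lock GPS refid PPS
# keep serving the LAN even when no external source is reachable
local stratum 10
allow $LAN_NET
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# audit_unbound reads unbound.conf on stdin; returns 1 if it forwards to an
# upstream resolver or listens on every address (open-resolver exposure).
audit_unbound() {
    cfg="$(cat)"
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*forward-(zone|addr)'; then
        echo "unbound forwards upstream: resolution sovereignty lost" >&2
        return 1
    fi
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*interface:[[:space:]]*(0\.0\.0\.0|::0?)[[:space:]]*$'; then
        echo "unbound listens on all addresses: open resolver risk" >&2
        return 1
    fi
    return 0
}

# audit_dnsmasq reads dnsmasq.conf on stdin; returns 1 unless DNS is off
# (port=0) and no server= forwarding lines remain.
audit_dnsmasq() {
    cfg="$(cat)"
    printf '%s\n' "$cfg" | grep -q '^port=0$' \
        || { echo "dnsmasq still answers DNS" >&2; return 1; }
    if printf '%s\n' "$cfg" | grep -q '^server='; then
        echo "dnsmasq forwards to an upstream resolver" >&2
        return 1
    fi
    return 0
}

unbound_conf | audit_unbound && dnsmasq_conf | audit_dnsmasq && echo "core services: OK"
```

The audits exist because the failure mode is quiet: a single forward-zone or server= line turns the spine into a forwarder and every query into a record at a third party, with no change visible to clients.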

2.6 Routing & mesh primitives

Item | Tags | Sovereign Score | Role
babeld: Babel routing daemon (L3 mesh) | userspace; mesh-default | 93 | Default sovereign mesh routing primitive: low friction, flexible, and avoids kernel-space blast radius.
batman-adv: B.A.T.M.A.N. Advanced (L2 mesh in kernel) | kernel-space; blast-radius | 91 | High-performance L2 mesh; treated as optional rather than default due to kernel-space compromise risk.
Routing boundary: why FRR/BIRD are not in Class A
  • Full Internet routing suites are powerful but carry high complexity and a strong ecosystem pull toward centralized ISP/cloud architectures.
  • They function as interfaces to legacy or large-scale routing realities, not as core sovereign mesh primitives.
  • They are therefore scored and ranked in Class C.

3) Class B — Visibility & defense

These tools provide eyes, telemetry, and defensive capability. Their scores are high because they remain local-first and highly auditable; risk is primarily operational (misuse, exposure, permissions) rather than inherent phone-home behavior.

3.1 Packet capture & NSM / IDS

Item | Tags | Sovereign Score | Role
libpcap: Portable packet capture library | primitive; small + durable | 95 | Core capture substrate for many tools; minimal external dependencies; strong long-horizon survivability.
tcpdump: CLI packet sniffer | primitive; abuse if compromised | 95 | Canonical sniffer; highest leverage visibility tool; operational discipline required for permissions and storage handling.
Zeek: Network Security Monitoring (NSM) platform | flexible analysis; surveillance-capable | 91 | High-fidelity logging and protocol analysis; powerful for sovereign introspection; can also be used to centralize surveillance if deployed as a chokepoint.
Suricata: IDS/IPS/NSM engine (OISF) | chokepoint gravity; high complexity | 89 | High performance detection engine; defensive value is high; topology often becomes centralized inspection infrastructure.

3.2 Diagnostics & measurement

Item | Tags | Sovereign Score | Role
mtr: My traceroute (path + latency + loss) | lean; field-proven | 94 | Core path diagnostics; essential for verifying routing and identifying loss domains.
iperf3: Bandwidth/throughput measurement tool | simple; portable | 94 | Essential for tuning links and validating performance; independent of cloud services.
vnStat: Kernel-counter-based traffic accounting | non-sniffing; low resource | 93 | Long-horizon traffic accounting without packet capture; valuable for visibility without surveillance posture.

3.3 Wireless analysis & audit

Item | Tags | Sovereign Score | Role
Aircrack-ng: Wi-Fi security auditing suite | audit leverage; dual-use | 93 | Offensive/defensive auditing capability for local Wi-Fi posture verification and adversary simulation.
Kismet: Sniffer, WIDS, wardriving (Wi-Fi/Bluetooth/RF) | RF radar; dual-use | 92 | Passive situational awareness and WIDS; expands visibility into RF terrain and anomalous devices.
Class B caution: operational misuse dominates risk
  • Capture tooling can become an attacker’s instrument if host access is lost; permissions and storage discipline are mandatory.
  • NSM/IDS platforms can be deployed as sovereign introspection or become centralized surveillance infrastructure; topology is decisive.
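The permissions and storage discipline the caution calls for, applied to tcpdump as an added example (not the tcpdump project's own guidance): the capture store is 0700 to a dedicated capture user, tcpdump relinquishes root with -Z once the capture socket is open, and the ring buffer is bounded so a host that falls to an attacker yields at most a day of traffic. The user name pcap, the directory and the interface are assumptions, and dir_mode relies on GNU stat.

```shell
#!/bin/sh
# Added example (not tcpdump's own guidance): capture with a dedicated
# unprivileged user, a private store and a bounded ring buffer, plus a
# posture check. User name, directory and interface are assumptions.

CAP_USER="${CAP_USER:-pcap}"
CAP_DIR="${CAP_DIR:-/var/lib/pcap}"
CAP_IF="${CAP_IF:-lan0}"

# prepare_capture_dir DIR OWNER: create the store with owner-only access.
# chown only succeeds as root; a non-root demo simply keeps the caller as owner.
prepare_capture_dir() {
    dir="$1"; owner="$2"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    chown "$owner" "$dir" 2>/dev/null || true
}

# dir_mode PATH -> octal permission bits (GNU stat assumed).
dir_mode() {
    stat -c '%a' "$1"
}

# capture_args prints the tcpdump arguments one per line:
#   -Z drops root to CAP_USER as soon as the capture socket is open,
#   -G/-W rotate hourly into a ring of 24 files, so a lost host leaks at
#      most a day of traffic and the disk cannot fill,
#   -s 0 keeps whole packets, -nn does no name lookups (so capturing does
#      not itself emit DNS queries), and the filter keeps the admin SSH
#      session out of its own capture.
capture_args() {
    printf '%s\n' \
        -i "$CAP_IF" -nn -s 0 \
        -Z "$CAP_USER" \
        -G 3600 -W 24 \
        -w "$CAP_DIR/%Y%m%d-%H%M%S.pcap" \
        'not (tcp port 22)'
}

# audit_capture_posture DIR: returns 1 if the store is group/world
# accessible or the invocation neither drops privileges nor bounds the ring.
audit_capture_posture() {
    [ "$(dir_mode "$1")" = "700" ] \
        || { echo "$1 must be mode 0700" >&2; return 1; }
    capture_args | grep -qx -- '-Z' \
        || { echo "capture must relinquish privileges with -Z" >&2; return 1; }
    capture_args | grep -qx -- '-W' \
        || { echo "capture must bound its ring buffer with -W" >&2; return 1; }
    return 0
}

# Stand-alone demo against a temporary directory (no root required).
demo_dir="$(mktemp -d)"
prepare_capture_dir "$demo_dir" "$CAP_USER"
audit_capture_posture "$demo_dir" && echo "tcpdump $(capture_args | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The alternative to -Z is granting the tcpdump binary cap_net_raw and cap_net_admin with setcap and running it entirely as the capture user; that widens who can sniff to everyone able to execute the binary, so pair it with a group-owned copy that only the capture group can run.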

4) Class C — Heavy / interface / centralizing tools

These tools are fully free and technically excellent, but naturally attract centralized architectures, complex control planes, and integration ecosystems aligned with ISP/cloud/enterprise norms.

4.1 Heavy routing suites (edge/interface role)

Item | Tags | Sovereign Score | Role
BIRD: Internet routing daemon (BGP/OSPF etc.) | complex; legacy/IXP gravity | 87 | Edge connectivity tool for peering/IXP realities; not a core mesh primitive; architecture pull is centralized by default.
FRRouting (FRR): Full Internet routing protocol suite | very large; ISP/cloud gravity | 86 | Edge interface suite for BGP/OSPF/IS-IS etc.; high complexity and ecosystem pull; retained for necessity cases.

4.2 Monitoring core (no “must phone home”)

Item | Tags | Sovereign Score | Role
Prometheus: Monitoring system & time-series database | cloud-native gravity; exporter metadata risk | 84 | Local-only metrics spine when disciplined; ecosystem strongly oriented toward hosted observability and remote-write pipelines.
Prometheus constraint: local-only posture is the dividing line
  • Prometheus can be fully local, but remote-write pipelines normalize exporting telemetry into third-party storage ecosystems.
  • Exporter endpoints expose rich metadata; exposure outside a trusted admin network is a recon gift.
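The local-only posture as configuration plus an audit, as an added example that is not Prometheus' own sample config: no remote_write or remote_read block, the server bound to loopback, and scrape targets restricted to loopback or the admin subnet. The exporter ports, the 192.0.2.0/24 admin network and the file paths are assumptions, and the subnet check is a /24 prefix match rather than a general CIDR test.

```shell
#!/bin/sh
# Added example (not Prometheus' own sample config): local-only metrics
# spine plus an audit for the two drift vectors above. Exporter ports, the
# admin subnet and paths are assumptions.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

prometheus_yml() {
    cat <<'EOF'
global:
  scrape_interval: 30s
scrape_configs:
  - job_name: node
    static_configs:
      - targets: ['127.0.0.1:9100']
  - job_name: unbound
    static_configs:
      - targets: ['127.0.0.1:9167']
# no remote_write / remote_read block: samples never leave this host
EOF
}

# Server flags: bind the UI/API to loopback and reach it over an SSH
# port-forward instead of exposing it on the network.
prometheus_flags() {
    printf '%s\n' \
        '--config.file=/etc/prometheus/prometheus.yml' \
        '--storage.tsdb.path=/var/lib/prometheus' \
        '--storage.tsdb.retention.time=90d' \
        '--web.listen-address=127.0.0.1:9090'
}

# audit_prometheus reads prometheus.yml on stdin; returns 1 if it ships data
# out (remote_write/remote_read) or scrapes any IPv4 target outside loopback
# and ADMIN_NET. The subnet test is a /24 prefix match, not general CIDR.
audit_prometheus() {
    cfg="$(cat)"
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*remote_(write|read):'; then
        echo "remote_write/remote_read present: telemetry leaves the host" >&2
        return 1
    fi
    admin_re="$(printf '%s.' "${ADMIN_NET%.*}" | sed 's/\./\\./g')"
    bad="$(printf '%s\n' "$cfg" \
        | grep -Eo '[0-9]+(\.[0-9]+){3}:[0-9]+' \
        | grep -Ev "^(127\.|$admin_re)" || true)"
    if [ -n "$bad" ]; then
        echo "targets outside loopback/admin network: $bad" >&2
        return 1
    fi
    return 0
}

# audit_listen_flag returns 1 unless the server binds to loopback only.
audit_listen_flag() {
    prometheus_flags | grep -qx -- '--web.listen-address=127.0.0.1:9090'
}

prometheus_yml | audit_prometheus && audit_listen_flag && echo "prometheus: local-only"
```

node_exporter takes the same --web.listen-address flag; bind it to 127.0.0.1:9100 as in the scrape target above, or to the LAN address with only the admin subnet admitted by the router's firewall, since every exporter endpoint is exactly the metadata surface the second bullet describes.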

5) Cross-stack summary

Class A defines the sovereign spine, Class B provides visibility and teeth, and Class C supplies high-power interfaces that must be constrained to avoid architecture drift.

5.1 Class A — canonical spine

Canonical spine (Class A) — minimal set that makes the stack exist:

Hardware / firmware

RYF-grade Wi-Fi adapters and routers (ThinkPenguin, Technoethical, Libiquity), Talos II / Talos II Lite hosts, open-ath9k-htc-firmware

Router OS / firewall / Wi-Fi control plane

LibreCMC, nftables, hostapd, wpa_supplicant

Core services

Unbound, chrony

Routing / mesh

babeld

5.2 Class B — eyes and teeth

Packet capture primitives

libpcap, tcpdump

Diagnostics & measurement

mtr, iperf3, vnStat

NSM / IDS

Zeek, Suricata

Wireless audit & situational awareness

Aircrack-ng, Kismet

5.3 Class C — bridges and risk-zones

Class C retained components (interface role, constrained deployment)
  • Routing suites: BIRD, FRRouting — used when full routing protocols/peering are required; otherwise kept out of the core mesh.
  • Monitoring: Prometheus — local-only posture is mandatory; remote-write pipelines are a primary drift vector.
  • DHCP at scale: Kea — accepted for segmented deployments; complexity and ecosystem gravity are explicit costs.