The OOBI (Out-Of-Band Introduction) specification explicitly addresses this: "IP infrastructure is not trusted by KERI. An OOBI by itself is considered insecure and serves only to jump-start discovery, not to establish trust." This design philosophy allows KERI to leverage existing IP infrastructure for convenience while maintaining security through end-verifiable cryptographic proofs.

Service Endpoint Discovery

IP addresses enable the location of KERI infrastructure components:

Witness Endpoints: IP addresses (often with port numbers) where witnesses can be reached to provide key event receipts. Network traces from KERIpy demonstrations show witness communication at addresses like 127.0.0.1:5621 and 127.0.0.1:52117 for local testing, or public IPs for production deployments.

Watcher Endpoints: Network locations where validators monitoring key event logs operate. Watchers run in "promiscuous mode" using the same code as witnesses but without being designated by controllers.

Controller Endpoints: Where AID controllers expose their services, including KERIA cloud agents that provide HTTP endpoints for command and control operations.

Registrar and Backer Endpoints: For transaction event log (TEL) infrastructure supporting verifiable credential registries.

OOBI Integration and URL Structure

Out-of-Band Introduction (OOBI) URLs combine IP addresses (or domain names) with AIDs for bootstrap discovery. The basic structure:

http://8.8.5.6:8080/oobi/EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM

This URL contains:

• Protocol: http:// (or https://)
• Host component: IP address 8.8.5.6 or domain name
• Port: 8080 (optional, defaults to 80/443)
• Path: /oobi/ indicating OOBI endpoint
• AID: EaU6JR2nmwyZ-i0d8JZAoTNZH3ULvYAfSVPzhzS6b5CM

The IP address provides the network location, but the OOBI itself is not cryptographically trusted. All authentication occurs through KERI's BADA (Best Available Data Acceptance) mechanisms after initial discovery. As the specification emphasizes, "discovery via URI, trust via KERI."

OOBI can reference:

• Witness locations: Mapping AIDs to witness IP addresses
• Watcher locations: For duplicity detection services
• Watchtower locations: For KEL monitoring
• Controller locations: For direct peer-to-peer communication

Keridemlia: Distributed IP Address Resolution

Keridemlia provides a distributed hash table (DHT) mapping between AIDs and witness IP addresses, offering DNS-like functionality specifically for KERI without relying on traditional DNS infrastructure. The glossary defines Keridemlia as performing:

1. Mapping between identifier and controller AID stored in the KEL
2. Mapping controller AID to current witness AID
3. Mapping witness AID to IP address

This three-level resolution system enables decentralized discovery of witness network locations. The DHT architecture (based on Kademlia) provides:

• Scalability: Nodes can be added/removed with minimal redistribution work
• Efficient retrieval: Any participating node can look up witness locations
• Decentralized operation: No central registry of witness IP addresses

Keridemlia addresses the "vacuous discovery" problem—how to find IP resources for completely decentralized AIDs that have no inherent connection to internet addressing.

IP Addressing in vLEI Infrastructure

GLEIF Authorized Representative (GAR) Setup

The GAR documentation provides extensive detail on IP address usage in vLEI credential issuance infrastructure. GARs must:

Configure Docker networking: The GAR software runs in Docker containers that expose KERI services on specific IP addresses and ports. The documentation references localhost (127.0.0.1) for development and testing.

Establish network connectivity: To GLEIF witness network and other participants. The documentation specifies that all participants "Maintain network connectivity to GLEIF witness network and other participants."

Conduct identity assurance over video: NIST-800-63-3 IAL-2 compliance requires live video sessions between GARs, which inherently depend on IP connectivity for video calling infrastructure.

QVI (Qualified vLEI Issuer) Infrastructure

QVI setup documentation details similar IP addressing requirements:

Group multisig coordination: Creating QVI group multisig AIDs requires real-time coordination between multiple participants over IP networks. The process includes:

1. Joining video calls for identity verification
2. Exchanging OOBIs over the video call
3. Receiving OOBIs from other participants
4. Coordinating multisig event creation
5. Witness pool configuration with IP endpoints

Witness pool configuration: QVIs must configure witness pools with specific IP addresses where witnesses can be reached for key event witnessing services.

Delegated identifier creation: QVI AIDs are delegated from GLEIF External AID or GLEIF Internal AID, requiring network communication with GLEIF infrastructure at specific IP endpoints.

Production vs. Testing Environments

Localhost/127.0.0.1 for testing: KERIpy demonstrations and development environments extensively use 127.0.0.1 (localhost) for testing. Network traces show:

• 127.0.0.1:5621 for local witness testing
• 127.0.0.1:52117 for peer-to-peer event exchange
• Multiple Docker containers communicating via localhost

Public IPs for production witnesses: Production deployments require publicly accessible IP addresses where witnesses expose TCP endpoints for:

• Receiving key events from controllers
• Providing receipts to validators
• Participating in witness agreement algorithms (KAWA)

Well-known witnesses: The documentation references "well-known witnesses" created with predictable identifiers for testing purposes, which have associated test IP addresses.

IP Addresses in KERI Protocol Operations

Network Protocol Traces

The KERIpy demo vectors provide raw network traces showing IP-level communication:

Event exchange at 127.0.0.1:5621:

Tx (Transmit) and Rx (Receive) messages
Inception events (icp) establishing AIDs
Rotation events (rot) changing key state
Interaction events (ixn) anchoring data
Validation receipts (vrc) from witnesses

Event exchange at 127.0.0.1:52117: Similar bidirectional communication showing complete KEL construction through peer-to-peer message exchange over TCP.

These traces demonstrate that while KERI messages are cryptographically self-verifying (CESR-encoded with signatures), they are transmitted over traditional TCP/IP networking infrastructure.

TCP Endpoint Specification

The glossary defines TCP endpoint as a service endpoint using the Transmission Control Protocol with IP addresses. KERI infrastructure heavily relies on TCP for:

Reliable message delivery: TCP provides ordered, error-checked delivery of KERI event streams

Connection-oriented communication: Between controllers, witnesses, and watchers

Streaming protocols: CESR streams transmitted over TCP connections

The specification notes that KERI can operate over TCP, UDP, or HTTP, but TCP is most common for witness/watcher infrastructure.

KERIA Cloud Agent Architecture

KERIA (KERI Agent in the cloud) exposes three separate HTTP endpoints on three separate network interfaces:

1. Boot Interface: One endpoint for Agent Worker initialization
2. Admin Interface: REST API for command and control from Signify clients
3. KERI Protocol Interface: CESR over HTTP endpoint for protocol interactions

Each interface has distinct IP address/port configurations, enabling:

• Security isolation: Separating administrative and protocol traffic
• Load balancing: Distributing traffic across multiple network interfaces
• Access control: Different IP-based access rules for different interfaces

The SKWA (Simple KERI for Web Auth) and SKRAP (Signify KERIA Request Authentication Protocol) specifications detail how clients connect to KERIA agents via HTTP endpoints at specific IP addresses, with KRAM (KERI Request Authentication Method) providing replay attack protection.

Security Considerations

IP-Layer Attacks vs. KERI Defense

KERI's security model explicitly accounts for IP-layer vulnerabilities:

DNS hijacking: Attackers compromise DNS to redirect traffic to malicious IPs. KERI defends by treating DNS resolution as untrusted—even if DNS is compromised, cryptographic verification fails for invalid KELs.

BGP hijacking: Border Gateway Protocol attacks can redirect IP traffic. KERI's end-to-end verification means even if traffic is intercepted and modified, signature verification will fail.

Man-in-the-middle: Attackers intercept IP traffic to read or modify messages. KERI messages are:

• Cryptographically signed (authenticity)
• Can be encrypted (confidentiality via SPAC protocol)
• Self-verifying regardless of transport path

IP spoofing: Attackers forge source IP addresses. KERI doesn't trust source IPs for authentication—only cryptographic signatures matter.

The SPAC (Secure Privacy, Authenticity, and Confidentiality) protocol specification addresses confidentiality at the message level, independent of IP-layer encryption. This "defense in depth" approach means KERI security doesn't depend on TLS/SSL or other IP-layer security mechanisms, though they provide additional protection.

Privacy and Correlation Risks

IP addresses present privacy challenges that KERI explicitly addresses:

IP-based correlation: Observers can correlate activities by IP address even when using different AIDs. The SPAC protocol and sustainable privacy framework address this through:

• Ephemeral identifiers: One-time-use AIDs for reducing correlation
• Non-correlatable identifiers: AIDs designed to prevent linkage
• Privacy-preserving disclosure: Graduated disclosure mechanisms in ACDCs

Metadata leakage: IP addresses are "non-content metadata" that can reveal:

• Geolocation
• Network provider
• Organization affiliation
• Activity patterns

The PAC theorem (Privacy, Authenticity, Confidentiality trilemma) recognizes that achieving all three properties simultaneously at the highest level is impossible. KERI prioritizes:

1. Authenticity first: Cryptographic proof of attribution
2. Confidentiality second: Message encryption
3. Privacy third: Highest possible without compromising the other two

IP address anonymization: While not directly part of KERI protocol, implementations can use:

• Tor: Route KERI messages through anonymization networks
• VPNs: Hide true IP addresses from observers
• Proxy services: Intermediate servers that relay KERI messages

KERI's security properties remain intact regardless of these transport-layer anonymization techniques.

The "Host" Abstraction

The glossary defines host as the part of a URL identifying the server location, which can be:

• Domain name: Human-readable address (e.g., example.com)
• IP address: Numeric network address (e.g., 192.168.1.1)

KERI treats both as equivalent for discovery purposes—both are untrusted bootstrapping mechanisms. The choice between domain names and IP addresses involves trade-offs:

Domain names:

• Advantage: Human-memorable, can change underlying IP without URL changes
• Disadvantage: Depend on DNS infrastructure (potential attack vector)
• Use case: Production services requiring stable, memorable endpoints

IP addresses:

• Advantage: Direct addressing without DNS dependency
• Disadvantage: Not human-memorable, require URL updates if IP changes
• Use case: Testing, direct peer-to-peer connections, DNS-avoidance scenarios

Operational Deployment Patterns

Docker Container Networking

Multiple sources discuss Docker containerization for KERI infrastructure:

Container IP allocation: Docker assigns IP addresses to containers:

• Bridge networking: Containers get private IP addresses (e.g., 172.17.0.2)
• Host networking: Containers share host IP address
• Custom networks: User-defined IP address ranges

Port mapping: Container ports mapped to host IP addresses:

docker run -p 127.0.0.1:8080:8080 gleif/keri

This maps container port 8080 to host localhost:8080.

Volume mounting: The GAR documentation specifies mounting $HOME/.gar directory for persistent storage, which includes networking configuration.

Multi-container coordination: KERI deployments often involve:

• Witness containers: Multiple witnesses at different IPs
• Watcher containers: Monitoring services
• Agent containers: KERIA cloud agents
• Controller containers: Application logic

Proper IP address management across containers is critical for these components to discover and communicate with each other.

Witness Pool Configuration

Witness pools require careful IP address planning:

Geographic distribution: Witnesses should be at diverse IP addresses/networks for:

• Fault tolerance: Network partition resilience
• Attack resistance: Harder to compromise geographically distributed IPs
• Latency optimization: Regional witnesses reduce round-trip times

Threshold configuration: The TOAD (Threshold of Accountable Duplicity) parameter determines how many witnesses must confirm events. With N witnesses at different IPs, controllers set M >= N - F where F is the tolerated fault count.

Dynamic witness lists: Controllers can rotate witness pools, requiring:

• OOBI updates: New witness IP addresses in OOBIs
• Configuration events: Rotation events that change witness lists
• Graceful transitions: Old witnesses remain accessible during rotation

Group Multisig Formation

Creating group multisig AIDs involves extensive IP-based coordination:

Six-stage GAR process:

1. Video call: All participants connect via IP-based video conferencing
2. OOBI exchange: Participants share OOBIs containing IP addresses over video
3. OOBI resolution: Each participant resolves others' IP endpoints
4. Identity verification: NIST IAL-2 verification over video (IP-dependent)
5. Multisig configuration: Real-time coordination over IP networks
6. Witness coordination: Agreement on witness pool IPs

Seven-stage QVI rotation: Similar IP-based coordination when modifying QVI group membership, with additional:

• External GAR approval: Communication with GLEIF GAR IPs
• Delegation confirmation: Network communication with delegating AID's infrastructure

These processes demonstrate that while KERI's security doesn't depend on IP infrastructure, practical operations heavily utilize IP networking for coordination.

IP Addresses in Identity Assurance

The vLEI ecosystem's identity assurance processes have specific IP address requirements:

Video call requirements: GLEIF's NIST-800-63-3 IAL-2 compliance mandates:

• Live video sessions: Between GARs for identity verification
• Real-time interaction: Confirming participant presence
• Document verification: Displaying government IDs to camera

These video calls inherently require IP connectivity. The GAR documentation emphasizes that all participants must "Maintain network connectivity to GLEIF witness network and other participants."

Two-factor authentication: Often involves:

• SMS codes: Delivered to phone numbers associated with IP addresses
• Authenticator apps: Synchronized via IP networks
• Hardware tokens: May use IP for registration/updates

Credential issuance flows: When a QVI issues a vLEI credential:

1. Solicitation: Legal Entity representative requests credential
2. Verification: QVI verifies Legal Entity information (may involve IP-based API calls)
3. Issuance: Credential signed and delivered via IP networks
4. Registry update: TEL updated on backing infrastructure at specific IPs

Advanced Topics

Anycast Addressing

The glossary includes anycast address as a network addressing concept where multiple servers share the same IP address. This is relevant for:

Witness redundancy: Multiple witness instances at the same anycast IP for:

• Load balancing: Distributing incoming controller requests
• Failover: Automatic rerouting if one instance fails
• Geographic optimization: Routing to nearest witness instance

Watcher services: Similar anycast patterns for:

• High availability: Continuous KEL monitoring
• Scalability: Handling many simultaneous queries

IPv4 vs. IPv6 Considerations

IPv4 exhaustion: Limited 32-bit address space creates challenges:

• NAT requirements: Many KERI nodes behind NAT devices
• Public IP scarcity: Difficulty obtaining unique public IPs for witnesses
• Port forwarding complexity: Exposing services through NAT

IPv6 advantages: 128-bit addresses provide:

• Abundant address space: Every KERI node can have unique global IP
• Simplified networking: No NAT required
• Better peer-to-peer: Direct addressability

Dual-stack operation: KERI implementations should support both:

• IPv4 fallback: For legacy network compatibility
• IPv6 preference: When available
• Protocol negotiation: Detecting best available protocol

Zero-Trust Architecture

KERI implements zero-trust principles where IP addresses play a specific role:

Never trust, always verify: IP addresses provide:

• Initial contact point: Where to send verification requests
• No implicit trust: Source IP doesn't grant authentication

Microsegmentation: KERIA's three-interface design enables:

• Admin network: Restricted IP ranges for management
• Protocol network: Public IPs for KERI communication
• Boot network: Isolated IP space for initialization

Continuous verification: Every KERI message verified regardless of:

• Source IP: Could be spoofed
• Previous interactions: No session state based on IP
• Network location: Perimeter security not relied upon

Conclusion

IP addresses in the KERI ecosystem occupy a carefully delineated role: essential for network discovery and communication, but explicitly excluded from the security model. This architectural decision enables KERI to leverage ubiquitous IP infrastructure while maintaining cryptographic security properties that don't depend on IP-layer trust.

Key principles:

1. Separation of concerns: Discovery uses IPs, authentication uses cryptography
2. Untrusted discovery: OOBIs with IP addresses are bootstrap mechanisms only
3. End-to-end verification: Security independent of IP routing
4. Operational necessity: Practical KERI deployments require careful IP address planning
5. Privacy considerations: IP addresses present correlation risks managed through protocol design

For KERI implementers and infrastructure operators, understanding IP address roles is critical for:

• Witness deployment: Configuring accessible, reliable IP endpoints
• Network architecture: Designing witness pools with geographic IP distribution
• Security analysis: Distinguishing IP-layer from application-layer threats
• Privacy enhancement: Implementing IP anonymization where required
• Operational procedures: Managing group multisig coordination and identity assurance over IP networks

The vLEI ecosystem's extensive use of IP-based infrastructure for GAR setup, QVI operations, and credential issuance demonstrates that while KERI's security doesn't depend on IPs, real-world operations utilize them extensively. This pragmatic approach—leveraging existing infrastructure while building cryptographic security on top—exemplifies KERI's philosophy of "minimally sufficient means" for creating a trust spanning layer for the internet.