Figure A2 — Home Base Tunnel
The single outbound network gateway at address 0xFF000000. All CTMM network connectivity flows through this one tunnel. The IDE provisions the tunnel with optional programmer-defined backup addresses (Word 2/3). No software can bypass, redirect, or create additional outbound paths.
CTMM
Local machine
Abstraction A
holds Outform GT (F-bit set)
Abstraction B
holds Outform GT (F-bit set)
Abstraction C
local only (no F-bit)
Home Base Tunnel
0xFF000000
Abstract GT
single outbound gateway
ALL traffic
IDE
Provisioning authority
W0: 0xFF000000 (primary)
W2: backup IDE addr 1
W3: backup IDE addr 2
REMOTE NETWORK
Remote Namespace 1
accessed via Outform GT from A
Remote Namespace 2
accessed via Outform GT from B
Remote services are
structurally scoped by
GT provisioning
No bypass path exists
SECURITY PROPERTIES
✗ No second outbound path
— ALL network traffic goes through 0xFF000000. Software cannot create alternative routes.
✗ No address forgery
— Abstract GT addresses are hardware-routed. Software cannot redirect tunnel traffic.
TUNNEL WORD FORMAT
Word 0 (primary): 0xFF000000 — hardwired sentinel, always the Home Base IDE
Word 1 (seals): version(7) | seal(25) — MAC integrity check
Word 2 (backup 1): programmer-defined IDE address
Word 3 (backup 2): programmer-defined IDE address
Backup addresses allow fault-tolerant IDE connectivity. Primary always routes to 0xFF000000.