Pure-OCaml CCSDS Stack Borealis Goes Live in Low Earth Orbit
Parsimoni’s Borealis daemon, a pure-OCaml implementation of the CCSDS protocol family, booted in low Earth orbit on 23 April 2026 aboard DPhi Space’s ClusterGate-2 hosted payload. The stack handles every layer from radio framing through Bundle Protocol v7, with BPSec wrapping each bundle in encryption and authentication extension blocks. Because the satellite has no external network link—commands and telemetry flow as opaque files through DPhi’s filesystem-based uplink/downlink—Borealis treats the host pipeline as a delay-tolerant network, leaving nothing in the routing path able to read, forge, or substitute payloads.
The choice of a memory-safe ML language is a direct response to multi-tenant risk on shared spacecraft buses. Container isolation on a shared Linux kernel has been broken repeatedly (Dirty Pipe, Dirty Frag, Fragnesia, the April “Copy Fail” LPE), and in-orbit kernel patching is impractical, so the cryptographic envelope around each bundle becomes the durable trust boundary. Borealis also implements OTAR rekeying for ML-DSA-65 post-quantum signing keys, which Parsimoni claims will be the first public in-orbit demonstration of post-quantum over-the-air rekey—aligning with NASA-STD-1006A’s treatment of PQ command authentication as mandatory for 10–15 year missions.
Limitations are stated plainly: the master key is installed pre-launch and cannot be rotated, since the payload module lacks a TPM or secure element (radiation-tolerant secure hardware remains unsolved). Looking forward, the team plans to migrate hot-path CCSDS dispatch onto Jane Street’s OxCaml branch, using its locality and uniqueness modes to keep packet routing stack-allocated, GC-free, and statically race-free—work seeded in the EU ORCHIDE Horizon Europe project that spawned Parsimoni out of Tarides.
This is an AI-generated summary.