Open source • Python • AIS NMEA 0183

AISMixer — AIS NMEA 0183 stream processor and routing engine

Normalize · Deduplicate · Tag · Route · Forward

AISMixer processes AIS NMEA 0183 streams with UDP and UDPSEC ingress, multipart assembly, TAG handling, deduplication, logical routing, and targeted UDP forwarding.

Implemented today

  • UDP IPv4/IPv6 and authenticated UDPSEC ingress.
  • !AIVDM / !AIVDO extraction and multipart assembly.
  • NMEA TAG s/c/g handling.
  • Legacy broadcast mode and logical routing mode.
  • Opt-in local runtime control with aismixerctl.

Current capabilities

Ingress and parsing

Accepts plain UDP and authenticated encrypted UDPSEC through nmea_sproxy. Extracts AIVDM/AIVDO sentences from realistic receiver input.

Multipart and TAG handling

Assembles multipart messages with NMEA fragment fields and ingress assembler identity. TAG s/c/g metadata is handled separately from routing identity.

Deduplication and forwarding

Legacy mode keeps global deduplication and broadcast forwarding. Routing mode applies target-scoped deduplication and forwards to named UDP egress targets.

Logical routing

Uses internal source_id and target_id identities, named UDP targets, and logical zones with include, union, intersection, and difference.

Runtime control

Supports immutable routing snapshots, process-local generations, routing.status, routing.replace, routing.disable, a versioned JSON protocol, POSIX Unix-domain NDJSON transport, and aismixerctl.

UDPSEC station transport

UDPSEC authenticates stations and the server with ECDSA and protects session traffic with AES-GCM. It is AISMixer's project transport, not an external standard.

Data-plane architecture

transport ingress IngressEvent snapshot capture source_id match NMEA + ingress TAG multipart assembly deduplication outbound TAG UDP egress

The data plane captures one immutable routing snapshot per IngressEvent and matches source_id once for that event. A concurrent control update affects subsequent events, not the event already being processed.

Legacy mode uses global deduplication and broadcast forwarding. Routing mode uses target-scoped deduplication and named UDP targets.

Routing model

Source identity

source_id is an internal routing identity. It is distinct from the emitted NMEA TAG s value.

Logical zones

Logical zones are sets of source IDs. They are not geographic regions, MMSI filters, vessel filters, or payload-aware rules.

Targets

Named UDP forwarders create target_id values. UDP is the only implemented egress adapter today.

routing:
  zones:
    trusted:
      include:
        - udp:roof
        - udpsec:boat_ais
  routes:
    - name: trusted_to_public
      from_zone: trusted
      to: [udp:aishub]

Control plane

The runtime control plane is implemented but opt-in. Enabling control.unix starts a POSIX Unix-domain NDJSON socket for local control requests.

  • routing.status, routing.replace, and routing.disable are implemented.
  • expected_generation protects against stale updates.
  • Routing state and generations are process-local and non-persistent.
  • Filesystem permissions on the socket are the authorization boundary.
  • There are no application-level control tokens.

UDPSEC and nmea_sproxy

Station-to-mixer transport

nmea_sproxy maps one local UDP input to one secure AISMixer input. UDPSEC provides authenticated encrypted transport between that station and AISMixer.

Authentication and liveness

ECDSA is used for station/server authentication, AES-GCM protects session traffic, and encrypted ping/pong helps maintain liveness and NAT/CGNAT mappings.

Boundaries

UDP remains lossy. Transport authenticity does not prove the semantic truth of AIS payloads.

Read the nmea_sproxy guide and the UDPSEC Wiki page.

Maritime security positioning

AISMixer can supply normalized, source-aware AIS streams to maritime security and maritime-domain-awareness data pipelines. Spoof and anomaly detection is a priority planned research capability, but AISMixer does not currently produce an operational maritime picture or perform spoof detection.

Limitations and roadmap

Current limits

  • UDP-only egress.
  • Process-local, non-persistent runtime routing.
  • POSIX-only Unix control transport.
  • No multiprocessing coordinator or IPC.
  • No automatic config reload.
  • No geographic or payload-aware filtering.
  • No spoof detection, long-term storage, or analytics.

Priority themes

  • Installer and systemd control-socket hardening.
  • Globally installed aismixerctl.
  • Coordinator plus ingress and egress workers.
  • Routing-state operations and observability.
  • Maritime security and feed-quality research.

See the project roadmap for the maintained development track.

Project documentation