CDXE

– Cyber Defence Exercise Environment –

CDXE is an all-in-one, internet-like environment carefully designed to meet the requirements of smaller-scale Cyber Defence Exercises (CDX). The focus is on easy environment setup, live environment modifications, and low resource usage.

Preparing a CDX takes a lot of time and resources, especially if you want to make a realistic exercise environment. The goal of CDXE is to make it a lot easier for you to set up and configure the internet part of your exercise environment. This includes internet routers, routing, root name servers, and much more. CDXE is deployed as a single statically compiled binary. You can either connect your local environment(s) statically or peer with CDXE using BGP. Both IPv4 and IPv6 are supported.

Features

Easy configuration

Below is a simple example of two organizations, each with one ASN and one router. These two routers are then peered. An illustration of the routers and the peering is shown on the map.

Organizations can have more than one ASN and can be allocated more IP addresses, domain names, and routers. If more than one router is operating within the same ASN, CDXE automatically configures intra-AS routing.

name Example CDX              # Exercise name
port 2870                     # UDP Port used for accessing the network via wireguard
wg (hidden)                   # Server's private key for wireguard

organization kryptogram       # an organization
  name Kryptogram AB          # organization name
  asn 64496                   # allocate an ASN to the organization
    ip 192.0.2.0/24           # allocate IP networks to organization and ASN
      rdns 192.0.2.53         # IP block's RDNS
      rdns 2001:db8:fbf0::53  # IP block's RDNS
    end
    ip 2001:db8:fbf0::/48     # allocate IP networks to organization and ASN
      rdns 192.0.2.53         # IP block's RDNS
      rdns 2001:db8:fbf0::53  # IP block's RDNS
    end
  end
  router mmx                  # a router
    asn 64496                 # operating ASN 64496
    geo 55.60641 13.00048     # virtual geo location of router
    ipv4 192.0.2.1            # router IPv4 address
    ipv6 2001:db8:fbf0::1     # router IPv6 address
    endpoint client           # a client connected to router
      ip 192.0.2.2/32         # client's IP addresses
      ip 2001:db8:fbf0::2/128 # client's IP addresses
      wg weMP0gb4JeW...       # client's public wireguard key
    end
  end
  domain kryptogram.se        # allocate a domain name to the organization
    ns 192.0.2.53             # with name servers
    ns 2001:db8:fbf0::53      # with name servers
  end
end

organization acme             # another organization
  name Acme Inc               # organization name
  asn 64511                   # allocate an ASN to the organization
    ip 198.51.100.0/24        # allocate IP networks to organization and ASN
    end
    ip 2001:db8:fbff::/48     # allocate IP networks to organization and ASN
    end
  end
  router office               # a router
    asn 64511                 # operating ASN 64511
    geo 55.70285 13.19286     # virtual geo location of router
  end                         # router's IP addresses are automatically allocated
end

// peer the two defined ASNs between the two existing routers
peer kryptogram.mmx acme.office
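
A pre-flight check for a file in this format, as an added example (not CDXE's own code): it confirms that every router and endpoint address falls inside a prefix allocated to the router's ASN, and that each peer statement names a defined router. The block grammar is inferred only from the example above; the check function, the OPENERS table and the SAMPLE text are constructed for illustration.

```python
import ipaddress

# Keyword -> parent block in which it opens a nested block (inferred from the page's example).
OPENERS = {"organization": "", "asn": "organization", "ip": "asn",
           "router": "organization", "endpoint": "router", "domain": "organization"}

# Constructed sample in the page's syntax, with two deliberate mistakes.
SAMPLE = """\
organization kryptogram
  asn 64496
    ip 192.0.2.0/24
    end
  end
  router mmx
    asn 64496
    ipv4 192.0.2.1
    endpoint client
      ip 198.51.100.7/32   # outside the allocation above
    end
  end
end
peer kryptogram.mmx acme.office   // acme.office is never defined
"""

def check(text):
    """List addresses outside their router's ASN allocation and peers naming unknown routers."""
    stack, alloc, router_asn, used, peers, problems = [], {}, {}, [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        kw, *args = raw.split("#")[0].split("//")[0].split() or [""]
        parent = stack[-1][0] if stack else ""
        key = ".".join(name for _, name in stack[:2])  # "org.router" inside a router
        if kw == "end":
            stack = stack[:-1]
        elif OPENERS.get(kw) == parent:
            if kw == "ip":  # prefix allocated to the enclosing ASN
                alloc.setdefault(stack[-1][1], []).append(ipaddress.ip_network(args[0]))
            if kw == "router":
                router_asn[f"{key}.{args[0]}"] = None
            stack.append((kw, args[0]))
        elif parent == "router" and kw == "asn":
            router_asn[key] = args[0]
        elif parent in ("router", "endpoint") and kw in ("ipv4", "ipv6", "ip"):
            used.append((n, key, args[0]))
        elif kw == "peer" and not stack:
            peers += [(n, r) for r in args]
    for n, key, value in used:  # checked last: 'asn' may follow the addresses
        addr, asn = ipaddress.ip_interface(value).ip, router_asn[key]
        if not any(addr in net for net in alloc.get(asn, [])):
            problems.append(f"line {n}: {value} outside AS{asn} allocation")
    return problems + [f"line {n}: undefined peer {r}" for n, r in peers if r not in router_asn]
```

Routers without explicit addresses, such as acme.office in the page's example, pass this check because their addresses are allocated automatically.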

Live modifications

The exercise environment can be changed live while running. Components such as routers, ASNs, and peerings can be added and removed on the fly, enabling you to simulate network failures, partitions, and much more.

Roadmap and release plan

First public release

The first public release of the project is planned for the beginning of 2026. The license is yet to be decided, but we are aiming for an open source license.

Configuration file format
Resource allocations (ASN, IPv4, IPv6, domain names, …)
Peering
CDXE Core Network
Routers
Peering
Dynamic routing (logically BGP-compatible)
Live reconfiguration of the CDXE network
Access to the CDXE network via wireguard-tunnels
Enable external ASNs to peer with CDXE internal ASNs over BGP
Backend for WASM services
Root-DNS servers (WASM service)
Recursive DNS servers (WASM service)
NTP servers (WASM service)
Improve configuration shell
User documentation

Later

Network packet-loss, delays, rate-limiting, and filters
PCAP captures
Mirror of package repositories (WASM service)
WHOIS/RDAP (WASM service)
Improve configuration experience based on feedback
Virtual devices with varying fingerprints
Background traffic generation
Realistic-looking example configuration
Tool to help generate configurations for realistic internet structures of different sizes, focused on different geographic regions
Performance optimization
And more…

Sponsors

The primary sponsor of CDXE is Kryptogram AB. We are actively looking for more sponsors; reach out if you are interested.

Acknowledgments

Map tiles by Stamen Design, under CC BY 3.0. Data by OpenStreetMap, under CC BY SA.