--- /dev/null
+@node UsecaseF2F
+@section Private, isolated MitM/Sybil-resistant networks
+
+All Internet connections can be eavesdropped and forged. You
+@strong{have to} to use encryption and authentication for securing them.
+But it is very hard to secure metadata, that leaks during each online
+session. When you start your shiny new software server be sure that
+there could be huge quantity of bogus peers trying to perform
+@url{https://en.wikipedia.org/wiki/Sybil_attack, Sybil attack}. Opennet
+peer-to-peer networking is dangerous thing to do.
+
+The most popular cryptographic protocol in Internet is
+@url{https://en.wikipedia.org/wiki/Transport_Layer_Security, TLS} that
+is very hard to implement correctly and hard to configure for mutual
+participants authentication. Not all TLS configurations and related
+protocols provide @url{https://en.wikipedia.org/wiki/Forward_secrecy,
+forward secrecy} property -- all previously intercepted packets could be
+read if private keys are compromised.
+
+Friend-to-friend networks, darknets can mitigate risks related to fake
+and forged nodes. However they are harder to support and require more
+time to be done right.
+
+NNCP's @ref{nncp-daemon, TCP daemon} uses
+@url{http://noiseprotocol.org/, Noise-IK} protocol to mutually
+authenticate peers and provide effective (both participants send payload
+in the very first packet) secure transport with forward secrecy
+property.
+
+@example
+$ nncp-daemon -bind "[::]":5400
+@end example
+
+will start TCP daemon listening on all interfaces for incoming
+connections.
+
+@example
+$ nncp-call bob
+@end example
+
+will try to connect to @emph{bob}'s node known TCP addresses (taken from
+configuration file) and send all related outbound packets and retrieve
+those the Bob has. All interrupted transfers will be automatically
+resumed.
+
+Ability to do @ref{MCD, multicast nodes discovery} of participant in
+IPv6 networks allows complete ignorance of network addresses specifying.