Skip to content

Networking Layer

LoomCache handles inter-node communication and client-server traffic through a TCP layer that pairs blocking java.net sockets with one virtual thread per accepted connection. This page covers the binary wire protocol, thread-pool isolation, backpressure, and transport security.

Rather than communicating over HTTP or REST JSON, LoomCache uses a custom versioned binary protocol.

Wire Protocol Pipelining

Compact binary (Kryo) serialization with batched pipelining over persistent TCP connections.

CLIENT
OP
BIN
OP
BIN
OP
BIN
OP
BIN
SERVER
  1. Framing: Every packet carries a versioned binary frame that declares the payload size and format, so the receiver never scans ahead to find message boundaries.
  2. Kryo 5.6.2 Serialization: Map entries and keys are serialized with Kryo’s binary format, using object pooling to minimize GC pressure.
  3. Pipelining: Multiple commands can be in flight on the same connection with Pipelining.withDepth(int), which reduces round-trip latency. Multi-operation LoomBatch requests are a separate protocol feature capped by the configured batchMaxOperations limit.

The protocol groups messages into the following categories:

CategoryExamples
Data operationsMap, queue, set, and topic commands
Raft consensusAppendEntries, voting, pre-vote, snapshot install, and leadership-transfer messages
Cluster managementJoin/leave, health probes, routing-table refresh, and controlled partition-migration commands
Consistency subsystemAtomic long reads/CAS, lock acquire, and semaphore acquire (Java client lock/semaphore calls carry a managed CP session; sessionless production requests fail closed)
Client controlAuthentication, near-cache subscription, batch execution, and SQL query requests
WAN / executorWAN replication control/data messages and executor dispatch (production route is enabled but deny-all by default until task classes are explicitly allowlisted)
ResponsesSuccess, typed errors, redirects, server-busy backpressure, and sequence-loss notifications

LoomCache isolates networking work in three ways:

  • TCP listener — One virtual thread per connection. It blocks freely on I/O; the JVM unmounts the carrier thread automatically.
  • Command execution pool — A dedicated pool for state-machine operations. It prevents slow clients from backing up consensus.
  • Backpressure control — Watermark-based flow control over each peer’s outbound send queue. When a peer’s queue depth crosses the high watermark, further send-slot reservations for that peer are refused (no slot is granted) rather than messages being silently dropped.

Each connection is tracked with the negotiated TLS identity (derived from the certificate CN), the resolved permission set, and per-connection request counters. The TCP listener rejects connections that exceed the bounded per-client-IP limit with a too-many-connections error.

LoomCache implements watermark-based backpressure over each peer’s outbound send queue:

Peer queue depthBehavior
At or below low watermarkBackpressure clears; send slots granted normally
Between watermarksSends continue; queue depth tracked per peer
At or above high watermarkPeer flagged inBackpressure; new send-slot reservations refused until the queue drains back to the low watermark

This prevents a slow or overwhelmed peer from monopolizing outbound capacity and starving Raft replication. Admission-time backpressure is raised separately by server-side idempotency handling and by the client request path.

Production deployments should authenticate and encrypt internal traffic. LoomCache supports Mutual TLS (mTLS) for inter-node communication. Each node validates the identity of its peers before participating in Raft elections or accepting writes.

  • TLSv1.3 and TLSv1.2 in the default protocol list; production deployments may pin TLSv1.3 only after every client and node runtime has been validated for it
  • PKCS12 keystores for identity and trust
  • Per-connection TLS handshake through the configured socket provider
  • Client connections support optional mTLS outside production; production startup requires client mTLS (requireClientAuth=true)

For keystore setup and production TLS requirements, see Security & mTLS.

LoomCache is an independent open-source project. It is not affiliated with, endorsed by, or sponsored by Hazelcast, Inc. or by any other company whose products are named in this documentation. “Hazelcast” is a trademark of Hazelcast, Inc.; references to it are nominative and describe only migration and comparison. All other product and company names are trademarks of their respective owners and are used for identification purposes only.