Re: ipsec as an address family

On Thu, 16 Jan 2025 10:54:50 -0300
"Soni \"It/Its\" L." <fakedme+freebsd@gmail.com> wrote:

> we would like to propose an experiment where we treat ipsec as an 
> address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.
> 
> traditionally, ipsec is something the sysadmin configures between 
> systems. well, nowadays we use wg because the configuration flow is 
> basically the same. so ipsec as a vpn is conceptually very outdated.
> 
> this experiment basically involves adding ipsec as a first-class address 
> family, including AF_IPSEC and sockaddr_ipsec. also, there's not much 
> point trying to support ipv4 since ipsec (in)famously doesn't work over 
> ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's 
> enough interest).
> 
> the purpose of the experiment would be to see if such thing is at all 
> viable, and whether or not it has the consequence of protecting an 
> application endpoint against traditional forms of network scanning. (in 
> particular, our hope is that someone at an internet exchange would be 
> able to see the routing address (IPv6), but not the keys necessary to 
> actually initiate a connection to the service. this should raise the 
> cost of attacks that rely on such simple scanning techniques.)
> 
> we have also briefly discussed the experiment on the ipsec IETF mailing 
> list.
> 
> would anyone be interested in such an experiment?

Could you provide technical overview, both from API and packet format side, at
least briefly?

-- 
WBR, @nuclight