Re: ipsec as an address family

From: Soni "It/Its" L. <fakedme+freebsd_at_gmail.com>
Date: Thu, 16 Jan 2025 20:31:01 UTC

On 2025-01-16 16:57, Vadim Goncharov wrote:
> Could you provide a technical overview, both from API and packet format side, at
> least briefly?
>

packet format is just regular ipsec, there are no protocol changes required!

API... we're currently thinking the sockaddr_ipsec struct would take a 
key (appropriate for the task, e.g. public key for connect, private key 
for bind). we're however not so certain about the private key part, but 
at least for connecting, it makes sense to just take the public key of 
the target. ideally we would also be able to request just 
authentication, just encryption, or both, tho we're not entirely sure 
how the API should look (authentication-only is the most useful to us, 
as we're just trying to prevent port scanning and most modern protocols 
(TLS, SSH, minecraft server protocol, etc) provide their own encryption 
anyway).

it's not unusual to have an asymmetry between connect and bind; as an 
example, port 0 is reserved for connect but lets the OS pick a port for 
bind.