Date: Thu, 16 Jan 2025 10:54:50 -0300
From: "Soni \"It/Its\" L." <fakedme+freebsd@gmail.com>
To: freebsd-net@freebsd.org
Subject: ipsec as an address family
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

we would like to propose an experiment where we treat ipsec as an address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.

traditionally, ipsec is something the sysadmin configures between systems. well, nowadays we use wg because the configuration flow is basically the same. so ipsec as a vpn is conceptually very outdated.

this experiment basically involves adding ipsec as a first-class address family, including AF_IPSEC and sockaddr_ipsec. also, there's not much point trying to support ipv4 since ipsec (in)famously doesn't work over ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's enough interest).

the purpose of the experiment would be to see if such a thing is at all viable, and whether or not it has the consequence of protecting an application endpoint against traditional forms of network scanning. (in particular, our hope is that someone at an internet exchange would be able to see the routing address (IPv6), but not the keys necessary to actually initiate a connection to the service. this should raise the cost of attacks that rely on such simple scanning techniques.)

we have also briefly discussed the experiment on the ipsec IETF mailing list.

would anyone be interested in such an experiment?