Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Jan 2025 22:57:43 +0300
From:      Vadim Goncharov <vadimnuclight@gmail.com>
To:        "Soni \"It/Its\" L." <fakedme+freebsd@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipsec as an address family
Message-ID:  <20250116225743.3bffd39f@nuclight.lan>
In-Reply-To: <aac3846a-ccfa-41bd-a7e1-4ee940f3c095@gmail.com>
References:  <aac3846a-ccfa-41bd-a7e1-4ee940f3c095@gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 16 Jan 2025 10:54:50 -0300
"Soni \"It/Its\" L." <fakedme+freebsd@gmail.com> wrote:

> we would like to propose an experiment where we treat ipsec as an 
> address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.
> 
> traditionally, ipsec is something the sysadmin configures between 
> systems. well, nowadays we use wg because the configuration flow is 
> basically the same. so ipsec as a vpn is conceptually very outdated.
> 
> this experiment basically involves adding ipsec as a first-class address 
> family, including AF_IPSEC and sockaddr_ipsec. also, there's not much 
> point trying to support ipv4 since ipsec (in)famously doesn't work over 
> ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's 
> enough interest).
> 
> the purpose of the experiment would be to see if such thing is at all 
> viable, and whether or not it has the consequence of protecting an 
> application endpoint against traditional forms of network scanning. (in 
> particular, our hope is that someone at an internet exchange would be 
> able to see the routing address (IPv6), but not the keys necessary to 
> actually initiate a connection to the service. this should raise the 
> cost of attacks that rely on such simple scanning techniques.)
> 
> we have also briefly discussed the experiment on the ipsec IETF mailing 
> list.
> 
> would anyone be interested in such an experiment?

Could you provide technical overview, both from API and packet format side, at
least briefly?

-- 
WBR, @nuclight



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250116225743.3bffd39f>