Date: Thu, 16 Jan 2025 22:57:43 +0300 From: Vadim Goncharov <vadimnuclight@gmail.com> To: "Soni \"It/Its\" L." <fakedme+freebsd@gmail.com> Cc: freebsd-net@freebsd.org Subject: Re: ipsec as an address family Message-ID: <20250116225743.3bffd39f@nuclight.lan> In-Reply-To: <aac3846a-ccfa-41bd-a7e1-4ee940f3c095@gmail.com> References: <aac3846a-ccfa-41bd-a7e1-4ee940f3c095@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 16 Jan 2025 10:54:50 -0300 "Soni \"It/Its\" L." <fakedme+freebsd@gmail.com> wrote: > we would like to propose an experiment where we treat ipsec as an > address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead. > > traditionally, ipsec is something the sysadmin configures between > systems. well, nowadays we use wg because the configuration flow is > basically the same. so ipsec as a vpn is conceptually very outdated. > > this experiment basically involves adding ipsec as a first-class address > family, including AF_IPSEC and sockaddr_ipsec. also, there's not much > point trying to support ipv4 since ipsec (in)famously doesn't work over > ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's > enough interest). > > the purpose of the experiment would be to see if such thing is at all > viable, and whether or not it has the consequence of protecting an > application endpoint against traditional forms of network scanning. (in > particular, our hope is that someone at an internet exchange would be > able to see the routing address (IPv6), but not the keys necessary to > actually initiate a connection to the service. this should raise the > cost of attacks that rely on such simple scanning techniques.) > > we have also briefly discussed the experiment on the ipsec IETF mailing > list. > > would anyone be interested in such an experiment? Could you provide technical overview, both from API and packet format side, at least briefly? -- WBR, @nuclight
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250116225743.3bffd39f>