Date: Thu, 16 Jan 2025 22:57:43 +0300
From: Vadim Goncharov <vadimnuclight@gmail.com>
To: "Soni \"It/Its\" L."
Cc: freebsd-net@freebsd.org
Subject: Re: ipsec as an address family
Message-ID: <20250116225743.3bffd39f@nuclight.lan>
X-Mailer: Claws Mail 3.19.1 (GTK+ 2.24.33; amd64-portbld-freebsd12.4)
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Thu, 16 Jan 2025 10:54:50 -0300 "Soni \"It/Its\" L." wrote:

> we would like to propose an experiment where we treat ipsec as an
> address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.
>
> traditionally, ipsec is something the sysadmin configures between
> systems. well, nowadays we use wg because the configuration flow is
> basically the same. so ipsec as a vpn is conceptually very outdated.
>
> this experiment basically involves adding ipsec as a first-class address
> family, including AF_IPSEC and sockaddr_ipsec. also, there's not much
> point trying to support ipv4 since ipsec (in)famously doesn't work over
> ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's
> enough interest).
>
> the purpose of the experiment would be to see if such a thing is at all
> viable, and whether or not it has the consequence of protecting an
> application endpoint against traditional forms of network scanning. (in
> particular, our hope is that someone at an internet exchange would be
> able to see the routing address (IPv6), but not the keys necessary to
> actually initiate a connection to the service. this should raise the
> cost of attacks that rely on such simple scanning techniques.)
>
> we have also briefly discussed the experiment on the ipsec IETF mailing
> list.
>
> would anyone be interested in such an experiment?

Could you provide a technical overview, both from the API and the packet format side, at least briefly?

--
WBR, @nuclight