Date: Thu, 16 Jan 2025 10:54:50 -0300
From: "Soni \"It/Its\" L." <fakedme+freebsd@gmail.com>
To: freebsd-net@freebsd.org
Subject: ipsec as an address family
Message-ID: <aac3846a-ccfa-41bd-a7e1-4ee940f3c095@gmail.com>
we would like to propose an experiment where we treat ipsec as an address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.

traditionally, ipsec is something the sysadmin configures between systems. well, nowadays we use wg because the configuration flow is basically the same. so ipsec as a vpn is conceptually very outdated.

this experiment basically involves adding ipsec as a first-class address family, including AF_IPSEC and sockaddr_ipsec. also, there's not much point trying to support ipv4 since ipsec (in)famously doesn't work over ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's enough interest).

the purpose of the experiment would be to see if such a thing is at all viable, and whether or not it has the consequence of protecting an application endpoint against traditional forms of network scanning. (in particular, our hope is that someone at an internet exchange would be able to see the routing address (IPv6), but not the keys necessary to actually initiate a connection to the service. this should raise the cost of attacks that rely on such simple scanning techniques.)

we have also briefly discussed the experiment on the ipsec IETF mailing list.

would anyone be interested in such an experiment?