we would like to propose an experiment where we treat ipsec as an
address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.
traditionally, ipsec is something the sysadmin configures between
systems. well, nowadays we use wg because the configuration flow is
basically the same. so ipsec as a vpn is conceptually very outdated.
this experiment basically involves adding ipsec as a first-class address
family, including AF_IPSEC and sockaddr_ipsec. also, there's not much
point trying to support ipv4 since ipsec (in)famously doesn't work over
ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's
enough interest).
the purpose of the experiment would be to see if such a thing is at all
viable, and whether or not it has the consequence of protecting an
application endpoint against traditional forms of network scanning. (in
particular, our hope is that someone at an internet exchange would be
able to see the routing address (IPv6), but not the keys necessary to
actually initiate a connection to the service. this should raise the
cost of attacks that rely on such simple scanning techniques.)
we have also briefly discussed the experiment on the ipsec IETF mailing
list.
would anyone be interested in such an experiment?