On Thu, 16 Jan 2025 10:54:50 -0300 "Soni \"It/Its\" L." <fakedme+free...@gmail.com> wrote:
> we would like to propose an experiment where we treat ipsec as an
> address family, similar to tcp/ip or tcp/ipv6 but with tcp/ipsec instead.
>
> traditionally, ipsec is something the sysadmin configures between
> systems. well, nowadays we use wg because the configuration flow is
> basically the same. so ipsec as a vpn is conceptually very outdated.
>
> this experiment basically involves adding ipsec as a first-class address
> family, including AF_IPSEC and sockaddr_ipsec. also, there's not much
> point trying to support ipv4 since ipsec (in)famously doesn't work over
> ipv4 due to NAT (but we can still discuss AF_IPSEC_LEGACY if there's
> enough interest).
>
> the purpose of the experiment would be to see if such a thing is at all
> viable, and whether or not it has the consequence of protecting an
> application endpoint against traditional forms of network scanning. (in
> particular, our hope is that someone at an internet exchange would be
> able to see the routing address (IPv6), but not the keys necessary to
> actually initiate a connection to the service. this should raise the
> cost of attacks that rely on such simple scanning techniques.)
>
> we have also briefly discussed the experiment on the ipsec IETF mailing
> list.
>
> would anyone be interested in such an experiment?

Could you provide a technical overview, both from the API and the packet format side, at least briefly?

-- 
WBR, @nuclight