On 2025-01-16 16:57, Vadim Goncharov wrote:
Could you provide a technical overview, both from the API and the packet format side, at
least briefly?


Packet format is just regular IPsec; there are no protocol changes required!

API... we're currently thinking the sockaddr_ipsec struct would take a key (appropriate for the task, e.g. a public key for connect, a private key for bind). We're however not so certain about the private key part, but at least for connecting, it makes sense to just take the public key of the target. Ideally we would also be able to request just authentication, just encryption, or both, though we're not entirely sure how the API should look (authentication-only is the most useful to us, as we're just trying to prevent port scanning, and most modern protocols (TLS, SSH, the Minecraft server protocol, etc.) provide their own encryption anyway).

It's not unusual to have an asymmetry between connect and bind; as an example, port 0 is reserved for connect but lets the OS pick a port for bind.