On Jan 14, 2025, at 14:43, Soni "It/Its" L. <fakedme+i...@gmail.com> wrote:

> we really wanna be able to use ipsec in end-user applications...
If you look at my Opportunistic IPsec presentations (pdf and videos available), you will see an on-demand system triggered by DNS lookups in the resolver. Thus an application looking up a DNS name can cause IPsec tunnels to be established. Key material is provided in DNS as well.

Applications usually only have flows, not their own IP addresses, so your term "to use in an application" needs some clarification. The above assumes a "this app wants to talk to X, if possible over IPsec" style request. Giving apps permission to throw key material around can be dangerous, as the resulting tunnels apply to all applications talking to the same remote IP addresses.

Additionally, if you are behind NAT, there are other concerns, such as being on RFC1918 space: a remote server will have a hard time talking to two applications on the same IP behind different NATs. That is why libreswan has support for opportunistic IPsec using a NAT within the IPsec subsystem to give all clients a unique IP from the server's view (which it hands out from its own address pool). The apps are not aware of this IP.

Paul
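As an added illustration of the "key material is provided in DNS" part of Paul's message (this is example code, not code from the original thread or from libreswan), the following parses the wire-format RDATA of an IPSECKEY record into its presentation form and picks the lowest-precedence record that actually carries a key, which is what an on-demand resolver would do before setting up a tunnel. It assumes the DNS key material in question is the IPSECKEY RR as defined in RFC 4025 (precedence, gateway type, algorithm, gateway, public key); the record bytes and the public-key blob are constructed here for the example and are not real keys.

```python
import base64
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPSECKEY:
    """One IPSECKEY RR (RFC 4025) in parsed form."""
    precedence: int      # lower is preferred
    gateway_type: int    # 0 none, 1 IPv4, 2 IPv6, 3 domain name
    algorithm: int       # 0 no key, 1 DSA, 2 RSA (RFC 8005 adds 3 ECDSA)
    gateway: str         # "." when gateway_type is 0
    public_key: bytes    # raw key blob, empty when algorithm is 0

    def presentation(self) -> str:
        """RFC 4025 presentation format: prec gw-type alg gateway base64-key."""
        key = base64.b64encode(self.public_key).decode("ascii") if self.public_key else ""
        return f"{self.precedence} {self.gateway_type} {self.algorithm} {self.gateway} {key}".rstrip()


def _read_uncompressed_name(data: bytes, off: int):
    """Read a wire-format domain name; RFC 4025 forbids compression pointers here."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated gateway name")
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in IPSECKEY gateway")
        if off + n > len(data):
            raise ValueError("truncated gateway label")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_ipseckey(rdata: bytes) -> IPSECKEY:
    """Parse IPSECKEY RDATA, rejecting records whose fields contradict each other."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the fixed 3-byte header")
    prec, gtype, alg = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gtype == 0:
        gateway = "."
    elif gtype == 1:
        if len(rdata) < off + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[off:off + 4]))
        off += 4
    elif gtype == 2:
        if len(rdata) < off + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[off:off + 16]))
        off += 16
    elif gtype == 3:
        gateway, off = _read_uncompressed_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gtype}")
    key = rdata[off:]
    # Algorithm 0 means "no key present"; any other algorithm must carry one.
    if alg == 0 and key:
        raise ValueError("algorithm 0 but key bytes present")
    if alg != 0 and not key:
        raise ValueError(f"algorithm {alg} but no key bytes")
    return IPSECKEY(prec, gtype, alg, gateway, key)


def preferred_record(records: List[IPSECKEY]) -> Optional[IPSECKEY]:
    """Lowest-precedence record that carries a key; None if no usable record."""
    usable = [r for r in records if r.algorithm != 0]
    return min(usable, key=lambda r: r.precedence) if usable else None


# Constructed sample records (not real keys, not real hosts).
FAKE_KEY = b"\x01\x03\x51\x53\x79\x86\xed\x35"
RDATA_IPV4 = bytes([10, 1, 2]) + bytes([192, 0, 2, 38]) + FAKE_KEY
RDATA_NAME = bytes([20, 3, 2]) + b"\x02gw\x07example\x03com\x00" + FAKE_KEY
RDATA_NOKEY = bytes([1, 0, 0])          # precedence 1 but no key: must be skipped

if __name__ == "__main__":
    recs = [parse_ipseckey(r) for r in (RDATA_IPV4, RDATA_NAME, RDATA_NOKEY)]
    for r in recs:
        print(r.presentation())
    print("preferred:", preferred_record(recs).presentation())
```

The precedence check matters for the "throwing key material around" concern in the message above: a resolver that blindly honoured the first record it saw, including one with no key, would never get a tunnel up, and one that ignored precedence would let a lower-priority record steer the flow to a different gateway.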