On 14.01.25 20:41, Soni "It/Its" L. wrote:
> we've been looking at various ipsec RFCs, mailing list discussions,
> deployments, etc, and the protocol looks very neat, this "transport
> mode" stuff looks really useful, but we see no way for an app to use it.
>
> we would like to propose a small experiment which we would call "ipsec
> address families". rather than using ipv4 or ipv6 address families and
> letting the os quietly use ipsec but only if configured by the admin,
> the application would open a socket explicitly for ipsec, either on ipv4
> or ipv6, and then give it public key material (for connect) or private
> key material (for listen) and then the application can enforce ipsec
> instead.
>
> we don't propose any further changes to any other apis, for now. these
> changes would only impact calls to socket, bind, and connect. depending
> on how this goes, we can then discuss the implications for other parts
> of the network stack.
>
> thoughts? would anyone be interested in this idea? we really wanna be
> able to use ipsec in end-user applications...
FWIW, Android's IpSecManager API [1] works kinda like that (protecting individual sockets via a transport mode IPsec SA). It does not include IKE, so the key exchange and transform negotiation etc. is up to the application.

Regards,
Tobias

[1] https://developer.android.com/reference/android/net/IpSecManager
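To make the comparison concrete, here is an added example (not from either poster, and not Android's own sample code) of what "protecting an individual socket via a transport mode IPsec SA" looks like with IpSecManager: one SA per direction is attached to a single TCP socket, and because there is no IKE the application must have agreed the SPIs and keys with the peer beforehand. It assumes API level 28+, a `Context`, and a hypothetical out-of-band channel for exchanging the inbound SPI; the key bytes are placeholders.

```java
import android.content.Context;
import android.net.IpSecAlgorithm;
import android.net.IpSecManager;
import android.net.IpSecTransform;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;

public final class PerSocketIpsec {
    // AES-GCM key material for IpSecAlgorithm is the AES key followed by a 4-byte salt
    // (16 + 4 = 20 bytes for AES-128). PLACEHOLDER zeros: a real application fills these
    // with whatever its own key exchange produced, since IpSecManager does no IKE.
    static final byte[] KEY_OUT = new byte[20];
    static final byte[] KEY_IN  = new byte[20];

    /** Protects traffic on {@code sock} in both directions with ESP in transport mode. */
    static void protect(Context ctx, Socket sock, InetAddress local, InetAddress remote)
            throws IOException, IpSecManager.ResourceUnavailableException,
                   IpSecManager.SpiUnavailableException {
        IpSecManager ipsec = ctx.getSystemService(IpSecManager.class);

        // An SPI is allocated against the destination of the protected traffic.
        // Outbound: destination is the peer. Inbound: destination is us.
        IpSecManager.SecurityParameterIndex spiOut = ipsec.allocateSecurityParameterIndex(remote);
        IpSecManager.SecurityParameterIndex spiIn  = ipsec.allocateSecurityParameterIndex(local);

        // The peer must use spiIn.getSpi() on packets it sends to us; the application has to
        // tell it that value over its own (assumed) signalling channel before traffic flows.
        int inboundSpiToShareWithPeer = spiIn.getSpi();

        // AEAD transform (AES-GCM, 128-bit ICV), so no separate setAuthentication() call.
        // The transform is built with the *source* of the traffic it protects.
        IpSecTransform out = new IpSecTransform.Builder(ctx)
                .setAuthenticatedEncryption(
                        new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, KEY_OUT, 128))
                .buildTransportModeTransform(local, spiOut);
        IpSecTransform in = new IpSecTransform.Builder(ctx)
                .setAuthenticatedEncryption(
                        new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, KEY_IN, 128))
                .buildTransportModeTransform(remote, spiIn);

        // Per-socket policy: outbound segments leave ESP-encapsulated and inbound segments
        // must match the inbound SA. This is the application-enforced IPsec the proposal
        // asks for, without any system-wide admin configuration.
        ipsec.applyTransportModeTransform(sock, IpSecManager.DIRECTION_OUT, out);
        ipsec.applyTransportModeTransform(sock, IpSecManager.DIRECTION_IN, in);
        // Keep spiOut/spiIn/out/in referenced for the socket's lifetime; they are
        // AutoCloseable and closing them tears the SAs down.
    }
}
```

What the snippet does not do is exactly what the reply points out is missing: choosing algorithms, agreeing keys, and rekeying all have to be built by the application on top of this.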