Ok, so QUIC or some other common layer 4/4+5 'Modern TCP over UDP for network compatibility' solution.
Lets just throw away the concept of 'addresses' for authentication and actually use a cryptographic authentication identifier of somekind, combined with some mux iteration ID.
This seems really complicated. Is ZeroTier closer to an cjdns- / i2p-style system, or is it closer to CurveCP/MinimaLT/QUIC? (QUIC being the odd one out of the trio as it grafts on some awful HTTP semantics, but that's Google for you.)
There are a number of statements like "QUIC is functionally equivalent to TCP+TLS+HTTP/2" in the "QUIC wire specification" and other documents, and this agrees with what I remember seeing in the source in the Chromium repo when I last looked.
I've not read about the IETF version; I'll look into it.
I haven't been following QUIC very closely, but from what I understand, they have put in a proper abstraction between the TCP+TLS part and the HTTP part. While the mapping of how to use HTTP over QUIC is still part of the spec, as I understand it, there shouldn't be any major problems mapping other protocols onto it.
Drop the idea of ports too. Every program gets its own IP
Mentioning ideas like that at work get queer looks about how it'd be impossible to configure a firewall at that point
But keep going further. End up with 128 bit CPU where every byte is IP addressable. Necessary security to block random outsiders from reading your memory, but capable of potentially running various parts remotely transparently
With NAT, this has essentially already happened. You could say IPv4 is actually 48-bit addressing, at least on the client side. For all useful purposes, NAT expanded every /24 or even /32 subnet by an extra 16 bits, which is the real reason we still haven't run out of IPv4 addresses.
That could be extended to the server side if we used something like SRV records instead of defaulting to port 80/443.
On another note, I have long wished for something like specifying protocol port numbers in a DNS record. Ever since I ran my first ircd on a shared hosting server, and continuing to today with multiple httpds (nginx, znc, etc) and ircds (ZNC, bitlbee) and such on a single IP.
Not for any technical reasons, though--I'm just lazy, and specifying port numbers is annoying.
Maybe it's early and I've not drank enough coffee yet, but what benefit would this provide? You'll be in effect doubling the DNS lookups needed to connect to a website adding latency to time to first byte, with seemingly zero benefit.
The main benefit would be the ability to offer public Internet-facing services through a NAT, even a carrier-grade NAT that lumps multiple ISP customers behind a single IP address. (You would need some kind of cooperation from the NAT to be able to allow incoming connections on a port range.)
JdeBP's post provides a good answer about the SRV records. The short version is a single DNS packet can contain both A/AAAA and SRV responses.
> But keep going further. End up with 128 bit CPU where every byte is IP addressable. Necessary security to block random outsiders from reading your memory, but capable of potentially running various parts remotely transparently
But that breaks the layering (where reachability is provided by l3 and transport by l4). Now existing internetwork routers cannot handle your new 144-bit address format.
The folks at IETF meetings are doing a wonderful job trying to keep existing tech working. That's why you always extend old standards and rarely deprecate anything. Just look at BGP, for example.
We, the application software programmers on layers 5 through 7 with the "move fast and break things" attitude, could not ever have designed anything like the internet and keep it running as long as our current one has been.
With IP-per-container we're pretty close to this already. systemd could launch every service on my system into it's own network namespace with a unique IPv6 address + NAT via my IPv4.
Not even IP. Source/destinations would both only be crypto identifiers. The multiplexing part is just a convenient way of expressing different data streams to simpler protocols for QoS and other activities.
That does imply that there should be a way (possibly host to host, possibly build in to some kind of service resolution system) of looking up a 'name entry' and 'service type'.
> how it'd be impossible to configure a firewall at that point
Why is that? Wouldn't those addresses be hierarchical?
Mobile addresses for applications would make the usual case of "hey, you migrate service X to that other switch, and nothing works anymore" basically disappear.
Because of the myriad of firewalls and routers that don't understand IP protocols that isn't TCP or UDP. IPsec tunnels were commonly encapsulated in UDP packets for this very reason because its safer to assume that at least one device alobg the way won't understand protocol 50.
Multipath tcp isn't really a new protocol as much as it is an extension to tcp and wouldn't offer the benefits that UDP would as it is still constrained by (and benefiting from) the design goals of tcp.
Lets just throw away the concept of 'addresses' for authentication and actually use a cryptographic authentication identifier of somekind, combined with some mux iteration ID.