
How do you do that and still allow access from anyone without any prior configuration?



There have been several plans for deploying IPSec everywhere as an evolution of IP with different key management strategies. There needs to be a way to look up a public key for an IP address; there's more than one way to do it.


In prior configuration, the UDP client must get a certificate, which uses a three-way handshake to verify the IP address. Once a client has its certificate, it can perform transactions with simple two-way transactions.


One way could be to require signing with a TLS certificate whose hostname resolves to the source IP(s).


When NAT gets involved things get very complicated very quickly for that. For many networks and ISPs this would need to happen at the IP egress level and couldn’t happen on the end device, since the end device doesn’t even know its own IP and neither does the on-prem router.


Thank you. It's the best argument against the certificate suggestion I have read so far. It's a problem I overlooked.

Edit: If the server creates the certificate with a three-way handshake, it will use the remote IP address. So the client doesn't have to know its IP address.


How is that no prior configuration on the client side?


Clients could use the same certificate for every server, so there is only a one-time setup. Analogous to how clients need to be "configured" with an IP address, the certificate could be given to them by their internet gateway if desired.


Yeah, and in what universe could that work? I need directions.

Seems far simpler to send a physical mail to the service operator who then hardcodes the IP in the server.

Or, maybe do a handshake once and cache it for X amount of time, whatever makes sense for that service.
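Added example, not written by anyone in this thread, of the "handshake once and cache it" idea discussed above: the server answers an unvalidated UDP request with an HMAC token bound to the observed source IP (a stateless cookie in the style of SYN cookies or QUIC Retry), the client echoes it from the same address, and validated addresses are cached for a while so later exchanges are simple two-way transactions. The key handling, token layout and TTLs are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example: stateless source-address validation for a UDP service.
# A spoofed source never receives the token, so it cannot echo a valid MAC.
# Layout, key size and TTLs are assumptions of this example.

class AddressValidator:
    def __init__(self, token_ttl=30, session_ttl=600, key=None):
        self.key = key or secrets.token_bytes(32)   # server-only secret
        self.token_ttl = token_ttl                  # seconds a token is valid
        self.session_ttl = session_ttl              # seconds a validated IP is cached
        self.validated = {}                         # client_ip -> cache expiry

    def _mac(self, client_ip, expiry):
        msg = f"{client_ip}|{expiry}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def issue_token(self, client_ip, now=None):
        """Step 2 of the handshake: bind a token to the observed source IP.
        Nothing per client is stored, so floods of step 1 cost no memory."""
        now = int(now if now is not None else time.time())
        expiry = now + self.token_ttl
        return expiry.to_bytes(8, "big") + self._mac(client_ip, expiry)

    def verify_token(self, client_ip, token, now=None):
        """Step 3: the client echoes the token; accept only if the MAC matches
        the same source IP and the token has not expired, then cache the IP."""
        now = int(now if now is not None else time.time())
        if len(token) != 24:
            return False
        expiry = int.from_bytes(token[:8], "big")
        if expiry < now:
            return False
        if not hmac.compare_digest(token[8:], self._mac(client_ip, expiry)):
            return False
        self.validated[client_ip] = now + self.session_ttl
        return True

    def is_validated(self, client_ip, now=None):
        """Later two-way transactions skip the handshake while the cache is fresh."""
        now = int(now if now is not None else time.time())
        exp = self.validated.get(client_ip)
        if exp is None:
            return False
        if exp < now:
            del self.validated[client_ip]   # cache entry expired
            return False
        return True
```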



