And since a single IP address can legitimately be used by many different devices, people, or organizations within a short timeframe, it's hard to see what this would look like.
Maybe if we could go back in time, we could add a new field to the Internet Protocol that carries a unique endpoint ID for IPsec purposes. Two hosts wishing to communicate would exchange endpoint IDs, and an encryption "session" would apply only to a specific IP+endpoint combination. That way it would still be possible to implement UDP and TCP on top of IP, but it wouldn't necessarily solve the case where different TCP or UDP ports on a single IP address correspond to different machines behind a port-forwarding router, and that router should not be able to decrypt the traffic it forwards.