On Wed, Mar 24, 2021 at 04:57:28PM -0700, Joseph Touch wrote:
> IMO, what IPsec got wrong was tunnel mode; it should have just been
> transport mode and IP-IP tunneling (RFC 3884 explains why).

But IPsec also got transport mode wrong because what it really got wrong was authentication and authorization. Since IPsec deals in IP addresses as node IDs it would want to authenticate IP addresses, but that's a lost cause in IPv4 because IP address assignments are just too dynamic. Authorization is downstream of authentication, so for IPsec it's busted too.

A better approach would have been to have had connection latching (RFC 5660) and IPsec-specific socket options so that IPsec would do no authorization in transport mode. That would have left authorization to the application, and then authentication could be PKIX (or KINK, or...) without IPsec caring one bit about name types or forms (again, the apps would deal with that).

If you get transport mode right like that, then gateways for IP tunneling over transport mode IPsec would just have been one of many applications.

But I'm the author of RFC 5660, so call me biased. The above opinion has been a minority view since the inception of the now-concluded BTNS WG.

Nico

--