> On Mar 25, 2021, at 11:53 AM, Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
>
> On Wed, Mar 24, 2021 at 04:57:28PM -0700, Joseph Touch wrote:
>> IMO, what IPsec got wrong was tunnel mode; it should have just been
>> transport mode and IP-IP tunneling (RFC 3884 explains why).
>
> But IPsec also got transport mode wrong because what it really got wrong
> was authentication and authorization.

...

> A better approach would have been to have had connection latching (RFC
> 5660) and IPsec-specific socket options so that IPsec would do no
> authorization in transport mode.

...

> But I'm the author of RFC 5660, so call me biased. The above opinion
> has been a minority view since the inception of the now-concluded BTNS
> WG.

And given I created BTNS, you'll get no argument from me ;-)

But that seems like more of an argument against IKE than IPsec.

Joe