On Thu, Mar 25, 2021 at 02:22:51PM -0700, Joseph Touch wrote:
> Just wanted to know what we need to eventually fix…

It's water under the bridge. Transport mode IPsec isn't going to take off. Among other things, having an out-of-band KE is not really a selling point anymore -- everything uses TLS (or DTLS, or whatever) now and that's that. Doing cryptographic session protection closer to the application layer won out, and always was going to, because it's by far the most available, portable, and flexible option for application developers. Going back in time to make IPsec perfect from day one might not produce a different result.