On 3/25/21 2:39 PM, Nico Williams wrote:
On Thu, Mar 25, 2021 at 02:22:51PM -0700, Joseph Touch wrote:
Just wanted to know what we need to eventually fix…
It's water under the bridge. Transport mode IPsec isn't going to take
off. Among other things, having an out of band KE is not really a
selling point anymore -- everything uses TLS (or DTLS, or whatever) now
and that's that.
Doing cryptographic session protection closer to the application layer
won out, and always was going to because it's by far the most available,
portable, and flexible option for application developers.
Going back in time to make IPsec perfect from day one might not produce
a different result.
We ended up with tortured history of DTLS because TLS had so thoroughly
won that it was better in the eyes of many to invent a UDP alternative
to TLS so that SIP could use TLS. Of course the joke is that UDP based
SIP is probably a thing of the past because of bloat.
Mike
