logoalt Hacker News

Sesse__last Sunday at 10:19 AM2 repliesview on HN

I was at a talk where he brought up exactly this (I also once did a talk alongside him, but that's a different story). He said there would be two changes:

1. It would have 128-bit addresses. 2. It would have end-to-end encryption (or was it authentication, I forget).

IPv6 was supposed to fix both of these, with IPsec mandatory, but the latter demand sort of faded out into obscurity. We ended up basically solving encryption by pushing everything into TLS anyway, which I guess solved much of the same problems although at a very different layer.


Replies

throw0101alast Sunday at 2:03 PM

> We ended up basically solving encryption by pushing everything into TLS anyway, which I guess solved much of the same problems although at a very different layer.

The "solving" of encryption with TLS should not be celebrated.

Everything needs to go over TLS/HTTP-443 because of middleware boxes basically blocking everything else by default in many cases, and so application/protocol designs have to shoehorn / kludge everything into a round hole even if it's a square peg.

Certainly I'd want everything to have encryption at the higher layers (OSI 5-7), but having opportunistic encryption at IP (OSI 3) would also be great because snoopers could tell that two nodes are communicating but not how / what: RTSP? Torrent? Mindcraft? PvP2 game? If every node could (say) do an IKEv2 negotiation with every other node have IP-level traffic wrapped in IPsec that would help with traffic analysis.

hyperman1last Sunday at 10:44 AM

Doing this brings you close to OSI, which famously failed by being overcomplicated. The current design was implementable by zillions of cheap humans running cheap hardware.

I always wonder if the internet is thesurvivor of the networking cambrian explosion, with a slight roll of the dice making another candidate the winner.

show 4 replies