
The Evolution of IPsec [pdf] - DyslexicAtheist
https://www.cs.columbia.edu/~smb/talks/why-ipsec.pdf
======
pathseeker
>Other technologies, especially NATs and firewalls, got in the way of IPsec

This is a bit understated. From my perspective this is 100% what killed ipsec.
By the time workstations had the processing power to use ipsec for everything, we
were rolling out NAT boxes everywhere to deal with the ipv4 crisis.

ipsec traversal was either non-existent or the connection tracking would be
limited to the IP so only one person behind the NAT box could establish a
session with a given ipsec endpoint on the other side.

I remember it was common to not be able to connect to the corporate ipsec VPN
when at a conference with another employee who was already connected.
Limitations like this made it super unreliable and pushed people to VPNs built
on top of the standard NAT-friendly transport protocols.
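
The "only one person behind the NAT box" failure mode above, as an added toy simulation (not from the original post): plain ESP carries no transport ports, so a connection-tracking NAT can only key it on the address pair, while UDP-encapsulated ESP (NAT-T on UDP/4500) gets a per-host source port. Hosts, addresses and port numbers are constructed for the example.

```python
# Constructed scenario: two employees behind one NAT (public 203.0.113.5)
# both trying to reach the same corporate IPsec gateway.
PRIVATE_A = "10.0.0.10"
PRIVATE_B = "10.0.0.11"
NAT_PUBLIC = "203.0.113.5"
GATEWAY = "198.51.100.1"
ESP = 50   # IP protocol number for ESP: no ports to rewrite
UDP = 17   # NAT-T wraps ESP in UDP, which does have ports


class ToyNat:
    """Minimal connection-tracking NAT keyed the way a port-less protocol
    forces it to be keyed (assumed simplification, not a real NAT's table)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}   # outside-facing key -> inside host

    def translate(self, src, dst, proto, dport=None):
        if proto == UDP:
            # Ports give every inside host its own distinct outside mapping.
            self.next_port += 1
            key = (self.public_ip, self.next_port, dst, dport)
            self.table[key] = src
            return key
        # Port-less protocol: the only usable key is the address/protocol triple,
        # so a second inside host collides with the first host's mapping.
        key = (self.public_ip, dst, proto)
        if key in self.table and self.table[key] != src:
            return None
        self.table[key] = src
        return key


def concurrent_sessions(encapsulated):
    """How many of the two inside hosts get a working mapping to the gateway."""
    nat = ToyNat(NAT_PUBLIC)
    working = 0
    for host in (PRIVATE_A, PRIVATE_B):
        if encapsulated:
            result = nat.translate(host, GATEWAY, UDP, dport=4500)
        else:
            result = nat.translate(host, GATEWAY, ESP)
        working += result is not None
    return working
```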

~~~
xorcist
Another serious problem was/is the lack of interoperability. The key
management protocol is complex with features for everyone and their cat. Lots
of people expected operating systems to implement IPsec which would make it
easier to manage large scale. That didn't work out all that well.

Since you can't count on interoperability, especially not in the future,
everybody uses tested server/client combinations, so that whole standardization
process wasn't that useful anymore, which somewhat negates any gain over using
a much simpler protocol (whether TLS or something else).

~~~
peterwwillis
So rather than securing connections at the os level, we re-invent the network
stack past layer 3. First you bring your own crypto, then create a whole new
virtual network stack, then create connections. Or do what Google does and
bring your own crypto, then bring your own layer 5-7 routing and transport on
the server. These are "interoperable" if 1) your users download an extra app,
or 2) your server implements custom app-specific solutions.

------
bogomipz
The author of this presentation, Steve Bellovin, is a real heavyweight of
networking and internet security going back to the early 80s and Bell Labs.
For those interested there's a good USENIX interview with him here:

[https://www.usenix.org/system/files/login/articles/07_bellov...](https://www.usenix.org/system/files/login/articles/07_bellovin.pdf)

