Ask HN: Why IPsec isn't already the “norm”? - omeid2

Or in other words, why isn't IPsec the standard?
======
tptacek
Two reasons, I think.

First, it was overcomplicated. IKE is widely regarded as one of the most
complex crypto protocols ever to come out of the IETF. It's a nightmare to
implement and not much easier to deploy.

Second, the policy layer is underspecified. IPSEC works for point-to-point VPN
links (though it's not the simplest or best way to get that). It could work
opportunistically (but was never deployed that way). But what other service
model is there? How do I use IPSEC to talk to Google? How does my stack know
who Google is? There are solutions for these problems, but not in mainstream
IPSEC implementations.

So, IPSEC became a VPN protocol instead.

------
UnoriginalGuy
Have you ever tried routing IPSec traffic through a NAT? It sucks. Oh and NATs
are everywhere, every home, every office, so that alone might hamper
adoption...

Here's a Cisco article that touches on it:

[https://supportforums.cisco.com/document/64281/how-does-nat-...](https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec)

Wikipedia even talks about the problem:

[http://en.wikipedia.org/wiki/NAT_traversal#IPsec_traversal_a...](http://en.wikipedia.org/wiki/NAT_traversal#IPsec_traversal_across_NAT)

Maybe when IPv6 is common and NAT goes away... But frankly NAT is too useful
as a "firewall" surrogate.

Plus what does IPSec really bring that SSL doesn't? It hides port numbers?
Meh. For the headache that IPSec setup is, I'll live with the NSA seeing I
connected to port 80. Even with IPSec they still know the IPs on both sides.
For VPNs give me OpenVPN over L2TP/IPSec any day of the week (plus setting up
UDP encapsulation on Windows is a huge PITA).

------
fulafel
Early adoption of end-to-end IPsec fizzled because of PKI problems and absence
of IPsec support in operating system IP stacks, and corporate "connect to our
swiss cheese intranet" VPN use case eclipsed the end-to-end usage. VPN use
then devoured 99.9% of user/developer/standardization mindshare.

------
wmf
Did they ever figure out how to prevent downgrade attacks?