Transport-level encryption with Tcpcrypt
Posted Aug 26, 2010 14:44 UTC (Thu) by djao (guest, #4263)
In reply to: Transport-level encryption with Tcpcrypt by jackb
Parent article: Transport-level encryption with Tcpcrypt
You can, but it's unbelievably difficult. To start with, opportunistic encryption is (to my knowledge) not yet a standard part of IPsec. It's a nonstandard extension offered by some implementations, not all of which are compatible. Also, installation and configuration of IPsec is much more intrusive and time-consuming than tcpcrypt. But the biggest problem is that the DNS TXT key needs to go in the reverse DNS zone file. I don't know a single residential ISP that allows customers to add something to their reverse DNS, and even among business ISPs this kind of thing is very rare. So, in practice, opportunistic encryption via IPsec is available only to a very few privileged users, which is not enough to support large-scale deployment or make any measurable difference in the percentage of internet traffic that undergoes encryption.