The article is focused on general ossification of TCP preventing newer improvements from functioning. E.g. "performance enhancing proxies" from the article is not a euphemism for censorship, it's boxes design to do one thing with TCP which ends up breaking something for MPTCP. Any bypassing of censorship by avoiding ossification is completely incidental (and likely some extremely bad censorship if it just allows any protocol it can't filter through).

I wouldn't expect this to fare any better at evading deep packet inspection than any other current technique.

Israeli "network traffic monitoring hw used by law enforcement" was deployed in one European country and after few years of deployment public officials embarrassingly confessed that, device was not capable of monitoring IPv6 at all XD just sayin. people expect things working but even west devices are embarrassingly nonsensically flawed. Huawei / zte etc stealing sourcecode and blatantly copying it is even worse situation because they do not even understand how it should work. XD

So what are you using? Is there a softrouter using mutual TLS over IPv6 that you can recommend?

Around 50% of internet packets are IPv6. It's not the future. It's now the present, and IPv4 is the past.

It's a shame they still have ports in IPv6, but I can see why: imagine having to ARP (IPv6 calls it ND) every connection separately. At least you can just allocate another privacy address if you need more than 65535 concurrent connections to the same destination.

I'm a networking guy by profession + a big IPv6 fan as well (yay HN these days! news.ycombinator.com->2606:7100:1:67::26)... but don't hold your breath that IPv6 will lower the price of routers at all, let alone by a factor of 10x. From a hardware perspective there are a few minor gains with changes to the protocol but there are also some losses due to the address and network prefix sizes taking up more expensive TCAM/SRAM.

You still want ports, they actually make networking hardware cheaper overall by moving some of the scaling requirements out of the IP layer and into the transport layer. Imagine needing router which can hold 1,000,000 IPv6<->MAC address bindings just because you have 1,000 clients in your network using new addresses instead of ports! ND code is more complex than the code to bind to ports, but I still like the introduction of ND more than not regardless :).

IPv6 infra will probably never adopt the cert stuff you mention. The protocol is just designed to be able to, it doesn't mandate it. In practice it's almost never done and having everyone do it would likely be harder than getting people off IPv4 has been. On the internet routing side, PKI with BGP doesn't really care about the address format and works fine with IPv4.

For the network manager the 2 biggest changes are 1) All of their client subnets are /64s, no more subnet mask tables. 2) No more NAT, which feeds into the debugging side of things, though some of this is advantage is intentionally lost in a tradeoff for increased privacy via temporary addresses. In the last one it's tempting to tie that back to enormous hardware gains but, in reality, the box at that position of the network needs to statefully track sessions regardless of if it needs to translate them, and that's the majority of the cost.

By wrapping TCP in UDP, you essentially lose all benefits of compatibility, though. If neither middleboxes nor your OS are involved, there's not much left to be compatible with.