by tptacek
5639 days ago
Everything about this comment is horrifying. Start with AES-CTR (which wouldn't have been an option in 1979; counter mode hadn't been invented): you can't use TCP sequence numbers as counters; among other things, multiple segments can be sent with the same sequence number, and while the byte described at the stream offset of that sequence number (usually, but not always) agrees with every other packet, no other guarantee exists about the nature of those segments. Reuse of a counter in CTR mode is a devastating flaw. Running DH over an unsecured connection with no previous trust anchor is also a recipe for disaster; attackers don't even need a fully-functioning man-in-the-middle to break it; they just need to be able to inject two segments, one in each direction, to fixate the derived key. Everything else you propose to layer on top of this DH + AES-CTR connection is handwaving; if you have to run "application-layer" TLS, what's the value of hardcoding (broken) crypto into the TCP layer? Sorry for the rabid response to a well-intentioned comment, but, wow, I couldn't disagree with you more strongly.
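The counter-reuse failure the comment describes, and the sender-owned counter that avoids it, as an added example that is not part of the thread. HMAC-SHA256 stands in for AES as the CTR block function (Python's standard library has no AES; the reuse property is the same for any block function), and the key, nonce and segment contents are constructed placeholders.

```python
import hashlib
import hmac

BLOCK = 32  # bytes of keystream per counter block (SHA-256 output size)

def ctr_keystream(key: bytes, nonce: bytes, counter: int, length: int) -> bytes:
    # CTR mode: keystream block i = F_key(nonce || counter + i). AES is the usual F;
    # HMAC-SHA256 is used here as a stand-in and shares the counter-reuse weakness.
    out = b""
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + (counter + i).to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, counter: int, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, ctr_keystream(key, nonce, counter, len(data))))

def same_seq_leak(key: bytes, nonce: bytes, seq: int, seg_a: bytes, seg_b: bytes) -> bytes:
    # The proposal under discussion: counter := TCP sequence number. Two segments that
    # carry different bytes under the same sequence number are encrypted with the same
    # keystream, so XORing the ciphertexts cancels it and yields seg_a XOR seg_b with
    # no knowledge of the key. If either segment is predictable, the other is exposed.
    ct_a = ctr_xor(key, nonce, seq, seg_a)
    ct_b = ctr_xor(key, nonce, seq, seg_b)
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))

class MonotonicCtrSender:
    # The mitigation: the sender owns a per-key counter that only moves forward, so a
    # (key, nonce, counter) triple is never used twice no matter what the transport does
    # (retransmissions, rewritten segments, wrapped sequence numbers).
    def __init__(self, key: bytes, nonce: bytes):
        self.key, self.nonce, self.next_counter = key, nonce, 0

    def encrypt(self, data: bytes):
        counter = self.next_counter
        blocks = (len(data) + BLOCK - 1) // BLOCK
        if counter + blocks >= 2 ** 64:
            raise OverflowError("counter space exhausted; rekey before continuing")
        self.next_counter = counter + blocks  # advance past every block consumed
        return counter, ctr_xor(self.key, self.nonce, counter, data)
```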