by tialaramex 1771 days ago
Under IPv6 the original pressure for "virtual hosts" and eventually SNI wouldn't necessarily have existed because there are plenty of addresses.

However I suspect that by now somebody would have spotted that we're smuggling the thing we actually wanted to convey via the IPv6 address. some.specialised.thing.example resolves to an address with a particular combination of low 64 bits which are then decoded by server software listening on that entire subnet as some.specialised.thing.example. And somebody would have proposed just actually transmitting the text across the wire instead.

So I expect that today SNI would exist, or at least the exact same discussion that led to eSNI and today ECH would have happened for other reasons in the world where everybody has IPv6, and the fix for that would be under development.

If you have plentiful IPv6 addresses the privacy aspect still matters, but maybe it gets pushed out further and we're only talking about it now rather than earlier.


Yes there is still a 1-1 mapping from IPv6 to domain, but that mapping is pushed back into the DNS layer where it belongs instead of being smuggled (poorly) through TLS. DNS isn't perfect for privacy either, but at least there's a chance that it can be solved with DoH / private DNS servers / etc, instead of the only solution (eSNI) requiring everyone voluntarily signing up to a giant MITM called "cloudflare".
The problem with just solving DNS privacy is that Winnie doesn't care whether you "privately" resolved the name or not, blocking the entire server works fine when each server corresponds to one name. The ability of users to privately resolve winnie-the-pooh.china.example to 10.20.30.40 doesn't help when Winnie can just block 10.20.30.40 entirely.

One of the things we see with the Great Firewall is that you can reach some brand new service, and then a few minutes later (after presumably some automation spun up, examined it and didn't like what it found) it's blocked.

In contrast under ECH Winnie can choose to have 10.20.30.40 blocked, and if the only things on it are winnie-the-pooh.china.example and kick-putin-out.russia.example then why not. But if it also features popular-website.example then that's a difficulty.

If it helps, while I expect Cloudflare will continue as before, ECH is actually carefully designed so that intermediates can be set up to be able to discern that you want winnie-the-pooh.example and make that work without in fact knowing how to answer for that name. In effect you can sign up to have some popular host (e.g. Google, Amazon, or indeed Cloudflare) provide their servers for your names, but not provide your services and not have any ability to MITM you; they're acting as a sort of IP proxy instead. And some of the big names are clearly enthusiastic about enabling this capability, albeit for a price.

It's really easy to make a mapping of domain names to IPs. If you want a chance at privacy, you need load balancer IPs that have a huge number of sites behind them.
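The blocking argument running through this thread (a censor who can only see the IP must block every name behind it, so a shared load-balancer IP raises the cost of blocking any one name), as an added model in Python that is not from any of the commenters. The name-to-IP records below are constructed for illustration; the `.example` names come from the thread, the addresses and the censor's collateral threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample DNS data: hostname -> the IPv4 address it resolves to.
# Addresses and the two "blog" names are invented for this illustration.
DNS_RECORDS = {
    "winnie-the-pooh.china.example": "10.20.30.40",
    "kick-putin-out.russia.example": "10.20.30.40",
    "popular-website.example": "10.20.30.40",
    "small-blog.example": "10.20.30.41",
    "another-blog.example": "10.20.30.41",
}


def names_behind(records):
    """Invert name->IP into IP->set of names, i.e. the anonymity set per IP."""
    by_ip = defaultdict(set)
    for name, ip in records.items():
        by_ip[ip].add(name)
    return dict(by_ip)


def collateral_if_blocked(records, target):
    """Other names that go dark if the IP behind `target` is blocked outright."""
    ip = records[target]
    return names_behind(records)[ip] - {target}


def censor_action(records, target, ech, max_collateral=0):
    """Model the censor's decision for one unwanted name.

    Plaintext SNI: the name is visible on every connection, so only that
    name's flows are dropped and nothing else is affected.
    ECH: only the IP is visible, so the censor must block the whole address
    and accepts that only while the collateral set is small enough.
    Returns the set of names actually blocked and the collateral among them.
    """
    if not ech:
        return {"blocked": {target}, "collateral": set()}
    collateral = collateral_if_blocked(records, target)
    if len(collateral) <= max_collateral:
        return {"blocked": collateral | {target}, "collateral": collateral}
    # Too much collateral: the target stays reachable along with its neighbours.
    return {"blocked": set(), "collateral": set()}


if __name__ == "__main__":
    for name in DNS_RECORDS:
        print(name, "->", sorted(collateral_if_blocked(DNS_RECORDS, name)))
```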