Two questions -
- Is DoH necessary for this to work? Can it work with IPSEC assuming the target website also implements the relevant TLS 1.3 extension?
- Will it be ported to PM/is it already available, presumably if it is no longer a draft spec?
Not at all. See also this bug at Mozilla. It's been open for 5 years but clearly Mozilla wanted to push using DoH so they didn't implement the feature outside of the new DoH plumbing.
There's currently nothing to port because Mozilla only implemented it using DoH and our DNS resolver isn't kitted out to handle it.
"Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations." -- even the Mozilla blog post specifically states "if technologies are used in isolation", which is usually never the case.

Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations. Everything that is done here is specifically to eliminate any "leaks" to the local network and trying to make the browser stealth except for an outbound tunnel, if used. It's nonsense for any other workflow.
Once more, none of this is needed or useful if you use a VPN (or any other encapsulation protocol) tunnel to tunnel your way out of what you consider an untrusted local network. Even a web proxy over https will already completely bypass the need for any of these service-based encryptions/cloaking methods.
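To make the "leak" under discussion concrete, here is an added example (not code from this thread, from Mozilla or from the Pale Moon project) that builds a constructed TLS ClientHello carrying a plain server_name (SNI) extension and then parses the hostname back out the way any passive device on the local network could. Without ESNI/ECH the name sits in cleartext in the very first handshake packet; a VPN or other tunnel hides it only because the whole record is encapsulated. The record layout follows RFC 5246/8446 and RFC 6066; the 32 random bytes and the hostname are constructed sample values.

```python
"""Construct a minimal TLS ClientHello with a server_name extension and
parse the hostname from it, showing what an on-path observer sees."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Return a TLS record (type 0x16) wrapping a ClientHello that carries
    a plaintext server_name extension for `hostname` (constructed sample)."""
    name = hostname.encode("ascii")
    # server_name extension (RFC 6066): list of (name_type=0, len, name)
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # supported_versions extension (type 43) advertising TLS 1.3 (0x0304)
    sv_body = b"\x02\x03\x04"
    ext_sv = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    extensions = ext_sni + ext_sv
    body = (
        b"\x03\x03"               # legacy_version: TLS 1.2
        + b"\x11" * 32            # random (constructed, fixed bytes)
        + b"\x00"                 # legacy_session_id: empty
        + b"\x00\x02\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the hostname from a ClientHello's server_name extension,
    or None if the record is not a ClientHello or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a handshake record
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None  # not a ClientHello
    pos = 4            # skip handshake type + 3-byte length
    pos += 2 + 32      # skip legacy_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = hs[pos]
    pos += 1 + cm_len
    if pos + 2 > len(hs):
        return None  # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == 0x0000:  # server_name
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:  # host_name
                    return edata[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")  # constructed sample hostname
    print("SNI visible on the wire:", extract_sni(hello))
```

The parser deliberately walks only the ClientHello structure, so it returns None for anything else, including application-data records; that is the observer's view of a connection once it is inside an encrypted tunnel. ESNI/ECH replaces the plaintext extension above with an encrypted one whose key comes from DNS, which is why the feature is tied to how the browser's resolver fetches those records.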