I might be wrong, but OHAI is an additional HPKE layer within the TLS-protected HTTP tunnel; a more nuanced take on the HTTP CONNECT method, if you will. MASQUE seems more of an IPsec take 2.
Ah, so basically the distinction is private relaying at the HTTP exchange level vs. at the TLS flow level?
MASQUE is more about tunneling TLS flows (i.e. TCP or TCP-ish connections such as QUIC/HTTP 3) than about the IP layer, is my understanding, but I suppose that's what you mean by IPsec take 2?
> MASQUE has now evolved to the point one can potentially build VPNs with it
Wow, so we've gone full circle :D Hopefully this will only be used with the QUIC Datagram – IP-over-TCP isn't fun. But I can see it making sense in certain scenarios/as a last resort.
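To make the "QUIC DATAGRAM vs. falling back to a TCP stream" distinction in the comment above concrete, here is an added example (not code from the thread or from any MASQUE implementation) of the two wire shapes a MASQUE UDP proxy deals with: the HTTP Datagram payload format from RFC 9298 (a varint Context ID, 0 meaning "raw UDP payload", followed by the UDP payload), which rides bare in a QUIC DATAGRAM frame, and the DATAGRAM capsule from RFC 9297 (varint type 0x00, varint length, value) that carries the same payload over an ordinary HTTP/2 or HTTP/1.1 stream when no unreliable datagram transport is available. The varint encoding is the QUIC one from RFC 9000. The DNS query used as sample traffic is constructed here; the function names are my own.

```python
"""HTTP Datagram (RFC 9298 CONNECT-UDP payload) and Capsule (RFC 9297) framing.

Added worked example; formats follow the RFCs, helper names are this example's own.
"""
from __future__ import annotations

DATAGRAM_CAPSULE_TYPE = 0x00   # RFC 9297: DATAGRAM capsule
UDP_PAYLOAD_CONTEXT_ID = 0     # RFC 9298: Context ID 0 = the UDP payload itself


def encode_varint(v: int) -> bytes:
    """QUIC variable-length integer (RFC 9000 section 16): 2-bit length prefix."""
    if v < 0:
        raise ValueError("varint must be non-negative")
    if v < 1 << 6:
        return bytes([v])
    if v < 1 << 14:
        return (v | 0x4000).to_bytes(2, "big")
    if v < 1 << 30:
        return (v | 0x80000000).to_bytes(4, "big")
    if v < 1 << 62:
        return (v | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint too large")


def decode_varint(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (value, new_offset); raise ValueError on a truncated buffer."""
    if offset >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[offset] >> 6)          # 1, 2, 4 or 8 bytes
    if offset + length > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[offset:offset + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), offset + length


# ---- Datagram path: what goes inside a QUIC DATAGRAM frame (no capsule) ----

def encode_http_datagram(udp_payload: bytes, context_id: int = UDP_PAYLOAD_CONTEXT_ID) -> bytes:
    return encode_varint(context_id) + udp_payload


def decode_http_datagram(payload: bytes) -> tuple[int, bytes]:
    context_id, off = decode_varint(payload)
    return context_id, payload[off:]


# ---- Stream fallback: the same HTTP Datagram wrapped in a DATAGRAM capsule ----

def encode_capsule(capsule_type: int, value: bytes) -> bytes:
    return encode_varint(capsule_type) + encode_varint(len(value)) + value


def decode_capsules(stream: bytes) -> tuple[list[tuple[int, bytes]], bytes]:
    """Parse complete capsules from a stream buffer; return (capsules, unparsed tail).

    A capsule that is cut off (e.g. the rest has not arrived yet) is left in the tail
    rather than treated as an error, since capsules arrive on a byte stream.
    """
    capsules: list[tuple[int, bytes]] = []
    offset = 0
    while offset < len(stream):
        start = offset
        try:
            ctype, offset = decode_varint(stream, offset)
            clen, offset = decode_varint(stream, offset)
        except ValueError:
            return capsules, stream[start:]
        if offset + clen > len(stream):
            return capsules, stream[start:]
        capsules.append((ctype, stream[offset:offset + clen]))
        offset += clen
    return capsules, b""


def extract_udp_payloads(stream: bytes) -> tuple[list[bytes], bytes]:
    """Pull raw UDP payloads out of a capsule stream; skip unknown capsule types
    (RFC 9297 requires those to be ignored) and any context ID this example does not know."""
    capsules, tail = decode_capsules(stream)
    payloads = []
    for ctype, value in capsules:
        if ctype != DATAGRAM_CAPSULE_TYPE:
            continue
        try:
            context_id, udp = decode_http_datagram(value)
        except ValueError:
            continue
        if context_id == UDP_PAYLOAD_CONTEXT_ID:
            payloads.append(udp)
    return payloads, tail


# Constructed sample: a DNS A query for example.com (id 0x1234), i.e. the UDP payload
# a client would tunnel through a CONNECT-UDP proxy.
SAMPLE_UDP = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    dgram = encode_http_datagram(SAMPLE_UDP)          # sent as-is in a QUIC DATAGRAM frame
    capsule = encode_capsule(DATAGRAM_CAPSULE_TYPE, dgram)  # sent on the stream instead
    print(len(SAMPLE_UDP), len(dgram), len(capsule))
    print(extract_udp_payloads(capsule)[0] == [SAMPLE_UDP])
```

The per-packet cost of the fallback is visible in the lengths: one byte for the context ID on the datagram path, two more (type and length) on the capsule path, plus the head-of-line blocking and nested congestion control that a TCP/HTTP/2 stream adds and that the comment above is objecting to.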
I'm aware of the great apnic post, but it seems to predate OHAI. Hopefully somebody will write an explainer on that as well.
See section 3.1 for a brief comparison between the two: https://datatracker.ietf.org/doc/html/draft-schinazi-masque-...