Has Mosh crypto been reviewed? Last I checked they were using some custom crypto on top of UDP instead of using something like DTLS or QUIC. Given SSH is one of the most battle-tested protocols out there, I am wary of replacing it with something else.
The cryptography is standard AES-128 in OCB3 mode. It's been around long enough, and has had enough security scrutiny to at least discover a few minor DoS vulnerabilities, that it isn't entirely unreviewed.
Mosh has been effectively unmaintained since long before QUIC even existed.
It should be rewritten to use QUIC, except that QUIC's requirement for TLS certificates rather than generic asymmetric cryptography basically breaks any integrations like this.