They use peering and not the reader mode that suck will use.
Depends on the amount of article you load.
Both sites need to configure their NNTP server to have outgoing
articles and incoming.
IIRC INN can spool messages if a server is unreachable (the statistics
sometimes show that). But for servers that are not always online (most
time), UUCP is a better protocol.
Using a TLS certificate should be technically possible, but I don't
know which servers support that.

Without knowing further details, a first superficial examination
of this question would lead me to think that it does not seem
unfair to use such a program, because the server is free to
refuse anything that would expose it to unwanted overload.

Peers usually push articles to each other.

Readers usually poll / pull articles from the server(s).
It depends.

I would never want to use suck for a full Usenet feed for anything other
than academic purposes.
I would have to refer to RFCs to know for sure, but these seem to be
ways to push articles to peers. Which is used when requires brushing up
on some RFCs.

I believe that innfeed is just one of the ways that INN supports to feed
articles to a configured peer.
My understanding is that INN (which uses innfeed) has knowledge of
articles that are queued to be sent to a peer and which queued articles
have been sent.

With this in mind, INN simply sends articles for desired newsgroups /
distributions to wanting peers henceforth.

Peers don't have a way to say I want you to send me article <such and
such>. That's the domain of the reader to pull articles.
My understanding of the mechanics may be flawed.
In a manner of speaking, sort of.

INN will periodically try to establish communications and will send (or
at least offer) spooled articles once communications is established.
What is "better"? IP is quite convenient and works quite well between
static (or rarely changing) IPs.

You could use something like IPsec transport mode, or a full fledged VPN
to have much stronger cryptographic validation about the remote system.
But is such worth it for a news server?
I believe that some have TLS encryption in play.

I believe a very small number are using NNCP (?)

I would not be shocked to learn about IPsec / VPN being used.
Why?

IMHO that wouldn't be worth it.

What reason do you have to upset the apple cart? -- This is one of the
reasons that I'm not interested in NNCP.

I'd be more inclined to use standard NNTP on a standard news server and
rely on the kernel to add IPsec transport mode encryption +
authentication to the traffic. News software doesn't have to be
involved and can rely on the kernel.

Hi immibis,
FWIW, innd also supports identifying a peer with the Ident protocol (RFC
1413) or with a password.
I doubt they are really used by people nowadays. Besides, these data
are not encrypted.

See the identd and password parameters in incoming.conf:
https://www.eyrie.org/~eagle/software/inn/docs/incoming.conf.html

peer bob {
hostname: "1.2.3.4"
password: "therealbob"
}


You may use that as an additional "proof" (because that's still
insecure) that the peer at 1.2.3.4 is the expected one.

Note that you cannot use "*" as hostname, and then parameter several
peers matching any IP but with several different passwords because the
first matching entry for hostname in incoming.conf, read from the last
one to the first one in the file, will be used. If the conditions like
max-connections, identd and password do not correspond, then access is
denied.

Hi immibis,
FWIW, innd also supports identifying a peer with the Ident protocol (RFC
1413) or with a password.
I doubt they are really used by people nowadays. Besides, these data
are not encrypted.

See the identd and password parameters in incoming.conf:
https://www.eyrie.org/~eagle/software/inn/docs/incoming.conf.html

peer bob {
hostname: "1.2.3.4"
password: "therealbob"
}


You may use that as an additional "proof" (because that's still
insecure) that the peer at 1.2.3.4 is the expected one.

Note that you cannot use "*" as hostname, and then parameter several
peers matching any IP ("*") but with several different passwords because
the first matching entry for hostname in incoming.conf will be used for
the upcoming connection. If the conditions like max-connections, identd
and password do not correspond, then access is denied.