Les Mikesell wrote:
Robert Moskowitz wrote:
I have never liked the SSLvpn architecture. Never really liked the SSL handshake; just too chatty. I wear my biases quite plainly on my arm sleeve (I chaired the IPsec workgroup during the time the RFCs came out). You want security, go with IPsec. Even ESP NULL gives you per packet authentication and thus proof of server and client. Just pay the price for IKE, which I never liked. Part of the reason I invented HIP....
But SSL VPNs work through just about any firewall/proxy/NAT that already permits HTTPS. Traversing those can be painful or impossible for IPsec.
The problem is NATs (so speaks a co-author of RFC 1918!). SSL vpns tunnel networking over Transport. Gee I wonder why that works through NATs?
Part of the NAT traversal mess contributed to my drive for HIP which the actual developers realized needed a different ESP mode: BEET. Of course even HIP needs ICE to find things out there and to be found....