Les Mikesell wrote: > Robert Moskowitz wrote: > >> I have never liked the SSLvpn architecture. Never really liked the SSL >> handshake; just too chatty. I wear my biases quite plainly on my arm >> sleeve (I chaired the IPsec workgroup during the time the RFCs came >> out). You want security, go with IPsec. Even ESP NULL gives you per >> packet authentication and thus proof of server and client. Just pay the >> price for IKE, which I never liked. Part of the reason I invented HIP.... >> > > But ssl vpns work though just about any firewall/proxy/nat that already > permit https. Traversing those can be painful or impossible for ipsec. The problem is NATs (so speaks a co-author of RFC 1918!). SSL vpns tunnel networking over Transport. Gee I wonder why that works through NATs? Part of the NAT traversal mess contributed to my drive for HIP which the actual developers realized needed a different ESP mode: BEET. Of course even HIP needs ICE to find things out there and to be found....