* Stefan Mink:

> a) It would be good to hear from this community if there
> are any negative aspects of OpenVPN (vs. IPsec VPNs).

It's not standardized, and it only interoperates with itself (but this is true for many IPsec implementations as well). This is more than compensated by its portability. OpenVPN has a very interesting feature set, including hybrid authentication and an HMAC-based integrity check before TLS processing for the paranoid. (Static key mode is also possible and doesn't require TLS at all.) Unfortunately, the protocol would have to be reverse-engineered from the source code before it can be reviewed. You've already mentioned important aspects of the protocol (TLS on the control plane, ESP for the payload). What's still missing, though, is multicast support and PPPoE-style multihop authentication. PMTUD doesn't work for me at the moment, but this could also be a local configuration problem.

> b) I still have a problem with the term "SSL/TLS VPN".

What is an "SSL VPN"? A web application that runs over TLS? 8-) Uh-oh, it looks as if this joke isn't too far off. This reminds me of the good old times when we tried to use TeraTerm and SSH port forwarding to secure a Baan installation.

> What OpenVPN seems to do is use SSL for authentication and key
> exchange/rekeying, but does use "ESP similar" data protection
> schemes/formats. Does the usage of SSL on a "control plane" make
> OpenVPN an "SSL VPN"?

No, it certainly isn't. OpenVPN doesn't work at the application layer, as SSL VPNs usually do. It's a real VPN, and you can choose between layer 2 or layer 3 operation.

> This sounds to me like calling something a car just
> because it uses a steering wheel... So far I thought
> about SSL VPNs as doing everything over SSL (with
> the known disadvantages...).

At least OpenVPN uses a bit of SSL and provides a VPN. SSL VPNs use a lot of SSL, but provide no VPN.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
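The "HMAC-based integrity check before TLS processing" mentioned in the reply, as an added example that is neither OpenVPN's code nor its wire format: a simplified gate that drops control-channel datagrams whose keyed HMAC, timestamp or packet-id does not check out, so the TLS stack never parses unauthenticated or replayed input. The key, header layout, window size and sample packets are constructed for this demo.

```python
import hmac
import hashlib
import struct

HMAC_ALG = hashlib.sha256
TAG_LEN = 32
# Constructed header: 32-bit packet-id (replay counter) + 64-bit unix timestamp.
# This layout is an assumption for the demo, not OpenVPN's real tls-auth format.
HDR = struct.Struct("!IQ")


class HmacGate:
    """Sits in front of a TLS stack; only datagrams with a valid tag reach it."""

    def __init__(self, key: bytes, window: int = 60):
        self.key = key
        self.window = window      # max clock skew accepted, in seconds
        self.seen = set()         # packet-ids already accepted (replay defence)
        self.rejected = 0         # count of drops, worth surfacing in monitoring

    def wrap(self, pkt_id: int, payload: bytes, now: int) -> bytes:
        """Sender side: prepend HMAC(tag) over header + payload."""
        hdr = HDR.pack(pkt_id, now)
        tag = hmac.new(self.key, hdr + payload, HMAC_ALG).digest()
        return tag + hdr + payload

    def unwrap(self, datagram: bytes, now: int):
        """Receiver side: return the payload for TLS, or None if dropped early."""
        if len(datagram) < TAG_LEN + HDR.size:
            self.rejected += 1
            return None
        tag, rest = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, rest, HMAC_ALG).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            self.rejected += 1
            return None
        pkt_id, ts = HDR.unpack_from(rest)
        if abs(now - ts) > self.window or pkt_id in self.seen:
            self.rejected += 1
            return None
        self.seen.add(pkt_id)
        return rest[HDR.size:]


def demo():
    """Constructed exchange: one good packet, then a replay and a tampered copy."""
    key = b"constructed-shared-static-key"
    sender, receiver = HmacGate(key), HmacGate(key)
    pkt = sender.wrap(1, b"ClientHello-bytes", now=1000)
    accepted = receiver.unwrap(pkt, now=1000)
    replayed = receiver.unwrap(pkt, now=1001)
    tampered = receiver.unwrap(pkt[:-1] + bytes([pkt[-1] ^ 0x01]), now=1000)
    return accepted, replayed, tampered, receiver.rejected
```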