The common implementation of achieving network (L3) connectivity in SSL-VPN is to encapsulate data from the network layer (e.g. IP datagrams) with some link (L2) layer protocol and send data from L2 (e.g. PPP frames) over a SSL/TLS connection. Most, if not all, SSL-VPN vendors encounter poor performance when sending data through their SSL-VPN tunnels due to head of line blocking (when multiple L3 traffic are encapsulated within a SSL/TLS connection and loss occurs, TCP that transports the SSL/TLS connection must recover from loss and during recovery other encapsulated L3 traffic whose data not affected by the loss will not be sent. Datagram Transport Layer Security (DTLS), which uses UDP (User Datagram Protocol) as the transport instead of TCP, is used as an alternative to SSL/TLS-in SSL-VPN to avoid head of line blocking problem. However, the compression ratio achievable on a DTLS-based VPN tunnel is not as effective as that of the SSL/TLS-based VPN tunnel, since the compression history is limited to the maximum segment size of a DTLS packet, thereby resulting in potential loss. In comparison, SSL/TLS-based VPN tunnels provide for a larger compression history, thereby achieving a higher compression ratio.
Tunneling data from L3 within L2 over a secure connection (regardless SSL/TLS or DTLS) carries a number of disadvantages, in particular, tunneling data from one source endpoint to another destination endpoint incurs the overhead from these two layers (L2 and L3), which can be substantial.