I bet that Netscape would fail, though, DNS aside. Some remote web servers will do IPsec, but most won't (today). That's an example of an application that does lots of transactions with lots of different hosts, with many different security policies. I'm trying to think of other examples... Erik <fair@clock.org>