[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL

To: "Venkat RK Reddy" <vpothams@cisco.com>
Subject: Re: Fw: IPSec vs. SSL
From: "Paul Heber" <pheber@qantas.com.au>
Date: Tue, 19 Dec 2000 11:15:58 +1000
Cc: <ipsec@lists.tislabs.com>
Sender: owner-ipsec@lists.tislabs.com

If you look at the wording "In addition" then SSL V3 could be a better
solution or even TLS rather than both SSL and IPSec. Encryption of
encrypted packets is not a good look. I agree that with SSL and tools such
as Dsniff the man in the middle is an issue. IPSec will fix this problem,
but then you start limiting the scalability of implementation.

Look at a server that needs to be accessible from 100 points accross an
open IP community. If you must run IPSec then you must run 100 Tunnels from
100 end points. This gets worse the more open that you want the secure
network, say all 100 need to talk securely to all of the connections, it
become n*n-1 tunnels and surely this is un-manageable from a business
perspective.

SSL encrypts as it goes and at the application level or TLS at the
Transport level, hence there are no scalability issues here. (It is all a
Risk vs Business benefit statement.) Sure if the data MUST not be
accessible and it is highly confidential then IPSec maybe a good option,
but then why use SSL on top of that.

The other pitfall with IPSec that needs to be considered is the structure
of your environment and the addressing used internally. IPSec does not work
with NAT, however there are ways around this, but your security then does
not become end to end like SSL or TLS.




From: "Venkat RK Reddy" <vpothams@cisco.com>@lists.tislabs.com on
      18/12/2000 16:19 PST

Sent by:  owner-ipsec@lists.tislabs.com


To:   <ipsec@lists.tislabs.com>
cc:
Subject:  Fw: IPSec vs. SSL




IPSec's advantage over SSL: It has more  flexibility on choosing the
authentication mechanisms (like the PreSharedKey),  and therefore makes it
difficult for the attacker to do man in the middle.   SSL is based only on
public key and with tools (like dsniff2.3), its possible to  do man in the
middle breaking SSL.

SSL's advantage over IPSec: In SSL, the client and  the server exchage *
hash * over the "initial handshake" and therefore is  difficult for an
attacker to control (change the proposals that the client  has sent so that
the server chooses the proposals that attacker sends or  whatever) the main
mode "initial" handshake.

More discussion on this would be enlightening and  appreciated.

----- Original Message -----
From:  Tim Lee
To: ipsec@lists.tislabs.com
Sent: Saturday, December 16, 2000 5:30  PM
Subject: Re: IPSec vs. SSL

Are there any situations where it is useful to  have IPSec in addition to
SSL?

Follow-Ups:

Re: Fw: IPSec vs. SSL

From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: IPv6 Neighbour Solicitation messages and IPsec
Next by Date: Re: Fw: IPSec vs. SSL
Prev by thread: Re: Fw: IPSec vs. SSL
Next by thread: Re: Fw: IPSec vs. SSL
Index(es):
- Main
- Thread