
Re: Fw: IPSec vs. SSL


You are right, there is no fundamental need unless the business requires it.
Purely an example of scalability and control using IPSec rather than SSL.
SSL is dynamic whereas IPSec needs setup and maintenance.

Paul Heber

From: Henry Spencer <henry@spsystems.net> on 18/12/2000 20:03 EST

To:   Paul Heber <pheber@qantas.com.au>
cc:   ipsec@lists.tislabs.com
Subject:  Re: Fw: IPSec vs. SSL

On Tue, 19 Dec 2000, Paul Heber wrote:
> Look at a server that needs to be accessible from 100 points across an
> open IP community. If you must run IPSec then you must run 100 Tunnels
> 100 end points. This gets worse the more open that you want the secure
> network, say all 100 need to talk securely to all of the connections, it
> becomes n*n-1 tunnels and surely this is unmanageable from a business
> perspective.

Why?  There is no reason why all of them have to exist simultaneously,
unless there is actually traffic flowing on all of them... and in any
case, there is no n*n-1 on any single machine.  You could equally say that
there would have to be n*n-1 TCP connections involved, and nobody
complains about that.

I agree that n*n-1 gets troublesome if there needs to be explicit
per-tunnel management or configuration, but there is no fundamental
requirement for that.

                                                          Henry Spencer