
Re: Fw: IPSec vs. SSL

In message <OFFCB36D51.7DEBE250-ON4A2569BA.000EAB81@qantas.com.au>, "Paul Heber" writes:
>> SSL is dynamic whereas IPSec needs setup and maintenance.
>Depends upon the implementation of the software, as to this setup and
>maintenance requirement.

I'm sorry, I still don't understand.  SSL has a key setup phase, too.

To me, the difference is ease of deployment versus scope of protection.
SSL is easier to deploy, because it lives solely at user level.  It
does not need any kernel mods, source code, etc., and is reasonably
portable between operating systems.

On the other hand, with SSL you have to secure one application at a
time.  You can't protect entire subnets.  There are trivial
denial of service attacks by active attackers; they simply need to
inject a single TCP packet.  And there's no way to protect UDP.

If IPsec had been widely available, there would have been no need for 
SSL.  But it wasn't there; that left a gaping ecological niche that SSL 
filled quite nicely.

		--Steve Bellovin