[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL

> I'm sorry, I still don't understand.  SSL has a key setup phase, too.
> To me, the difference is ease of deployment versus scope of protection.
> SSL is easier to deploy, because it lives solely at user level.  It
> does not need any kernel mods, source code, etc., and is reasonably
> portable between operating systems.

"Deployment" may not be a critical issue, because its a one time thing.  I
would add flexibility and purpose like
whether the client authentication is needed (optional in SSL), or various
options for payload specification and ofcourse application Vs entire subnet

> On the other hand, with SSL you have to secure one application at a
> time.    You can't protect entire subnets.  There are trivial
> denial of service attacks by active attackers; they simply need to
> inject a single TCP packet.  And there's no way to protect UDP.

I beleive both SSL and IPSec are susceptible to DoS.

> If IPsec had been widely available, there would have been no need for
> SSL.  But it wasn't there; that left a gaping ecological niche that SSL
> filled quite nicely.
> --Steve Bellovin