[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Fw: IPSec vs. SSL
> I'm sorry, I still don't understand. SSL has a key setup phase, too.
> To me, the difference is ease of deployment versus scope of protection.
> SSL is easier to deploy, because it lives solely at user level. It
> does not need any kernel mods, source code, etc., and is reasonably
> portable between operating systems.
"Deployment" may not be a critical issue, because its a one time thing. I
would add flexibility and purpose like
whether the client authentication is needed (optional in SSL), or various
options for payload specification and ofcourse application Vs entire subnet
> On the other hand, with SSL you have to secure one application at a
> time. You can't protect entire subnets. There are trivial
> denial of service attacks by active attackers; they simply need to
> inject a single TCP packet. And there's no way to protect UDP.
I beleive both SSL and IPSec are susceptible to DoS.
> If IPsec had been widely available, there would have been no need for
> SSL. But it wasn't there; that left a gaping ecological niche that SSL
> filled quite nicely.
> --Steve Bellovin