[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL

To: <ipsec@lists.tislabs.com>
Subject: Re: Fw: IPSec vs. SSL
From: "Venkat RK Reddy" <vpothams@cisco.com>
Date: Mon, 18 Dec 2000 23:28:05 -0800
Cc: "Henry Spencer" <henry@spsystems.net>, "Steven M. Bellovin" <smb@research.att.com>
References: <20001219024836.136D035DC2@smb.research.att.com>
Sender: owner-ipsec@lists.tislabs.com

> I'm sorry, I still don't understand.  SSL has a key setup phase, too.
>
> To me, the difference is ease of deployment versus scope of protection.
> SSL is easier to deploy, because it lives solely at user level.  It
> does not need any kernel mods, source code, etc., and is reasonably
> portable between operating systems.

"Deployment" may not be a critical issue, because its a one time thing.  I
would add flexibility and purpose like
whether the client authentication is needed (optional in SSL), or various
options for payload specification and ofcourse application Vs entire subnet

> On the other hand, with SSL you have to secure one application at a
> time.    You can't protect entire subnets.  There are trivial
> denial of service attacks by active attackers; they simply need to
> inject a single TCP packet.  And there's no way to protect UDP.

I beleive both SSL and IPSec are susceptible to DoS.

> If IPsec had been widely available, there would have been no need for
> SSL.  But it wasn't there; that left a gaping ecological niche that SSL
> filled quite nicely.
>
>
> --Steve Bellovin
>
>

References:

Re: Fw: IPSec vs. SSL

From: "Steven M. Bellovin" <smb@research.att.com>

Prev by Date: Re: IKE attributes consistency.
Next by Date: Re: Fw: IPSec vs. SSL
Prev by thread: Re: Fw: IPSec vs. SSL
Next by thread: Re: Fw: IPSec vs. SSL
Index(es):
- Main
- Thread