
Re: Fw: IPSec vs. SSL





Much of this SSL vs. IPsec discussion has been based on unarticulated 
assumptions, and there have been some explicit technical errors, 
further confusing the debate.

One fair observation is that SSL configuration, from a client 
perspective, is much easier than for IPsec precisely because SSL does 
not address access control issues. Even at the server side, access 
control is an add-on, outside the scope of SSL. This relates to the 
observation made earlier re pre-configured CAs in SSL clients. This 
is a convenience feature that works fairly well for the public access 
to server model that SSL is designed to support. It is less 
attractive in an intranet environment, as it creates more 
opportunities for spoofing.  But, even this is not a criticism of 
SSL, because SSL does not embody any notion of root CAs in clients. 
All of that is outside the SSL spec, and is not standardized.

So, let's keep in mind the differences between standards and 
implementations when comparing SSL and IPsec.  There are legitimate 
differences in services and functional requirements between these 
protocols, and many of these differences relate to the contexts for 
which each was designed. In some cases they might be competitors, in 
other cases one offers features that make it incomparable to the 
other.

Steve

