tcp/routing question...

Lai Zit Seng lzs at pobox.com
Tue Jun 7 23:43:08 UTC 2005


On Tue, 7 Jun 2005, Felipe Alfaro Solana wrote:

> On 6/7/05, bruce <bedouglas at earthlink.net> wrote:
>> matt...
>>
>> if i understand them both, ssl/ipsec are essentially the same thing, ie the
>> ability to create a secure connection between two points...
>
> No... SSL operates at a higher level in the TCP/IP protocol stack. To
> be more concrete, SSL is an application-level protocol, whereas IPSec
> operates at the network level. IPSec can be configured to set up an
> encrypted and/or authenticated link between two peers, or in tunnel
> mode, where IP datagrams coming from several client machines get
> multiplexed, encapsulated, encrypted and/or authenticated, then sent
> over a "tunnel" over a public IP network to the tunnel endpoint, where
> the process is reversed and the decapsulated packet delivered to its
> target.
>
> SSL is an application service, an end-to-end encrypted/authenticated
> link between application peers and thus, the protocol or application
> must explicitly support it (although there are tricks like using
> stunnel). IPSec encrypts/authenticates a whole link (or parts of a
> link) and it's application transparent: you can implement an
> IPSec-protected link and have SSL-unfriendly or SSL-disabled
> applications or protocols get automatic encryption/authentication via
> IPSec features.

Just to add on a little bit.

SSL and IPsec may appear to be similar because they're both about
encrypting traffic on the network. But what they achieve in the end
is quite different.

With IPsec, you are encrypting between computers. SSL goes beyond that by
encrypting end-to-end application traffic, which generally is what
really matters to a user. It's possible to paint an example where
merely having IPsec between the client and the bank is not enough... the user
could still be fooled by an attacker.

Regards,

.lzs
--
http://zitseng.com/



