
Re: tcp/routing question...

On Tue, 7 Jun 2005, Felipe Alfaro Solana wrote:

On 6/7/05, bruce <bedouglas earthlink net> wrote:

if i understand them both, ssl/ipsec are essentially the same thing, ie the
ability to create a secure connection between two points...

No... SSL operates at a higher level in the TCP/IP protocol stack. To be more concrete, SSL is an application-level protocol, whereas IPSec operates at the network level. IPSec can be configured to set up an encrypted and/or authenticated link between two peers, or in tunnel mode, where IP datagrams coming from several client machines get multiplexed, encapsulated, encrypted and/or authenticated, then sent over a "tunnel" over a public IP network to the tunnel endpoint, where the process is reversed and the decapsulated packet delivered to its target.

SSL is an application service, an end-to-end encrypted/authenticated
link between application peers and thus, the protocol or application
must explicitly support it (although there are tricks like using
stunnel). IPSec encrypts/authenticates a whole link (or parts of a
link) and it's application transparent: you can implement an
IPSec-protected link and have SSL-unfriendly or SSL-disabled
applications or protocols get automatic encryption/authentication via
IPSec features.

Just to add on a little bit.

SSL and IPsec may appear to be similar because they're both about encrypting traffic on the network. But what they achieve in the end is quite different.

With IPsec, you are encrypting between computers. SSL goes beyond that by encrypting end-to-end application traffic, which generally is what really matters to a user. It's possible to paint an example where merely having IPsec between the client and the bank is not enough... the user could still be fooled by an attacker.


