From: Timo T. <tim...@ik...> - 2009-12-28 08:31:07
Naveen BN wrote:
> Tls can provide client to site solution ( VPN solution) and It is no
> problems even in the presence of NAT nor the overhead of NAT keep alive.
> For the end user the configuration of Ipsec policies is also an overhead .

1. TLS != VPN solution. There are *TLS-based* VPN solutions such as OpenVPN, but TLS in itself is an application-level protocol.

2. TLS does have NAT keep-alive in the form of TCP keepalive, or if running over UDP it needs an application-level keep-alive mechanism (see e.g. the OpenVPN --keepalive option).

3. A proper TLS-based solution also requires configuration. For clear server-client installs, you should be using autogenerated IPsec policies. Which one is easier depends on which one you know better ;)

>> TLS is TCP-based and not suited really for VoIP or any other UDP-based
>> program. TCP-inside-TCP tunneling is also bad. So TLS is good only for
>> application level stuff. So if you are good with running https, sips
>> etc. then you are ok with TLS.

Oh, OpenVPN does have a UDP mode so it's not strictly like this, but you do need to be careful in choosing how the protocols are stacked.

>> IPsec is a layer 2 transport. And does it job at very low level.
>> Any application that is not TLS aware, can be secured with it. It works
>> good with any protocol. It also is typically faster as IPsec part of
>> the protocol is done in kernel mode (only IKE runs in userland). This
>> results in lower hardware requirements.

This applies. Please read the basics of how the two protocols differ. Start with:
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/IPsec

These two protocols work in separate layers of the TCP/IP stack. They have separate use cases. A short guide for choosing is:
- If you want to combine networks: use IPsec
- If you want to provide secure services or connect one computer to a centralized place: use TLS

- Timo