[Swan] TLS vs IPsec

Paul Wouters paul at nohats.ca
Mon Nov 23 23:50:44 UTC 2015


On Mon, 23 Nov 2015, Kaushal Shriyan wrote:

> Is it better to go with IPsec over TLS for server to server communication?
> I know TLS is at Layer 7 (Application layer) and IPsec is at Layer 3 and inside linux kernel.

Do you mean use TLS on the application or use a TLS VPN? There is a big
difference. If you are just doing HTTP between the servers, perhaps TLS
is easier. If you are going to do all kinds of different communication
between the servers, then IPsec is much better.

IPsec covers all traffic while (application) TLS covers only a specific
port/application. If using a TLS VPN then all ports are covered too, but things
are also worse, because the packet goes from kernel to userland, decrypts there,
then back to the kernel. That's a lot of overhead. And if there is
packet loss, you will have two application layers attempting to
retransmit and things get even worse. Or your UDP application suddenly
turns from Unreliable to Reliable, which is not what you want for
instance for audio streams where lost packets should be forgotten, not
retransmitted.

You can read this draft's introduction on why doing VPN over TCP should
only be a last ditch effort at doing a VPN:

https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-01

Paul
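A small simulation of the head-of-line blocking Paul describes, added here as an illustration and not part of his message or of any Swan code: a real-time UDP stream is pushed through an ESP-style (unreliable) tunnel and through a TLS-over-TCP (reliable) tunnel, one datagram is lost in each, and the code reports what the application sees. All timing values (20 ms packet interval, 50 ms one-way delay, 200 ms TCP retransmission timeout) are constructed for the example.

```python
"""Added illustration: effect of one lost packet on a real-time UDP stream
carried through an unreliable tunnel (IPsec ESP / ESP-in-UDP) versus a
reliable TLS-over-TCP tunnel. Times are integer milliseconds; all numbers
are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    delivered: dict = field(default_factory=dict)  # seq -> time handed to app (ms)
    dropped: list = field(default_factory=list)    # seq numbers never delivered
    max_latency: int = 0                           # worst send-to-delivery delay (ms)


def unreliable_tunnel(n, interval, one_way, lost):
    """ESP-style tunnel: a lost datagram is simply gone; every other datagram
    arrives with the constant one-way delay, so the codec can conceal the gap."""
    out = Outcome()
    for seq in range(n):
        if seq in lost:
            out.dropped.append(seq)
        else:
            out.delivered[seq] = seq * interval + one_way
    out.max_latency = one_way
    return out


def reliable_tunnel(n, interval, one_way, lost, rto):
    """TLS-over-TCP tunnel: the lost segment is retransmitted after one RTO and,
    because TCP hands data up strictly in order, every later datagram already
    sitting at the receiver is held back until the retransmission lands."""
    out = Outcome()
    release_after = 0  # in-order delivery: nothing is released before this time
    for seq in range(n):
        sent = seq * interval
        arrival = sent + one_way + (rto if seq in lost else 0)
        release_after = max(release_after, arrival)
        out.delivered[seq] = release_after
        out.max_latency = max(out.max_latency, release_after - sent)
    return out


def delayed_datagrams(outcome, interval, one_way):
    """Count datagrams the application received later than the nominal delay."""
    return sum(1 for seq, t in outcome.delivered.items() if t - seq * interval > one_way)


if __name__ == "__main__":
    udp = unreliable_tunnel(10, 20, 50, {3})
    tcp = reliable_tunnel(10, 20, 50, {3}, 200)
    print("ESP tunnel: dropped", udp.dropped, "max latency", udp.max_latency, "ms")
    print("TCP tunnel: dropped", tcp.dropped, "max latency", tcp.max_latency, "ms,",
          "stalled datagrams:", delayed_datagrams(tcp, 20, 50))
```

With these inputs the ESP tunnel loses exactly one datagram and keeps 50 ms latency for the rest, while the TCP tunnel loses nothing but stalls seven consecutive datagrams behind the retransmission, pushing latency to 250 ms; for an audio stream the second outcome is the worse one.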