[Swan] TLS vs IPsec

Kaushal Shriyan kaushalshriyan at gmail.com
Wed Nov 25 09:59:41 UTC 2015


Thanks Paul for the explanation. I am still reading it.

Regards,

Kaushal

On Tue, 24 Nov 2015 at 05:20 Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 23 Nov 2015, Kaushal Shriyan wrote:
>
> > Is it better to go with IPsec over TLS for server to server
> communication?
> > I know TLS is at Layer 7 (Application layer) and IPsec is at Layer 3 and
> inside linux kernel.
>
> Do you mean use TLS on the application or use a TLS VPN? There is a big
> difference. If you are just doing HTTP between the servers, perhaps TLS
> is easier. If you are going to do all kinds of different communication
> between the servers, then IPsec is much better.
>
> IPsec covers all traffic while (application) TLS only covers a specific
> port/application. If using a TLS VPN then all ports are covered too, but
> things are also worse, because the packet goes from kernel to userland,
> decrypts there, then back to the kernel. That's a lot of overhead. And if
> there is packet loss, you will have two application layers attempting to
> retransmit and things get even worse. Or your UDP application suddenly
> turns from Unreliable to Reliable, which is not what you want for
> instance for audio streams where lost packets should be forgotten, not
> retransmitted.
>
> You can read this draft's introduction on why doing VPN over TCP should
> only be a last ditch effort at doing a VPN:
>
> https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-01
>
> Paul
>
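The two effects Paul describes (both layers retransmitting, and a UDP flow becoming reliable) can be made concrete with a toy timer model. This is an added example, not code from the thread or from libreswan; the RTO values, one-way delay and the `drops` set are constructed assumptions, and the model ignores congestion control and ACK loss.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed parameters: the outer (VPN) TCP and the inner TCP both use a
# fixed initial RTO with exponential backoff. `drops` holds the indices of
# tunnel-path transmission attempts that the network discards.
ONE_WAY = 0.05   # seconds, assumed one-way delay on the tunnel path


@dataclass
class Result:
    tunnel_sends: int              # packets put on the wire for one payload
    inner_resends: int             # copies the inner sender re-injected
    delivered_at: Optional[float]  # first arrival time, None if never


def first_success(drops, rto):
    """Return (attempt_index, send_time) of the first attempt not dropped,
    retrying with a doubling timer: 0, rto, 3*rto, 7*rto, ..."""
    t, cur, attempt = 0.0, rto, 0
    while attempt in drops:
        t, cur, attempt = t + cur, cur * 2, attempt + 1
    return attempt, t


def inner_timer_fires(rto, until):
    """Expiry times of a backoff timer started at 0 that fire before `until`."""
    fires, t, cur = [], 0.0, rto
    while t + cur <= until:
        t, cur = t + cur, cur * 2
        fires.append(t)
    return fires


def tcp_in_tcp(drops, outer_rto=0.5, inner_rto=1.0):
    # Outer TCP retransmits on its own; the inner TCP sees no ACK meanwhile
    # and fires its timer too, queueing duplicate copies behind the stalled
    # outer segment (each duplicate becomes a fresh outer segment).
    attempt, t = first_success(drops, outer_rto)
    delivered = t + ONE_WAY
    resends = len(inner_timer_fires(inner_rto, delivered + ONE_WAY))
    return Result(attempt + 1 + resends, resends, delivered)


def tcp_in_datagram(drops, inner_rto=1.0):
    # ESP never retransmits, so only the inner TCP timer acts on a loss.
    attempt, t = first_success(drops, inner_rto)
    return Result(attempt + 1, attempt, t + ONE_WAY)


def udp_in_tcp(drops, outer_rto=0.5):
    # The tunnel keeps retrying: the "unreliable" datagram arrives late.
    attempt, t = first_success(drops, outer_rto)
    return Result(attempt + 1, 0, t + ONE_WAY)


def udp_in_datagram(drops):
    # Lost once, forgotten; the audio application moves on.
    return Result(1, 0, None if 0 in drops else ONE_WAY)
```

With `drops={0, 1}` the TCP-in-TCP case puts four packets on the wire for one payload (one of them a wasted duplicate), while the same flow over a datagram tunnel sends three with no duplicates; the UDP datagram is retried three times over TCP but dropped once over ESP.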