On Mon, 23 Nov 2015, Kaushal Shriyan wrote:
> Is it better to go with IPsec over TLS for server-to-server communication? I know TLS is at Layer 7 (Application layer) and IPsec is at Layer 3 and inside the Linux kernel.
Do you mean use TLS in the application or use a TLS VPN? There is a big difference. If you are just doing HTTP between the servers, perhaps TLS is easier. If you are going to do all kinds of different communication between the servers, then IPsec is much better. IPsec covers all traffic, while (application) TLS only covers a specific port/application.

If using a TLS VPN then all ports are covered too, but things are also worse, because the packet goes from kernel to userland, decrypts there, then back to the kernel. That's a lot of overhead. And if there is packet loss, you will have two application layers attempting to retransmit and things get even worse. Or your UDP application suddenly turns from Unreliable to Reliable, which is not what you want, for instance, for audio streams where lost packets should be forgotten, not retransmitted.

You can read this draft's introduction on why doing VPN over TCP should only be a last-ditch effort at doing a VPN: https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-01

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
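The "two layers retransmitting" effect Paul describes is easy to see in a toy model. The Python below is an added example written for this page; it is not code from the thread or from Libreswan, and every name in it (`Wire`, `StopAndWait`, `simulate`, `drop_first`) is hypothetical. It models a stop-and-wait reliable stream (standing in for the inner TCP connection) sent either straight over a lossy datagram path, which is what an IPsec/ESP tunnel gives it, or inside a second stop-and-wait reliable channel, which is what a TCP-based TLS VPN gives it. The loss schedule (only the very first wire packet is dropped) and the timer values are constructed for the illustration, and the model deliberately omits RTT estimation and RTO backoff, so it exaggerates what a real TCP stack would do; the shape of the result, not the exact numbers, is the point.

```python
"""Toy discrete-time model of the "TCP over TCP" effect: an inner reliable
stream sent either directly over a lossy datagram path (the IPsec/ESP case)
or through a second reliable channel (the TCP-based TLS VPN case).
Simplifications (illustration, not a TCP implementation): one segment in
flight, fixed RTO with no backoff or RTT estimation, lossless ack path,
loss only in the data direction. All names here are hypothetical."""

LATENCY = 5  # one-way delay in ticks, so one round trip is 10 ticks


class Wire:
    """The physical path. Each transmission gets a global index and the
    lossy(idx) predicate decides whether that copy is dropped."""

    def __init__(self, lossy):
        self.lossy = lossy
        self.sent = 0            # total packets put on the wire
        self.inflight = []       # (arrival_tick, payload)

    def send(self, now, payload):
        idx = self.sent
        self.sent += 1
        if not self.lossy(idx):
            self.inflight.append((now + LATENCY, payload))

    def arrivals(self, now):
        ready = [p for t, p in self.inflight if t <= now]
        self.inflight = [(t, p) for t, p in self.inflight if t > now]
        return ready


class StopAndWait:
    """Minimal reliable sender: the head of `queue` is the outstanding
    (key, value) item; it is resent whenever `rto` ticks pass unacked."""

    def __init__(self, rto):
        self.rto = rto
        self.queue = []
        self.sent_at = None      # tick at which the head was last transmitted
        self.retransmits = 0

    def submit(self, item):
        self.queue.append(item)

    def step(self, now, transmit):
        if not self.queue:
            return
        if self.sent_at is None:
            transmit(now, self.queue[0])
            self.sent_at = now
        elif now - self.sent_at >= self.rto:
            transmit(now, self.queue[0])
            self.sent_at = now
            self.retransmits += 1

    def ack(self, key):
        # Only an ack for the outstanding head advances the sender; acks
        # for duplicates of already-acknowledged items are ignored.
        if self.queue and self.queue[0][0] == key:
            self.queue.pop(0)
            self.sent_at = None


def drop_first(idx):
    """Constructed loss schedule: only the very first wire packet is lost."""
    return idx == 0


def simulate(mode, n=3, lossy=drop_first, inner_rto=12, outer_rto=12,
             max_ticks=10_000):
    """Deliver n inner segments in mode "datagram" (inner stream directly
    on the lossy path) or "tcp_tunnel" (inner stream carried inside a
    second reliable channel) and report what it cost."""
    wire = Wire(lossy)
    inner = StopAndWait(inner_rto)
    for seq in range(n):
        inner.submit((seq, seq))
    outer = StopAndWait(outer_rto) if mode == "tcp_tunnel" else None
    outer_seq = [0]   # the tunnel's own sequence numbers
    acks = []         # (arrival_tick, layer, key) on the lossless return path
    delivered = []    # inner seqs as the receiver sees them, duplicates included

    def inner_transmit(now, item):
        seq = item[1]
        if outer is None:
            wire.send(now, (None, seq))          # straight onto the wire
        else:
            outer.submit((outer_seq[0], seq))    # queued behind anything pending
            outer_seq[0] += 1

    def outer_transmit(now, item):
        wire.send(now, item)                     # item is (outer_seq, inner_seq)

    done_at = None
    for now in range(max_ticks):
        for _, layer, key in [a for a in acks if a[0] <= now]:
            (inner if layer == "inner" else outer).ack(key)
        acks = [a for a in acks if a[0] > now]
        if not inner.queue:
            done_at = now
            break
        inner.step(now, inner_transmit)
        if outer is not None:
            outer.step(now, outer_transmit)
        for oseq, seq in wire.arrivals(now):
            delivered.append(seq)
            acks.append((now + LATENCY, "inner", seq))
            if oseq is not None:
                acks.append((now + LATENCY, "outer", oseq))
    return {"wire_packets": wire.sent,
            "inner_retransmits": inner.retransmits,
            "outer_retransmits": outer.retransmits if outer else 0,
            "duplicates": len(delivered) - len(set(delivered)),
            "done_at": done_at}


if __name__ == "__main__":
    for mode in ("datagram", "tcp_tunnel"):
        print(mode, simulate(mode))
```

With the constructed schedule, the datagram path loses one packet, retransmits it once and finishes three segments in 42 ticks with 4 wire packets. The tunnelled path loses the same single packet, but the inner stream's timer fires while the outer channel is still recovering, so the inner copy is queued behind the outer retransmission; that duplicate delays every later segment by a round trip, which trips the inner timer again, and the run ends at 62 ticks with 6 wire packets, 3 inner retransmissions and 2 duplicate segments delivered to the receiver. Raising `inner_rto` past two round trips (try `simulate("tcp_tunnel", inner_rto=25)`) makes the cascade disappear in this model, which is exactly the dependency on timer tuning that you do not have when the inner stream sees the loss itself.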
