Thanks Paul for the explanation. I am still reading it.

Regards,
Kaushal

On Tue, 24 Nov 2015 at 05:20 Paul Wouters <[email protected]> wrote:

> On Mon, 23 Nov 2015, Kaushal Shriyan wrote:
>
> > Is it better to go with IPsec over TLS for server to server
> > communication?
> > I know TLS is at Layer 7 (Application layer) and IPsec is at Layer 3 and
> > inside linux kernel.
>
> Do you mean use TLS on the application or use a TLS VPN? There is a big
> difference. If you are just doing HTTP between the servers, perhaps TLS
> is easier. If you are going to do all kinds of different communication
> between the servers, then IPsec is much better.
>
> IPsec covers all traffic while (application) TLS only covers a specific
> port/application. If using a TLS VPN then all ports are covered too, but
> things are also worse, because the packet goes from kernel to userland,
> decrypts there, then back to the kernel. That's a lot of overhead. And if
> there is packet loss, you will have two application layers attempting to
> retransmit and things get even worse. Or your UDP application suddenly
> turns from Unreliable to Reliable, which is not what you want for
> instance for audio streams where lost packets should be forgotten, not
> retransmitted.
>
> You can read this draft's introduction on why doing VPN over TCP should
> only be a last ditch effort at doing a VPN:
>
> https://tools.ietf.org/html/draft-pauly-ipsecme-tcp-encaps-01
>
> Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
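The audio-stream point in Paul's reply above, as an added illustration that is not part of the thread and not Libreswan code: a small Python model of a fixed-rate datagram stream (one 20 ms audio frame per packet) crossing a link with a constructed loss pattern, once as raw UDP and once carried inside a TCP-based VPN tunnel. The frame interval, the outer TCP's retransmission timeout (RTO), the play-out budget and the loss positions are assumptions chosen for the illustration, not measurements.

```python
"""Model of a fixed-rate datagram stream (one 20 ms audio frame per packet)
crossing a lossy link, delivered either as raw UDP or inside a TCP-based VPN
tunnel.  All timing constants and the loss pattern are constructed for the
illustration; nothing here is measured from a real network."""
from dataclasses import dataclass

FRAME_INTERVAL_MS = 20   # assumed: one audio frame every 20 ms
TUNNEL_RTO_MS = 200      # assumed: retransmission timeout of the outer TCP
PLAYOUT_BUDGET_MS = 60   # assumed: jitter buffer; frames later than this are useless


@dataclass
class Delivery:
    delivered: int      # frames handed to the application
    dropped: int        # frames never delivered
    late: int           # frames delivered after the play-out budget
    max_delay_ms: int   # worst added delay seen by any delivered frame


def raw_udp(lost_frames, n_frames, budget_ms=PLAYOUT_BUDGET_MS):
    """Raw UDP: a lost frame is simply gone, and no surviving frame waits for it.
    The codec conceals the gap and play-out stays on schedule."""
    dropped = len(lost_frames)
    return Delivery(n_frames - dropped, dropped, 0, 0)


def udp_over_tcp_tunnel(lost_frames, n_frames, budget_ms=PLAYOUT_BUDGET_MS,
                        rto_ms=TUNNEL_RTO_MS):
    """UDP inside a TCP tunnel: the outer TCP retransmits the lost segment after
    its RTO and delivers strictly in order, so every frame sent until the
    retransmitted copy lands is held back (head-of-line blocking).  Nothing is
    dropped, but the application's UDP stream has become reliable and bursty."""
    unblocked_at = 0          # time when the receiver can next deliver in order
    late = 0
    max_delay = 0
    for i in range(n_frames):
        sent_at = i * FRAME_INTERVAL_MS
        if i in lost_frames:
            # lost on the wire; the retransmitted copy arrives one RTO later
            unblocked_at = max(unblocked_at, sent_at + rto_ms)
        arrive_at = max(sent_at, unblocked_at)
        delay = arrive_at - sent_at
        max_delay = max(max_delay, delay)
        if delay > budget_ms:
            late += 1
    return Delivery(n_frames, 0, late, max_delay)


def compare(lost_frames, n_frames=100):
    """Run both delivery models over the same constructed loss pattern."""
    return {"raw_udp": raw_udp(lost_frames, n_frames),
            "udp_over_tcp": udp_over_tcp_tunnel(lost_frames, n_frames)}


if __name__ == "__main__":
    # constructed loss pattern: one isolated loss and one back-to-back pair
    for name, r in compare({10, 50, 51}).items():
        print(f"{name:13s} delivered={r.delivered} dropped={r.dropped} "
              f"late={r.late} max_delay={r.max_delay_ms}ms")
```

With three lost frames out of a hundred, raw UDP loses exactly those three and every other frame arrives on time; the same stream inside the TCP tunnel loses nothing but holds fifteen frames past the play-out budget, which is the "unreliable turned reliable" behaviour the reply warns about. The model ignores the extra kernel/userland copies and the case where the retransmission itself is lost, both of which only make the tunnel look worse.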
