Question

Discuss TLS and IPsec in terms of their functionality. If you could only have one (TLS or IPsec), how would that affect your system and data?
Answer #1

Difference between TLS (SSL) and IPsec in terms of functionality:

IPsec (Internet Protocol Security):

IPsec, also known as the Internet Protocol Security or IP Security protocol, defines the architecture for security services for IP network traffic. IPsec describes the framework for providing security at the IP layer, as well as the suite of protocols designed to provide that security, through authentication and encryption of IP network packets. Also included in IPsec are protocols that define the cryptographic algorithms used to encrypt, decrypt and authenticate packets, as well as the protocols needed for secure key exchange and key management.

IPsec originally defined two mechanisms for imposing security on IP packets: the Encapsulating Security Payload (ESP) protocol, which defined a method for encrypting data in IP packets, and the Authentication Header (AH) protocol, which defined a method for digitally signing IP packets. The Internet Key Exchange (IKE) protocol is used to manage the cryptographic keys used by hosts for IPsec.

TLS (Transport Layer Security):

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VOIP). In this article we will focus on the role of TLS in web application security.

TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.

TLS can be used on top of a transport-layer security protocol like TCP. There are three main components to TLS: Encryption, Authentication, and Integrity.

  • Encryption: hides the data being transferred from third parties.
  • Authentication: ensures that the parties exchanging information are who they claim to be.
  • Integrity: verifies that the data has not been forged or tampered with.

A TLS connection is initiated using a sequence known as the TLS handshake. The TLS handshake establishes a cipher suite for each communication session. The cipher suite is a set of algorithms that specifies details such as which shared encryption keys, or session keys, will be used for that particular session. TLS is able to set the matching session keys over an unencrypted channel thanks to a technology known as public key cryptography.

How would it affect your system and data if you had only one of them, either TLS or IPsec:

Well, given that, by IPsec, you mean only AH and ESP (that is, RFC4301-4303), well, the obvious answer is that IPsec doesn't mandate any way to generate keys, select algorithms, or to establish contexts. All that is assumed to be done by some other protocol (which might be IKEv1, IKEv2, GDOI, manual configuration or possibly others), and exactly how that is done is not IPsec's concern.

TLS (which is the name I prefer to SSL; you shouldn't be using SSLv3 and you really shouldn't even consider SSLv2) has embedded in it an authentication and key establishment protocol, which spells out exactly how things ought to be done.

Of course, as for how they do encryption and decryption, there are some differences. Some of these differences are design decisions (TLS has traditionally done 'MAC and then ENCRYPT', while IPsec does 'ENCRYPT and then MAC'); on the other hand, a lot of the differences are due to the fact that they're addressing different problems:

  • TLS is over a reliable transport (typically TCP), while IPsec is over an unreliable transport (IP, which can drop and reorder packets). What this means is that TLS keeps context between the sender and the receiver and updates that state (such as the sequence number); with IPsec, all that needs to be made explicit (as there is no guarantee that the receiver will get the same packets in the same order that the sender sent them). [1]

  • IPsec was designed specifically to protect IP traffic; hence it has a bunch of rules built in with IP in mind; for example, how fragments are processed, how it interacts with IP MTU, how packets interact with the security policy database, how DSCP bits are handled, how ECN (Explicit Congestion Notify) is handled. In contrast, TLS was designed to protect a byte stream, and it makes no assumptions about what that byte stream means.

  • IPsec was always envisioned to be security gateway-friendly. That is, it was always expected that one use case for it would be a router in the middle that accepts plaintext packets (say, from your local office LAN), and sends them off encrypted through the internet (perhaps to another security gateway in a different location). Of course, you could also use IPsec in an end-to-end fashion; both usages were considered in its design. In contrast, TLS was always envisioned to be end-to-end; that is, say, the PC that generates the plaintext was expected to be the one encrypting it. Now, you can design a TLS security gateway (and most certainly, people have); it is significantly less clean because of design choices behind TLS.
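The first bullet above (implicit TLS record state versus the explicit sequence number IPsec must carry) is easiest to see in code. The following is an added illustration, not code from the answer or from any TLS/IPsec implementation: it models a TLS-style record whose sequence number lives only in the two endpoints' counters, and an ESP-style packet whose sequence number is sent in the clear and checked against an anti-replay window as RFC 4303 describes. The keys are constructed demo values, and the "cipher" is a toy HMAC-based keystream standing in for a real AEAD; only the framing and sequence handling are the point.

```python
import hmac, hashlib, struct

ENC_KEY, MAC_KEY = b"k" * 32, b"m" * 32  # constructed demo keys, not real key material
TAG_LEN = 32

def keystream_xor(key, nonce, data):
    """Toy counter-mode keystream from HMAC-SHA256 standing in for AES-CTR; not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def tag(aad, ct):
    return hmac.new(MAC_KEY, aad + ct, hashlib.sha256).digest()

def tls_protect(seq, plaintext):
    """TLS-style record: the sequence number is implicit state kept by both ends, never sent."""
    nonce = struct.pack(">Q", seq)
    ct = keystream_xor(ENC_KEY, nonce, plaintext)
    return ct + tag(nonce, ct)            # encrypt-then-MAC, as TLS 1.3 AEAD records do

def tls_unprotect(expected_seq, record):
    """Receiver uses ITS OWN counter; a reordered record fails the MAC and the session is torn down."""
    ct, t = record[:-TAG_LEN], record[-TAG_LEN:]
    nonce = struct.pack(">Q", expected_seq)
    return keystream_xor(ENC_KEY, nonce, ct) if hmac.compare_digest(t, tag(nonce, ct)) else None

def esp_protect(seq, plaintext):
    """IPsec ESP-style packet: the sequence number is carried explicitly in the clear header."""
    hdr = struct.pack(">I", seq)
    ct = keystream_xor(ENC_KEY, hdr, plaintext)
    return hdr + ct + tag(hdr, ct)

class EspReceiver:
    """Per-packet verification plus an RFC 4303 style sliding anti-replay bitmap window."""
    def __init__(self, window=32):
        self.window, self.highest, self.seen = window, 0, 0   # seen: bitmap relative to highest
    def unprotect(self, pkt):
        hdr, ct, t = pkt[:4], pkt[4:-TAG_LEN], pkt[-TAG_LEN:]
        seq = struct.unpack(">I", hdr)[0]
        if not hmac.compare_digest(t, tag(hdr, ct)):
            return None                                       # forged or corrupted packet
        if seq > self.highest:                                # slide the window forward
            self.seen, self.highest = ((self.seen << (seq - self.highest)) | 1) & ((1 << self.window) - 1), seq
        else:
            back = self.highest - seq
            if back >= self.window or (self.seen >> back) & 1:
                return None                                   # too old, or a replay
            self.seen |= 1 << back
        return keystream_xor(ENC_KEY, hdr, ct)                # out-of-order delivery is accepted
```

Delivering TLS record 2 before record 1 yields an integrity failure at the receiver, while the ESP receiver accepts the same reordering and instead rejects the second copy of a packet it has already seen.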
