Science Forum Index » Cryptography Forum » IPSec vs. SSL/SRTP?
Kim Hyldgaard (Guest)
Posted: Wed Jan 28, 2004 7:19 am
Hi,
Forgive my subject. This post is not intended to be a battle between protocols, but I would very much like a piece of advice since I have to choose between the two solutions.
Background:
I have an application which uses both voice and data traffic. The application is running on two PCs and communicates with each other (thus my application is always the end point).
I'd like to authenticate both ends by using X.509 certificates, and I'd also like to encrypt the data transfer.
I have two solutions:
1. To use SSL for X.509 authentication and data transfers and SRTP for voice transfers.
2. To use IPSec with X.509 authentication.
I would rather like to use IPSec, since I like introducing security on layer 3 instead of on layer 6.
Furthermore I don't want to patch SSL and SRTP together - for instance fetching a key from SSL to use in SRTP.
However, the IPSec solution is probably a little more performance demanding - if you use the same algorithms for encryption and authentication, at least the number of bytes to handle is bigger with IPSec than SSL.
(Notice: In the SSL solution, everything should run through SSL and no data should go untouched)
Do you have any good arguments for me to make a choice?
- Basically (if the patch between SSL and SRTP is OK) then I don't see any big difference in security.
Kind regards and thanks in advance
Kim Hyldgaard
Mailman (Guest)
Posted: Wed Jan 28, 2004 9:27 am
On Wed, 28 Jan 2004 13:19:33 +0100, Kim Hyldgaard wrote:
> Hi,
> Forgive my subject. This post is not intended to be a battle between protocols, but I would very much like a piece of advice since I have to choose between the two solutions.
> Background:
> I have an application which uses both voice and data traffic. The application is running on two PCs and communicates with each other (thus my application is always the end point).
> I'd like to authenticate both ends by using X.509 certificates, and I'd also like to encrypt the data transfer.
> I have two solutions:
> 1. To use SSL for X.509 authentication and data transfers and SRTP for voice transfers.
> 2. To use IPSec with X.509 authentication.
> I would rather like to use IPSec, since I like introducing security on layer 3 instead of on layer 6.
> Furthermore I don't want to patch SSL and SRTP together - for instance fetching a key from SSL to use in SRTP.
> However, the IPSec solution is probably a little more performance demanding - if you use the same algorithms for encryption and authentication, at least the number of bytes to handle is bigger with IPSec than SSL.
> (Notice: In the SSL solution, everything should run through SSL and no data should go untouched)
> Do you have any good arguments for me to make a choice?
> - Basically (if the patch between SSL and SRTP is OK) then I don't see any big difference in security.
> Kind regards and thanks in advance
> Kim Hyldgaard
I would probably go with IPSec simply on the basis of extensibility: if in
the future your needs change (as they so often do) you can easily add
channels/protocols and have all the necessary infrastructure already in
place. This also applies if your VoIP tries to use unexpected (read:
undocumented) ports.
In my experience IPSec is not a problem performance-wise - the compression
that is built-in more than compensates for the extra CPU cycles (unless
you want it to run on a Gigabit Ethernet at full speed). In any case
hardware acceleration is available for both IPSec and SSL and quite well
supported, so the CPU is not really a problem.
--
Mailman
Lassi Hippeläinen (Guest)
Posted: Wed Jan 28, 2004 1:32 pm
Kim Hyldgaard wrote:
> <...>
> Do you have any good arguments for me to make a choice?
> - Basically (if the patch between SSL and SRTP is OK) then I don't see any big difference in security.
If you use the same cryptoalgorithms, there aren't essential differences
between SSL and IPSec, in terms of security or throughput.
Architecturally the main difference is that SSL requires each socket to
have its own security association, but IPSec can handle all of them at
the same time, if their end points are in the same IP addresses. This
may speed up initial connections. It also leaks less information about
identities.
The main difference is in configuration management. IPSec is almost by
definition kernel code, and installing it requires root privileges. SSL
runs in the application layer.
-- Lassi
Kim Hyldgaard (Guest)
Posted: Thu Jan 29, 2004 5:58 am
Thanks to both of you.
Since I only have to communicate with one end-point in a rather static scenario, but with a lot of different sockets, the information concerning SSL and SAs was quite good.
As previously stated I like the IPSec solution best anyway and updating the kernel is not an issue for my application.
Kind regards
Kim Hyldgaard
All times are GMT - 5 Hours