Comparison of SSL and IPSec

This article is not original content; I compiled it myself, for learning purposes only. See the footnotes.

SSL and IPSec are two widely used network security technologies.

0. Software and Hardware

IPSec is suited to network-to-network VPN connections (site-to-site) and is widely deployed on VPN routers.
SSL is better suited to remote access by mobile users (client-to-site) and is widely used for secure online transactions and remote administration.

IPSec VPN users usually need to install dedicated client software.
SSL VPN usually needs no client other than a browser.

IPSec requires the same vendor's software at both ends (see 5. Interoperability), which hinders enterprise applications that reach outside the corporate network. Every node has to be configured and managed for communication, and access is tied to a particular device, which raises configuration and operating costs.
SSL lets an enterprise serve many users at different locations; only the central node and gateway devices need maintenance, the client is maintenance-free and places low demands on the client device, which reduces configuration and operating costs.

1. Authentication Algorithms

| Technology | Supported authentication algorithms |
|---|---|
| IPSec | Digital signatures, key-based algorithms |
| SSL | Digital signatures |

2. Authentication Method

IPSec supports one authentication method, while SSL supports several different ones.
IPSec uses two-way (mutual) authentication; SSL uses one-way or two-way authentication.

| Technology | Authentication method | Verification algorithm |
|---|---|---|
| IPSec | Peer authentication | Key-based or digital signature algorithm |
| SSL | Server-side authentication | RSA (challenge/response); DSA digital signature algorithm |
| SSL | Client authentication | RSA or DSA digital signature algorithm |

3. Underlying Protocol

IPSec is a protocol suite that secures IP communication at the network layer, so it is network-layer centric. Phase 1 negotiation runs over UDP on port 500, and retransmission timers have to be maintained. Multiple users can share a single tunnel between two endpoints, which reduces the overhead of establishing a separate connection for each of them.
SSL is a socket-layer protocol that protects HTTP communication, so it is application-layer centric. The handshake protocol negotiates over TCP, and the port used varies with the application. Each user needs its own separate channel and key, independent of every other user's.

On the server side, both IPSec and SSL must be bound to a specific port.
On the client side, IPSec must be bound to a specific port, while SSL need not be.

UDP may lose data, or allow it to be tampered with, in transit. To avoid the unreliability of UDP transport:
IPSec adds a new header in front of the original packet and supports both TCP and UDP applications.
SSL runs above the TCP layer and therefore supports only TCP applications.

4. Order of Encryption and Authentication

IPSec encrypts the data first and then computes a message authentication code (MAC) over the ciphertext.
SSL computes the MAC over the plaintext first and then encrypts the data.

IPSec verifies the MAC before performing any decryption.
SSL decrypts the packet first and then verifies the MAC.
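The two orderings side by side, as an added example that is not part of the original article: the IPSec-style receiver rejects a tampered packet without ever running the cipher, while the SSL-style receiver has to decrypt before it can check anything. The stream cipher here is a constructed stand-in (HMAC-SHA256 in counter mode) for the AES/3DES a real ESP or SSL record layer would use; key sizes, the 8-byte nonce and the packet layout are assumptions.

```python
import hmac
import hashlib

TAG_LEN = 32    # HMAC-SHA256 tag length
NONCE_LEN = 8   # assumed per-packet nonce length
DECRYPTIONS = {"count": 0}  # how often the cipher ran on received data

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy stream cipher: HMAC-SHA256 in counter mode as a PRF keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def crypt(key: bytes, nonce: bytes, data: bytes, receiving: bool = False) -> bytes:
    if receiving:
        DECRYPTIONS["count"] += 1
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# IPSec (ESP) order: encrypt first, then MAC over the ciphertext.
def ipsec_protect(ek: bytes, mk: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = crypt(ek, nonce, plaintext)
    return nonce + ct + mac(mk, nonce + ct)

def ipsec_open(ek: bytes, mk: bytes, packet: bytes):
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    # The MAC is checked before decryption; a tampered packet is dropped untouched.
    if not hmac.compare_digest(tag, mac(mk, nonce + ct)):
        return None
    return crypt(ek, nonce, ct, receiving=True)

# SSL order: MAC over the plaintext, then encrypt plaintext || MAC.
def ssl_protect(ek: bytes, mk: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    body = plaintext + mac(mk, plaintext)
    return nonce + crypt(ek, nonce, body)

def ssl_open(ek: bytes, mk: bytes, packet: bytes):
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:]
    # Decryption has to happen before the MAC can be checked at all.
    body = crypt(ek, nonce, ct, receiving=True)
    pt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mk, pt)):
        return None
    return pt
```

Flipping one ciphertext bit makes both receivers return None, but `DECRYPTIONS["count"]` shows that only the SSL-style receiver processed the forged data before rejecting it.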

5. Interoperability

IPSec implementations from different vendors are not fully unified in some respects, so adjustments have to be made case by case.

6. Overhead

IPSec adds headers to the original packet, which causes extra overhead. The specific overhead is as follows:

| Protocol | Mode | Overhead (bytes) |
|---|---|---|
| IPSec | Tunnel, ESP | 32 |
| IPSec | Tunnel, ESP & AH | 44 |
| IPSec | Transport, ESP | 36 |
| IPSec | Transport, ESP & AH | 48 |
| SSL | HMAC-MD5 | 21 |
| SSL | HMAC-SHA1 | 25 |

7. Handshake Time

IPSec handshake times, based on a 2048-bit RSA key exchange mechanism and a 1536-bit DH exchange algorithm:

| Mode | Handshake time (ms) |
|---|---|
| Main mode (PSK authentication) | 97 |
| Aggressive mode (PSK authentication) | 56 |
| Main mode (RSA digital signatures) | 170 |

SSL handshake times, based on a 2048-bit RSA key exchange mechanism and a 768-bit DH exchange algorithm:

| Mode | Handshake time (ms) |
|---|---|
| Server-side authentication | 41.7 |
| Client authentication | 74.8 |
| Server-side authentication (DH algorithm) | 66.1 |
| Client authentication (DH algorithm) | 118.6 |

Client authentication with the 1536-bit DH algorithm takes 1648 ms, extremely slow compared with 768-bit DH.

8. Compression Algorithm

IPSec compresses data through the IPComp protocol.
SSL uses compression only to a limited extent; OpenSSL supports compression.

In a low-bandwidth topology, compression improves throughput for both IPSec and SSL.
In a high-bandwidth topology, compression reduces IPSec throughput except in the 3DES case, while SSL throughput still increases.

The factors that affect throughput are: the layer at which the protocol operates, the overhead each protocol adds, compression, encryption, and transmission speed.


[1] Jiang Yaxue. Comparative analysis of IPSec and SSL [J]. Computer Knowledge and Technology, 2011, 7(5): 1208-1210.
[2] What exactly is the difference between IPSec VPN and SSL VPN?


Source: www.cnblogs.com/jinanxiaolaohu/p/12213346.html