ietf

Re: NATs *ARE* evil!

2000-12-19 11:50:02
In message <Pine.LNX.4.21.0012190905370.13276-100000@pescado.lanl.gov>, Mike Fisk writes:


The marginal value I see in IPsec is that it is useful for protocols other
than TCP.  For TCP applications, I confess that I don't see much value in
IPsec (not that TLS has any particular merits, it just became more common
first).


Why do I think I'm having this discussion for the Nth time?  IPsec has 
two other advantages:  it protects *all* transmissions without touching 
the applications, which would otherwise need to be converted one at a 
time; it also protects TCP against one-packet denial-of-service 
attacks.  All I have to do to tear down a TLS session is send one 
packet with the correct port and sequence numbers.  TLS will notice 
that the packet doesn't belong, and will tear down the session.  With 
IPsec, TCP will never even see the garbage packet, since it will fail 
the integrity check before it gets to that layer.


                --Steve Bellovin
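The layering argument in the reply above, as an added toy model that is not part of the thread: the same injected segment (correct port and sequence number, no valid integrity tag) is accepted by TCP and then aborts the session when TLS fails the record MAC, but is discarded before TCP sees it when the integrity check sits at the IPsec layer. The model assumes HMAC-SHA256 standing in for both the TLS record MAC and the IPsec ICV, a constructed key, and constructed segments.

```python
import hmac, hashlib
from dataclasses import dataclass, field

KEY = b"constructed-demo-key"   # constructed shared integrity key for this model
@dataclass
class Segment:
    port: int; seq: int; payload: bytes; icv: bytes = b""   # icv: IPsec integrity check value
@dataclass
class Session:
    port: int; next_seq: int; alive: bool = True; delivered: list = field(default_factory=list)

def mac(*parts):
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()
def ipsec_tag(port, seq, payload):            # ICV also covers the headers TCP would otherwise trust
    return mac(port.to_bytes(2, "big"), seq.to_bytes(4, "big"), payload)

def tcp_receive(sess, seg):
    """TCP checks only port and sequence number; it cannot tell a spoofed segment from a real one."""
    if not sess.alive or seg.port != sess.port or seg.seq != sess.next_seq:
        return "tcp-dropped"
    sess.next_seq += len(seg.payload)
    return "tcp-accepted"

def tls_receive(sess, seg):
    """TLS checks integrity above TCP: a record with a bad tag is a fatal alert that ends the session."""
    if tcp_receive(sess, seg) != "tcp-accepted":
        return "tcp-dropped"
    body, tag = seg.payload[:-32], seg.payload[-32:]
    if not hmac.compare_digest(tag, mac(body)):
        sess.alive = False                     # bad_record_mac: the whole connection is torn down
        return "tls-fatal-alert"
    sess.delivered.append(body)
    return "tls-delivered"

def ipsec_receive(sess, seg):
    """IPsec checks integrity below TCP: a bad ICV drops the packet before TCP ever sees it."""
    if not hmac.compare_digest(seg.icv, ipsec_tag(seg.port, seg.seq, seg.payload)):
        return "ipsec-dropped"
    if tcp_receive(sess, seg) != "tcp-accepted":
        return "tcp-dropped"
    sess.delivered.append(seg.payload)
    return "tcp-delivered"

def demo(mode):
    # Deliver one spoofed segment (right port and seq, no valid tag), then the genuine next one.
    sess = Session(port=443, next_seq=1000)
    spoofed = Segment(443, 1000, b"garbage" + bytes(32))   # constructed injected segment
    if mode == "tls":
        receive, genuine = tls_receive, Segment(443, 1000, b"hello" + mac(b"hello"))
    else:
        receive, genuine = ipsec_receive, Segment(443, 1000, b"hello", ipsec_tag(443, 1000, b"hello"))
    return receive(sess, spoofed), receive(sess, genuine), sess.alive, sess.delivered
```

`demo("tls")` shows the session dead and the genuine segment lost; `demo("ipsec")` shows the spoofed packet dropped at the IP layer and the genuine data delivered.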
