I've read about IPsec today. The article stated that IPsec provides security and integrity checks at layer 3. If the information above is correct, does it mean that UDP used over IPsec can be considered reliable in the same way as TLS over bare IP?
-
Do you mean TLS or TCP? Either could fit from context, but TLS does not provide increased "reliability", and TLS operates at layer 7 (the application layer) so TLS always uses TCP or UDP (and it's almost always TCP). – Frank Thomas, Jun 22, 2021 at 18:05
-
What I meant is: TLS ensures reliability and security. The article stated that IPsec ensures the very same thing. That is why I asked about a comparison of UDP over IPsec and TLS over IP. – mikerru, Jun 22, 2021 at 18:09
-
I thought that UDP stood for Unreliable Datagram Protocol, lol. (It doesn't.) – Andrew Morton, Jun 22, 2021 at 18:09
-
You need to define what "reliability" actually means to you. TLS ensures data integrity, but not reliable delivery, e.g. it doesn't implement retransmissions or flow control. (It relies on the delivery guarantees of TCP.) – grawity_u1686, Jun 22, 2021 at 18:19
-
Per Wikipedia, RFC5246 says "TLS runs on top of some reliable transport protocol (e.g., TCP)" (en.wikipedia.org/wiki/Transport_Layer_Security), so TLS uses TCP's reliable delivery. I agree that you are likely looking at different definitions of "reliable". UDP-based applications can only be reliable if the application itself takes responsibility for its own reliability features at layer 7. – Frank Thomas, Jun 22, 2021 at 18:22
1 Answer
Wikipedia has a good article on reliability here: https://en.wikipedia.org/wiki/Reliability_(computer_networking)
UDP over IPsec will just encrypt your UDP packets and do nothing to reliability as defined in the above article.
IPsec does not have a way for the client and server to tell each other if they got all the data sent by the other.
IPsec can add data integrity, data origination authentication, and replay protection.
Before I look at the UDP packet you've sent me over IPsec, I can know it's you and also know it's not a replay of a very old packet from you.
IPsec was designed to tunnel arbitrary connections and so individual connection state was not something it cares about. If you want reliability with IPsec, you make TCP connections.
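The distinction the answer draws (integrity, origin authentication and replay protection on one side, delivery guarantees on the other) can be made concrete with a small model. The following is an added example, not code from the answer or from any IPsec implementation: it imitates the anti-replay sliding window of ESP (RFC 4303, with a 32-slot window) on top of an HMAC over a sequence number and payload, and leaves out encryption, IKE and real packet formats. The shared key is a constructed constant standing in for what IKE would negotiate. Running the demo shows that a tampered datagram and a replayed datagram are rejected, a reordered datagram that is still inside the window is accepted, and a lost datagram simply leaves a gap that nothing at this layer asks the sender to fill.

```python
"""Toy model of what an ESP-style layer adds to UDP datagrams:
integrity, origin authentication and anti-replay, but no delivery
guarantee. Constructed for illustration; not an IPsec implementation."""
import hashlib
import hmac
import struct

# Assumption: a pre-shared key stands in for the key IKE would derive.
KEY = b"constructed-shared-key-for-demo"
WINDOW = 32          # anti-replay window; RFC 4303 requires at least 32 slots
TAG_LEN = 32         # HMAC-SHA256 output length in bytes


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: 32-bit sequence number, payload, HMAC-SHA256 tag."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then apply a sliding-window
    anti-replay check. Bit 0 of `seen` is `highest`, bit n is highest-n."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = 0             # bitmap of accepted seqs in (highest-window, highest]
        self.accepted = []        # sequence numbers delivered upward, in arrival order
        self.rejected = []        # (seq or None, reason) for dropped datagrams

    def receive(self, packet: bytes):
        if len(packet) < 4 + TAG_LEN:
            self.rejected.append((None, "too short"))
            return None
        header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Integrity / origin authentication failure: seq is untrusted, so not recorded.
            self.rejected.append((None, "bad integrity tag"))
            return None
        seq = struct.unpack(">I", header)[0]
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark this slot.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            diff = self.highest - seq
            if diff >= self.window:
                self.rejected.append((seq, "outside replay window"))
                return None
            if self.seen & (1 << diff):
                self.rejected.append((seq, "replay"))
                return None
            self.seen |= 1 << diff      # late but fresh: reordering is tolerated
        self.accepted.append(seq)
        return body


def gaps(rx: Receiver) -> list:
    """Sequence numbers below `highest` that never arrived. The receiver can
    observe these from its bitmap, but has no message to request them."""
    return sorted(set(range(1, rx.highest + 1)) - set(rx.accepted))


def demo() -> dict:
    rx = Receiver()
    packets = {i: protect(i, f"datagram {i}".encode()) for i in range(1, 6)}
    # 1) datagram 3 is lost in transit; the others arrive in order.
    for i in (1, 2, 4, 5):
        rx.receive(packets[i])
    gap_before_late_arrival = gaps(rx)
    # 2) an attacker replays datagram 2: rejected by the window.
    rx.receive(packets[2])
    # 3) a payload byte of datagram 4 is flipped: rejected by the tag.
    tampered = bytearray(packets[4])
    tampered[6] ^= 0x01
    rx.receive(bytes(tampered))
    # 4) datagram 3 finally arrives out of order but inside the window: accepted.
    rx.receive(packets[3])
    return {
        "accepted": rx.accepted,
        "rejected": rx.rejected,
        "gap_before_late_arrival": gap_before_late_arrival,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Nothing in `Receiver` ever sends anything back to the sender; the gap in step 1 is visible only because the bitmap records it, and if datagram 3 had never arrived the window would eventually slide past it. Retransmission and acknowledgement have to come from TCP or from the application above UDP, which is the answer's point.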