MTU and Fragmentation Considerations in an IPsec VPN
Table 7-2, IPsec VPN Packet Sizes, shows the overhead added when using AH and/or ESP (in tunnel and transport modes) and a variety of cryptographic algorithms to a user packet size of 1500 bytes sent over an IPsec or GRE/IPsec VPN tunnel.
SSL indeed has a header of 5 bytes. However, it's not only that.
TCP Header (20 bytes)
The header (5 bytes)
The sequence number (DTLS only) (8 bytes)
The IV (8-16 bytes)
The MAC (10-20 bytes)
Padding (CBC mode only, 1-16 bytes)
----> In fact, SSL and IPsec overhead are very comparable.
From a security standpoint, IPsec is better suited than SSL/TLS.
IPsec always uses a Diffie-Hellman exchange to generate keying material. [More info at http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange] In that way, as long as you use AES as the encryption mechanism, there is no way of decrypting the traffic by brute force, even over billions of years.
With SSL/TLS, for instance, the usual method to generate the crypto keying material is the following:
"In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key and sends the result to the server. Only the server should be able to decrypt it, with its private key." From the random number, both parties generate key material for encryption and decryption. More info at http://en.wikipedia.org/wiki/Transport_Layer_Security
So, in other words, if someone gets access to the RSA private key [most likely if they get physical access to the device], then the encrypted traffic can be easily decrypted [offline, instantaneously].
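The record-layer component list in the reply above, turned into a per-packet overhead calculator and set beside the ESP framing it is being compared with. This is an added example, not code from the original post or from any product the thread mentions. ESP field sizes are taken from RFC 4303 (with the RFC 2404, RFC 3602 and RFC 4106 IV and ICV lengths), the TLS figures are the TLS 1.2 record layer, and the specific cipher parameter sets and the 1500-byte MTU are assumptions chosen for illustration. It goes a little beyond the post by also computing the largest application payload (the value to clamp the inner TCP MSS to) that fits a given MTU, which is the practical question behind the section title; it does not reproduce Table 7-2.

```python
"""Framing overhead of TLS/DTLS records versus IPsec ESP, per packet.

Added example (not code from the original post): it turns the record-layer
component list in the reply above (5-byte header, 8-byte DTLS epoch/sequence,
IV, MAC, CBC padding) into a calculator and puts ESP framing next to it.
ESP field sizes follow RFC 4303 (SPI 4, sequence 4, pad length 1, next header
1) with the IV/ICV sizes of RFC 2404/3602/4106; TLS sizes are TLS 1.2 record
layer. The cipher parameter sets below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
TLS_RECORD_HDR = 5    # content type (1) + version (2) + length (2)
DTLS_EPOCH_SEQ = 8    # epoch (2) + 48-bit sequence number (6); DTLS only
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)


@dataclass(frozen=True)
class Cipher:
    """Per-record (TLS) or per-packet (ESP) crypto framing sizes in bytes."""
    name: str
    iv: int       # explicit IV (CBC) or explicit nonce (AEAD) on the wire
    mac: int      # HMAC output (TLS), truncated ICV (ESP) or AEAD tag
    block: int    # CBC block size; 0 means AEAD, no block padding


# TLS 1.2 record layer, full-length HMAC (the truncated_hmac extension would make mac=10)
TLS_AES_CBC_SHA1 = Cipher("TLS AES-128-CBC / HMAC-SHA1", iv=16, mac=20, block=16)
TLS_3DES_CBC_SHA1 = Cipher("TLS 3DES-CBC / HMAC-SHA1", iv=8, mac=20, block=8)
TLS_AES_GCM = Cipher("TLS AES-128-GCM", iv=8, mac=16, block=0)
# ESP: ICV truncated to 96 bits for HMAC-SHA1-96; GCM tag is 16 bytes
ESP_AES_CBC_SHA1_96 = Cipher("ESP AES-128-CBC / HMAC-SHA1-96", iv=16, mac=12, block=16)
ESP_AES_GCM = Cipher("ESP AES-128-GCM-16", iv=8, mac=16, block=0)


def tls_record_overhead(payload: int, c: Cipher, dtls: bool = False) -> int:
    """Bytes one (D)TLS 1.2 record adds around `payload` application bytes.

    CBC suites encrypt payload || MAC || padding || pad-length byte, so the
    padding is 1..block bytes (the length byte counts, and a whole extra block
    is added when the data is already aligned). AEAD suites carry no padding.
    """
    header = TLS_RECORD_HDR + (DTLS_EPOCH_SEQ if dtls else 0)
    padding = c.block - (payload + c.mac) % c.block if c.block else 0
    return header + c.iv + c.mac + padding


def esp_overhead(payload: int, c: Cipher, tunnel: bool = True,
                 nat_t: bool = False) -> int:
    """Bytes ESP (RFC 4303) adds around `payload`.

    `payload` is the whole inner IP packet in tunnel mode and the transport
    segment in transport mode. payload || padding || pad length || next header
    must be block aligned for CBC (padding 0..block-1) and 4-byte aligned for
    AEAD. Tunnel mode prepends a new outer IPv4 header; NAT-T (RFC 3948) puts
    a UDP/4500 header in front of ESP.
    """
    align = c.block or 4
    padding = -(payload + ESP_TRAILER) % align
    total = ESP_HDR + c.iv + padding + ESP_TRAILER + c.mac
    if tunnel:
        total += IPV4_HDR
    if nat_t:
        total += UDP_HDR
    return total


def tls_tcp_wire(app: int, c: Cipher = TLS_AES_CBC_SHA1) -> int:
    """On-the-wire size of `app` bytes sent as one TLS record over TCP/IPv4."""
    return IPV4_HDR + TCP_HDR + app + tls_record_overhead(app, c)


def dtls_udp_wire(app: int, c: Cipher = TLS_AES_CBC_SHA1) -> int:
    """On-the-wire size of `app` bytes sent as one DTLS record over UDP/IPv4."""
    return IPV4_HDR + UDP_HDR + app + tls_record_overhead(app, c, dtls=True)


def esp_tunnel_tcp_wire(app: int, c: Cipher = ESP_AES_CBC_SHA1_96,
                        nat_t: bool = False) -> int:
    """On-the-wire size of an inner IPv4/TCP segment carrying `app` bytes,
    encapsulated in ESP tunnel mode."""
    inner = IPV4_HDR + TCP_HDR + app
    return inner + esp_overhead(inner, c, tunnel=True, nat_t=nat_t)


def compare(app: int) -> dict:
    """Wire sizes of the three encapsulations for one `app`-byte datagram."""
    return {"tls_tcp": tls_tcp_wire(app),
            "dtls_udp": dtls_udp_wire(app),
            "esp_tunnel": esp_tunnel_tcp_wire(app)}


def largest_app_payload(mtu: int, wire: Callable[[int], int]) -> int:
    """Largest `app` with wire(app) <= mtu: the value to clamp the inner TCP
    MSS to so the encapsulated packet never needs fragmentation. wire() is
    non-decreasing in `app` (padding shrinks by 1 or jumps by a block), so
    scanning downward from the MTU returns the maximum."""
    app = mtu
    while app > 0 and wire(app) > mtu:
        app -= 1
    return app


if __name__ == "__main__":
    for n in (64, 1400, 1460):
        print(n, compare(n))
    for label, fn in (("TLS/TCP", tls_tcp_wire), ("DTLS/UDP", dtls_udp_wire),
                      ("ESP tunnel", esp_tunnel_tcp_wire),
                      ("ESP tunnel + NAT-T", lambda a: esp_tunnel_tcp_wire(a, nat_t=True))):
        print(f"{label}: clamp MSS to {largest_app_payload(1500, fn)} for MTU 1500")
```

Running it makes the reply's point concrete: with comparable algorithms, a 1400-byte segment costs 1485 bytes as a TLS record over TCP, 1481 as a DTLS record over UDP and 1512 in ESP tunnel mode, and a full-MSS 1460-byte segment overshoots a 1500-byte MTU in all three cases. For ESP tunnel mode with AES-CBC/HMAC-SHA1-96 the inner MSS has to come down to 1398 bytes (1382 with NAT-T, because the 8-byte UDP header pushes the block alignment one step further), which is the number an MSS clamp on the tunnel interface should use.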