Date: 2007-02-20 09:06 pm (UTC)
From: (Anonymous)
There are many reasons to prefer transport-layer to network-layer security. As you have mentioned, network-layer solutions need to be implemented in the operating system kernel, making them particularly inconvenient to deploy. Also, IPsec (which for all practical purposes is the only network-layer protocol we have) has been widely criticized (http://www.schneier.com/paper-ipsec.html) for being exceptionally complex, and this fact hinders in-depth security evaluations. However, I think that the most important argument against network-layer security is that it violates basic networking stack architecture principles. When you are doing security management at the network layer, it usually means that you lose all the reliability and reassembly features provided by the transport layer. To be able to make security decisions (like authentication, authorization, etc.) you need to re-implement many TCP features that allow you to assemble network packets at the network layer, thus breaking the purpose behind the separation of functionality into layers.

--
Patroklos Argyroudis
http://ntrg.cs.tcd.ie/~argp/

Profile

ciphergoth: (Default)
Paul Crowley
