Date:      Tue, 07 Sep 1999 01:33:37 -0700
From:      dmp@aracnet.com
To:        Christian Kuhtz <ck@adsu.bellsouth.com>
Cc:        "Bryan Smith (Administrator)" <bryan@valiant.cis.hcc.cc.il.us>, freebsd-security@FreeBSD.ORG
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <37D4CDE1.8FF6DA73@aracnet.com>
References:  <37D496A5.A0576E0F@aracnet.com> <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us> <19990907010827.A124@ns1.adsu.bellsouth.com>

Christian Kuhtz wrote:
> 
> Err, there are some things that don't run easily over SSH.
> 
> You could approach this at least four ways (that I can think of):
> 
>         a) write a device driver layer which inserts link layer encryption and
>            crypto management functions.  - you'd need to do this with each box
>            and device driver you want to be able to communicate with each
>            other -- very cumbersome, IMHO, and a bad idea unless you've got a
>            damn good reason to do so.
> 
>         b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
>            with in my professional life.  Lots and lots of interop issues.
> 
>         c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
>            high, but the rest is pretty straightforward and IMHO more clean
>            than IPv4 IPSec, particularly IPSec host-mode.
> 
>         d) use SSL style application layer encryption. -- by far the most
>            portable implementation.

All of these are software-based security measures.  In other words,
they aren't very good.

> It'd help if you could describe a little more of what exactly you're trying
> to do.

What it comes down to is a hardware-based means of encrypting
ethernet traffic in a way that allows only the MAC address to be
seen.  I won't go into much detail about the network in question.
I will say that an unencrypted MAC address is required, and that only
the source and destination computers need know the unencrypted
contents of layers 3 and higher.

> Ask yourself who you mistrust and who you trust in your application.  That's
> usually the best way to approach encryption, unless you are a marketing
> moron^H^H^H^H^Hgenius.

I mistrust everyone in general.  I grant trust to those I must deal
with, in order to deal with them.  When I'm not dealing with someone,
I do not trust them.
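The property asked for above (everything after the source and destination MAC addresses hidden, with only the two endpoints able to read layer 3 and up) can be shown concretely in software, even though the poster wants it in hardware. The following is an added illustration written for this archive page, not code from either correspondent. It assumes a shared link key already agreed out of band, uses a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of a real AEAD such as AES-GCM (which is what IEEE 802.1AE/MACsec later standardized for exactly this frame layout), and uses a random 12-byte nonce where a real link would carry a packet number. The frame contents are constructed sample values.

```python
"""Link-layer frame protection that leaves only dst/src MAC addresses visible.

Constructed example: the 12-byte Ethernet address header stays in clear, the
EtherType and everything above it are encrypted, and the whole frame is
authenticated. The keystream is HMAC-SHA256 in CTR style, a stand-in for a
real block-cipher AEAD; the framing is illustrative, not the 802.1AE SecTAG.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MAC_LEN = 6            # bytes per Ethernet address
HDR_LEN = 2 * MAC_LEN  # dst || src, transmitted in clear
NONCE_LEN = 12         # per-frame nonce (a packet number in real designs)
TAG_LEN = 16           # truncated HMAC-SHA256 authentication tag


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the shared link key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC(enc_key, nonce || block counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_frame(master_key: bytes, frame: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt EtherType+payload and authenticate header||nonce||ciphertext."""
    if len(frame) < HDR_LEN + 2:
        raise ValueError("frame shorter than an Ethernet header plus EtherType")
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    header, body = frame[:HDR_LEN], frame[HDR_LEN:]
    ciphertext = _xor(body, _keystream(_subkey(master_key, b"enc"), nonce, len(body)))
    tag = hmac.new(_subkey(master_key, b"mac"), header + nonce + ciphertext,
                   hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + ciphertext + tag


def unprotect_frame(master_key: bytes, protected: bytes) -> bytes:
    """Verify the tag first, then decrypt; any tampering raises ValueError."""
    if len(protected) < HDR_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated protected frame")
    header = protected[:HDR_LEN]
    nonce = protected[HDR_LEN:HDR_LEN + NONCE_LEN]
    ciphertext = protected[HDR_LEN + NONCE_LEN:-TAG_LEN]
    tag = protected[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), header + nonce + ciphertext,
                        hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("frame authentication failed")
    body = _xor(ciphertext, _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext)))
    return header + body


def observer_view(protected: bytes) -> dict:
    """What a passive tap on the wire learns: two addresses, nothing else."""
    return {
        "dst": protected[:MAC_LEN].hex(":"),
        "src": protected[MAC_LEN:HDR_LEN].hex(":"),
        "opaque_bytes": len(protected) - HDR_LEN,
    }


if __name__ == "__main__":
    link_key = os.urandom(32)                      # constructed shared key
    frame = (bytes.fromhex("001122334455")         # constructed dst MAC
             + bytes.fromhex("66778899aabb")       # constructed src MAC
             + b"\x08\x00"                         # EtherType IPv4 (hidden)
             + b"constructed IPv4 datagram")       # layer 3+ (hidden)
    wire = protect_frame(link_key, frame)
    print("on the wire:", observer_view(wire))
    print("at the peer :", unprotect_frame(link_key, wire)[HDR_LEN:HDR_LEN + 2].hex())
```

The two things worth noticing are that the EtherType (0x0800 here) is no longer visible on the wire, so a tap cannot even tell IP from ARP, and that the clear-text addresses are bound into the tag, so rewriting them fails verification. The nonce must never repeat under one key; real link encryptors use a monotonically increasing packet number and re-key before it wraps.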

