Date:      Tue, 07 Sep 1999 03:37:18 -0700
From:      dmp@aracnet.com
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <37D4EADE.6F1506F4@aracnet.com>
References:  <199909070904.CAA05294@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
> > What it comes down to is a hardware-based means of encrypting
> > ethernet traffic in a way that allows only the MAC address to be
> > seen.  I won't go into much detail about the network in question.
> > I will say that an unencrypted MAC address is required, and that only
> > the source and destination computers need know the unencrypted
> > contents of layers 3 and higher.
> 
> This can be done, even in software, though it is not going to be either
> fast due to DES or any other cryptographic overhead or easy to do with
> any off the shelf software due to mods required.

Getting software that could do the work isn't a problem.  Running
that software on computers that don't have good FP performance is.

> It might be easier to do this in hardware, just like was done on the
> Wavelan stuff, only modify the crypt/decrypt engine so that it skips
> the MAC address bytes.  You could even glue this into a modified NIC
> card between the NIC chip and the MII with a custom ASIC.  You'd need
> a way to program the keys, and a few other details, but not that hard
> to do.

This was pretty much the idea I had come up with.  I had my eye on
a cypher chip and a socketed ROM that would let you change the keys
for the NIC just by swapping ROMs.  Chassis intrusion is a small risk
in this case.

