Date:      Tue, 7 Sep 1999 01:08:27 -0400
From:      Christian Kuhtz <ck@adsu.bellsouth.com>
To:        "Bryan Smith (Administrator)" <bryan@valiant.cis.hcc.cc.il.us>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <19990907010827.A124@ns1.adsu.bellsouth.com>
In-Reply-To: <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us>; from Bryan Smith (Administrator) on Mon, Sep 06, 1999 at 11:51:10PM -0500
References:  <37D496A5.A0576E0F@aracnet.com> <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us>

Err, there are some things that don't run easily over SSH.

You could approach this at least four ways (that I can think of):

	a) write a device driver layer which inserts link layer encryption and
	   crypto management functions.  - you'd need to do this with each box 
	   and device driver you want to be able to communicate with each 
	   other -- very cumbersome, IMHO, and a bad idea unless you got a
	   damn good reason to do so.

	b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
	   with in my professional life.  Lots and lots of interop issues.

	c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
	   high, but the rest is pretty straightforward and IMHO more clean 
	   than IPv4 IPSec, particularly IPSec host-mode.

	d) use SSL style application layer encryption. -- by far the most 
	   portable implementation.

It'd help if you could describe a little more of what exactly you're trying 
to do.

Ask yourself who you mistrust and who you trust in your application.  That's
usually the best way to approach encryption, unless you are a marketing 
moron^H^H^H^H^Hgenius.

Cheers,
Chris

On Mon, Sep 06, 1999 at 11:51:10PM -0500, Bryan Smith (Administrator) wrote:
> where would you implement this on the system?
> 
> I just use SSH.  
> 
> Bryan Smith
[.. huge sig clipped ..]

-- 
Christian Kuhtz, Sr. Network Architect                    BellSouth Corporation
<ck@adsu.bellsouth.com> -wk, <ck@gnu.org> -hm            Advanced Data Services
"Affiliation given for identification, not representation."   Atlanta, GA, U.S.
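
As an added illustration of the kernel-level option (b/c in the message above), and not code from the original thread or from Christian: a minimal, manually keyed IPsec transport-mode ESP setup in FreeBSD setkey(8) syntax, loaded with `setkey -f`. The addresses (RFC 5737 documentation range), SPIs and keys are constructed placeholders; real keys come from `openssl rand -hex 16` / `openssl rand -hex 32` and are never the values shown here.

```conf
# Added example, not part of the original message.  Manually keyed
# IPsec transport-mode ESP between two hosts, FreeBSD setkey(8) syntax.
# Addresses, SPIs and keys below are dummies for illustration only.
flush;
spdflush;

# Security associations: one per direction, each with its own SPI,
# its own AES-128-CBC key and its own HMAC-SHA-256 key (authentication
# is what stops an on-path attacker from flipping bits undetected).
add 192.0.2.1 192.0.2.2 esp 0x10001 -m transport
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha2-256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add 192.0.2.2 192.0.2.1 esp 0x10002 -m transport
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha2-256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;

# Security policy: every IP protocol ("any") between the two hosts must
# go through ESP in both directions.  "require" (rather than "use") is
# the important word: with "use", a peer that lost its SA silently falls
# back to cleartext, which is the failure mode you least want.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Two practitioner caveats. First, manual keying like this is fine for a lab or for checking that the kernel side works, but static keys never rotate; for anything real the SAs should be negotiated by IKE (racoon, strongSwan) and the `add` lines go away. Second, transport mode encrypts and authenticates only the payload above IP, so an observer on the wire still sees which hosts talk to each other and how much; that is exactly the "who do you trust" question in the message, since link-layer encryption (option a) would hide even the IP headers from a hostile segment, while application-layer SSL/TLS (option d) exposes the IP and TCP headers but travels unchanged over any network. The same policy grammar covers IPv6 (option c); only the addresses and the corresponding `add` lines change.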

