Date: Tue, 7 Sep 1999 01:08:27 -0400
From: Christian Kuhtz <ck@adsu.bellsouth.com>
To: "Bryan Smith (Administrator)" <bryan@valiant.cis.hcc.cc.il.us>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <19990907010827.A124@ns1.adsu.bellsouth.com>
In-Reply-To: <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us>; from Bryan Smith (Administrator) on Mon, Sep 06, 1999 at 11:51:10PM -0500
References: <37D496A5.A0576E0F@aracnet.com> <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us>

Err, there are some things that don't run easily over SSH.

You could approach this at least four ways (that I can think of):

a) write a device driver layer which inserts link layer encryption and
   crypto management functions.
   - you'd need to do this with each box and device driver you want to be
     able to communicate with each other
   -- very cumbersome, IMHO, and a bad idea unless you got a damn good
      reason to do so.

b) use IPv4 IPSec
   -- pain in the a** after all the junk we had to deal with in my
      professional life. Lots and lots of interop issues.

c) use IPv6 IPSec
   -- learning curve to properly run IPv6 may be a bit high, but the rest
      is pretty straightforward and IMHO more clean than IPv4 IPSec,
      particularly IPSec host-mode.

d) use SSL style application layer encryption.
   -- by far the most portable implementation.

It'd help if you could describe a little more of what exactly you're
trying to do.. Ask yourself who you mistrust and who you trust in your
application. That's usually the best way to approach encryption, unless
you are a marketing moron^H^H^H^H^Hgenius.

Cheers,
Chris

On Mon, Sep 06, 1999 at 11:51:10PM -0500, Bryan Smith (Administrator) wrote:
> where would you implement this on the system?
>
> I just use SSH.
>
> Bryan Smith
[.. huge sig clipped ..]

--
Christian Kuhtz, Sr. Network Architect
BellSouth Corporation
<ck@adsu.bellsouth.com> -wk, <ck@gnu.org> -hm
Advanced Data Services
"Affiliation given for identification, not representation."
Atlanta, GA, U.S.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message