Date:      Mon, 06 Sep 1999 23:39:42 -0700
From:      dmp@aracnet.com
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        Gary Palmer <gpalmer@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <37D4B32E.CD58CA8E@aracnet.com>
References:  <199909070542.WAA04637@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
> > dmp@aracnet.com wrote in message ID
> > <37D496A5.A0576E0F@aracnet.com>:
> > > Is it possible to encrypt ethernet packets so that all layers above
> > > layer 2 would be encrypted?  The idea I had was to make a device that
> > > could defeat a TCP sniffer by encrypting the IP headers.  Is this
> > > doable?  Viable?  A reinvention of the wheel?
> >
> > How would you route the traffic?  No routers would be able to pass the
> > traffic.
> 
> No, only routers knowing the key would be able to route traffic.

In my idea, only the machine to which the packet is being sent would
have the decryption key.  If the router had the decryption key, it
would mean that it would have to be programmable for it to load the
right decryption key.  That opens a security hole in which a DoS
could be executed by corrupting the router's keys.  The router's key
cache would also have to be retrievable, making it possible to steal
the keys from the router.

A hardcoded decryption key is the only answer.  Not completely
secure in and of itself, but to compromise it would require a
physical effort, not just an electronic/software one.

> > If you are doing this for a local LAN, I suggest you have bigger
> > problems :)
> 
> Maybe the LAN is ``wireless'' :-).   But more seriously the Wavelan
> and several other wireless cards do DES encryption at layer 1... so
> it _can_ be done.  And more importantly is being done (first hand
> knowledge on that one).

It's a wired LAN.  UTP.  Layer 1 encryption wouldn't work unless all
devices on the LAN had the same key pair.  Great for preventing
unauthorized use of the network, but it doesn't do a thing to prevent
sniffing by an authorized machine.  Unauthorized use of the network
isn't an issue, but sniffable traffic is.

I like your solution, though.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
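The two claims traded in the thread above can be checked with a small model: if only the destination host holds the key and everything above the Ethernet header is encrypted, an intermediate router without that key cannot read the IP destination and so cannot route the frame; if instead one key is shared by the whole LAN (the way the poster describes the layer-1 scheme), every authorized host can decrypt every other host's traffic, so sniffing by an insider is not prevented. The Python below is an added example, not code from the thread or from FreeBSD. Its cipher is a throwaway HMAC-SHA256 keystream standing in for DES or any real cipher, and every MAC address, IP address and key in it is constructed.

```python
"""Toy model of the layer-2 encryption scheme debated in the thread.
Constructed example: the cipher is a throwaway HMAC-based keystream,
not a production cipher, and every key and address below is made up."""
import hashlib
import hmac
import os
import socket
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 for a header that already carries a valid checksum."""
    total = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, protocol 6) with a valid checksum, then payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack(">H", ETHERTYPE_IPV4) + ip_packet


def encrypt_frame(frame: bytes, key: bytes, nonce=None) -> bytes:
    """Encrypt everything above layer 2; the Ethernet header stays in the clear.
    The nonce travels in the frame so the key holder can regenerate the keystream."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    hdr, body = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    return hdr + nonce + xor_bytes(body, keystream(key, nonce, len(body)))


def decrypt_frame(frame: bytes, key: bytes) -> bytes:
    hdr = frame[:ETH_HDR_LEN]
    nonce = frame[ETH_HDR_LEN:ETH_HDR_LEN + NONCE_LEN]
    body = frame[ETH_HDR_LEN + NONCE_LEN:]
    return hdr + xor_bytes(body, keystream(key, nonce, len(body)))


def route_lookup(frame: bytes, key=None):
    """What a router (or a sniffer) learns: the IPv4 destination, or None when the
    layer-3 header is unreadable. A key, if held, is applied first."""
    if key is not None:
        frame = decrypt_frame(frame, key)
    body = frame[ETH_HDR_LEN:]
    if len(body) < 20 or body[0] != 0x45 or ip_checksum(body[:20]) != 0:
        return None
    return socket.inet_ntoa(body[16:20])


def sniff_payload(frame: bytes, key: bytes) -> bytes:
    """What an authorized host holding `key` recovers from someone else's frame."""
    return decrypt_frame(frame, key)[ETH_HDR_LEN + 20:]


def demo() -> dict:
    mac_a = b"\x02\x00\x00\x00\x00\x0a"      # constructed sender
    mac_gw = b"\x02\x00\x00\x00\x00\x01"     # constructed gateway router
    frame = build_frame(mac_gw, mac_a, build_ipv4("10.0.0.10", "192.0.2.7", b"hello"))
    host_key = hashlib.sha256(b"key-of-192.0.2.7").digest()   # per-destination key (poster's design)
    lan_key = hashlib.sha256(b"shared-lan-key").digest()      # one key for the whole LAN
    nonce = b"\x00" * NONCE_LEN                               # fixed only to keep the demo deterministic
    per_host = encrypt_frame(frame, host_key, nonce)
    shared = encrypt_frame(frame, lan_key, nonce)
    return {
        "plain_router": route_lookup(frame),                       # cleartext: router routes it
        "per_host_router_no_key": route_lookup(per_host),          # router cannot read the IP header
        "per_host_destination": route_lookup(per_host, host_key),  # only the key holder can
        "shared_any_authorized_host": route_lookup(shared, lan_key),
        "shared_sniffed_payload": sniff_payload(shared, lan_key),  # insider reads the payload too
        "shared_outsider": route_lookup(shared),                   # unauthorized device: nothing
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model makes the trade-off concrete: with per-destination keys the only things a router can act on are the Ethernet header and the nonce, which is exactly why the reply says only key-holding routers could forward the traffic; with a LAN-wide key the router works, but so does every other authorized host's sniffer.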




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37D4B32E.CD58CA8E>