From owner-freebsd-security Mon Sep 6 23:41:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2])
	by hub.freebsd.org (Postfix) with ESMTP id 073FA14C57;
	Mon, 6 Sep 1999 23:41:26 -0700 (PDT)
	(envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89])
	by guppy.pond.net (8.9.3/8.9.3) with ESMTP id XAA25403;
	Mon, 6 Sep 1999 23:37:22 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4B32E.CD58CA8E@aracnet.com>
Date: Mon, 06 Sep 1999 23:39:42 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Rodney W. Grimes"
Cc: Gary Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <199909070542.WAA04637@gndrsh.dnsmgr.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Rodney W. Grimes" wrote:
> > dmp@aracnet.com wrote in message ID
> > <37D496A5.A0576E0F@aracnet.com>:
> > > Is it possible to encrypt ethernet packets so that all layers above
> > > layer 2 would be encrypted? The idea I had was to make a device that
> > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > doable? Viable? A reinvention of the wheel?
> >
> > How would you route the traffic? No routers would be able to pass the
> > traffic.
>
> No, only routers knowing the key would be able to route traffic.

In my idea, only the machine to which the packet is being sent would have
the decryption key. If the router had the decryption key, it would mean
that it would have to be programmable for it to load the right decryption
key. That opens a security hole in which a DoS could be executed by
corrupting the router's keys. The router's key cache would also have to be
retrievable, making it possible to steal the keys from the router. A
hardcoded decryption key is the only answer. Not completely secure in and
of itself, but to compromise it would require a physical effort, not just
an electronic/software one.

> > If you are doing this for a local LAN, I suggest you have bigger
> > problems :)
>
> Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan
> and several other wireless cards do DES encryption at layer 1... so
> it _can_ be done. And more importantly is being done (first hand
> knowledge on that one).

It's a wired LAN. UTP. Layer 1 encryption wouldn't work unless all devices
on the LAN had the same key pair. Great for preventing unauthorized use of
the network, but it doesn't do a thing to prevent sniffing by an authorized
machine. Unauthorized use of the network isn't an issue, but sniffable
traffic is. I like your solution, though.
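
An added illustration of the trade-off argued over in this thread, not code from any of the posters: everything behind the 14-byte Ethernet header is encrypted, so the frame still carries readable MAC addresses, but a device without the key (a router or a sniffer) finds no IP header to act on. The keystream is a SHA-256 counter construction standing in for a real cipher, and the key, nonce, MAC addresses and IP addresses are constructed sample values.

```python
import hashlib
import struct

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2) stay in clear

def keystream(key, nonce, n):
    # Stand-in keystream (SHA-256 over a counter), for illustration only;
    # not a vetted cipher, and it provides no integrity protection.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return out[:n]

def crypt_above_l2(frame, key, nonce):
    # XOR is its own inverse, so this both encrypts and decrypts.
    hdr, body = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    ks = keystream(key, nonce, len(body))
    return hdr + bytes(a ^ b for a, b in zip(body, ks))

def inet_checksum(data):
    # Standard 16-bit one's-complement Internet checksum.
    s = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse_ipv4(frame):
    # What a router or sniffer does: read the IP header behind the MAC header.
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
    if len(ip) < 20 or ip[0] != 0x45 or inet_checksum(ip) != 0:
        return None  # no usable addresses: nothing to route on or log
    return tuple(".".join(map(str, ip[i:i + 4])) for i in (12, 16))

def build_sample_frame():
    # Constructed sample: documentation IP addresses, locally administered MACs.
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    data = b"hello"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack(">H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + data

KEY, NONCE = b"constructed-demo-key", b"frame-0001"  # constructed values
FRAME = build_sample_frame()

if __name__ == "__main__":
    enc = crypt_above_l2(FRAME, KEY, NONCE)
    print("clear    :", parse_ipv4(FRAME))
    print("no key   :", parse_ipv4(enc))
    print("with key :", parse_ipv4(crypt_above_l2(enc, KEY, NONCE)))
```

The MAC addresses and EtherType remain visible to every station on the segment, so this hides what is being said and to which IP address, not which two interfaces are talking.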