From owner-freebsd-security Mon Sep 6 23:56:21 1999
From: "Rodney W. Grimes"
Message-Id: <199909070656.XAA04873@gndrsh.dnsmgr.net>
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D4B32E.CD58CA8E@aracnet.com> from "dmp@aracnet.com" at "Sep 6, 1999 11:39:42 pm"
To: dmp@aracnet.com
Date: Mon, 6 Sep 1999 23:56:06 -0700 (PDT)
Cc: gpalmer@FreeBSD.ORG (Gary Palmer), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]

[pulled content from save of message...]

> "Rodney W. Grimes" wrote:
> > > dmp@aracnet.com wrote in message ID
> > > <37D496A5.A0576E0F@aracnet.com>:
> > > > Is it possible to encrypt ethernet packets so that all layers above
> > > > layer 2 would be encrypted? The idea I had was to make a device that
> > > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > > doable? Viable? A reinvention of the wheel?
> > >
> > > How would you route the traffic? No routers would be able to pass the
> > > traffic.
> >
> > No, only routers knowing the key would be able to route traffic.
>
> In my idea, only the machine to which the packet is being sent would
> have the decryption key. If the router had the decryption key, it
> would mean that it would have to be programmable for it to load the
> right decryption key.

Usually one key per interface, not a big deal, and required for what I
was discussing since this even encrypts the MAC address.

> That opens a security hole in which a DoS
> could be executed by corrupting the router's keys. The router's key
> cache would also have to be retrievable, making it possible to steal
> the keys from the router.

You can't corrupt the router key unless you know the key; it won't hear
you unless your data is properly encrypted. Remember this is layer 1
encryption, so you have to know the key to encrypt the MAC to get the
router to even listen to you.

You can ``physically'' steal the keys from the router itself, but then
we would have to post armed guards as others mentioned to stop physical
access attacks.

> A hardcoded decryption key is the only answer. Not completely
> secure in and of itself, but to compromise it would require a
> physical effort, not just an electronic/software one.

See above...

> > > If you are doing this for a local LAN, I suggest you have bigger
> > > problems :)
> >
> > Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan
> > and several other wireless cards do DES encryption at layer 1... so
> > it _can_ be done. And more importantly is being done (first hand
> > knowledge on that one).
>
> It's a wired LAN. UTP. Layer 1 encryption wouldn't work unless all
> devices on the LAN had the same key pair. Great for preventing
> unauthorized use of the network, but it doesn't do a thing to prevent
> sniffing by an authorized machine. Unauthorized use of the network
> isn't an issue, but sniffable traffic is.

Hummm... definitely a different problem than we are solving... and
definitely different than the wireless problem we did solve.

> I like your solution, though.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
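The per-interface link encryption Rod describes above, as an added toy model that is not code from this thread or from any Wavelan product: the whole frame including the MAC header is encrypted under the key of the link it travels on, a receiver silently drops anything not sent under its key, and a router decrypts on ingress and re-keys on egress. All function names, the keys and the frame contents are constructed for the example, and a SHA-256 keystream with an HMAC tag stands in for the DES the thread mentions.

```python
# Added illustration of hop-by-hop link-layer encryption (not from the thread).
# The SHA-256 keystream + HMAC tag is a toy stand-in for DES, not a real cipher.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 8, 8

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from the link key (toy stand-in for DES)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def link_encrypt(key: bytes, frame: bytes) -> bytes:
    """Encrypt a whole Ethernet frame (MAC header included) under one link key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(frame, _keystream(key, nonce, len(frame))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def link_decrypt(key: bytes, blob: bytes):
    """Return the frame, or None: the receiver ignores anything not sent under its key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_frame(dst_mac: bytes, src_mac: bytes, ip_payload: bytes) -> bytes:
    """Constructed frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), then payload."""
    return dst_mac + src_mac + b"\x08\x00" + ip_payload

def router_forward(keys: dict, in_if: str, out_if: str, blob: bytes):
    """Hop-by-hop: decrypt with the ingress interface key, re-encrypt with the
    egress key. A frame that fails the ingress key is dropped before it touches
    any router state; every host holding a segment's key can still read that
    segment's traffic, which is the sniffing limit dmp points out."""
    frame = link_decrypt(keys[in_if], blob)
    if frame is None:
        return None
    return link_encrypt(keys[out_if], frame)
```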