From owner-freebsd-security Tue Sep 7 0:20:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id CDC8A14EDF for ; Tue, 7 Sep 1999 00:20:51 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id AAA28450; Tue, 7 Sep 1999 00:18:13 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4BCC2.34AFAE9D@aracnet.com>
Date: Tue, 07 Sep 1999 00:20:34 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: ks@itp.ac.ru
Cc: freebsd-security@freebsd.org
Subject: Re: Layer 2 ethernet encryption?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Sergey S. Kosyakov" wrote:
> On 07-Sep-99 dmp@aracnet.com wrote:
>> "Sergey S. Kosyakov" wrote:
>>> On 07-Sep-99 dmp@aracnet.com wrote:
>>> > Is it possible to encrypt ethernet packets so that all layers above
>>> > layer 2 would be encrypted? The idea I had was to make a device that
>>> > could defeat a TCP sniffer by encrypting the IP headers. Is this
>>> > doable? Viable? A reinvention of the wheel?
>>> >
>>>
>>> You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if
>>> you use routing, or over divert(4) sockets with ipfw(8) rules for a LAN.
>>
>> Both of which require that unencrypted IP headers be used. This
>> allows the use of a TCP sniffer to monitor from where and to whom
>> traffic is going. By the standards of my group, that's a security
>> problem.
>
> Could you please describe your problem in more detail - I mean, what do you want
> to do? You want to hide from where and to whom traffic is going on an Ethernet LAN,
> don't you? Then use an Ethernet switching hub.

I have two problems.
The first is that EM emissions on UTP allow one to monitor all traffic on that cable. The second is that a sniffer run on an authorized machine will be able to see the source and destination IP and port of all IP traffic on its segment. I want to fix both problems. Encrypting everything above layer 2 does this. The only determinable aspects of the packets would be the source and destination MAC addresses, relatively sufficient security given the security policy and topology of the network in question.
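The difference the two posters are arguing about, as an added example that is not part of the thread and not TUND's code: a tun(4)/divert(4)-style tunnel encrypts the inner IP packet but must carry a readable outer IP header between the tunnel endpoints, whereas encrypting everything after the two MAC addresses (EtherType included) leaves a keyless sniffer nothing but those addresses. The MACs, IP addresses, ports and key are constructed, IP/TCP checksums are left at zero because only header visibility matters here, and the cipher is a toy HMAC-SHA256 keystream with encrypt-then-MAC so the script runs on the standard library alone; a real device would use a proper AEAD such as AES-GCM, and key distribution is out of scope. The EtherType 0x88B5 (IEEE local experimental) and IP protocol 99 (IANA "any private encryption scheme") are this example's own choices.

```python
"""What a passive sniffer sees: IP-layer tunnel versus layer-2 payload encryption.

Added example for the thread, not code from the list or from TUND.  All
addresses, ports and the key are constructed; the cipher is a toy
HMAC-SHA256 keystream with encrypt-then-MAC (stdlib only), not something
to deploy.  A real device would use an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ENC = 0x88B5      # IEEE 802 local-experimental EtherType, picked here for encrypted frames
IPPROTO_PRIVATE_ENC = 99    # IANA "any private encryption scheme", used for the tunnel's outer header
NONCE_LEN, TAG_LEN = 12, 16


def _subkeys(key):
    """Derive separate encryption and MAC keys from one shared secret."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter) blocks."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, nonce, aad, plaintext):
    """Encrypt-then-MAC.  Returns nonce || ciphertext || tag; aad is authenticated only."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, aad, blob):
    """Check the tag before decrypting; any tampering with nonce, aad or ciphertext raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / TCP frame with constructed fields (checksums zero)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack(">H", ETHERTYPE_IPV4) + ip + tcp


def sniff(frame):
    """Everything a keyless sniffer can read from one frame."""
    seen = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack(">H", frame[12:14])[0]}
    if seen["ethertype"] == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        seen["src_ip"] = ".".join(str(b) for b in ip[12:16])
        seen["dst_ip"] = ".".join(str(b) for b in ip[16:20])
        seen["proto"] = ip[9]
        if ip[9] == 6:                               # TCP: ports sit right after the IP header
            seen["sport"], seen["dport"] = struct.unpack(">HH", ip[ihl:ihl + 4])
    return seen


def ip_tunnel(key, frame, outer_src, outer_dst):
    """tun(4)/divert(4)-style tunnel: inner IP packet encrypted, outer IP header readable."""
    blob = seal(key, os.urandom(NONCE_LEN), b"", frame[14:])
    outer = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(blob), 0, 0x4000, 64,
                        IPPROTO_PRIVATE_ENC, 0, outer_src, outer_dst)
    return frame[:14] + outer + blob


def l2_encrypt(key, frame):
    """Encrypt everything after the two MACs, original EtherType included, binding the
    ciphertext to those MACs as associated data so they cannot be swapped in transit."""
    macs = frame[:12]
    return macs + struct.pack(">H", ETHERTYPE_ENC) + seal(key, os.urandom(NONCE_LEN), macs, frame[12:])


def l2_decrypt(key, frame):
    """Receiving side of l2_encrypt."""
    if struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_ENC:
        raise ValueError("not an encrypted frame")
    macs = frame[:12]
    return macs + unseal(key, macs, frame[14:])


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed shared key
    frame = build_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                        bytes([10, 1, 2, 3]), bytes([10, 1, 2, 4]), 40000, 22, b"hello")
    print("clear   :", sniff(frame))
    print("tunnel  :", sniff(ip_tunnel(key, frame, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))))
    print("layer 2 :", sniff(l2_encrypt(key, frame)))
```

Run it and the three dictionaries show the point: the clear frame exposes 10.1.2.3 -> 10.1.2.4 port 22, the tunnel still exposes 192.0.2.1 -> 192.0.2.2 (the endpoints, which is exactly the "from where and to whom" leak the original poster objects to), and the layer-2 encrypted frame yields only two MACs and an EtherType. Hiding the MACs as well would require an addressing scheme the Ethernet switch itself does not understand, which is why the poster accepts them as the residual leak.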