Date: Tue, 07 Sep 1999 01:33:37 -0700
From: dmp@aracnet.com
To: Christian Kuhtz <ck@adsu.bellsouth.com>
Cc: "Bryan Smith (Administrator)" <bryan@valiant.cis.hcc.cc.il.us>, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <37D4CDE1.8FF6DA73@aracnet.com>
References: <37D496A5.A0576E0F@aracnet.com> <Pine.LNX.4.10.9909062350020.10516-100000@valiant.cis.hcc.cc.il.us> <19990907010827.A124@ns1.adsu.bellsouth.com>
Christian Kuhtz wrote:
>
> Err, there are some things that don't run easily over SSH.
>
> You could approach this at least four ways (that I can think of):
>
> a) write a device driver layer which inserts link layer encryption and
>    crypto management functions. - you'd need to do this with each box
>    and device driver you want to be able to communicate with each
>    other -- very cumbersome, IMHO, and a bad idea unless you got a
>    damn good reason to do so.
>
> b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
>    with in my professional life. Lots and lots of interop issues.
>
> c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
>    high, but the rest is pretty straightforward and IMHO more clean
>    than IPv4 IPSec, particularly IPSec host-mode.
>
> d) use SSL style application layer encryption. -- by far the most
>    portable implementation.

All of these are software-based security measures. In other words, they
aren't very good.

> It'd help if you could describe a little more of what exactly you're trying
> to do..

What it comes down to is a hardware-based means of encrypting Ethernet
traffic in a way that allows only the MAC address to be seen. I won't go
into much detail about the network in question. I will say that an
unencrypted MAC address is required, and that only the source and
destination computers need know the unencrypted contents of layers 3 and
higher.

> Ask yourself who you mistrust and who you trust in your application. That's
> usually the best way to approach encryption, unless you are a marketing
> moron^H^H^H^H^Hgenius.

I mistrust everyone in general. I grant trust to those I must deal with,
in order to deal with them. When I'm not dealing with someone, I do not
trust them.
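The requirement stated in the reply above (only the MAC addresses visible on the wire, everything from the EtherType up readable only by the two endpoints) is essentially what option (a) in the quoted list would have to implement. The following Go program is an added example written for this page, not code from either participant, FreeBSD, or any driver; it shows what such a frame format has to contain to be sound: the 12-byte MAC header left in the clear for switching but authenticated, the EtherType and payload under an AEAD, and a sequence number for nonces and replay rejection. The frame layout, the constant names, the shared static key and the demo frame are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical protected-frame layout (not 802.1AE, just the same idea):
//   dst MAC (6) | src MAC (6) | seq (8) | AES-GCM(EtherType + payload) | tag (16)
// The MAC header stays in the clear so switches can forward the frame, but it
// is bound into the GCM tag as associated data, so rewriting it in transit
// fails authentication. The EtherType is inside the ciphertext, so an observer
// cannot even tell IP from ARP.
const (
	macHdrLen = 12
	seqLen    = 8
)

// Link holds one direction's state. A shared static key is assumed here for
// illustration; a real deployment needs key management and one key (or at
// least one sequence space) per direction.
type Link struct {
	aead    cipher.AEAD
	sendSeq uint64
	recvSeq uint64 // highest sequence number accepted so far
	gotAny  bool
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// nonceFor derives the 12-byte GCM nonce from the sequence number. Nonce reuse
// under one key breaks GCM, so the counter must never wrap or reset without rekeying.
func nonceFor(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Protect turns a plaintext Ethernet frame into a protected frame.
func (l *Link) Protect(frame []byte) ([]byte, error) {
	if len(frame) < macHdrLen+2 {
		return nil, errors.New("frame too short for a MAC header and EtherType")
	}
	l.sendSeq++
	hdr := make([]byte, macHdrLen+seqLen)
	copy(hdr, frame[:macHdrLen])
	binary.BigEndian.PutUint64(hdr[macHdrLen:], l.sendSeq)
	// Seal appends ciphertext+tag after hdr; hdr itself is the associated data.
	return l.aead.Seal(hdr, nonceFor(l.sendSeq), frame[macHdrLen:], hdr), nil
}

// Unprotect verifies and decrypts a protected frame and rejects replays.
func (l *Link) Unprotect(wire []byte) ([]byte, error) {
	if len(wire) < macHdrLen+seqLen+l.aead.Overhead() {
		return nil, errors.New("protected frame too short")
	}
	hdr := wire[:macHdrLen+seqLen]
	seq := binary.BigEndian.Uint64(hdr[macHdrLen:])
	// Strictly increasing, no reorder window: acceptable on one Ethernet segment.
	if l.gotAny && seq <= l.recvSeq {
		return nil, errors.New("replayed or out-of-order frame rejected")
	}
	body, err := l.aead.Open(nil, nonceFor(seq), wire[macHdrLen+seqLen:], hdr)
	if err != nil {
		// Wrong key, tampered MAC header or tampered payload all look the same.
		return nil, errors.New("frame failed authentication")
	}
	// Advance replay state only after authentication, or a forger could push
	// the counter forward and deny service to the real sender.
	l.recvSeq, l.gotAny = seq, true
	out := make([]byte, 0, macHdrLen+len(body))
	out = append(out, wire[:macHdrLen]...)
	return append(out, body...), nil
}

// DemoFrame is a constructed plaintext frame: dst, src, EtherType 0x0800, payload.
func DemoFrame() []byte {
	f := []byte{
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, // dst MAC
		0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, // src MAC
		0x08, 0x00, // EtherType IPv4
	}
	return append(f, []byte("hello over the wire")...)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 demo key
	tx, _ := NewLink(key)
	rx, _ := NewLink(key)
	frame := DemoFrame()
	wire, err := tx.Protect(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %x\n", wire)
	fmt.Println("MAC header unchanged:", bytes.Equal(wire[:macHdrLen], frame[:macHdrLen]))
	fmt.Println("payload visible:", bytes.Contains(wire, []byte("hello")))
	got, err := rx.Unprotect(wire)
	fmt.Println("decrypted matches:", err == nil && bytes.Equal(got, frame))
	_, err = rx.Unprotect(wire)
	fmt.Println("replay rejected:", err != nil)
}
```

Whether this runs in a driver, in a NIC, or in a dedicated box between the host and the switch does not change the frame format; it changes where the key lives and who can read it, which is the actual difference between the software and hardware positions in the thread.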
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37D4CDE1.8FF6DA73>