From owner-freebsd-security Tue Sep 7 3:38:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2]) by hub.freebsd.org (Postfix) with ESMTP id A122214E48 for ; Tue, 7 Sep 1999 03:38:21 -0700 (PDT) (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89]) by guppy.pond.net (8.9.3/8.9.3) with ESMTP id DAA10341; Tue, 7 Sep 1999 03:34:55 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D4EADE.6F1506F4@aracnet.com>
Date: Tue, 07 Sep 1999 03:37:18 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Rodney W. Grimes"
Cc: ck@adsu.bellsouth.com, bryan@valiant.cis.hcc.cc.il.us, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
References: <199909070904.CAA05294@gndrsh.dnsmgr.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Rodney W. Grimes" wrote:

> > What it comes down to is a hardware-based means of encrypting
> > ethernet traffic in a way that allows only the MAC address to be
> > seen. I won't go into much detail about the network in question.
> > I will say that an unencrypted MAC address is required, and that only
> > the source and destination computers need know the unencrypted
> > contents of layers 3 and higher.
>
> This can be done, even in software, though it is not going to be either
> fast due to DES or any other cryptograph overhead or easy to do with
> any off the shelf software due to mods required.

Getting software that could do the work isn't a problem. Running that
software on computers that don't have good FP performance is.

> It might be easier to do this in hardware, just like was done on the
> Wavelan stuff, only modify the crypt/decrypt engine so that it skips
> the MAC address bytes. You could even glue this into a modified NIC
> card between the NIC chip and the MII with a custom ASIC. You'd need
> a way to program the keys, and a few other details, but not that hard
> to do.

This was pretty much the idea I had come up with. I had my eye on a cypher
chip and a socketed ROM that would let you change the keys for the NIC just
by swapping ROMs. Chassis intrusion is a small risk in this case.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
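The frame layout the thread describes (both MAC addresses left in the clear, everything from the EtherType onward encrypted by a "crypt/decrypt engine that skips the MAC address bytes") can be modelled in software to see what a passive observer is left with. The following is an added example written for this page; it is not code from the thread's participants or from any NIC or Wavelan product. It stands in for the DES hardware with a counter-mode keystream built from HMAC-SHA256 (stdlib only), adds a per-frame nonce because a fixed key in a socketed ROM would otherwise emit identical ciphertext for identical frames, and appends an authentication tag so a modified frame is rejected rather than decrypted. The 12-byte clear header, the 8-byte nonce, the 16-byte tag, the sample MACs, the stub IPv4 bytes and the demo key are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

MAC_HDR_LEN = 12   # destination MAC (6) + source MAC (6): the only bytes left in the clear
NONCE_LEN = 8      # per-frame nonce so a fixed ROM key never reuses keystream (assumption)
TAG_LEN = 16       # truncated HMAC-SHA256 over header, nonce and ciphertext (assumption)


def _subkeys(master_key: bytes):
    """Derive independent encryption and authentication keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for the thread's DES engine."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = nonce + struct.pack(">I", counter)
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_frame(master_key: bytes, frame: bytes, nonce=None) -> bytes:
    """Leave dst/src MAC in the clear; encrypt and authenticate EtherType and everything after."""
    if len(frame) < MAC_HDR_LEN + 2:
        raise ValueError("frame too short to carry two MACs and an EtherType")
    enc_key, mac_key = _subkeys(master_key)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    macs, rest = frame[:MAC_HDR_LEN], frame[MAC_HDR_LEN:]
    keystream = _keystream(enc_key, nonce, len(rest))
    ciphertext = bytes(p ^ k for p, k in zip(rest, keystream))
    tag = hmac.new(mac_key, macs + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return macs + nonce + ciphertext + tag


def decrypt_frame(master_key: bytes, wire: bytes):
    """Return the original frame, or None if it was modified or encrypted under another key."""
    if len(wire) < MAC_HDR_LEN + NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(master_key)
    macs = wire[:MAC_HDR_LEN]
    nonce = wire[MAC_HDR_LEN:MAC_HDR_LEN + NONCE_LEN]
    ciphertext = wire[MAC_HDR_LEN + NONCE_LEN:-TAG_LEN]
    tag = wire[-TAG_LEN:]
    expected = hmac.new(mac_key, macs + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered, truncated, or wrong key: drop the frame
    keystream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    return macs + plaintext


# Constructed sample frame: two made-up locally administered MACs, EtherType 0x0800,
# a stub IPv4 header and a short payload. Nothing here comes from a real capture.
SAMPLE_FRAME = (
    bytes.fromhex("02000000000a")            # dst MAC (constructed)
    + bytes.fromhex("02000000000b")          # src MAC (constructed)
    + bytes.fromhex("0800")                  # EtherType: IPv4
    + bytes.fromhex("45000028000040004006")  # start of a stub IPv4 header
    + bytes.fromhex("0000c0a80101c0a80102")  # checksum placeholder + src/dst IPv4 addresses
    + b"layer 3 and above stays private"
)
SAMPLE_KEY = b"\x11" * 16  # constructed demo key; the thread's design keeps this in a key ROM


def visible_on_the_wire(wire: bytes):
    """What a passive observer learns from one encrypted frame: the two MACs and the length."""
    return wire[:6].hex(":"), wire[6:12].hex(":"), len(wire)


if __name__ == "__main__":
    wire = encrypt_frame(SAMPLE_KEY, SAMPLE_FRAME)
    print("observer sees:", visible_on_the_wire(wire))
    print("round trip ok:", decrypt_frame(SAMPLE_KEY, wire) == SAMPLE_FRAME)
```

Two things the model makes visible that the thread only touches on: hiding the EtherType means every switch or bridge on the path sees an opaque payload and can no longer classify the traffic, and the nonce plus tag add 24 bytes per frame, so a maximum-size frame no longer fits the Ethernet MTU; an in-line NIC design would have to budget for that.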