From owner-freebsd-security Tue Sep 7 23:47:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from netserv1.chg.ru (netserv1.chg.ru [193.233.46.3]) by hub.freebsd.org (Postfix) with ESMTP id A085914FF9 for ; Tue, 7 Sep 1999 23:47:02 -0700 (PDT) (envelope-from ks@chg.ru)
Received: from speecart.chg.ru (speecart.chg.ru [193.233.46.2]) by netserv1.chg.ru (8.9.3/8.9.1) with ESMTP id KAA45640; Wed, 8 Sep 1999 10:44:19 +0400 (MSD)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <37D60350.6E85A7A1@aracnet.com>
Date: Wed, 08 Sep 1999 10:41:47 +0400 (MSD)
Organization: Landau Institute for Theoretical Physics
From: "Sergey S. Kosyakov"
To: dmp@aracnet.com
Subject: Re: Layer 2 ethernet encryption?
Cc: freebsd-security@FreeBSD.ORG, Garrett Wollman
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 08-Sep-99 dmp@aracnet.com wrote:
> Garrett Wollman wrote:
>>> I have two problems. The first is that EM emissions on UTP allow
>>> one to monitor all traffic on that cable.
>>
>> Use fiber NICs.
>
> Short of winning a significant lottery, it would be economically
> impossible to move the network to fibre; there are too many nodes to
> upgrade.

Security was always expensive :-) More security, more expenses.

>>> The second is that a
>>> sniffer run on an authorized machine will be able to see the source
>>> and destination IP and port of all IP traffic on its segment.
>>
>> Use a good switch and hard-wire the bridge table.
>
> The network currently can't be segmented any more than it is without
> breaking its applications.

1. I don't understand. What do you mean by "breaking its applications"?

2. Did you think about the huge CPU load on each host in the case of "too many nodes"?
In the case of layer 2 encryption each host must decrypt each packet in the segment, or at least each packet header.

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99
Time: 10:36:35
----------------------------------
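The CPU-load point Sergey raises in his second question, as an added simulation that is not part of the thread and not code from any of the participants. It models a shared-medium segment (every host sees every frame) under three designs: frames in the clear, a layer 2 scheme that encrypts only what follows the 14-byte Ethernet header, and a scheme that encrypts the whole frame including the destination MAC. It counts how many times each host has to run the cipher and checks whether a passive host can still read the IP addresses and ports that dmp wanted to hide. Assumptions: one shared segment key, a toy HMAC-SHA256 keystream standing in for a real cipher, constructed MAC addresses, and a constructed workload of 20 hosts and 200 frames with a 4-byte frame counter as the nonce.

```python
"""Per-host decryption cost on a shared Ethernet segment under three L2 designs.

Constructed example; the key, MACs and traffic are made up, and the
HMAC-based keystream is a stand-in for a real cipher, not something to deploy.
"""
import hashlib
import hmac
import struct

SEGMENT_KEY = b"constructed-shared-segment-key"   # assumption: one key per segment
HDR_LEN = 14                                      # dst MAC (6) + src MAC (6) + EtherType (2)
NONCE_LEN = 4                                     # frame counter carried in the clear
BROADCAST = b"\xff" * 6


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || block)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac(n: int) -> bytes:
    """Constructed locally-administered MAC address for host n."""
    return b"\x02\x00\x00\x00" + struct.pack(">H", n)


def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    return dst + src + struct.pack(">H", ethertype) + payload


def encrypt(frame: bytes, nonce: bytes, mode: str) -> bytes:
    """What goes on the wire for each design."""
    if mode == "cleartext":
        return frame
    if mode == "payload_only":   # Ethernet header stays readable, rest is encrypted
        body = frame[HDR_LEN:]
        return frame[:HDR_LEN] + nonce + xor_bytes(body, keystream(SEGMENT_KEY, nonce, len(body)))
    if mode == "full_frame":     # only the nonce is readable; dst MAC is inside the ciphertext
        return nonce + xor_bytes(frame, keystream(SEGMENT_KEY, nonce, len(frame)))
    raise ValueError(mode)


class Host:
    def __init__(self, n: int):
        self.mac = mac(n)
        self.decrypt_ops = 0     # number of times this host had to run the cipher
        self.received = []       # payloads accepted as addressed to this host

    def receive(self, wire: bytes, mode: str) -> None:
        if mode in ("cleartext", "payload_only"):
            # Destination is in the clear: a cheap MAC compare (normally done by
            # the NIC) drops frames for other hosts before any crypto runs.
            if wire[:6] not in (self.mac, BROADCAST):
                return
            if mode == "cleartext":
                self.received.append(wire[HDR_LEN:])
            else:
                nonce = wire[HDR_LEN:HDR_LEN + NONCE_LEN]
                ct = wire[HDR_LEN + NONCE_LEN:]
                self.decrypt_ops += 1
                self.received.append(xor_bytes(ct, keystream(SEGMENT_KEY, nonce, len(ct))))
        elif mode == "full_frame":
            # Destination is encrypted: every host on the segment must decrypt
            # at least the header of every frame just to decide whether to drop it.
            nonce, ct = wire[:NONCE_LEN], wire[NONCE_LEN:]
            self.decrypt_ops += 1
            frame = xor_bytes(ct, keystream(SEGMENT_KEY, nonce, len(ct)))
            if frame[:6] in (self.mac, BROADCAST):
                self.received.append(frame[HDR_LEN:])


def example_wire(mode: str, i: int = 3) -> bytes:
    """One constructed unicast frame carrying an IP-like payload, as seen on the wire."""
    payload = b"IPv4 10.0.0.%d -> 10.0.0.%d tcp/22 segment#%d" % (i, i + 1, i)
    return encrypt(build_frame(mac(i + 1), mac(i), payload), struct.pack(">I", i), mode)


def sniffer_sees_ip(wire: bytes) -> bool:
    """Can a passive (but authorized) host read the IP addresses from this frame?"""
    return b"10.0.0." in wire


def simulate(mode: str, n_hosts: int = 20, n_frames: int = 200) -> dict:
    hosts = [Host(i) for i in range(n_hosts)]
    for i in range(n_frames):
        src, dst = hosts[i % n_hosts], hosts[(i * 7 + 1) % n_hosts]   # 7 coprime to 20: even spread
        payload = b"IPv4 10.0.0.%d -> 10.0.0.%d tcp/22 segment#%d" % (i % n_hosts, (i * 7 + 1) % n_hosts, i)
        wire = encrypt(build_frame(dst.mac, src.mac, payload), struct.pack(">I", i), mode)
        for h in hosts:          # shared medium: every host receives every frame
            h.receive(wire, mode)
    return {
        "mode": mode,
        "frames": n_frames,
        "delivered": sum(len(h.received) for h in hosts),
        "total_decrypts": sum(h.decrypt_ops for h in hosts),
        "max_decrypts_per_host": max(h.decrypt_ops for h in hosts),
    }


if __name__ == "__main__":
    for m in ("cleartext", "payload_only", "full_frame"):
        print(simulate(m), "sniffer sees IP header:", sniffer_sees_ip(example_wire(m)))
```

With the constructed workload, encrypting only what follows the Ethernet header costs each host exactly as many decryptions as frames addressed to it (10 here), while encrypting the whole frame makes every host decrypt all 200 frames, which is the "each host must decrypt each packet in the segment" case. Both encrypted designs hide the IP header from a passive host, so the header-in-clear design addresses the sniffer problem at the lower cost; the caveats are that MAC addresses and traffic volume remain visible, and that with a single shared segment key any authorized host holds the key and can decrypt everything anyway, which is precisely the "sniffer on an authorized machine" threat the thread started from.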