From owner-freebsd-security Wed Sep 8 1:48:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guppy.pond.net (guppy.pond.net [205.240.25.2])
    by hub.freebsd.org (Postfix) with ESMTP id 78E6F14EF3
    for ; Wed, 8 Sep 1999 01:48:45 -0700 (PDT)
    (envelope-from dmp@aracnet.com)
Received: from aracnet.com (snapuser2-89.pacificcrest.net [216.36.34.89])
    by guppy.pond.net (8.9.3/8.9.3) with ESMTP id BAA14282;
    Wed, 8 Sep 1999 01:42:41 -0700 (PDT)
From: dmp@aracnet.com
Message-ID: <37D6221D.82C57D6B@aracnet.com>
Date: Wed, 08 Sep 1999 01:45:17 -0700
X-Mailer: Mozilla 4.6 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Sergey S. Kosyakov"
Cc: freebsd-security@FreeBSD.ORG, Garrett Wollman
Subject: Re: Layer 2 ethernet encryption?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Sergey S. Kosyakov" wrote:

>> Short of winning a significant lottery, it would be economically
>> impossible to move the network to fibre, there's too many nodes to
>> upgrade.
>
> Security was always expensive :-) More security, more expenses.

True, but the resources needed for the upgrade are well beyond our means.

>> The network currently can't be segmented any more than it is without
>> breaking its applications.
>
> 1. I don't understand. What do you mean "breaking its applications".

The applications we run would cease to work properly if the network was
segmented any more than it already is.

> 2. Do you think about huge CPU load on each host in the case of "too many
> nodes"? In the case of layer2 encryption each host must decrypt each packet in
> the segment, or at least each packet header.

CPU power isn't a concern. Encryption would be handled by the cypher chip,
not the CPU, and the MAC address wouldn't be encrypted. The cypher encrypts
layers 3 and up.