Date: Wed, 08 Sep 1999 12:52:17 +0400 (MSD)
From: "Sergey S. Kosyakov" <ks@Chg.RU>
To: dmp@aracnet.com
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <XFMail.990908125217.ks@chg.ru>
In-Reply-To: <37D6221D.82C57D6B@aracnet.com>

On 08-Sep-99 dmp@aracnet.com wrote:
>>> The network currently can't be segmented any more than it is without
>>> breaking its applications.
>>
>> 1. I don't understand. What do you mean "breaking its applications".
>
> The applications we run would cease to work properly if the network
> was segmented any more than it already is.

Ok, maybe we have a different understanding of the words "network segment". Who knows a network application which cannot run on an Ethernet network connected to a switch (except sniffers, of course :-))? It is almost right that a switch simply suppresses unneeded Ethernet packets, and therefore makes the network more secure.

>
>> 2. Do you think about huge CPU load on each host in the case of "too many
>> nodes"? In the case of layer2 encryption each host must decrypt each packet
>> in the segment, or at least each packet header.
>
> CPU power isn't a concern. Encryption would be handled by the cypher
> chip, not the CPU, and the MAC address wouldn't be encrypted. The
> cypher encrypts layers 3 and up.

If MAC addresses wouldn't be encrypted, why not use well-known encryption software, e.g. SSH or TUND or IPSec?

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99
Time: 12:45:52
----------------------------------
---

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message