Date: Wed, 08 Sep 1999 12:52:17 +0400 (MSD)
From: "Sergey S. Kosyakov"
Organization: Landau Institute for Theoretical Physics
To: dmp@aracnet.com
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <37D6221D.82C57D6B@aracnet.com>

On 08-Sep-99 dmp@aracnet.com wrote:
>>> The network currently can't be segmented any more than it is without
>>> breaking its applications.
>>
>> 1. I don't understand. What do you mean "breaking its applications".
>
> The applications we run would cease to work properly if the network
> was segmented any more than it already is.

Ok, maybe we have a different understanding of the words "network segment". Who knows of a network application which cannot run on an ethernet network connected to a switch (except sniffers, of course :-))? It is almost right that a switch simply suppresses unneeded ethernet packets, and therefore makes the network more secure.

>
>> 2. Do you think about the huge CPU load on each host in the case of "too many
>> nodes"? In the case of layer2 encryption each host must decrypt each packet
>> in the segment, or at least each packet header.
>
> CPU power isn't a concern. Encryption would be handled by the cypher
> chip, not the CPU, and the MAC address wouldn't be encrypted. The
> cypher encrypts layers 3 and up.

If MAC addresses wouldn't be encrypted, why not use well-known encryption software, e.g. SSH or TUND or IPSec?

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 08-Sep-99
Time: 12:45:52
----------------------------------
---