From owner-freebsd-security Mon Sep 6 22:11:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.adsu.bellsouth.com (ns1.adsu.bellsouth.com [205.152.173.2]) by hub.freebsd.org (Postfix) with ESMTP id 436E014CF7 for ; Mon, 6 Sep 1999 22:11:19 -0700 (PDT) (envelope-from ck@ns1.adsu.bellsouth.com)
Received: (from ck@localhost) by ns1.adsu.bellsouth.com (8.9.1a/8.9.1) id BAA12550; Tue, 7 Sep 1999 01:08:28 -0400 (EDT)
Date: Tue, 7 Sep 1999 01:08:27 -0400
From: Christian Kuhtz
To: "Bryan Smith (Administrator)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <19990907010827.A124@ns1.adsu.bellsouth.com>
References: <37D496A5.A0576E0F@aracnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: ; from Bryan Smith (Administrator) on Mon, Sep 06, 1999 at 11:51:10PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Err, there are some things that don't run easily over SSH.

You could approach this at least four ways (that I can think of):

a) write a device driver layer which inserts link layer encryption and
   crypto management functions.
   - you'd need to do this with each box and device driver you want to be
     able to communicate with each other -- very cumbersome, IMHO, and a
     bad idea unless you've got a damn good reason to do so.

b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
   with in my professional life. Lots and lots of interop issues.

c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
   high, but the rest is pretty straightforward and IMHO more clean than
   IPv4 IPSec, particularly IPSec host-mode.

d) use SSL style application layer encryption -- by far the most portable
   implementation.

It'd help if you could describe a little more of what exactly you're
trying to do. Ask yourself who you mistrust and who you trust in your
application. That's usually the best way to approach encryption, unless
you are a marketing moron^H^H^H^H^Hgenius.

Cheers,
Chris

On Mon, Sep 06, 1999 at 11:51:10PM -0500, Bryan Smith (Administrator) wrote:
> where would you implement this on the system?
>
> I just use SSH.
>
> Bryan Smith
[.. huge sig clipped ..]

-- 
Christian Kuhtz, Sr. Network Architect          BellSouth Corporation
-wk, -hm                                        Advanced Data Services
"Affiliation given for identification, not representation."
Atlanta, GA, U.S.
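A concrete instance of option (b)/(c) as it would look on FreeBSD with the KAME IPsec stack: host-to-host ("host-mode") ESP in transport mode, configured by hand with setkey(8). This is an added example, not code from the message or the thread. The addresses 192.0.2.1 (this host) and 192.0.2.2 (the peer), the SPIs and the keys are constructed placeholders; the file path and the 3des-cbc/hmac-sha1 algorithm choice are assumptions, chosen because both are in the standard setkey algorithm set.

```conf
# /etc/ipsec.conf  --  load with:  setkey -f /etc/ipsec.conf
# Example only, not from the original message. 192.0.2.1 is "this host",
# 192.0.2.2 the peer; SPIs and keys are constructed placeholders.
flush;
spdflush;

# One ESP SA per direction. SPIs and keys must match on the peer, with the
# roles swapped. 3des-cbc takes a 192-bit key, hmac-sha1 a 160-bit key.
# Make real keys with e.g.:  dd if=/dev/urandom bs=24 count=1 | hexdump
add 192.0.2.1 192.0.2.2 esp 0x1001
    -E 3des-cbc  0x0102030405060708090a0b0c0d0e0f101112131415161718
    -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
add 192.0.2.2 192.0.2.1 esp 0x1002
    -E 3des-cbc  0x2122232425262728292a2b2c2d2e2f303132333435363738
    -A hmac-sha1 0x2122232425262728292a2b2c2d2e2f3031323334;

# Policy: all traffic between the two hosts must be ESP, transport mode.
# "require" means a packet matching the selector that is not protected
# by a matching SA is dropped rather than sent or accepted in the clear.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Load the mirror-image file on the peer, then check with `setkey -D` (SAs) and `setkey -DP` (policies), and confirm with tcpdump on the wire that only ESP is visible between the two addresses. The caveat a practitioner would want: manually keyed SAs like these never rotate and have to be distributed out of band, so past a lab test the `add` lines should come from a key-management daemon (racoon in the FreeBSD ports at the time) rather than a static file, and transport mode protects only the IP payload, not the Ethernet or IP headers, which is the difference between this and the link-layer option (a) the message describes.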