From owner-freebsd-security Mon Sep 6 22:44:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8773115008; Mon, 6 Sep 1999 22:44:52 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id WAA04637; Mon, 6 Sep 1999 22:42:32 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909070542.WAA04637@gndrsh.dnsmgr.net>
Subject: Re: Layer 2 ethernet encryption?
In-Reply-To: <39480.936682378@noop.colo.erols.net> from Gary Palmer at "Sep 7, 1999 01:32:58 am"
To: gpalmer@FreeBSD.ORG (Gary Palmer)
Date: Mon, 6 Sep 1999 22:42:32 -0700 (PDT)
Cc: dmp@aracnet.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> dmp@aracnet.com wrote in message ID
> <37D496A5.A0576E0F@aracnet.com>:
> > Is it possible to encrypt ethernet packets so that all layers above
> > layer 2 would be encrypted? The idea I had was to make a device that
> > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > doable? Viable? A reinvention of the wheel?
>
> How would you route the traffic? No routers would be able to pass the
> traffic.

No, only routers knowing the key would be able to route traffic.

> If you are doing this for a local LAN, I suggest you have bigger
> problems :)

Maybe the LAN is ``wireless'' :-). But more seriously, the Wavelan and several other wireless cards do DES encryption at layer 1... so it _can_ be done. And more importantly, it is being done (first-hand knowledge on that one).

See one ``bigger problem''? Without DES on our wireless network any old joe with a Wavelan card could come along, sniff for a while, find an open IP and jump right on into our network. Though many other safeguards would make his life a fair bit harder than this, until we implemented DES at layer 1 we had a problem.... I could care less about them being able to see the data, but being able to join the network was the real problem.

We are facing a similar engineering/security problem on another project that involves wired networks, but I can't get into that one.

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
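The frame layout the thread is arguing about, as an added example that is not part of the original post and not Wavelan or FreeBSD code: the two MAC addresses stay in the clear so the frame can still be switched, while the EtherType and everything above it (IP header included) are encrypted and authenticated under a pre-shared key. A sniffer without the key learns only MAC addresses; a station or router holding the key recovers the original frame; a frame built without the key fails the tag check and is dropped, which is the "can't join the network" property Rod describes. Assumptions in the code: the IEEE local-experimental EtherType 0x88B5 marks encrypted frames, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the DES the thread mentions (chosen so the example runs with the Python standard library only), the key `b"shared-lan-key-demo"` is a demo value, and the sample Ethernet/IPv4/TCP frame is constructed inline.

```python
"""Layer-2 frame encryption demo (example code for this page, not project code).
Everything above the 14-byte Ethernet header is encrypted; MACs stay visible."""
import hashlib
import hmac
import os
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_LOCAL_EXP = 0x88B5   # IEEE 802 local-experimental EtherType (assumed for the demo)
NONCE_LEN = 8
TAG_LEN = 16


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"l2-enc", hashlib.sha256).digest(),
            hmac.new(key, b"l2-mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks (stand-in for DES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(frame: bytes, key: bytes, nonce: bytes = None) -> bytes:
    """Keep dst/src MAC in the clear; encrypt EtherType + payload, then tag the result."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("short frame")
    macs, rest = frame[:12], frame[12:]          # rest = original EtherType + payload
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    ct = _xor(rest, _keystream(enc_key, nonce, len(rest)))
    header = macs + struct.pack(">H", ETHERTYPE_LOCAL_EXP)
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + ct + tag


def decrypt_frame(frame: bytes, key: bytes) -> bytes:
    """Verify the tag first (rejects unkeyed or tampered frames), then decrypt."""
    if len(frame) < ETH_HDR_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("short frame")
    header = frame[:ETH_HDR_LEN]
    if struct.unpack(">H", header[12:14])[0] != ETHERTYPE_LOCAL_EXP:
        raise ValueError("not an encrypted frame")
    nonce = frame[ETH_HDR_LEN:ETH_HDR_LEN + NONCE_LEN]
    ct, tag = frame[ETH_HDR_LEN + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered frame")
    return header[:12] + _xor(ct, _keystream(enc_key, nonce, len(ct)))


def parse_ipv4(frame: bytes):
    """What a passive sniffer learns: (src, dst, proto) if IPv4 is visible, else None."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + 20]
    if ip[0] >> 4 != 4:
        return None
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9])


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet + IPv4 + TCP SYN, 10.0.0.5:40000 -> 10.0.0.1:22."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack(">H", ETHERTYPE_IPV4)
    tcp = struct.pack(">HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.1"))
    return eth + ip + tcp


def demo():
    """Returns (sniffer view, keyed router view, fate of a frame checked with the wrong key)."""
    key = b"shared-lan-key-demo"                  # assumption: pre-shared key on every station/router
    wire = encrypt_frame(build_sample_frame(), key)
    sniffer_view = parse_ipv4(wire)               # None: the IP header is not on the wire in the clear
    router_view = parse_ipv4(decrypt_frame(wire, key))
    try:
        decrypt_frame(wire, b"wrong-key")
        intruder = "accepted"
    except ValueError:
        intruder = "rejected"
    return sniffer_view, router_view, intruder


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Encrypting the EtherType along with the payload means a sniffer cannot even tell which frames carry IP, which is why the hop-by-hop argument in the thread holds: a switch forwards on MAC alone, and only a router that can strip the encryption sees an IP header to route on. And because the receiver checks the tag before looking at anything else, a station without the key cannot inject a frame that the LAN will process, which addresses the "find an open IP and jump on" problem independently of whether the data itself is secret.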