Date:      Tue, 07 Sep 1999 00:20:34 -0700
From:      dmp@aracnet.com
To:        ks@itp.ac.ru
Cc:        freebsd-security@freebsd.org
Subject:   Re: Layer 2 ethernet encryption?
Message-ID:  <37D4BCC2.34AFAE9D@aracnet.com>
References:  <XFMail.990907105629.ks@osi.ru>

"Sergey S. Kosyakov" wrote:
> On 07-Sep-99 dmp@aracnet.com wrote:
>> "Sergey S. Kosyakov" wrote:
>>> On 07-Sep-99 dmp@aracnet.com wrote:
>>> > Is it possible to encrypt ethernet packets so that all layers above
>>> > layer 2 would be encrypted?  The idea I had was to make a device that
>>> > could defeat a TCP sniffer by encrypting the IP headers.  Is this
>>> > doable?  Viable?  A reinvention of the wheel?
>>> >
>>>
>>> You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if
>>> you use routing, or over divert(4) sockets with ipfw(8) rules for LAN.
>>
>> Both of which require that unencrypted IP headers be used.  This
>> allows the use of a TCP sniffer to monitor from where and to whom
>> traffic is going.  By the standards of my group, that's a security
>> problem.
> 
> Could you please describe your problem in more detail - I mean, what do you want
> to do? You want to hide from where and to whom traffic is going on an Ethernet LAN,
> isn't it? Then use an ethernet switching hub.

I have two problems.  The first is that EM emissions on UTP allow
one to monitor all traffic on that cable.  The second is that a
sniffer run on an authorized machine will be able to see the source
and destination IP and port of all IP traffic on its segment.

I want to fix both problems.  Encrypting everything above layer 2
does this.  The only determinable aspects of the packets would be
the source and destination MAC addresses, relatively sufficient
security given the security policy and topology of the network in
question.





