Date: Tue, 7 Sep 1999 02:26:51 -0400 (EDT)
From: Mike Nowlin <mike@argos.org>
To: dmp@aracnet.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Layer 2 ethernet encryption?
Message-ID: <Pine.LNX.4.05.9909070210440.3318-100000@jason.argos.org>
In-Reply-To: <37D4AB40.AEE4C2EA@aracnet.com>
> The network in question doesn't use IP-based routing.
>
> > If you are doing this for a local LAN, I suggest you have bigger
> > problems :)
>
> You're right, I do have bigger problems. Like deep paranoia among
> the users of the LAN.

I'm having trouble grasping the idea behind this... Generally speaking, even if you couldn't see the IP src and dst addrs for a packet (as if they were encrypted), you could still see the ethernet addresses, and those are almost as good when it comes to local networks. Anybody with half a clue could figure out which ethernet addresses match up to which machines and their uses.

As far as the paranoia, it sounds like your users know enough to be dangerous, but don't really understand the problem. Marketing people, perhaps? :)

Assuming someone has physical access to something (the ethernet) that carries traffic they're not supposed to see (like the packets in question), there's little you can do to ensure that somebody can't figure out a way around your security. If that isn't enough, you start looking into managed switches, locked server rooms, and (if all else fails) a new profession.

I'm not against the idea (actually, it sounds kinda neat), but there are a lot of problems..

mike
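The point made in the message above, that encrypting frame payloads on a LAN still leaves the 14-byte Ethernet header in the clear, and that the header alone lets an observer work out which station is which, as an added example that is not part of the original message or thread. The script below constructs a small capture of frames whose payloads are random bytes standing in for ciphertext, then analyzes nothing but the headers: who talks to whom, how much each station sends, and which addresses carry the IEEE locally-administered bit. All MAC addresses and traffic are made up; the EtherType 0x88B5 (IEEE 802 local experimental) is used only as a placeholder for "opaque encrypted frame".

```python
"""Passive layer-2 traffic analysis over frames whose payloads are opaque.

Added example; the frames, MAC addresses and traffic pattern are constructed
here and do not come from the original thread.
"""
import os
import struct
from collections import Counter, defaultdict

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType: 14 bytes
ETHERTYPE_OPAQUE = 0x88B5           # IEEE 802 local experimental; stand-in for "encrypted frame"
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(src: bytes, dst: bytes, payload_len: int) -> bytes:
    """Ethernet header followed by random bytes that play the role of ciphertext."""
    return ETH_HDR.pack(dst, src, ETHERTYPE_OPAQUE) + os.urandom(payload_len)


def parse_header(frame: bytes):
    """Return (src, dst, ethertype); the payload is never looked at."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    return src, dst, ethertype


def analyze(frames):
    """Everything an observer on the wire learns without decrypting a single byte."""
    volume = Counter()           # payload bytes sent per source MAC
    peers = defaultdict(set)     # distinct unicast peers per MAC

    for frame in frames:
        src, dst, _ = parse_header(frame)
        volume[src] += len(frame) - ETH_HDR.size
        # Skip broadcast and multicast (low bit of first octet set); they
        # say little about who is talking to whom.
        if dst != BROADCAST and not dst[0] & 0x01:
            peers[src].add(dst)
            peers[dst].add(src)

    # The station with the most distinct peers (ties broken by bytes sent)
    # is the likely server, whatever its payload contains.
    server = max(peers, key=lambda m: (len(peers[m]), volume[m]))
    return {
        "server": mac_str(server),
        "peer_count": {mac_str(m): len(p) for m, p in peers.items()},
        "bytes_sent": {mac_str(m): n for m, n in volume.items()},
        # Bit 0x02 of the first octet marks a locally administered address
        # (e.g. a manually assigned or virtualized MAC).
        "locally_administered": sorted(mac_str(m) for m in peers if m[0] & 0x02),
    }


def sample_capture():
    """Constructed traffic: three workstations each talk to one server;
    one also prints and sends a broadcast. Addresses are made up."""
    server = bytes.fromhex("001122aabb01")
    printer = bytes.fromhex("001122aabb02")
    clients = [bytes.fromhex(f"02a0b0c0d0{i:02x}") for i in (1, 2, 3)]  # 0x02: locally administered

    frames = []
    for client in clients:
        frames.append(build_frame(client, server, 64))     # small request
        frames.append(build_frame(server, client, 1400))   # large response
    frames.append(build_frame(clients[0], printer, 300))
    frames.append(build_frame(clients[0], BROADCAST, 42))  # e.g. an ARP-style broadcast
    return frames


if __name__ == "__main__":
    report = analyze(sample_capture())
    print("likely server:", report["server"])
    print("peers per station:", report["peer_count"])
    print("bytes sent:", report["bytes_sent"])
    print("locally administered:", report["locally_administered"])
```

Run it and the server stands out immediately (three peers, the bulk of the bytes) even though not one payload byte was readable; the request/response size pattern alone separates clients from servers. That is the gap the message describes: hiding IP addresses and payload does not hide the topology, because the switch and every station need the Ethernet header in the clear to deliver the frame at all.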