Re: Layer 2 ethernet encryption?
dmp@aracnet.com
Mon, 06 Sep 1999 23:39:42 -0700
"Rodney W. Grimes" wrote:
> > dmp@aracnet.com wrote in message ID
> > <37D496A5.A0576E0F@aracnet.com>:
> > > Is it possible to encrypt ethernet packets so that all layers above
> > > layer 2 would be encrypted? The idea I had was to make a device that
> > > could defeat a TCP sniffer by encrypting the IP headers. Is this
> > > doable? Viable? A reinvention of the wheel?
> >
> > How would you route the traffic? No routers would be able to pass the
> > traffic.
>
> No, only routers knowing the key would be able to route traffic.
In my idea, only the machine to which the packet is being sent would
have the decryption key. If the router had the decryption key, it
would mean that it would have to be programmable for it to load the
right decryption key. That opens a security hole in which a DoS
could be executed by corrupting the router's keys. The router's key
cache would also have to be retrievable, making it possible to steal
the keys from the router.
A hardcoded decryption key is the only answer. Not completely
secure in and of itself, but to compromise it would require a
physical effort, not just an electronic/software one.
> > If you are doing this for a local LAN, I suggest you have bigger
> > problems :)
>
> Maybe the LAN is ``wireless'' :-). But more seriously the Wavelan
> and several other wireless cards do DES encryption at layer 1... so
> it _can_ be done. And more importantly is being done (first hand
> knowledge on that one).
It's a wired LAN. UTP. Layer 1 encryption wouldn't work unless all
devices on the LAN had the same key pair. Great for preventing
unauthorized use of the network, but it doesn't do a thing to prevent
sniffing by an authorized machine. Unauthorized use of the network
isn't an issue, but sniffable traffic is.
I like your solution, though.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
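The point the two posters are arguing over, that a frame whose IP header is encrypted can still be switched on its destination MAC but gives a router nothing to route on until someone with the key decrypts it, as an added Python illustration that is not part of the original thread. It builds a constructed Ethernet/IPv4 frame and uses a toy HMAC-SHA256 keystream in place of a real cipher; the MAC addresses, IP addresses and key are made up.

```python
import hmac
import hashlib
import struct

# Constructed sample frame: Ethernet II header + minimal IPv4 header (no payload).
# The MAC addresses, IP addresses and key below are made up for the example.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = b"\x08\x00"
KEY = b"constructed-demo-key"

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 20-byte header; returns 0 for a valid header."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver 4/IHL 5, TOS, total len 20, id, flags/frag, TTL 64, proto 6, csum 0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with an HMAC-SHA256 keystream); stands in for a real one."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_frame(key: bytes, frame: bytes) -> bytes:
    """Encrypt everything after the 14-byte Ethernet header, IP header included."""
    return frame[:14] + keystream_xor(key, frame[14:])

decrypt_frame = encrypt_frame  # XOR with the same keystream undoes it

def switch_view(frame: bytes) -> bytes:
    """A layer-2 switch forwards on the destination MAC, which stays in the clear."""
    return frame[:6]

def router_view(frame: bytes):
    """A router needs a parseable, checksum-valid IPv4 header; returns dst IP or None."""
    ip = frame[14:34]
    if frame[12:14] != ETHERTYPE_IPV4 or len(ip) < 20 or ip[0] != 0x45 or ipv4_checksum(ip):
        return None
    return ".".join(str(b) for b in ip[16:20])

FRAME = DST_MAC + SRC_MAC + ETHERTYPE_IPV4 + build_ipv4_header("10.0.0.5", "192.168.1.9")
```

Run `router_view` on `FRAME` and on `encrypt_frame(KEY, FRAME)` to see the difference: the plaintext frame yields the destination IP, the encrypted one yields None while `switch_view` still returns the destination MAC for both.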
This archive was generated by hypermail 2.0b3 on Tue Sep 07 1999 - 01:39:18 CDT