FreeBSD Security Archives: Re: Layer 2 ethernet encryption?

Re: Layer 2 ethernet encryption?


dmparacnet.com
Tue, 07 Sep 1999 00:20:34 -0700


"Sergey S. Kosyakov" wrote:
> On 07-Sep-99 dmparacnet.com wrote:
>> "Sergey S. Kosyakov" wrote:
>>> On 07-Sep-99 dmparacnet.com wrote:
>>> > Is it possible to encrypt ethernet packets so that all layers above
>>> > layer 2 would be encrypted? The idea I had was to make a device that
>>> > could defeat a TCP sniffer by encrypting the IP headers. Is this
>>> > doable? Viable? A reinvention of the wheel?
>>> >
>>>
>>> You can establish a secure tunnel with TUND - over tun(4) pseudo-devices if
>>> you use routing, or over divert(4) sockets with ipfw(8) rules for LAN.
>>
>> Both of which require that unencrypted IP headers be used. This
>> allows the use of a TCP sniffer to monitor from where and to whom
>> traffic is going. By the standards of my group, that's a security
>> problem.
>
> Could you please describe your problem in more detail - I mean, what do you
> want to do? You want to hide from where and to whom traffic is going on the
> Ethernet LAN, don't you? Then use an Ethernet switching hub.

I have two problems. The first is that EM emissions on UTP allow
one to monitor all traffic on that cable. The second is that a
sniffer run on an authorized machine will be able to see the source
and destination IP and port of all IP traffic on its segment.

I want to fix both problems. Encrypting everything above layer 2
does this. The only determinable aspects of the packets would be
the source and destination MAC addresses, relatively sufficient
security given the security policy and topology of the network in
question.
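
The point made in this message about what stays visible, as an added example that is not part of the original post: a parser that lists the fields a passive observer can read from an Ethernet II frame, run on a constructed cleartext IPv4/TCP frame and on a constructed frame whose payload is opaque. The addresses, ports, the use of EtherType 0x88B5 as a tag and the random bytes standing in for ciphertext are assumptions.

```python
import os
import struct

ETH_IPV4 = 0x0800
ETH_OPAQUE = 0x88B5  # assumption: IEEE local-experimental EtherType marks the encrypted payload

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def observable_fields(frame: bytes) -> dict:
    """Fields a passive observer can read from one Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    seen = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]),
            "ethertype": ethertype, "length": len(frame)}
    ip = frame[14:]
    # Anything that is not a well-formed IPv4 header is opaque to the observer.
    if ethertype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return seen
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return seen
    seen.update(src_ip=_ip(ip[12:16]), dst_ip=_ip(ip[16:20]), proto=ip[9])
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: ports come first
        seen["src_port"], seen["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return seen

# Constructed sample frames (documentation addresses, locally administered MACs).
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
TCP = struct.pack("!HHIIBBHHH", 49152, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP), 0, 0, 64, 6, 0,
                   bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))  # checksum left 0
CLEAR_FRAME = DST + SRC + struct.pack("!H", ETH_IPV4) + IPV4 + TCP
# Random bytes stand in for the ciphertext of the same packet; no cipher is implemented here.
ENCRYPTED_FRAME = DST + SRC + struct.pack("!H", ETH_OPAQUE) + os.urandom(len(IPV4 + TCP))

if __name__ == "__main__":
    print("cleartext:", observable_fields(CLEAR_FRAME))
    print("encrypted:", observable_fields(ENCRYPTED_FRAME))
```

In both cases the frame length is still readable alongside the MAC addresses.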




This archive was generated by hypermail 2.0b3 on Tue Sep 07 1999 - 02:18:47 CDT