FreeBSD Security Archives: Re: Layer 2 ethernet encryption?

Re: Layer 2 ethernet encryption?


dmparacnet.com
Tue, 07 Sep 1999 01:33:37 -0700


Christian Kuhtz wrote:
>
> Err, there are some things that don't run easily over SSH.
>
> You could approach this at least four ways (that I can think of):
>
> a) write a device driver layer which inserts link layer encryption and
> crypto management functions. - you'd need to do this with each box
> and device driver you want to be able to communicate with each
> other -- very cumbersome, IMHO, and a bad idea unless you got a
> damn good reason to do so.
>
> b) use IPv4 IPSec -- pain in the a** after all the junk we had to deal
> with in my professional life. Lots and lots of interop issues.
>
> c) use IPv6 IPSec -- learning curve to properly run IPv6 may be a bit
> high, but the rest is pretty straightforward and IMHO more clean
> than IPv4 IPSec, particularly IPSec host-mode.
>
> d) use SSL style application layer encryption. -- by far the most
> portable implementation.

All of these are software-based security measures. In other words,
they aren't very good.

> It'd help if you could describe a little more of what exactly you're trying
> to do.

What it comes down to is a hardware-based means of encrypting
ethernet traffic in a way that allows only the MAC address to be
seen. I won't go into much detail about the network in question.
I will say that an unencrypted MAC address is required, and that only
the source and destination computers need know the unencrypted
contents of layers 3 and higher.

> Ask yourself who you mistrust and who you trust in your application. That's
> usually the best way to approach encryption, unless you are a marketing
> moron^H^H^H^H^Hgenius.

I mistrust everyone in general. I grant trust to those I must deal
with, in order to deal with them. When I'm not dealing with someone,
I do not trust them.
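The frame layout the reply asks for, with only the destination and source MAC addresses readable on the wire and everything from the EtherType onward readable only by the two endpoints, can be written down concretely. The following is an added example and not code from the original thread (the poster wants this done in hardware; this is a software model of the same wire format). It assumes AES-128-GCM with the two MAC addresses as associated data, a per-sender packet number as the nonce, a hypothetical `Link` type holding one key per direction, and a local-experimental EtherType value chosen here to mark encrypted frames; the sample frame and key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macLen       = 6
	addrLen      = 2 * macLen // destination and source MAC, left in the clear
	seqLen       = 4          // per-sender packet number, also in the clear
	encEtherType = 0x88B5     // assumption: a local-experimental EtherType marks encrypted frames
)

// Link is one direction of an encrypted link: a shared AES-128 key plus the
// sender's packet counter and the receiver's replay watermark. Hypothetical type,
// not from the original thread; use a separate key per direction.
type Link struct {
	aead     cipher.AEAD
	txSeq    uint32
	lastRecv uint32
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// nonceFor builds the 96-bit GCM nonce from the packet number, so a nonce is
// never reused under one key as long as the counter is never allowed to wrap.
func (l *Link) nonceFor(seq uint32) []byte {
	n := make([]byte, l.aead.NonceSize())
	binary.BigEndian.PutUint32(n[len(n)-seqLen:], seq)
	return n
}

// Seal converts a plaintext frame dst||src||EtherType||payload into
// dst||src||encEtherType||seq||GCM(EtherType||payload) with dst||src as
// associated data: the addresses stay readable but cannot be altered unnoticed.
func (l *Link) Seal(frame []byte) ([]byte, error) {
	if len(frame) < addrLen+2 {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	if l.txSeq == ^uint32(0) {
		return nil, errors.New("packet number exhausted: rekey before sending more")
	}
	l.txSeq++
	addrs := frame[:addrLen]
	hdr := addrLen + 2 + seqLen
	out := make([]byte, hdr, hdr+len(frame)-addrLen+l.aead.Overhead())
	copy(out, addrs)
	binary.BigEndian.PutUint16(out[addrLen:], encEtherType)
	binary.BigEndian.PutUint32(out[addrLen+2:], l.txSeq)
	return l.aead.Seal(out, l.nonceFor(l.txSeq), frame[addrLen:], addrs), nil
}

// Open reverses Seal. A replayed packet number, a modified MAC address or any
// change to the ciphertext fails authentication and the frame is dropped.
func (l *Link) Open(wire []byte) ([]byte, error) {
	hdr := addrLen + 2 + seqLen
	if len(wire) < hdr+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	if binary.BigEndian.Uint16(wire[addrLen:]) != encEtherType {
		return nil, errors.New("not an encrypted frame")
	}
	seq := binary.BigEndian.Uint32(wire[addrLen+2:])
	if seq <= l.lastRecv { // strict ordering; a real link would keep a reorder window
		return nil, errors.New("replayed or out-of-order packet number")
	}
	addrs := wire[:addrLen]
	plain, err := l.aead.Open(nil, l.nonceFor(seq), wire[hdr:], addrs)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	l.lastRecv = seq // advance the watermark only after the tag verified
	return append(append([]byte{}, addrs...), plain...), nil
}

// SampleFrame is a constructed IPv4-over-Ethernet frame, not captured traffic.
func SampleFrame() []byte {
	dst := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	src := []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	etherType := []byte{0x08, 0x00} // IPv4
	payload := []byte("layer 3 and up: readable only by the endpoints")
	return bytes.Join([][]byte{dst, src, etherType, payload}, nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key, never hard-code a real one
	tx, _ := NewLink(key)
	rx, _ := NewLink(key)
	wire, _ := tx.Seal(SampleFrame())
	fmt.Printf("on the wire: %x\n", wire)
	frame, err := rx.Open(wire)
	fmt.Printf("received: %q err=%v\n", frame[addrLen+2:], err)
	_, err = rx.Open(wire) // same packet number again
	fmt.Println("replay:", err)
}
```

Two properties matter for the requirement stated above: a sniffer on the segment sees the twelve address bytes, the marker EtherType and a packet number but nothing that identifies the layer 3 protocol or its contents, and because the addresses are covered by the GCM tag an attacker who rewrites a MAC to redirect a frame causes the receiver to drop it rather than decrypt it. The packet number doubles as nonce and replay counter, which is why the sender must rekey before it wraps and the receiver advances its watermark only after the tag verifies.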

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



This archive was generated by hypermail 2.0b3 on Tue Sep 07 1999 - 03:32:13 CDT