SC-based link encryption
John Denker
jsd at av8n.com
Fri Jan 5 15:22:19 EST 2007
On 01/05/2007 10:53 AM, Paul Hoffman wrote:
> You could take an IPsec stack and repurpose it down one layer in the
> stack. At least that way you'll know the security properties of what you
> create.
That is a Good Idea that can be used in a wide range of
situations. Here is some additional detail:
This can be understood as follows: Half of IPsec "tunnel
mode" can be described as IPIP encapsulation layered on
top of "transport mode" which does the encryption and
arranges for transport of the encrypted packets.
The other half of IPsec is the SPDB, which is an
important part of IPsec but is often underappreciated
by non-experts.
So ... one obvious way forward is to do what might be
called L2sec (layer 2 security) in analogy to IPsec.
That is, do layer-2-in-IP encapsulation using GRE or
the like, and then layer that on top of IPsec transport
mode.
Then you make some straightforward tweaks to the
SPDB and you've something pretty nice. As PH
said, the security properties will be well known.
This may sound like overkill, but it is likely to be
/easier/ than anything else you can think of (not to
mention more secure and more richly featured).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list