great, don't forget that Intel's Nightshade mboard, with the integrated NIC that does Wake on LAN, can also be put to sleep with an IP packet. these will most likely suffer the same problem. now all of your trusted IPsec Intel NICs are asleep. where did your network logging and IDSs go? oh yeah... nowhere. :) have a nice day, folks.
Actually, having access to a cryptochip would possibly facilitate protection against this kind of attack. You could design a protocol for decently secure sleep-on-LAN using shared secrets (between client and management server). Thus only the management server would have to be trusted, and if it gets cracked you're done for anyway... (Note: I don't say that Intel does this, and it's probably not in the wake-on-LAN specs (I haven't checked, though) but it would be possible.)
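The shared-secret sleep-on-LAN protocol sketched in the comment above, as an added example that is not from the thread, from Intel, or from any Wake-on-LAN spec: the management server authenticates each sleep/wake command with an HMAC and a monotonically increasing counter, and the NIC acts only on packets with a valid tag and a fresh counter, so unauthenticated or replayed packets cannot put it to sleep. The packet layout, magic string and secret are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed shared secret; in practice provisioned per NIC (e.g. held in the cryptochip).
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAGIC = b"SLEEP-ON-LAN"  # hypothetical packet type identifier
CMD_SLEEP, CMD_WAKE = 0x01, 0x02
TAG_LEN = 32  # full HMAC-SHA256 tag

def build_command(secret: bytes, counter: int, command: int) -> bytes:
    """Management-server side: MAGIC || counter (8 bytes) || command (1 byte) || HMAC-SHA256."""
    body = MAGIC + struct.pack(">QB", counter, command)
    return body + hmac.new(secret, body, hashlib.sha256).digest()

class ManagedNic:
    """NIC side: accept a command only if the tag verifies and the counter is strictly newer."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0   # highest counter accepted so far (replay protection)
        self.state = "awake"

    def receive(self, packet: bytes) -> str:
        hdr_len = len(MAGIC) + 9
        if len(packet) != hdr_len + TAG_LEN or not packet.startswith(MAGIC):
            return "rejected: malformed"
        body, tag = packet[:hdr_len], packet[hdr_len:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        counter, command = struct.unpack(">QB", body[len(MAGIC):])
        if counter <= self.last_counter:
            return "rejected: replay"
        if command not in (CMD_SLEEP, CMD_WAKE):
            return "rejected: unknown command"
        self.last_counter = counter
        self.state = "asleep" if command == CMD_SLEEP else "awake"
        return f"accepted: {self.state}"

def demo() -> list:
    """Walk through a genuine command, a replay, a tampered tag, a wrong key, and a genuine wake."""
    nic = ManagedNic(SHARED_SECRET)
    pkt = build_command(SHARED_SECRET, 1, CMD_SLEEP)
    results = [nic.receive(pkt)]
    results.append(nic.receive(pkt))                                   # replayed packet
    results.append(nic.receive(pkt[:-1] + bytes([pkt[-1] ^ 0x01])))    # flipped tag byte
    results.append(nic.receive(build_command(b"wrong-key", 2, CMD_SLEEP)))  # sender without the secret
    results.append(nic.receive(build_command(SHARED_SECRET, 2, CMD_WAKE)))
    return results
```

Only the management server holding the secret can change the NIC's state; anyone else on the segment can observe the packets but cannot forge or replay them.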
Why physical layer security? This isn't physical layer security. The poster who thought it was was wrong. If you want to adhere to strict OSI layer definitions -- well, you're out of touch with modern networking reality, but if you do -- then this is Link Layer security.
As we're talking about IPSEC it's Network Layer security. (Ref: IETF ipsec charter -- "A security protocol in the network layer will be developed".) Technically, the chip could be used for Link Layer security, but the Intel article does not suggest any such use.
Uhm, what is that comment about? If you go by the standards you're out of touch with modern networking? How is the OSI model obsolete?
The OSI model is not really obsolete, but for classifying many systems it's really overkill. Some of the layers in the OSI model rarely correspond to any used protocols or functions, notably the Session and Presentation Layers. Therefore many people prefer the five-layer model of the TCP/IP-stack.
"On the other hand, if the encryption is done at layer 2... They have to decrypt every single packet you send looking for gold..."
Yeah, except there's a flaw in this logic: if you're encrypting everything at a low layer, the network has no idea where to send the packets because their destination addresses are all encrypted. So, the network hardware needs to be able to read the destination, which means the FBI, CIA, NSA, McDonalds can just check the source/destination on the packets the same way the network does.
There is however a (not very important) case where link layer encryption could be useful, and that's if you suspect promiscuous client machines snooping on your own LAN. If you encrypt at link layer, they would only know that the packet is headed for the router, but not know the final destination. So, they would have to crack one of the routers instead, but it would be a wee bit safer... IMHO it would be a waste of resources, as switching the network would do almost the same trick, but link layer encryption isn't completely useless. You would still be vulnerable to traffic analysis, though.
This article discusses nondisclosure:
http://www.badsoftware.com/nondisc.htm