1996-10-06 - Re: encrypting pppd?

Header Data

From: VaX#n8 <vax@linkdead.paranoia.com>
To: roy@scytale.com
Message Hash: 930bd02ccbc3acb1730a53acaa400a762d5014d60749c81436f9adb9fc300d6c
Message ID: <199610060919.EAA03227@linkdead.paranoia.com>
Reply To: <961002.235706.1R8.rnr.w165w@sendai.scytale.com>
UTC Datetime: 1996-10-06 11:12:17 UTC
Raw Date: Sun, 6 Oct 1996 19:12:17 +0800

Raw message

From: VaX#n8 <vax@linkdead.paranoia.com>
Date: Sun, 6 Oct 1996 19:12:17 +0800
To: roy@scytale.com
Subject: Re: encrypting pppd?
In-Reply-To: <961002.235706.1R8.rnr.w165w@sendai.scytale.com>
Message-ID: <199610060919.EAA03227@linkdead.paranoia.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <961002.235706.1R8.rnr.w165w@sendai.scytale.com>, Roy M. Silvernail 
writes:
>What threat model does this address?

snooping the link

>It'd be link encryption, where the
>best security is found in end-to-end encryption.

Encrypting at higher levels involves a different effort/cost
tradeoff that doesn't do much better at addressing the threat
mentioned above.  AFAIK, application-level involves modification
of every app we are interested in, and network or transport level
should probably best wait for IPv6.  I think link-layer is best
for what we need.

Come to think of it I've never seen papers on this kind of issue,
probably because I haven't looked.  Anyone got any URLs/bibliorefs
to a paper on the benefits of encryption or authentication at the
different levels of the OSI or other network models?

Thinking about it a bit more, if you only encrypt, say, telnet
then you've got a pretty predictable plaintext stream.  If you
encrypt the entire link level properly then it might be much harder
to isolate the nonvariant bits of the protocols since the port and
that kind of header info is not available to the attacker at that
level.




