On 01/05/2007 10:53 AM, Paul Hoffman wrote:

> You could take an IPsec stack and repurpose it down one layer in the
> stack. At least that way you'll know the security properties of what you
> create.
That is a Good Idea that can be used in a wide range of situations. Here is some additional detail:

This can be understood as follows: Half of IPsec "tunnel mode" can be described as IPIP encapsulation layered on top of "transport mode" which does the encryption and arranges for transport of the encrypted packets. The other half of IPsec is the SPDB, which is an important part of IPsec but is often underappreciated by non-experts.

So ... one obvious way forward is to do what might be called L2sec (layer 2 security) in analogy to IPsec. That is, do layer-2-in-IP encapsulation using GRE or the like, and then layer that on top of IPsec transport mode. Then you make some straightforward tweaks to the SPDB and you've something pretty nice. As PH said, the security properties will be well known.

This may sound like overkill, but it is likely to be /easier/ than anything else you can think of (not to mention more secure and more richly featured).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
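The layering the message proposes, as an added example that is not part of the original post: on Linux, an Ethernet-in-GRE tap device carries the layer-2 frames, two transport-mode ESP SAs protect the GRE traffic, and the SPDB entries are the "tweak" that selects exactly that GRE flow. Addresses, SPIs and keys are constructed placeholders; running it for real needs root and iproute2, so `DRY_RUN=1` prints the commands instead.

```shell
#!/bin/sh
# Added example (not from the original message): an "L2sec" link built from
# gretap (layer 2 in IP) on top of IPsec ESP in transport mode. Every
# address, SPI and key below is a constructed placeholder.
LOCAL=${LOCAL:-192.0.2.1}
REMOTE=${REMOTE:-192.0.2.2}
SPI_OUT=${SPI_OUT:-0x1001}
SPI_IN=${SPI_IN:-0x1002}
# AES-128-GCM (rfc4106) takes 16 key bytes + 4 salt bytes = 40 hex digits.
# PLACEHOLDER values only; generate real ones with something like
# "head -c 20 /dev/urandom | xxd -p -c 20".
KEY_OUT=${KEY_OUT:-0x000102030405060708090a0b0c0d0e0f10111213}
KEY_IN=${KEY_IN:-0x202122232425262728292a2b2c2d2e2f30313233}

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

l2sec_up() {
  # Layer 2 in IP: a gretap device carries Ethernet frames inside GRE.
  run ip link add name gretap1 type gretap local "$LOCAL" remote "$REMOTE"
  run ip link set gretap1 up
  # Transport-mode ESP, one SA per direction: the outer IP header stays in
  # the clear, the GRE header and the inner frame are encrypted and
  # integrity-protected by AES-GCM.
  run ip xfrm state add src "$LOCAL" dst "$REMOTE" proto esp spi "$SPI_OUT" \
      mode transport aead 'rfc4106(gcm(aes))' "$KEY_OUT" 128
  run ip xfrm state add src "$REMOTE" dst "$LOCAL" proto esp spi "$SPI_IN" \
      mode transport aead 'rfc4106(gcm(aes))' "$KEY_IN" 128
  # The SPDB tweak: policies whose selector is only the GRE flow between the
  # two endpoints, so unprotected GRE is neither sent nor accepted.
  run ip xfrm policy add src "$LOCAL" dst "$REMOTE" proto gre dir out \
      tmpl src "$LOCAL" dst "$REMOTE" proto esp mode transport
  run ip xfrm policy add src "$REMOTE" dst "$LOCAL" proto gre dir in \
      tmpl src "$REMOTE" dst "$LOCAL" proto esp mode transport
}

# Sanity check on the generated commands: both SAs and both policies must
# use transport mode, so four lines should match.
l2sec_transport_count() {
  ( DRY_RUN=1; l2sec_up ) | grep -c 'mode transport'
}
```

Tear-down (`ip xfrm policy flush`, `ip xfrm state flush`, `ip link del gretap1`) is left out for brevity.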