T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
483.1 | Huh? | FLUKES::SUTTON | He roams the seas in freedom... | Fri Feb 21 1992 08:52 | 21 |
| I think I'm missing something here:
Why do you need the second DESNC on each of your Ethernets, the one
just before the FDDI Bridge? The data going from your Ethernet segment
to the FDDI portion is already encrypted by the first DESNC, and
decrypted by the last one just before the VAX. The only DESNCs you
should need are the two UNDER your Ethernets in your diagram, not the
additional two OVER your Ethernets in your diagram. What passes on your
ring (between the 6XX Bridges in your diagram) will already have been
encrypted.
DESNC was designed and offered to address the concern that Ethernets
are (relatively) easy to tap into and pull plaintext data (including
passwords) off of, since they are by design a broadcast medium; FDDI
Rings do not share this susceptibility. First of all, the optical
transmission medium cannot be unobtrusively tapped; secondly, it's a
token-passing ring topology, not broadcast.
Does this answer the question, or did I miss something?
/Harry
|
483.2 | | STAR::PARRIS | _ 13,26,42,96... What comes next? | Fri Feb 21 1992 09:43 | 8 |
| > Rings do not share this susceptibility. First of all, the optical
> transmission medium cannot be unobtrusively tapped; secondly, it's a
> token-passing ring topology, not broadcast.
I disagree with your second point; as I understand it, packets go through all
the stations on a ring, and are removed when they get back to the originating
station. An FDDI interface can be set up to receive packets directed to all
addresses (promiscuous mode), so it should be possible to eavesdrop that way.
|
483.3 | | RACER::dave | Attending The School of Comparative Irrevelevance | Fri Feb 21 1992 09:47 | 17 |
| > Rings do not share this susceptibility. First of all, the optical
> transmission medium cannot be unobtrusively tapped; secondly, it's a
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This, of course, is not true, and is the reason why there are entire companies
that make all their money manufacturing special "fiber within a fiber" cables
that are orders of magnitude more difficult to tap than the "standard fare".
I ran into this "stuff" a while back when working on a network for a customer
that builds lots of military equipment. They had significant amounts of
electronics on each end. They said it was not encryption, but tap detection.
More specific information did not follow, nor was I about to ask more questions.
The feeling was that "standard fiber" was too easy to tap, and did not meet the
security requirements of the data. Of course, the DESNC didn't meet their
requirements, either. They ended up running KGxx devices, where I have
forgotten the exact values of xx.
|
483.4 | Where is the Encryption??? | SAHQ::TROTTER | | Fri Feb 21 1992 10:03 | 3 |
| There is a lot more on the Ethernet segments that I didn't show. If
the DESNC's to the VAX's are removed where is the encryption on the
FDDI ring or the Ethernet segments?
|
483.5 | End-to-End Encryption | HAGELN::MyTH | M. T. Hollinger | Fri Feb 21 1992 12:14 | 10 |
| > If the DESNC's to the VAX's are removed...
No, the suggestion was to remove the DESNC controllers attached to the FDDI
bridges and *keep* the ones attached to the VAX systems. The idea is to
encrypt the data as it leaves the VAX and not perform any decryption until
it reaches its destination. From the DESNC perspective, your configuration
is a single extended Ethernet; the fact that the bridges happen to use FDDI
as a transport mechanism between Ethernet segments is incidental.
- MyTH
|
483.6 | Minor clarification of a minor point.... | FLUKES::SUTTON | He roams the seas in freedom... | Fri Feb 21 1992 15:39 | 17 |
| re: .2, .3
My comment about tapping was made in the context of comparison to
Ethernet technology.
It's a far simpler matter to find a coax segment in a closet or air
plenum and pierce it with a vampire tap (okay, okay, it's got to be
thickwire Ethernet to do this) and set a station in promiscuous mode,
and to do all this without being detected, than it would be to find a
fiber optic ring in a working FDDI network, break the connection, make
a useable spliced connection that would allow you to insert another
station, and start intercepting traffic, all without anyone knowing
that anything was happening on the network.
Cheers,
/Harry
|
483.7 | Who said anything about adding to the ring? | RACER::dave | Attending The School of Comparative Irrevelevance | Fri Feb 21 1992 15:58 | 6 |
| The "fiber" tapping technologies do not require any "breaking" of the ring
or splicing of any sort. Like Ethernet tapping, simply physical access
(and the right tap equipment) is all that is required. There is no need to
"insert a station", only to "monitor" the light going down the fiber and
provide a "copy" of that signal. Like Ethernet, this would be fairly
straightforward in a closet or some such space.
|
483.8 | | KONING::KONING | Paul Koning, NI1D | Mon Feb 24 1992 11:47 | 6 |
| FDDI taps are available off the shelf; at least one FDDI network analyzer
comes with one, for obvious reasons.
The notion that (ordinary) fiber is hard to tap is nonsense.
paul
|
483.9 | I give! | FLUKES::SUTTON | He roams the seas in freedom... | Tue Feb 25 1992 12:26 | 9 |
| Uncle! Uncle! Uncle!
My apologies for opening a rathole with what is so obviously outdated
information. Forget I said anything about fiber being difficult to tap.
Forget I said anything about anything.
Cheers,
/Harry
|