[Bridge] Encrypting Bridge?

[Francois Ambrosini]

On Mon, 23 Aug 2004 10:31:26 -0700
Stephen Hemminger <shemminger at osdl.org> wrote:

[snip]
> The encrypting bridge isn't a bad idea, just not sure it is worth maintaining
> yet another VPN solution.
> 

Greetings,

IMHO, and in addition to what Rene Bartsch said, providing an encrypted tunnel at layer 2 can be really useful when it comes to bandwidth and/or latency matters.
Moreover, paranoid network administrators will always be interested in such a feature. It would be the closest solution to direct physical encryption without having to buy any special hardware, and without the overhead of a layer 3 tunnel (just like the encryption part of WPA is to Wi-Fi).

Alas, adding encryption to the brigde features is not enough: it should scale well, meaning that a decent key management system would have to be provided as well, in user space. To make things clear, I am only speaking of managing the keys on the different nodes of the encrypted switched network (no things like authentication, certificates, PKI and alike). On the top of that, if direct interoperability with other OSes was to be achieved with such a feature, one would have to provide drivers for this to work.

Isn't all this getting outside the limits of the bridge ? Maybe encryption should be provided by a seperate piece of code that would stand beetween the ethernet driver(s) and the bridge (or the IP stack) ? I am no specialist of neither the bridging code nor the networking implementation in the Linux kernel, so correct me if I'm going in the wrong direction.

Regards,

Francois