[Bridge] Encrypting Bridge?

Stephen Hemminger shemminger at osdl.org
Tue Aug 24 09:09:15 PDT 2004

On Tue, 24 Aug 2004 01:45:02 +0200
Francois Ambrosini <fambrosini at nerim.fr> wrote:

> On Mon, 23 Aug 2004 10:31:26 -0700
> Stephen Hemminger <shemminger at osdl.org> wrote:
> [snip]
> > The encrypting bridge isn't a bad idea, just not sure it is worth maintaining
> > yet another VPN solution.
> > 
> Greetings,
> IMHO, and in addition to what Rene Bartsch said, providing an encrypted tunnel at layer 2 can be really useful when it comes to bandwidth and/or latency matters.
> Moreover, paranoid network administrators will always be interested in such a feature. It would be the closest solution to direct physical encryption without having to buy any special hardware, and without the overhead of a layer 3 tunnel (just like the encryption part of WPA is to Wi-Fi).
> Alas, adding encryption to the brigde features is not enough: it should scale well, meaning that a decent key management system would have to be provided as well, in user space. To make things clear, I am only speaking of managing the keys on the different nodes of the encrypted switched network (no things like authentication, certificates, PKI and alike). On the top of that, if direct interoperability with other OSes was to be achieved with such a feature, one would have to provide drivers for this to work.
> Isn't all this getting outside the limits of the bridge ? Maybe encryption should be provided by a seperate piece of code that would stand beetween the ethernet driver(s) and the bridge (or the IP stack) ? I am no specialist of neither the bridging code nor the networking implementation in the Linux kernel, so correct me if I'm going in the wrong direction.
> Regards,
> Francois

It seems to me this is a generic problem (not a bridge problem), how to provide a layered
in-kernel tunnel. I would prefer to see a separate driver (and key management in user space).
Let's keep the bridge code focused on the bridging standard, and add link enhancements
in other drivers.

More information about the Bridge mailing list