Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!uunet!mcvax!ukc!cam-cl!scc
From: scc@cl.cam.ac.uk (Stephen Crawley)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Re: IP based authentication of hosts
Message-ID: <709@scaup.cl.cam.ac.uk>
Date: 13 Apr 89 00:58:15 GMT
References: <376@ists.ists.ca> <29416@bu-cs.BU.EDU> <29455@bu-cs.BU.EDU> <10526@bloom-beacon.MIT.EDU> <29475@bu-cs.BU.EDU>
Sender: news@cl.cam.ac.uk
Organization: U of Cambridge Comp Lab, UK
Lines: 20

Kent England suggests that it is possible to prevent ether snooping
in many cases, and that this can be used to give ``a modest level of
security sufficient to fulfill [his] obligations to protect data and
yet still allow [] applications to use network technology''

Kent, how do you propose to stop J R User from unplugging his Sun and
plugging in a PC to run an etherspy?

The only way to prevent etherspying is to:

  1) place all ethernet wire and any machine attached to it in a
     physically secured area and post a guard to keep out anyone
     who you can't trust 100%,

  2) make sure that all machines on the ethernet accessible from
     outside the secured area run a verified secure operating system.

These restrictions are just not practical in an academic environment,
and in most other environments too.

I put it to you that your ``modest degree of security'' is actually
no security worth speaking of.

-- Steve