Ethernet and IP form the basis of the vast majority of LAN installations. However, these protocols do not provide comprehensive security mechanisms and thus leave room for a plethora of attack scenarios. We have therefore developed a layer 2/3 security extension for LANs, the Cryptographic Link Layer (CLL). CLL provides authentication and confidentiality to the hosts in the LAN by safeguarding all layer 2 traffic, including ARP and DHCP handshakes. It is transparent to existing protocol implementations, in particular to the ARP module and to DHCP clients and servers. Beyond fending off external attackers, CLL also protects against malicious behavior of authenticated clients. We have implemented CLL as a user-mode service for both Windows and Linux. In typical 100 Mbit Ethernet LANs, our CLL implementation operates at full wire-speed.


Yves Jerschow



  • CLL.zip (last updated on 2009/08/21)


Yves Igor Jerschow, Christian Lochert, Björn Scheuermann, Martin Mauve
CLL: A Cryptographic Link Layer for Local Area Networks. SCN 2008: Proceedings of the 6th Conference on Security and Cryptography for Networks, Amalfi, Italy, September 2008.

Yves Igor Jerschow, Björn Scheuermann, Martin Mauve
Counter-Flooding: DoS Protection for Public Key Handshakes in LANs. ICNS 2009: Proceedings of the Fifth International Conference on Networking and Services, Valencia, Spain, April 2009.