Re: [liberationtech] Security over SONET/SDH

2013-06-26 Thread Eugen Leitl
- Forwarded message from s...@wwcandt.com -

Date: Tue, 25 Jun 2013 19:34:17 -0400 (EDT)
From: s...@wwcandt.com
To: sur...@mauigateway.com
Cc: na...@nanog.org
Subject: Re: Security over SONET/SDH
User-Agent: SquirrelMail/1.4.8-21.el5.centos
Reply-To: s...@wwcandt.com

The sticky problem remains for any communications carrier: we are looking
for a technical solution to a legal problem.

I believe that if you encrypted your links sufficiently that it was
impossible to siphon the wanted data from your upstream the response would
be for the tapping to move down into your data center before the crypto.

With CALEA requirements and the Patriot Act they could easily compel you
to give them a span port prior to the crypto.

Regardless of how well built our networks are internally and externally we
still must obey a court order.

Sam

> --- morrowc.li...@gmail.com wrote:
> From: Christopher Morrow morrowc.li...@gmail.com
> On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
> william.allen.simp...@gmail.com wrote:
>
> :: ...in addition to everything else, what security protocols
> :: are folks using to protect SONET/SDH?  At what speeds?
>
> : Correct.
>
> : But the answer appears to be: none.  Not Google.  Not any
> : public N/ISP.
>
> would they say if they had?
> ---
>
> Yes, especially in light of the current news regarding
> internet privacy.  Could you imagine the advertising
> they'd be able to do to prospective customers?
>
> scott

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Security over SONET/SDH

2013-06-26 Thread Eugen Leitl
- Forwarded message from Leo Bicknell bickn...@ufp.org -

Date: Tue, 25 Jun 2013 19:56:24 -0500
From: Leo Bicknell bickn...@ufp.org
To: s...@wwcandt.com
Cc: na...@nanog.org
Subject: Re: Security over SONET/SDH
X-Mailer: Apple Mail (2.1508)


On Jun 25, 2013, at 6:34 PM, s...@wwcandt.com wrote:

> I believe that if you encrypted your links sufficiently that it was
> impossible to siphon the wanted data from your upstream the response would
> be for the tapping to move down into your data center before the crypto.
>
> With CALEA requirements and the Patriot Act they could easily compel you
> to give them a span port prior to the crypto.

The value here isn't preventing <insert federal agency> from getting the data;
as you point out, there are multiple tools at their disposal, and they will
likely compel data at some other point in the stack.  The value here is
increasing the visibility of the tapping, making more people aware of how much
is going on.  Forcing the tapping out of the shadows and into the light.

For instance, if my theory that some cables are being tapped at the landing
station is correct, there are likely ISPs on this list right now that have
transatlantic links /and do not know that they are being tapped/.  If the links
were encrypted and they had to serve the ISP directly to get the unencrypted
data or make them stop encrypting, that ISP would know their data was being
tapped.

It also has the potential to shift the legal proceedings to other courts.  The 
FISA court can approve tapping a foreign cable as it enters the country in near 
perfect, unchallengeable secrecy.  If encryption moved that to be a regular 
federal warrant under CALEA there would be a few more avenues for challenging 
the order legally.

People can't challenge what they don't know about.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

- End forwarded message -


Re: [liberationtech] Security over SONET/SDH

2013-06-25 Thread Eugen Leitl
- Forwarded message from s...@wwcandt.com -

Date: Tue, 25 Jun 2013 07:56:38 -0400 (EDT)
From: s...@wwcandt.com
To: Glen Turner g...@gdt.id.au
Cc: na...@nanog.org
Subject: Re: Security over SONET/SDH
User-Agent: SquirrelMail/1.4.8-21.el5.centos
Reply-To: s...@wwcandt.com

Even if your crypto is good enough end to end, CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

From Wikipedia:
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept-function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers-only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based soft switches typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror-ports are
employed to deliver copies of all of a network's data to dedicated IP
probes.

Probes can either send directly to the LEA according to the industry
standard delivery formats (cf. ATIS T1.IAS, T1.678v2, et al.); or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a self-contained probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as made by
IPFabrics), or a dumb probe component plus a mediation device (such as
made by Verint), or they must implement the delivery of correctly formatted
data for a named subscriber on their own.



> Link encryption isn't to protect the contents of the user's
> communication. There is no reason for users to trust their
> ISP more than a national institution full of people vetted
> to the highest level.
>
> What link encryption gets the user is protection from traffic
> analysis from parties other than the ISP.
>
> You've seen in the NSA documents how highly they regard this
> traffic analysis. I'd fully expect the NSA to collect it by
> other means.
>
> -glen
>
> --
> Glen Turner http://www.gdt.id.au/~gdt/

- End forwarded message -