On Feb 20, 2013, at 3:20 PM, Jack Bates <[email protected]> wrote:
> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>>
>> See thread: nanog impossible circuit
>>
>> Even your leased lines can have packets copied off or injected into them,
>> apparently so easily it can be done by accident.
>>
>
> This is especially true with pseudo-wire and mpls. Most of my equipment can
> filter based mirror to alternative mpls circuits where I can drop packets
> into my analyzers. If I misconfigure, those packets could easily find
> themselves back on public networks.
>
An amazing percentage of "private" lines are pseudowires, and neither you nor
your telco salesdroid can know or tell; even the "real" circuits are routed
through DACS, ATM switches, and the like. This is what link encryptors are all
about; use them. (Way back when, we had a policy of using link encryptors on
all overseas circuits -- there was a high enough probability of underwater
fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our
circuits might suddenly end up on a satellite link. And we were only worrying
about commercial-grade security.)
--Steve Bellovin, https://www.cs.columbia.edu/~smb