Re: Security over SONET/SDH

2013-06-29 Thread JP Velders

> Date: Tue, 25 Jun 2013 06:38:23 -0600
> From: Phil Fagan 
> Subject: Re: Security over SONET/SDH

> Are these private links or customer links? Why encrypt at that 
> layer? I'm looking for the niche use case.

If I recall correctly the PCI stuff says an MPLS network is 
sufficiently safe. If I were a financial, I would mandate at the very 
least that all my communications extra-country be encrypted. Since we 
know how "young" some of the languages and protocols on which our 
financial infrastructure is built are, we can bet the house you need 
link-layer-level encryption to make that work.

Now, whether the institution puts it in place, or requires the 
international transport carrier to do so (hey, howdy, SONET/SDH) is 
another thing.

Nortel at one point had an OC192 AES256 encryption option:
http://www.igrid2005.org/media/press_09.28.05_nortel.html

In the end remember, a lot of trans/inter-national bandwidth is still 
SONET/SDH based and only slowly changing to Ethernet-like transports.

Kind regards,
JP Velders



Re: Security over SONET/SDH

2013-06-26 Thread sam
Well put, and point taken :-).
Sam
>
> On Jun 25, 2013, at 6:34 PM, s...@wwcandt.com wrote:
>
>> I believe that if you encrypted your links sufficiently that it was
>> impossible to siphon the wanted data from your upstream the response
>> would
>> be for the tapping to move down into your data center before the crypto.
>>
>> With CALEA requirements and the Patriot Act they could easily compel you
>> to give them a span port prior to the crypto.
>
> The value here isn't preventing  from getting the
> data, as you point out there are multiple tools at their disposal, and
> they will likely compel data at some other point in the stack.  The value
> here is increasing the visibility of the tapping, making more people aware
> of how much is going on.  Forcing the tapping out of the shadows and into
> the light.
>
> For instance if my theory that some cables are being tapped at the landing
> station is correct, there are likely ISP's on this list right now that
> have transatlantic links /and do not know that they are being tapped/.  If
> the links were encrypted and they had to serve the ISP directly to get the
> unencrypted data or make them stop encrypting, that ISP would know their
> data was being tapped.
>
> It also has the potential to shift the legal proceedings to other courts.
> The FISA court can approve tapping a foreign cable as it enters the
> country in near perfect, unchallengeable secrecy.  If encryption moved
> that to be a regular federal warrant under CALEA there would be a few more
> avenues for challenging the order legally.
>
> People can't challenge what they don't know about.
>
> --
>Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/




Re: Security over SONET/SDH

2013-06-25 Thread Phil Fagan
Well put Leo; defense-in-depth.
On Jun 25, 2013 6:57 PM, "Leo Bicknell"  wrote:

>
> On Jun 25, 2013, at 6:34 PM, s...@wwcandt.com wrote:
>
> > I believe that if you encrypted your links sufficiently that it was
> > impossible to siphon the wanted data from your upstream the response
> would
> > be for the tapping to move down into your data center before the crypto.
> >
> > With CALEA requirements and the Patriot Act they could easily compel you
> > to give them a span port prior to the crypto.
>
> The value here isn't preventing  from getting the
> data, as you point out there are multiple tools at their disposal, and they
> will likely compel data at some other point in the stack.  The value here
> is increasing the visibility of the tapping, making more people aware of
> how much is going on.  Forcing the tapping out of the shadows and into the
> light.
>
> For instance if my theory that some cables are being tapped at the landing
> station is correct, there are likely ISP's on this list right now that have
> transatlantic links /and do not know that they are being tapped/.  If the
> links were encrypted and they had to serve the ISP directly to get the
> unencrypted data or make them stop encrypting, that ISP would know their
> data was being tapped.
>
> It also has the potential to shift the legal proceedings to other courts.
>  The FISA court can approve tapping a foreign cable as it enters the
> country in near perfect, unchallengeable secrecy.  If encryption moved that
> to be a regular federal warrant under CALEA there would be a few more
> avenues for challenging the order legally.
>
> People can't challenge what they don't know about.
>
> --
>Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/


Re: Security over SONET/SDH

2013-06-25 Thread Leo Bicknell

On Jun 25, 2013, at 6:34 PM, s...@wwcandt.com wrote:

> I believe that if you encrypted your links sufficiently that it was
> impossible to siphon the wanted data from your upstream the response would
> be for the tapping to move down into your data center before the crypto.
> 
> With CALEA requirements and the Patriot Act they could easily compel you
> to give them a span port prior to the crypto.

The value here isn't preventing  from getting the data, 
as you point out there are multiple tools at their disposal, and they will 
likely compel data at some other point in the stack.  The value here is 
increasing the visibility of the tapping, making more people aware of how much 
is going on.  Forcing the tapping out of the shadows and into the light.

For instance if my theory that some cables are being tapped at the landing 
station is correct, there are likely ISP's on this list right now that have 
transatlantic links /and do not know that they are being tapped/.  If the links 
were encrypted and they had to serve the ISP directly to get the unencrypted 
data or make them stop encrypting, that ISP would know their data was being 
tapped.

It also has the potential to shift the legal proceedings to other courts.  The 
FISA court can approve tapping a foreign cable as it enters the country in near 
perfect, unchallengeable secrecy.  If encryption moved that to be a regular 
federal warrant under CALEA there would be a few more avenues for challenging 
the order legally.

People can't challenge what they don't know about.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: Security over SONET/SDH

2013-06-25 Thread Scott Weeks
> --- morrowc.li...@gmail.com wrote:
> From: Christopher Morrow 
> On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
>  wrote:
>
> :: ...in addition to everything else "What security protocols
> :: are folks using to protect SONET/SDH?  At what speeds?"
>
> : Correct.
>
> : But the answer appears to be: none.  Not Google.  Not any
> : public N/ISP.
>
>
>> would they say if they had?
> ---
>
>
> Yes, especially in light of the current news regarding
> internet privacy.  Could you imagine the advertising
> they'd be able to do to prospective customers?


--- s...@wwcandt.com wrote:

The sticky problem remains for any communications carrier, we are looking
for a technical solution to a legal problem.

I believe that if you encrypted your links sufficiently that it was
impossible to siphon the wanted data from your upstream the response would
be for the tapping to move down into your data center before the crypto.

With CALEA requirements and the Patriot Act they could easily compel you
to give them a span port prior to the crypto.

Regardless of how well built our networks are internally and externally we
still must obey a court order.
--



I'm speaking about blocking non-court ordered (in whatever country the 
circuits cross) sniffing of traffic in the middle by anyone.  There is
no legal problem there.  They do not follow the laws in this country,
or in others, and we need to protect ourselves.

scott





Re: Security over SONET/SDH

2013-06-25 Thread Phil Fagan
Since we're no longer trying to dodge the NSA... why would one want to
encrypt transport? I think protected links are a great business model.
L3VPN encryption? What's the best offering?


Re: Security over SONET/SDH

2013-06-25 Thread sam
The sticky problem remains for any communications carrier, we are looking
for a technical solution to a legal problem.

I believe that if you encrypted your links sufficiently that it was
impossible to siphon the wanted data from your upstream the response would
be for the tapping to move down into your data center before the crypto.

With CALEA requirements and the Patriot Act they could easily compel you
to give them a span port prior to the crypto.

Regardless of how well built our networks are internally and externally we
still must obey a court order.

Sam

>
>
> --- morrowc.li...@gmail.com wrote:
> From: Christopher Morrow 
> On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
>  wrote:
>
> :: ...in addition to everything else "What security protocols
> :: are folks using to protect SONET/SDH?  At what speeds?"
>
> : Correct.
>
> : But the answer appears to be: none.  Not Google.  Not any
> : public N/ISP.
>
>
>> would they say if they had?
> ---
>
>
> Yes, especially in light of the current news regarding
> internet privacy.  Could you imagine the advertising
> they'd be able to do to prospective customers?
>
> scott
>



Re: Security over SONET/SDH

2013-06-25 Thread Scott Weeks


--- morrowc.li...@gmail.com wrote:
From: Christopher Morrow 
On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
 wrote:

:: ...in addition to everything else "What security protocols 
:: are folks using to protect SONET/SDH?  At what speeds?"

: Correct.

: But the answer appears to be: none.  Not Google.  Not any 
: public N/ISP.


> would they say if they had?
---


Yes, especially in light of the current news regarding 
internet privacy.  Could you imagine the advertising 
they'd be able to do to prospective customers?

scott



Re: Security over SONET/SDH

2013-06-25 Thread Christopher Morrow
On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson
 wrote:
> But the answer appears to be: none.  Not Google.  Not any public N/ISP.

would they say if they had?



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
On 6/25/13, Warren Bailey  wrote:
> Is there a realistic way to deal with dropped packets in that situation? I
> would think packet loss could get really messy.. ;)
>
>

As you know, this is not such a problem for UDP streams; however, we
have not worked out all the bugs for services that run on TCP. Oh yeah,
it's messy!!! You know it brings a different set of challenges (i.e.,
PITA, Pamela Anderson). It's a tough world out there, guys.

We are however trying to conform to RFC standards as pointed out by
Jev. You guys really need to look at this. It's easily implementable:

http://tools.ietf.org/html/rfc1149

N.



Re: Security over SONET/SDH

2013-06-25 Thread Mike A
On Mon, Jun 24, 2013 at 11:19:52PM -0500, Philip Dorr wrote:
> On Mon, Jun 24, 2013 at 9:59 PM, Christopher Morrow
>  wrote:
> > it's fair to say, I think, that if you want to say something on the
> > network it's best that you consider:
> >   1) is the communication something private between you and another party(s)
> >   2) is the communication going to be seen by other than you +
> > the-right-other-party(s)
> >
> > and probably assume 2 is always going to be the case... So, if 1) is
> > true then make some way to keep it private:
> >   ssl + checking certs 'properly' (where is dane?)
> >   gpg + good key material security
> >   private-key/shared-key - don't do this, everyone screws this up.
> 
> SSH + SSHFP + DNSSEC does public/private key pretty well

If one or another of the TLAs hasn't solved, say, the BIGNUM_factoring
problem. If they have, then elliptic curve crypto looks interesting. 

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 
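
Philip Dorr's "SSH + SSHFP + DNSSEC" suggestion, quoted above, is worth seeing in code. What follows is an added example, not code from anyone in this thread: it builds the SSHFP RDATA (algorithm number, fingerprint type, hex hash of the raw key blob, the same thing ssh-keygen -r emits) for an OpenSSH public key line and then applies the check a client should make before trusting a presented host key. The Ed25519 key bytes, the host name and the DNS answer are constructed for the example and sign nothing; the policy that an answer without DNSSEC validation counts as no match is this example's choice, stricter than OpenSSH's prompt.

```python
"""Worked example: computing and checking SSHFP records for an OpenSSH host key."""
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2
FPTYPE_HASH = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Split an OpenSSH public key line ('type base64 [comment]') into (type, raw blob).

    The blob's leading SSH string names the key type; it must agree with the text field.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type on the line does not match the type inside the blob")
    return key_type, blob


def sshfp_rdata(line: str, fptype: int = FPTYPE_SHA256) -> str:
    """Return the SSHFP RDATA for a public key line as 'algorithm fptype hexfingerprint'.

    The fingerprint is the hash of the raw key blob (the base64-decoded field),
    which is what ssh-keygen -r publishes.
    """
    key_type, blob = parse_pubkey_line(line)
    return f"{SSHFP_ALGORITHM[key_type]} {fptype} {FPTYPE_HASH[fptype](blob).hexdigest()}"


def host_key_matches_dns(line: str, sshfp_records: List[str], dnssec_validated: bool) -> bool:
    """Accept the presented host key only if the SSHFP answer was DNSSEC-validated and a
    SHA-256 record matches. Example policy: an unvalidated answer is no anchor at all."""
    if not dnssec_validated:
        return False
    wanted = sshfp_rdata(line, FPTYPE_SHA256)
    return any(" ".join(r.split()).lower() == wanted for r in sshfp_records)


# Constructed Ed25519 key material for the example: the 32 "public key" bytes are just
# 0..31 and sign nothing; only the wire encoding and the hashing are real.
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " example-host"
# A key differing in its last byte, as an impostor presenting a look-alike key would.
TAMPERED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB[:-1] + b"\xff").decode()
# Constructed DNS answer for the host: one SHA-1 and one SHA-256 SSHFP record.
DNS_SSHFP_ANSWER = [sshfp_rdata(CONSTRUCTED_KEY_LINE, FPTYPE_SHA1),
                    sshfp_rdata(CONSTRUCTED_KEY_LINE, FPTYPE_SHA256)]

if __name__ == "__main__":
    print("example-host IN SSHFP", sshfp_rdata(CONSTRUCTED_KEY_LINE))
    print("validated match:", host_key_matches_dns(CONSTRUCTED_KEY_LINE, DNS_SSHFP_ANSWER, True))
    print("unvalidated answer:", host_key_matches_dns(CONSTRUCTED_KEY_LINE, DNS_SSHFP_ANSWER, False))
    print("tampered key:", host_key_matches_dns(TAMPERED_KEY_LINE, DNS_SSHFP_ANSWER, True))
```

The DNSSEC flag is the whole point: an SSHFP record fetched over an unsigned zone is just another thing an on-path party can rewrite, so the check is only as good as the validating resolver (or the AD bit it sets) feeding it.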



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
On 6/25/13, Javier Henderson  wrote:
> RFC 1149 addresses the practice of avian carriers.
>
> -jav

Jav, this one takes the trump!!! You sir are a man of few words! :)

N.



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Warren Bailey
From the site:
Problem - federal integrator with a government customer needed to connect
geographically dispersed antenna sites to a central pool of monitoring
equipment.

Our Solution - With Glimmerglass managing the reconfiguration of optical
signals, 
the integrator was able to create an RF-over-fiber solution that
performed better and cost less than traditional implementations.


.. I would be *REALLY* interested in seeing how they did this. We've been
doing this (it's called Fiber IFL) for a long time, but the range with
nearly everything has been sub 40km for the most part. Getting
geographically diverse sites all linked up via rf to fiber would be a
nightmare unless you were planning on demodulating the signals and sending
them via IP, which wouldn't surprise me.


On 6/25/13 10:14 AM, "Hank Nussbacher"  wrote:

>At 10:38 25/06/2013 -0400, Christopher Morrow wrote:
>
>>this involved, I think, just intuiting signals from the nearfield
>>effects of the cable, no? 'drop a large sensor ontop-of/next-to the
>>cable, win!'
>>
>> > 
>>
>>this I thought included the capabilities to drag the fiber/line into
>>the hull for 'work' to be done... I'd note that introducing signal
>>loss on the longhaul fiber seems 'risky', you'd have to know (and this
>>isn't hard I bet) the tolerances of the link in question and have a
>>way to stay inside those tolerances and not introduce new
>>splice-points/junctions/etc and be careful for the undersea cable
>>power (electric) requirements as well.
>>
>>fun stuff!
>
>Fun stuff indeed...sell to one org or the other:
>http://www.glimmerglass.com/solutions/submarine-cable-landing-stations/
>http://www.glimmerglass.com/solutions/cyber-security-and-lawful-interception/
>
>-Hank
>
>




Re: Security over SONET/SDH

2013-06-25 Thread William Allen Simpson

On 6/25/13 3:55 AM, Scott Weeks wrote:

Yeah, but I was just thinking through what the original question asked.
After reading his emails over the years, I am assuming he meant in
addition to everything else "What security protocols are folks using to
protect SONET/SDH?  At what speeds?"


Correct.

But the answer appears to be: none.  Not Google.  Not any public N/ISP.



I now see it quickly devolves into what various governments will allow
its citizenry to do on the internet.  :-(


With a lot of dithering by folks who have no operational or security
responsibilities at any providers. :-(




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Hank Nussbacher

At 10:38 25/06/2013 -0400, Christopher Morrow wrote:


this involved, I think, just intuiting signals from the nearfield
effects of the cable, no? 'drop a large sensor ontop-of/next-to the
cable, win!'

> 

this I thought included the capabilities to drag the fiber/line into
the hull for 'work' to be done... I'd note that introducing signal
loss on the longhaul fiber seems 'risky', you'd have to know (and this
isn't hard I bet) the tolerances of the link in question and have a
way to stay inside those tolerances and not introduce new
splice-points/junctions/etc and be careful for the undersea cable
power (electric) requirements as well.

fun stuff!


Fun stuff indeed...sell to one org or the other:
http://www.glimmerglass.com/solutions/submarine-cable-landing-stations/
http://www.glimmerglass.com/solutions/cyber-security-and-lawful-interception/

-Hank




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Warren Bailey
Is there a realistic way to deal with dropped packets in that situation? I 
would think packet loss could get really messy.. ;)


Sent from my Mobile Device.


 Original message 
From: Javier Henderson 
Date: 06/25/2013 8:47 AM (GMT-08:00)
To: Nick Khamis 
Cc: NANOG 
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: 
Security over SONET/SDH]


RFC 1149 addresses the practice of avian carriers.

-jav


On Tue, Jun 25, 2013 at 10:16 AM, Nick Khamis  wrote:

> Screw the pyramids. Look at that building... Yeah, we thought about this
> and are currently in the process of training pigeons to carry
> messages. Will keep everyone posted. :)
>
> Nick.


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Javier Henderson
RFC 1149 addresses the practice of avian carriers.

-jav


On Tue, Jun 25, 2013 at 10:16 AM, Nick Khamis  wrote:

> Screw the pyramids. Look at that building... Yeah, we thought about this
> and are currently in the process of training pigeons to carry
> messages. Will keep everyone posted. :)
>
> Nick.


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 9:53 PM, Måns Nilsson wrote:

> IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, 
> and it did use EMI tapping (TEMPEST) to get to the traffic
> without tampering with the cable.

Fiber can be tapped, too, though it's not as easy as EMI.  Heck, it can even be 
potentially 'pre-tapped' prior to deployment.

> Having gotten that cleared, I'd argue that if you're on speaking terms with 
> the cable operator, it is much easier to use a full-spectrum monitor port on 
> the WDM system.

The issue is that the cable operator may be on speaking terms with reporters at 
the Guardian.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 9:38 PM, Christopher Morrow wrote:

> this I thought included the capabilities to drag the fiber/line into the hull 
> for 'work' to be done... I'd note that introducing signal
> loss on the longhaul fiber seems 'risky', you'd have to know (and this isn't 
> hard I bet) the tolerances of the link in question and have a
> way to stay inside those tolerances and not introduce new 
> splice-points/junctions/etc and be careful for the undersea cable
> power (electric) requirements as well.

Kind of makes one think about the spate of high-profile submarine cable breaks 
over the past couple of years in a different light, doesn't it?

;>

> and yea, why not just work with the landing station operators to use the 
> existing monitoring ports they use? (or get a copy of the monitor ports)

Operational security in the original meaning of the term (i.e., what people 
don't know about, they can't talk to reporters from the Guardian about).

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Måns Nilsson
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: 
Security over SONET/SDH] Date: Tue, Jun 25, 2013 at 10:38:30AM -0400 Quoting 
Christopher Morrow (morrowc.li...@gmail.com):

> > It's potentially a lot simpler than that:
> >
> > <http://en.wikipedia.org/wiki/Operation_Ivy_Bells>
> 
> this involved, I think, just intuiting signals from the nearfield
> effects of the cable, no? 'drop a large sensor ontop-of/next-to the
> cable, win!'

IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era
project, and it did use EMI tapping (TEMPEST) to get to the traffic
without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms
with the cable operator, it is much easier to use a full-spectrum
monitor port on the WDM system.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no BOUNDS --




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Christopher Morrow
On Tue, Jun 25, 2013 at 10:23 AM, Dobbins, Roland  wrote:
>
> On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:
>
>> Which made me immediately realize it would be far simpler to strong arm the 
>> cable operators to split off all channels before connecting them to the 
>> customer.
>
> It's potentially a lot simpler than that:
>
> 

this involved, I think, just intuiting signals from the nearfield
effects of the cable, no? 'drop a large sensor ontop-of/next-to the
cable, win!'

> 

this I thought included the capabilities to drag the fiber/line into
the hull for 'work' to be done... I'd note that introducing signal
loss on the longhaul fiber seems 'risky', you'd have to know (and this
isn't hard I bet) the tolerances of the link in question and have a
way to stay inside those tolerances and not introduce new
splice-points/junctions/etc and be careful for the undersea cable
power (electric) requirements as well.

fun stuff!

and yea, why not just work with the landing station operators to use
the existing monitoring ports they use? (or get a copy of the monitor
ports)

-chris



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:

> Which made me immediately realize it would be far simpler to strong arm the 
> cable operators to split off all channels before connecting them to the 
> customer.  

It's potentially a lot simpler than that:





---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Phil Fagan
Transnational seems like a good place to start. It seems like a tough space
to break into ( no PUN intended).



On Tue, Jun 25, 2013 at 7:15 AM, Leo Bicknell  wrote:

>
> On Jun 25, 2013, at 7:38 AM, Phil Fagan  wrote:
>
> > Are these private links or customer links? Why encrypt at that layer? I'm
> > looking for the niche use case.
>
> I was reading an article about the UK tapping undersea cables (
> http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa)
> and thought back to my time at AboveNet and dealing with undersea cables.
>  My initial reaction was doubt, there are thousands of users on the cables,
> ISP's and non-ISP's, and working with all of them to split off the data
> would be insanely complicated.  Then I read some more articles that
> included quotes like:
>
>   Interceptors have been placed on around 200 fibre optic cables where
> they come ashore. This appears to have been done with the secret
> co-operation (
> http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)
>
> Which made me immediately realize it would be far simpler to strong arm
> the cable operators to split off all channels before connecting them to the
> customer.  If done early enough they could all be split off as 10G
> channels, even if they are later muxed down to lower speeds reducing the
> number of handoffs to the spy apparatus.
>
> Very few ISP's ever go to the landing stations, typically the cable
> operators provide cross connects to a small number of backhaul providers.
>  That makes a much smaller number of people who might ever notice the
> splitters and taps, and makes it totally transparent to the ISP.  But the
> big question is, does this happen?  I'm sure some people on this list have
> been to cable landing stations and looked around.  I'm not sure if any of
> them will comment.
>
> If it does, it answers Phil's question.  An ISP encrypting such a link end
> to end foils the spy apparatus for their customers, protecting their
> privacy.  The US for example has laws that provide greater authority to tap
> "foreign" communications than domestic, so even though the domestic links
> may not be encrypted that may still pose a decent roadblock to siphoning
> off traffic.
>
> Who's going to be the first ISP that advertises they encrypt their links
> that leave the country? :)
>
> --
>Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/


-- 
Phil Fagan
Denver, CO
970-480-7618


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
Screw the pyramids. Look at that building... Yeah, we thought about this
and are currently in the process of training pigeons to carry
messages. Will keep everyone posted. :)

Nick.





Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Leo Bicknell

On Jun 25, 2013, at 7:38 AM, Phil Fagan  wrote:

> Are these private links or customer links? Why encrypt at that layer? I'm
> looking for the niche use case.

I was reading an article about the UK tapping undersea cables 
(http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa)
 and thought back to my time at AboveNet and dealing with undersea cables.  My 
initial reaction was doubt, there are thousands of users on the cables, ISP's 
and non-ISP's, and working with all of them to split off the data would be 
insanely complicated.  Then I read some more articles that included quotes like:

  Interceptors have been placed on around 200 fibre optic cables where they 
come ashore. This appears to have been done with the secret co-operation 
(http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)

Which made me immediately realize it would be far simpler to strong arm the 
cable operators to split off all channels before connecting them to the 
customer.  If done early enough they could all be split off as 10G channels, 
even if they are later muxed down to lower speeds reducing the number of 
handoffs to the spy apparatus.

Very few ISP's ever go to the landing stations, typically the cable operators 
provide cross connects to a small number of backhaul providers.  That makes a 
much smaller number of people who might ever notice the splitters and taps, and 
makes it totally transparent to the ISP.  But the big question is, does this 
happen?  I'm sure some people on this list have been to cable landing stations 
and looked around.  I'm not sure if any of them will comment.

If it does, it answers Phil's question.  An ISP encrypting such a link end to 
end foils the spy apparatus for their customers, protecting their privacy.  The 
US for example has laws that provide greater authority to tap "foreign" 
communications than domestic, so even though the domestic links may not be 
encrypted that may still pose a decent roadblock to siphoning off traffic.

Who's going to be the first ISP that advertises they encrypt their links that 
leave the country? :) 

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: Security over SONET/SDH

2013-06-25 Thread Phil Fagan
Are these private links or customer links? Why encrypt at that layer? I'm
looking for the niche use case.
On Jun 24, 2013 1:57 PM, "Scott Weeks"  wrote:

>
>
> - william.allen.simpson wrote: -
> And at $189,950 MSRP, obviously every ISP is dashing out the door
> for a pair for each and every long haul fiber link. ;-)
> 
>
> It's the same as buying, say, .nanog...  >;-)
>
>
>
>
> --- g...@gdt.id.au wrote:
> From: Glen Turner 
> On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:
>
> > What security protocols are folks using to protect SONET/SDH?
> > At what speeds?
>
> "Excuse me NSA, can I have export approval for one KG-530 SDH
> encryptor?" What are the odds :-)
>
> And how would we know that the "export model" isn't simply
> providing a more convenient backdoor for the NSA?
> --
>
> That's why I'm trying to follow up on the original question.  Is
> there something similar the global public can use to secure their
> connections that is not government designed.  This is even more
> important on microwave shots when security is desired.
>
> scott


Re: Security over SONET/SDH

2013-06-25 Thread sam
Even if your crypto is good enough end to end CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

From Wikipedia
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept-function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers-only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based "soft switches" typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror-ports are
employed to deliver copies of all of a network's data to dedicated IP
probes.

Probes can either send directly to the LEA according to the industry
standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a "self-contained" probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as made by
IPFabrics), or a "dumb" probe component plus a mediation device (such as
made by Verint), or they must implement the delivery of correctly formatted
data for a named subscriber on their own.


>
> Link encryption isn't to protect the contents of the user's
> communication. There is no reason for users to trust their
> ISP more than a national institution full of people vetted
> to the highest level.
>
> What link encryption gets the user is protection from traffic
> analysis from parties other than the ISP.
>
> You've seen in the NSA documents how highly they regard this
> traffic analysis. I'd fully expect the NSA to collect it by
> other means.
>
> -glen
>
> --
> Glen Turner 
>




Re: Security over SONET/SDH

2013-06-25 Thread Glen Turner

Link encryption isn't to protect the contents of the user's
communication. There is no reason for users to trust their
ISP more than a national institution full of people vetted
to the highest level.

What link encryption gets the user is protection from traffic
analysis from parties other than the ISP.

You've seen in the NSA documents how highly they regard this
traffic analysis. I'd fully expect the NSA to collect it by
other means.

-glen

-- 
Glen Turner 
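
Glen's point above (link encryption buys protection from traffic analysis by parties other than the ISP), JP's mention elsewhere in this thread of an OC192 AES256 encryptor, and Sam's observation that a compelled span port sits before the crypto all come down to where on the path the observer sits relative to the encryptor. The block below is an added example to make that concrete; it is not code from the thread or from any vendor product. It stands in for a hardware link encryptor with standard-library primitives (HMAC-SHA256 in counter mode as the keystream and encrypt-then-MAC in place of AES-256-GCM), uses a constructed link key and constructed plaintext, and models a constant-rate transport: every frame is the same size and idle frames are sent when there is nothing to carry. A mid-span tap without the key sees only a steady stream of identical-size frames; the endpoint with the key recovers the data and rejects tampered or replayed frames. Anything copied off a span port ahead of the encryptor is, of course, the plaintext this code never touches.

```python
"""Constant-rate link encryption: what a mid-span tap learns versus an endpoint with the key."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

SLOT = 64                # plaintext bytes per frame, fixed, like a constant-rate SONET/SDH payload
MAX_PAYLOAD = SLOT - 3   # 1 byte frame type + 2 byte length, then data
TAG_LEN = 32
FRAME_IDLE, FRAME_DATA = 0, 1

# Constructed key and plaintext for the example; a real encryptor loads its key from key management.
LINK_KEY = hashlib.sha256(b"constructed example link key, not a real key").digest()
SAMPLE_MESSAGE = (b"BEGIN TRANSFER 2013-06-25 acct=12345678 amount=500000 "
                  b"counterparty=87654321 memo=constructed example settlement END")


def derive_keys(link_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the link key (HMAC used as a KDF)."""
    enc = hmac.new(link_key, b"link-encrypt", hashlib.sha256).digest()
    mac = hmac.new(link_key, b"link-authenticate", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF, standing in for the AES core.
    The frame sequence number is the nonce, so no (seq, block) pair repeats under one key."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(enc_key: bytes, mac_key: bytes, seq: int, payload: Optional[bytes]) -> bytes:
    """Emit one fixed-size wire frame: seq || ciphertext(SLOT) || HMAC tag (encrypt-then-MAC).
    payload=None emits an idle frame that looks exactly like a data frame on the wire."""
    if payload is None:
        slot = bytes([FRAME_IDLE]) + struct.pack(">H", 0)
    else:
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload exceeds slot")
        slot = bytes([FRAME_DATA]) + struct.pack(">H", len(payload)) + payload
    slot += os.urandom(SLOT - len(slot))    # random fill: short and idle frames are indistinguishable
    header = struct.pack(">Q", seq)
    ct = xor(slot, keystream(enc_key, seq, SLOT))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt_frame(enc_key: bytes, mac_key: bytes, expected_seq: int, frame: bytes) -> Optional[bytes]:
    """Authenticate and sequence-check before decrypting; None means an idle frame."""
    if len(frame) != 8 + SLOT + TAG_LEN:
        raise ValueError("malformed frame")
    header, ct, tag = frame[:8], frame[8:8 + SLOT], frame[8 + SLOT:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: tampered frame or wrong key")
    (seq,) = struct.unpack(">Q", header)
    if seq != expected_seq:
        raise ValueError("sequence mismatch: replayed, dropped or reordered frame")
    slot = xor(ct, keystream(enc_key, seq, SLOT))
    if slot[0] == FRAME_IDLE:
        return None
    (length,) = struct.unpack(">H", slot[1:3])
    return slot[3:3 + length]


def link_transmit(link_key: bytes, data: bytes, slots: int) -> List[bytes]:
    """Carry `data` in exactly `slots` frames, padding with idle frames so the wire rate
    is the same whether the link is busy or quiet."""
    enc_key, mac_key = derive_keys(link_key)
    chunks: List[Optional[bytes]] = [data[i:i + MAX_PAYLOAD] for i in range(0, len(data), MAX_PAYLOAD)]
    if len(chunks) > slots:
        raise ValueError("not enough slots for the data")
    chunks += [None] * (slots - len(chunks))
    return [encrypt_frame(enc_key, mac_key, seq, chunk) for seq, chunk in enumerate(chunks)]


def endpoint_receive(link_key: bytes, frames: List[bytes]) -> bytes:
    """Far-end decryptor: reassemble the stream, raising on tampering or replay."""
    enc_key, mac_key = derive_keys(link_key)
    out = b""
    for seq, frame in enumerate(frames):
        payload = decrypt_frame(enc_key, mac_key, seq, frame)
        if payload is not None:
            out += payload
    return out


def frames_accepted(link_key: bytes, frames: List[bytes]) -> bool:
    """True if the whole sequence authenticates; False on tamper, replay, or a wrong key."""
    try:
        endpoint_receive(link_key, frames)
        return True
    except ValueError:
        return False


def tap_view(frames: List[bytes], known_plaintext: bytes) -> dict:
    """All a mid-span tap without the key can read off the wire: a constant number of
    equal-size frames with no recognisable plaintext, busy or idle alike."""
    wire = b"".join(frames)
    return {"frames": len(frames),
            "distinct_lengths": len({len(f) for f in frames}),
            "plaintext_visible": known_plaintext[:16] in wire}


def tamper(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame in flight, as an active tap that rewrites traffic would."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]
```

Run `link_transmit(LINK_KEY, SAMPLE_MESSAGE, 8)` and compare `tap_view` of the result with `endpoint_receive`: the tap gets eight frames of 104 bytes whether the message is present or the link is idle, while the endpoint gets the message back and refuses a frame with a flipped bit, a replayed frame, or frames produced under another key. The sequence number doubles as the nonce and the replay check, which is why the decryptor verifies it before touching the keystream.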



Re: Security over SONET/SDH

2013-06-25 Thread Scott Weeks

I hope I've gotten the quotations correct...

--- joe...@bogus.com wrote:
From: joel jaeggli 
On 6/24/13 1:19 PM, Scott Weeks wrote:
>  joe...@bogus.com wrote: 

>> That's why I'm trying to follow up on the original question.  Is
>> there something similar the global public can use to secure their
>> connections that is not government designed.  This is even more
>> important on microwave shots when security is desired.

> :: plenty of standardized RF link-layers support strong encryption.
> 
>
> Ah, thanks.  That comment gave me the the search terms I needed,
> but I keep seeing sentences like this "Due to the encryption
> employed in these products, they are export controlled items and
> are regulated by the Bureau of Industry and Security (BIS) of the
> U.S. Department of Commerce. They may not be exported or shipped
> for re-export to restricted countries..."  wheee! :-)

Yes, however note that the actual number of embargoed countries at this 
point is pretty small, and that if you are in a(n) (US) embargoed 
country and so  inclined you can likely buy such products manufactured 
in China by Chinese companies.

Securing the link layer however is not a replacement for an end to end 
solution so just because it's protecting the air interface(s) doesn't 
really mean somebody not looking at the traffic elsewhere.
--


Yeah, but I was just thinking through what the original question asked.
After reading his emails over the years, I am assuming he meant in 
addition to everything else "What security protocols are folks using to 
protect SONET/SDH?  At what speeds?"

I now see it quickly devolves into what various governments will allow 
its citizenry to do on the internet.  :-(

scott




Re: Security over SONET/SDH

2013-06-24 Thread Philip Dorr
On Mon, Jun 24, 2013 at 9:59 PM, Christopher Morrow
 wrote:
> it's fair to say, I think, that if you want to  say something on the
> network it's best that you consider:
>   1) is the communication something private between you and another party(s)
>   2) is the communication going to be seen by other than you +
> the-right-other-party(s)
>
> and probably assume 2 is always going to be the case... So, if 1) is
> true then make some way to keep it private:
>   ssl + checking certs 'properly' (where is dane?)
>   gpg + good key material security
>   private-key/shared-key - don't do this, everyone screws this up.

SSH + SSHFP + DNSSEC does public/private key pretty well
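Philip Dorr's "SSH + SSHFP + DNSSEC" suggestion worked through, as an added example that is not part of the thread: it derives the SSHFP records a host would publish (what `ssh-keygen -r` prints) and checks a presented host key against DNS records, failing closed unless the answer was DNSSEC-validated. The host key and the DNS records are constructed for the example.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (RFC 4255, RFC 6594) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2,
                   "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed example host key in known_hosts format (not a real host's key).
EXAMPLE_KNOWN_HOSTS_LINE = (
    "host.example ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKeyExa"
)


def sshfp_records(known_hosts_line):
    """Return (algorithm, fptype, hex_fingerprint) tuples for a host key.

    The fingerprint is the hash of the raw public key blob (the base64
    field decoded), which is what `ssh-keygen -r` publishes.
    """
    _host, key_type, key_b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(key_b64)
    alg = SSHFP_ALGORITHM[key_type]
    return [(alg, fptype, digest(blob).hexdigest())
            for fptype, digest in SSHFP_FPTYPE.items()]


def sshfp_zone_lines(owner, known_hosts_line):
    """Format the records as zone-file lines, ready to be signed with DNSSEC."""
    return ["%s IN SSHFP %d %d %s" % (owner, alg, fptype, fp.upper())
            for alg, fptype, fp in sshfp_records(known_hosts_line)]


def host_key_matches_dns(presented_key_line, dns_sshfp, dnssec_validated):
    """Decide whether a presented host key is confirmed by SSHFP records.

    Fails closed: an unvalidated answer (no AD bit) could be forged by the
    same party that can substitute the host key. When a SHA-256 record is
    published for the key's algorithm, a SHA-1 record is not accepted.
    """
    if not dnssec_validated:
        return False
    computed = sshfp_records(presented_key_line)
    alg = computed[0][0]
    local = {fptype: fp for _, fptype, fp in computed}
    candidates = [(fptype, fp) for a, fptype, fp in dns_sshfp if a == alg]
    has_sha256 = any(fptype == 2 for fptype, _ in candidates)
    for fptype, fp_hex in candidates:
        if has_sha256 and fptype != 2:
            continue  # ignore the weaker SHA-1 record when SHA-256 exists
        expected = local.get(fptype)
        if expected and hmac.compare_digest(expected, fp_hex.lower()):
            return True
    return False
```

The DNSSEC validation itself is left to the resolver (the example takes its result as a boolean); OpenSSH enables this check with `VerifyHostKeyDNS yes`.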



Re: Security over SONET/SDH

2013-06-24 Thread Christopher Morrow
On Mon, Jun 24, 2013 at 10:25 PM, joel jaeggli  wrote:
> Securing the link layer however is not a replacement for an end to end
> solution so just because it's protecting the air interface(s) doesn't really
> mean somebody not looking at the traffic elsewhere.

it's fair to say, I think, that if you want to  say something on the
network it's best that you consider:
  1) is the communication something private between you and another party(s)
  2) is the communication going to be seen by other than you +
the-right-other-party(s)

and probably assume 2 is always going to be the case... So, if 1) is
true then make some way to keep it private:
  ssl + checking certs 'properly' (where is dane?)
  gpg + good key material security
  private-key/shared-key - don't do this, everyone screws this up.

-chris



Re: Security over SONET/SDH

2013-06-24 Thread joel jaeggli

On 6/24/13 1:19 PM, Scott Weeks wrote:
>  joe...@bogus.com wrote: 
> From: joel jaeggli 
>
>> That's why I'm trying to follow up on the original question.  Is
>> there something similar the global public can use to secure their
>> connections that is not government designed.  This is even more
>> important on microwave shots when security is desired.
>
> :: plenty of standardized RF link-layers support strong encryption.
>
> Ah, thanks.  That comment gave me the the search terms I needed,
> but I keep seeing sentences like this "Due to the encryption
> employed in these products, they are export controlled items and
> are regulated by the Bureau of Industry and Security (BIS) of the
> U.S. Department of Commerce. They may not be exported or shipped
> for re-export to restricted countries..."  wheee! :-)

Yes, however note that the actual number of embargoed countries at this 
point is pretty small, and that if you are in a(n) (US) embargoed 
country and so inclined you can likely buy such products manufactured 
in China by Chinese companies.

Securing the link layer however is not a replacement for an end to end 
solution so just because it's protecting the air interface(s) doesn't 
really mean somebody not looking at the traffic elsewhere.

> scott






Re: Security over SONET/SDH

2013-06-24 Thread Mike A
On Mon, Jun 24, 2013 at 10:14:19PM +, Gary Buhrmaster wrote:
> On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden  wrote:
> 
> > Actually, you CAN do that, but you have to apply for ITAR exceptions.  EXIM 
> > is complex and you really want a good legal team who are familiar with it 
> > hand holding you through it (and on extended retainer going forward...).
> 
> We used to joke that our export control officer was the "designated felon"
> (in the case that the process/decision was wrong, that person was the
> one going to go to prison (and note the US Govt takes ITAR controls very
> very seriously; do not guess, do not even think about guessing; do not
> even think that the words in the regs mean what you think they mean)).

This is especially true in the case of even civilian crypto gear. Have
lawyer(s) with experience in this stuff to bird-dog everything you do. It may
seem like a lot of money, until you look at the fines and jail time you may
wind up with if you drop a stitch somewhere. Then it all becomes quite
reasonable.

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 



Re: Security over SONET/SDH

2013-06-24 Thread Gary Buhrmaster
On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden  wrote:

> Actually, you CAN do that, but you have to apply for ITAR exceptions.  EXIM 
> is complex and you really want a good legal team who are familiar with it 
> hand holding you through it (and on extended retainer going forward...).

We used to joke that our export control officer was the "designated felon"
(in the case that the process/decision was wrong, that person was the
one going to go to prison (and note the US Govt takes ITAR controls very
very seriously; do not guess, do not even think about guessing; do not
even think that the words in the regs mean what you think they mean)).

Gary



RE: Security over SONET/SDH

2013-06-24 Thread Jamie Bowden
> -Original Message-
> From: Scott Weeks [mailto:sur...@mauigateway.com]
>  joe...@bogus.com wrote: 
> From: joel jaeggli 
> 
> > That's why I'm trying to follow up on the original question.  Is
> > there something similar the global public can use to secure their
> > connections that is not government designed.  This is even more
> > important on microwave shots when security is desired.
> 
> :: plenty of standardized RF link-layers support strong encryption.
> 
> 
> 
> Ah, thanks.  That comment gave me the the search terms I needed,
> but I keep seeing sentences like this "Due to the encryption
> employed in these products, they are export controlled items and
> are regulated by the Bureau of Industry and Security (BIS) of the
> U.S. Department of Commerce. They may not be exported or shipped
> for re-export to restricted countries..."  wheee! :-)

Actually, you CAN do that, but you have to apply for ITAR exceptions.  EXIM is 
complex and you really want a good legal team who are familiar with it hand 
holding you through it (and on extended retainer going forward...).

Jamie


Re: Security over SONET/SDH

2013-06-24 Thread Scott Weeks


 joe...@bogus.com wrote: 
From: joel jaeggli 

> That's why I'm trying to follow up on the original question.  Is
> there something similar the global public can use to secure their
> connections that is not government designed.  This is even more
> important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.



Ah, thanks.  That comment gave me the the search terms I needed,
but I keep seeing sentences like this "Due to the encryption 
employed in these products, they are export controlled items and 
are regulated by the Bureau of Industry and Security (BIS) of the 
U.S. Department of Commerce. They may not be exported or shipped 
for re-export to restricted countries..."  wheee! :-)

scott



Re: Security over SONET/SDH

2013-06-24 Thread joel jaeggli

On 6/24/13 12:55 PM, Scott Weeks wrote:
> - william.allen.simpson wrote: -
> And at $189,950 MSRP, obviously every ISP is dashing out the door
> for a pair for each and every long haul fiber link. ;-)
>
> It's the same as buying, say, .nanog...  >;-)
>
> --- g...@gdt.id.au wrote:
> From: Glen Turner 
> On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:
>
>> What security protocols are folks using to protect SONET/SDH?
>> At what speeds?
>
> "Excuse me NSA, can I have export approval for one KG-530 SDH
> encryptor?" What are the odds :-)
>
> And how would we know that the "export model" isn't simply
> providing a more convenient backdoor for the NSA?
> --
>
> That's why I'm trying to follow up on the original question.  Is
> there something similar the global public can use to secure their
> connections that is not government designed.  This is even more
> important on microwave shots when security is desired.

plenty of standardized RF link-layers support strong encryption.

> scott









Re: Security over SONET/SDH

2013-06-24 Thread Scott Weeks


- william.allen.simpson wrote: -
And at $189,950 MSRP, obviously every ISP is dashing out the door
for a pair for each and every long haul fiber link. ;-)


It's the same as buying, say, .nanog...  >;-)




--- g...@gdt.id.au wrote:
From: Glen Turner 
On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:

> What security protocols are folks using to protect SONET/SDH?
> At what speeds?

"Excuse me NSA, can I have export approval for one KG-530 SDH 
encryptor?" What are the odds :-)

And how would we know that the "export model" isn't simply 
providing a more convenient backdoor for the NSA?
--

That's why I'm trying to follow up on the original question.  Is
there something similar the global public can use to secure their
connections that is not government designed.  This is even more 
important on microwave shots when security is desired.

scott






Re: Security over SONET/SDH

2013-06-23 Thread Christopher Morrow
On Sun, Jun 23, 2013 at 5:03 PM, William Allen Simpson
 wrote:
> And at $189,950 MSRP, obviously every ISP is dashing out the door
> for a pair for each and every long haul fiber link. ;-)

cheaper by the dozen?



Re: Security over SONET/SDH

2013-06-23 Thread Christopher Morrow
On Sun, Jun 23, 2013 at 10:18 PM, Glen Turner  wrote:
>
> On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:
>
>> What security protocols are folks using to protect SONET/SDH?
>> At what speeds?
>
>
> "Excuse me NSA, can I have export approval for one KG-530 SDH encryptor?" 
> What are the odds :-)
>
> And how would we know that the "export model" isn't simply providing a more 
> convenient backdoor for the NSA?


crypto-ag anyone?



Re: Security over SONET/SDH

2013-06-23 Thread Larry Sheldon

On 6/23/2013 9:18 PM, Glen Turner wrote:
> On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:
>
>> What security protocols are folks using to protect SONET/SDH? At
>> what speeds?
>
> "Excuse me NSA, can I have export approval for one KG-530 SDH
> encryptor?" What are the odds :-)
>
> And how would we know that the "export model" isn't simply providing
> a more convenient backdoor for the NSA?

I assumed that the latter is what "NSA Approved" means.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Security over SONET/SDH

2013-06-23 Thread Glen Turner

On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:

> What security protocols are folks using to protect SONET/SDH?
> At what speeds?


"Excuse me NSA, can I have export approval for one KG-530 SDH encryptor?" What 
are the odds :-)

And how would we know that the "export model" isn't simply providing a more 
convenient backdoor for the NSA?

-glen


Re: Security over SONET/SDH

2013-06-23 Thread Valdis . Kletnieks
On Sun, 23 Jun 2013 17:03:49 -0400, William Allen Simpson said:
> Hard to see the IETF multi-vendor interoperability specifications.  It
> does mention SNMPv3, unlike all their other products which use a
> proprietary management scheme.  Also HTTP,

Not HTTPS? :)




Re: Security over SONET/SDH

2013-06-23 Thread Scott Weeks


--- william.allen.simp...@gmail.com wrote:
From: William Allen Simpson 

On 6/23/13 12:48 AM, Scott Weeks wrote:
> By security protocol do you mean encrypting the traffic?
> Like what a Fastlane does?
>
> http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf
>
That's rather a surprising choice (ATM product) for an IP network.
Please describe what backbone you are running that uses a FASTLANE?

Hopefully, other folks are securing their PPP or ethernet packets?
---


A network that's going to change very soon. :-)  What I meant is that 
what you mean by security protocols.  I didn't follow completely.

scott






Re: Security over SONET/SDH

2013-06-23 Thread William Allen Simpson

On 6/23/13 10:57 AM, Christopher Morrow wrote:
> On Sun, Jun 23, 2013 at 10:54 AM, Christopher Morrow
>  wrote:
>> On Sun, Jun 23, 2013 at 9:47 AM, William Allen Simpson
>>  wrote:
>>> On 6/23/13 12:48 AM, Scott Weeks wrote:
 http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf
>>>
>>> That's rather a surprising choice (ATM product) for an IP network.
>>> Please describe what backbone you are running that uses a FASTLANE?
>>
>> I'd be surprised if a civilian org could buy a fastlane device,..
>> maybe they moved out of the gov't only world though since the last
>> time I saw one? It does claim to do oc-48 rate sonet though.
>
> http://www.gdc4s.com/kg-530.html
>
> claims 40gbps... I don't know that a purely civilian org can purchase
> these though, nor the kg-75, despite these being on the GD site.

And at $189,950 MSRP, obviously every ISP is dashing out the door
for a pair for each and every long haul fiber link. ;-)

Hard to see the IETF multi-vendor interoperability specifications.  It
does mention SNMPv3, unlike all their other products which use a
proprietary management scheme.  Also HTTP, although no mention of its
purpose.

At least the FASTLANE mentioned above specifies FIREFLY -- the mere
rumor of which was our basis for naming Photuris [RFC2522].

>>> Hopefully, other folks are securing their PPP or ethernet packets?

But I don't see where you mention that Google is actually using
these to secure your fiber?




Re: Security over SONET/SDH

2013-06-23 Thread Christopher Morrow
On Sun, Jun 23, 2013 at 10:54 AM, Christopher Morrow
 wrote:
> On Sun, Jun 23, 2013 at 9:47 AM, William Allen Simpson
>  wrote:
>> On 6/23/13 12:48 AM, Scott Weeks wrote:
>>>
>>> By security protocol do you mean encrypting the traffic?
>>> Like what a Fastlane does?
>>>
>>>
>>> http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf
>>>
>> That's rather a surprising choice (ATM product) for an IP network.
>> Please describe what backbone you are running that uses a FASTLANE?
>
> I'd be surprised if a civilian org could buy a fastlane device,..
> maybe they moved out of the gov't only world though since the last
> time I saw one? It does claim to do oc-48 rate sonet though.

http://www.gdc4s.com/kg-530.html

claims 40gbps... I don't know that a purely civilian org can purchase
these though, nor the kg-75, despite these being on the GD site.

>> Hopefully, other folks are securing their PPP or ethernet packets?
>>
>>



Re: Security over SONET/SDH

2013-06-23 Thread Christopher Morrow
On Sun, Jun 23, 2013 at 9:47 AM, William Allen Simpson
 wrote:
> On 6/23/13 12:48 AM, Scott Weeks wrote:
>>
>> By security protocol do you mean encrypting the traffic?
>> Like what a Fastlane does?
>>
>>
>> http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf
>>
> That's rather a surprising choice (ATM product) for an IP network.
> Please describe what backbone you are running that uses a FASTLANE?

I'd be surprised if a civilian org could buy a fastlane device,..
maybe they moved out of the gov't only world though since the last
time I saw one? It does claim to do oc-48 rate sonet though.

> Hopefully, other folks are securing their PPP or ethernet packets?
>
>



Re: Security over SONET/SDH

2013-06-23 Thread William Allen Simpson

On 6/23/13 12:48 AM, Scott Weeks wrote:
> By security protocol do you mean encrypting the traffic?
> Like what a Fastlane does?
>
> http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf

That's rather a surprising choice (ATM product) for an IP network.
Please describe what backbone you are running that uses a FASTLANE?

Hopefully, other folks are securing their PPP or ethernet packets?




Re: Security over SONET/SDH

2013-06-22 Thread Scott Weeks


--- william.allen.simp...@gmail.com wrote:
From: William Allen Simpson 

What security protocols are folks using to protect SONET/SDH?

At what speeds?
--


By security protocol do you mean encrypting the traffic?
Like what a Fastlane does?

http://www.gdc4s.com/Documents/Products/SecureVoiceData/NetworkEncryption/GD-FASTLANE-w.pdf

scott



Security over SONET/SDH

2013-06-22 Thread William Allen Simpson

What security protocols are folks using to protect SONET/SDH?

At what speeds?