Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
On 6/25/13, Warren Bailey  wrote:
> Is there a realistic way to deal with dropped packets in that situation? I
> would think packet loss could get really messy.. ;)
>
>

As you know this is not such a problem for UDP streams however, we
have not worked out all the bugs for services that run on TCP. Oh yeah
it's messy!!! You know it brings a different set of challenges (i.e.,
PITA, Pamela Anderson). It's a tough world out there guys

We are however trying to conform to RFC standards as pointed out by
Jev. You guys really need to look at this. It's easily implementable:

http://tools.ietf.org/html/rfc1149

N.



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
On 6/25/13, Javier Henderson  wrote:
> RFC 1149 addresses the practice of avian carriers.
>
> -jav

Jav, this one takes the trump!!! You sir are a man of few words! :)

N.



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Warren Bailey
From the site:
Problem - federal integrator with a government customer needed to connect
geographically dispersed antenna sites to a central pool of monitoring
equipment.

Our Solution - With Glimmerglass managing the reconfiguration of optical
signals, the integrator was able to create an RF-over-fiber solution that
performed better and cost less than traditional implementations.


.. I would be *REALLY* interested in seeing how they did this. We've been
doing this (it's called Fiber IFL) for a long time, but the range with
nearly everything has been sub 40km for the most part. Getting
geographically diverse sites all linked up via rf to fiber would be a
nightmare unless you were planning on demodulating the signals and sending
them via IP, which wouldn't surprise me.


On 6/25/13 10:14 AM, "Hank Nussbacher"  wrote:

>At 10:38 25/06/2013 -0400, Christopher Morrow wrote:
>
>>this involved, I think, just intuiting signals from the nearfield
>>effects of the cable, no? 'drop a large sensor ontop-of/next-to the
>>cable, win!'
>>
>> > 
>>
>>this I thought included the capabilities to drag the fiber/line into
>>the hull for 'work' to be done... I'd note that introducing signal
>>loss on the longhaul fiber seems 'risky', you'd have to know (and this
>>isn't hard I bet) the tolerances of the link in question and have a
>>way to stay inside those tolerances and not introduce new
>>splice-points/junctions/etc and be careful for the undersea cable
>>power (electric) requirements as well.
>>
>>fun stuff!
>
>Fun stuff indeed...sell to one org or the other:
>http://www.glimmerglass.com/solutions/submarine-cable-landing-stations/
>http://www.glimmerglass.com/solutions/cyber-security-and-lawful-interception/
>
>-Hank
>
>




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Hank Nussbacher

At 10:38 25/06/2013 -0400, Christopher Morrow wrote:


> this involved, I think, just intuiting signals from the nearfield
> effects of the cable, no? 'drop a large sensor ontop-of/next-to the
> cable, win!'
>
> >
>
> this I thought included the capabilities to drag the fiber/line into
> the hull for 'work' to be done... I'd note that introducing signal
> loss on the longhaul fiber seems 'risky', you'd have to know (and this
> isn't hard I bet) the tolerances of the link in question and have a
> way to stay inside those tolerances and not introduce new
> splice-points/junctions/etc and be careful for the undersea cable
> power (electric) requirements as well.
>
> fun stuff!


Fun stuff indeed...sell to one org or the other:
http://www.glimmerglass.com/solutions/submarine-cable-landing-stations/
http://www.glimmerglass.com/solutions/cyber-security-and-lawful-interception/

-Hank




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Warren Bailey
Is there a realistic way to deal with dropped packets in that situation? I 
would think packet loss could get really messy.. ;)


Sent from my Mobile Device.


 Original message 
From: Javier Henderson 
Date: 06/25/2013 8:47 AM (GMT-08:00)
To: Nick Khamis 
Cc: NANOG 
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: 
Security over SONET/SDH]


RFC 1149 addresses the practice of avian carriers.

-jav


On Tue, Jun 25, 2013 at 10:16 AM, Nick Khamis  wrote:

> Screw the pyramids. Look at that building Yeah we thought about this
> and currently in the process of training pigeons to carry
> messages. Will keep everyone posted. :)
>
> Nick.
>
>
>
>


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Javier Henderson
RFC 1149 addresses the practice of avian carriers.

-jav


On Tue, Jun 25, 2013 at 10:16 AM, Nick Khamis  wrote:

> Screw the pyramids. Look at that building Yeah we thought about this
> and currently in the process of training pigeons to carry
> messages. Will keep everyone posted. :)
>
> Nick.
>
>
>
>


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 9:53 PM, Måns Nilsson wrote:

> IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, 
> and it did use EMI tapping (TEMPEST) to get to the traffic
> without tampering with the cable.

Fiber can be tapped, too, though it's not as easy as EMI.  Heck, it can even be 
potentially 'pre-tapped' prior to deployment.

> Having gotten that cleared, I'd argue that if you're on speaking terms with 
> the cable operator, it is much easier to use a full-spectrum monitor port on 
> the WDM system.

The issue is that the cable operator may be on speaking terms with reporters at 
the Guardian.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 9:38 PM, Christopher Morrow wrote:

> this I thought included the capabilities to drag the fiber/line into the hull 
> for 'work' to be done... I'd note that introducing signal
> loss on the longhaul fiber seems 'risky', you'd have to know (and this isn't 
> hard I bet) the tolerances of the link in question and have a
> way to stay inside those tolerances and not introduce new 
> splice-points/junctions/etc and be careful for the undersea cable
> power (electric) requirements as well.

Kind of makes one think about the spate of high-profile submarine cable breaks 
over the past couple of years in a different light, doesn't it?

;>

> and yea, why not just work with the landing station operators to use the 
> existing monitoring ports they use? (or get a copy of the monitor ports)

Operational security in the original meaning of the term (i.e., what people 
don't know about, they can't talk to reporters from the Guardian about).

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Måns Nilsson
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: 
Security over SONET/SDH] Date: Tue, Jun 25, 2013 at 10:38:30AM -0400 Quoting 
Christopher Morrow (morrowc.li...@gmail.com):

> > It's potentially a lot simpler than that:
> >
> > <http://en.wikipedia.org/wiki/Operation_Ivy_Bells>
> 
> this involved, I think, just intuiting signals from the nearfield
> effects of the cable, no? 'drop a large sensor ontop-of/next-to the
> cable, win!'

IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era
project, and it did use EMI tapping (TEMPEST) to get to the traffic
without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms
with the cable operator, it is much easier to use a full-spectrum
monitor port on the WDM system.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no BOUNDS --




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Christopher Morrow
On Tue, Jun 25, 2013 at 10:23 AM, Dobbins, Roland  wrote:
>
> On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:
>
>> Which made me immediately realize it would be far simpler to strong arm the 
>> cable operators to split off all channels before connecting them to the 
>> customer.
>
> It's potentially a lot simpler than that:
>
> 

this involved, I think, just intuiting signals from the nearfield
effects of the cable, no? 'drop a large sensor ontop-of/next-to the
cable, win!'

> 

this I thought included the capabilities to drag the fiber/line into
the hull for 'work' to be done... I'd note that introducing signal
loss on the longhaul fiber seems 'risky', you'd have to know (and this
isn't hard I bet) the tolerances of the link in question and have a
way to stay inside those tolerances and not introduce new
splice-points/junctions/etc and be careful for the undersea cable
power (electric) requirements as well.

fun stuff!

and yea, why not just work with the landing station operators to use
the existing monitoring ports they use? (or get a copy of the monitor
ports)

-chris



Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Dobbins, Roland

On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:

> Which made me immediately realize it would be far simpler to strong arm the 
> cable operators to split off all channels before connecting them to the 
> customer.  

It's potentially a lot simpler than that:





---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Phil Fagan
Transnational seems like a good place to start. It seems like a tough space
to break into ( no PUN intended).



On Tue, Jun 25, 2013 at 7:15 AM, Leo Bicknell  wrote:

>
> On Jun 25, 2013, at 7:38 AM, Phil Fagan  wrote:
>
> > Are these private links or customer links? Why encrypt at that layer? I'm
> > looking for the niche usecase.
>
> I was reading an article about the UK tapping undersea cables (
> http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa)
> and thought back to my time at AboveNet and dealing with undersea cables.
>  My initial reaction was doubt, there are thousands of users on the cables,
> ISP's and non-ISP's, and working with all of them to split off the data
> would be insanely complicated.  Then I read some more articles that
> included quotes like:
>
>   Interceptors have been placed on around 200 fibre optic cables where
> they come ashore. This appears to have been done with the secret
> co-operation (
> http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)
>
> Which made me immediately realize it would be far simpler to strong arm
> the cable operators to split off all channels before connecting them to the
> customer.  If done early enough they could all be split off as 10G
> channels, even if they are later muxed down to lower speeds reducing the
> number of handoffs to the spy apparatus.
>
> Very few ISP's ever go to the landing stations, typically the cable
> operators provide cross connects to a small number of backhaul providers.
>  That makes a much smaller number of people who might ever notice the
> splitters and taps, and makes it totally transparent to the ISP.  But the
> big question is, does this happen?  I'm sure some people on this list have
> been to cable landing stations and looked around.  I'm not sure if any of
> them will comment.
>
> If it does, it answers Phil's question.  An ISP encrypting such a link end
> to end foils the spy apparatus for their customers, protecting their
> privacy.  The US for example has laws that provide greater authority to tap
> "foreign" communications than domestic, so even though the domestic links
> may not be encrypted that may still pose a decent roadblock to siphoning
> off traffic.
>
> Who's going to be the first ISP that advertises they encrypt their links
> that leave the country? :)
>
> --
>Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
>
>
>
>
>
>


-- 
Phil Fagan
Denver, CO
970-480-7618


Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Nick Khamis
Screw the pyramids. Look at that building Yeah we thought about this
and currently in the process of training pigeons to carry
messages. Will keep everyone posted. :)

Nick.





Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

2013-06-25 Thread Leo Bicknell

On Jun 25, 2013, at 7:38 AM, Phil Fagan  wrote:

> Are these private links or customer links? Why encrypt at that layer? I'm
> looking for the niche usecase.

I was reading an article about the UK tapping undersea cables 
(http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa)
 and thought back to my time at AboveNet and dealing with undersea cables.  My 
initial reaction was doubt, there are thousands of users on the cables, ISP's 
and non-ISP's, and working with all of them to split off the data would be 
insanely complicated.  Then I read some more articles that included quotes like:

  Interceptors have been placed on around 200 fibre optic cables where they 
come ashore. This appears to have been done with the secret co-operation 
(http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)

Which made me immediately realize it would be far simpler to strong arm the 
cable operators to split off all channels before connecting them to the 
customer.  If done early enough they could all be split off as 10G channels, 
even if they are later muxed down to lower speeds reducing the number of 
handoffs to the spy apparatus.

Very few ISP's ever go to the landing stations, typically the cable operators 
provide cross connects to a small number of backhaul providers.  That makes a 
much smaller number of people who might ever notice the splitters and taps, and 
makes it totally transparent to the ISP.  But the big question is, does this 
happen?  I'm sure some people on this list have been to cable landing stations 
and looked around.  I'm not sure if any of them will comment.

If it does, it answers Phil's question.  An ISP encrypting such a link end to 
end foils the spy apparatus for their customers, protecting their privacy.  The 
US for example has laws that provide greater authority to tap "foreign" 
communications than domestic, so even though the domestic links may not be 
encrypted that may still pose a decent roadblock to siphoning off traffic.

Who's going to be the first ISP that advertises they encrypt their links that 
leave the country? :) 

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/






