On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates@brightok.net> wrote:
On 2/20/2013 1:05 PM, Jon Lewis wrote:
See thread: nanog impossible circuit
Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
This is especially true with pseudo-wire and MPLS. Most of my equipment can filter-based mirror to alternative MPLS circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them. (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)

--Steve Bellovin, https://www.cs.columbia.edu/~smb