Re: Security over SONET/SDH
----- william.allen.simpson wrote: -----
And at $189,950 MSRP, obviously every ISP is dashing out the door for a pair for each and every long haul fiber link. ;-)
----------------------------------------

It's the same as buying, say, .nanog... >;-)

--- gdt@gdt.id.au wrote:
From: Glen Turner <gdt@gdt.id.au>
On 23/06/2013, at 1:21 PM, William Allen Simpson wrote:
What security protocols are folks using to protect SONET/SDH? At what speeds?
"Excuse me NSA, can I have export approval for one KG-530 SDH encryptor?" What are the odds :-)
And how would we know that the "export model" isn't simply providing a more convenient backdoor for the NSA?
--------------------------------------------------

That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed? This is even more important on microwave shots when security is desired.

scott
On 6/24/13 12:55 PM, Scott Weeks wrote:
That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.
plenty of standardized RF link-layers support strong encryption.
Are these private links or customer links? Why encrypt at that layer? I'm looking for the niche usecase. On Jun 24, 2013 1:57 PM, "Scott Weeks" <surfer@mauigateway.com> wrote:
That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.
On Jun 25, 2013, at 7:38 AM, Phil Fagan <philfagan@gmail.com> wrote:
Are these private links or customer links? Why encrypt at that layer? I'm looking for the niche usecase.
I was reading an article about the UK tapping undersea cables (http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communicat...) and thought back to my time at AboveNet and dealing with undersea cables. My initial reaction was doubt: there are thousands of users on the cables, ISPs and non-ISPs, and working with all of them to split off the data would be insanely complicated. Then I read some more articles that included quotes like:

Interceptors have been placed on around 200 fibre optic cables where they come ashore. This appears to have been done with the secret co-operation (http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)

Which made me immediately realize it would be far simpler to strong-arm the cable operators to split off all channels before connecting them to the customer. If done early enough they could all be split off as 10G channels, even if they are later muxed down to lower speeds, reducing the number of handoffs to the spy apparatus.

Very few ISPs ever go to the landing stations; typically the cable operators provide cross connects to a small number of backhaul providers. That makes a much smaller number of people who might ever notice the splitters and taps, and makes it totally transparent to the ISP. But the big question is, does this happen? I'm sure some people on this list have been to cable landing stations and looked around. I'm not sure if any of them will comment.

If it does, it answers Phil's question. An ISP encrypting such a link end to end foils the spy apparatus for their customers, protecting their privacy. The US for example has laws that provide greater authority to tap "foreign" communications than domestic, so even though the domestic links may not be encrypted, that may still pose a decent roadblock to siphoning off traffic.

Who's going to be the first ISP that advertises they encrypt their links that leave the country? :)

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Screw the pyramids. Look at that building!!!! Yeah we thought about this.... and currently in the process of training pigeons to carry messages. Will keep everyone posted. :)

Nick.
RFC 1149 addresses the practice of avian carriers.

-jav

On Tue, Jun 25, 2013 at 10:16 AM, Nick Khamis <symack@gmail.com> wrote:
Yeah we thought about this.... and currently in the process of training pigeons to carry messages. Will keep everyone posted. :)
Is there a realistic way to deal with dropped packets in that situation? I would think packet loss could get really messy.. ;)

Sent from my Mobile Device.

-------- Original message --------
From: Javier Henderson <javier@kjsl.org>
Date: 06/25/2013 8:47 AM (GMT-08:00)
To: Nick Khamis <symack@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH]

RFC 1149 addresses the practice of avian carriers.
-jav
On 6/25/13, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
Is there a realistic way to deal with dropped packets in that situation? I would think packet loss could get really messy.. ;)
As you know this is not such a problem for UDP streams; however, we have not worked out all the bugs for services that run on TCP. Oh yeah it's messy!!! You know it brings a different set of challenges (i.e., PITA, Pamela Anderson). It's a tough world out there guys.... We are however trying to conform to RFC standards as pointed out by Jev. You guys really need to look at this. It's easily implementable: http://tools.ietf.org/html/rfc1149

N.
On Tue, 25 Jun 2013, Nick Khamis wrote:
We are however trying to conform to RFC standards as pointed out by Jev. You guys really need to look at this. It's easily implementable:
That reminds me I need to finish my April 1 submission to the RFC editor for next year..... This has been sitting in my todo pile for several years.

RFCxxxx for publication on April 1, xxxx

Assistance for Eavesdropping Legally on Avian Carriers (AELAC)

Abstract

The memo provides an overview and principles regarding Lawful Intercept (LI) of networks using RFC 1149, "A Standard for the Transmission of IP Datagrams on Avian Carriers." National requirements are not addressed.

Overview and Rationale

Avian Carriers have not provided law enforcement with advanced capabilities to conduct covert surveillance of a subject's communications. When approached by law enforcement, Avian Carriers take flight, leaving behind difficult-to-decode droppings of their activities. Identifying a specific packet stream within a large flock of carriers is difficult. Due to the 3D ether space available to carriers and their intrinsic collision avoidance systems, although sometimes poorly implemented with windows, performing full content communications interceptions can be hit or miss.

This memo does not address specific national requirements for eavesdropping. Nevertheless, it may be important to public safety that carriers never use any communication technology which could hinder law enforcement's access to the communications of a subject of a lawful order authorizing surveillance.

Avian Carriers have a long and distinguished history in communications. For thousands of years they have been used to carry important messages to military and business leaders. However, they have also been used for nefarious purposes ranging from possible financial market manipulation after Napoleon's defeat at Waterloo to reports of enemy pigeons operating in England during World War II.
On 2013-06-25, at 7:58 PM, Sean Donelan <sean@donelan.com> wrote:
The memo provides an overview and principles regarding Lawful Intercept(LI) of networks using RFC 1149, "A Standard for the Transmission of IP Datagrams on Avian Carriers." National requirements are not addressed.
Is scooping pigeon shit off my front lawn considered meta-data collection? --lyndon
Wow I can't believe this is still going around. All you apparently need for this is a .gov spook possessed by evil entity X and all these avians will come crashing right into their federal windows like a DDoS. Scary head spinning fun ;-)

--
Jason Hellenthal
Inbox: jhellenthal@DataIX.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jun 25, 2013, at 22:58, Sean Donelan <sean@donelan.com> wrote:
That reminds me I need to finish my April 1 submission to the RFC editor for next year..... This has been sitting in my todo pile for several years.
Matter of fact the sky is full of lightning right now... Anyone got a pentagram packet and a Ouija board ?

--
Jason Hellenthal
Inbox: jhellenthal@DataIX.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jun 25, 2013, at 22:58, Sean Donelan <sean@donelan.com> wrote:
That reminds me I need to finish my April 1 submission to the RFC editor for next year..... This has been sitting in my todo pile for several years.
On 2013-06-25, at 8:54 PM, Jason Hellenthal <jhellenthal@dataix.net> wrote:
Anyone got a pentagram packet and a Ouija board ?
Be careful, when you pull out the chalk to draw a pentaGRAM around your data centre, that you don't – accidentally – draw a pentaGONE.
Lol

--
Jason Hellenthal
Inbox: jhellenthal@DataIX.net
Voice: +1 (616) 953-0176
JJH48-ARIN

On Jun 26, 2013, at 0:04, Lyndon Nerenberg <lyndon@orthanc.ca> wrote:
Be careful, when you pull out the chalk to draw a pentaGRAM around your data centre, that you don't – accidentally – draw a pentaGONE.
On 6/25/13, Javier Henderson <javier@kjsl.org> wrote:
RFC 1149 addresses the practice of avian carriers.
-jav
Jav, this one takes the trump!!! You sir are a man of few words! :)

N.
Transnational seems like a good place to start. It seems like a tough space to break into (no PUN intended).

On Tue, Jun 25, 2013 at 7:15 AM, Leo Bicknell <bicknell@ufp.org> wrote:
Who's going to be the first ISP that advertises they encrypt their links that leave the country? :)
--
Phil Fagan
Denver, CO
970-480-7618
On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:
Which made me immediately realize it would be far simpler to strong arm the cable operators to split off all channels before connecting them to the customer.
It's potentially a lot simpler than that:

<http://en.wikipedia.org/wiki/Operation_Ivy_Bells>
<http://defensetech.org/2005/02/21/jimmy-carter-super-spy/>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
On Tue, Jun 25, 2013 at 10:23 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Jun 25, 2013, at 8:15 PM, Leo Bicknell wrote:
Which made me immediately realize it would be far simpler to strong arm the cable operators to split off all channels before connecting them to the customer.
It's potentially a lot simpler than that:
this involved, I think, just intuiting signals from the nearfield effects of the cable, no? 'drop a large sensor ontop-of/next-to the cable, win!'
this I thought included the capabilities to drag the fiber/line into the hull for 'work' to be done... I'd note that introducing signal loss on the longhaul fiber seems 'risky', you'd have to know (and this isn't hard I bet) the tolerances of the link in question and have a way to stay inside those tolerances and not introduce new splice-points/junctions/etc and be careful for the undersea cable power (electric) requirements as well.

fun stuff! and yea, why not just work with the landing station operators to use the existing monitoring ports they use? (or get a copy of the monitor ports)

-chris
Subject: Re: Are undersea cables tapped before they get to ISP's? [was Re: Security over SONET/SDH] Date: Tue, Jun 25, 2013 at 10:38:30AM -0400 Quoting Christopher Morrow (morrowc.lists@gmail.com):
It's potentially a lot simpler than that:
this involved, I think, just intuiting signals from the nearfield effects of the cable, no? 'drop a large sensor ontop-of/next-to the cable, win!'
IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, and it did use EMI tapping (TEMPEST) to get to the traffic without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms with the cable operator, it is much easier to use a full-spectrum monitor port on the WDM system.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Your CHEEKS sit like twin NECTARINES above a MOUTH that knows no BOUNDS --
On Jun 25, 2013, at 9:53 PM, Måns Nilsson wrote:
IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, and it did use EMI tapping (TEMPEST) to get to the traffic without tampering with the cable.
Fiber can be tapped, too, though it's not as easy as EMI. Heck, it can even be potentially 'pre-tapped' prior to deployment.
Having gotten that cleared, I'd argue that if you're on speaking terms with the cable operator, it is much easier to use a full-spectrum monitor port on the WDM system.
The issue is that the cable operator may be on speaking terms with reporters at the Guardian.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
On Jun 25, 2013, at 9:38 PM, Christopher Morrow wrote:
this I thought included the capabilities to drag the fiber/line into the hull for 'work' to be done... I'd note that introducing signal loss on the longhaul fiber seems 'risky', you'd have to know (and this isn't hard I bet) the tolerances of the link in question and have a way to stay inside those tolerances and not introduce new splice-points/junctions/etc and be careful for the undersea cable power (electric) requirements as well.
Kind of makes one think about the spate of high-profile submarine cable breaks over the past couple of years in a different light, doesn't it? ;>
and yea, why not just work with the landing station operators to use the existing monitoring ports they use? (or get a copy of the monitor ports)
Operational security in the original meaning of the term (i.e., what people don't know about, they can't talk to reporters from the Guardian about).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
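A defender-side check that follows from Chris's point about staying inside the link's tolerances: a passive splitter costs a fixed amount of optical power, so the transceiver's reported Rx power drops by a step and stays there. The script below is an added example, not code from any poster or vendor; it reads Rx power samples in dBm, learns a baseline, and alarms only on a sustained drop, so a momentary glitch does not fire. The thresholds and the sample series are constructed assumptions.

```python
"""Flag a sustained step loss in optical receive power (constructed example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass
class StepAlert:
    index: int            # sample index where the sustained drop began
    baseline_dbm: float   # learned Rx power before the drop
    new_level_dbm: float  # Rx power during the first `hold` samples of the drop
    drop_db: float        # size of the step


def detect_step_loss(samples: List[float], learn: int = 20, min_drop_db: float = 0.5,
                     hold: int = 5, noise_k: float = 3.0) -> Optional[StepAlert]:
    """Return a StepAlert when Rx power sits at least min_drop_db below the
    learned baseline for `hold` consecutive samples, otherwise None.

    The baseline is the mean of the first `learn` samples. The alarm line is
    the larger of min_drop_db and noise_k standard deviations of the learning
    window, so a jittery link does not alarm on ordinary noise. All figures
    (0.5 dB, 5 samples, 3 sigma) are assumptions, not a vendor specification.
    """
    if len(samples) < learn + hold:
        raise ValueError("need at least learn + hold samples")
    window = samples[:learn]
    base, sigma = mean(window), pstdev(window)
    threshold = base - max(min_drop_db, noise_k * sigma)
    run_start = None
    for i in range(learn, len(samples)):
        if samples[i] <= threshold:
            if run_start is None:
                run_start = i
            if i - run_start + 1 >= hold:
                level = mean(samples[run_start:i + 1])
                return StepAlert(run_start, round(base, 2), round(level, 2),
                                 round(base - level, 2))
        else:
            run_start = None   # transient dip: reset and keep watching
    return None


def constructed_samples() -> List[float]:
    """Constructed Rx power series: -8.0 dBm with small jitter, one transient
    dip at sample 25, then a 0.7 dB step down from sample 40 onward."""
    jitter = [0.0, 0.03, -0.02, 0.04, -0.04]
    before = [-8.0 + jitter[i % 5] for i in range(40)]
    before[25] = -9.6      # single-sample glitch, must not alarm
    after = [-8.7 + jitter[i % 5] for i in range(20)]
    return before + after


if __name__ == "__main__":
    alert = detect_step_loss(constructed_samples())
    print("no sustained step" if alert is None else alert)
```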
Date: Tue, 25 Jun 2013 06:38:23 -0600 From: Phil Fagan <philfagan@gmail.com> Subject: Re: Security over SONET/SDH
Are these private links or customer links? Why encrypt at that layer? I'm looking for the niche usecase.
If I recall correctly the PCI stuff says an MPLS network is sufficiently safe.

If I were a financial, I would mandate at the very least that all my communications extra-country be encrypted. Since we know how "young" some of the languages and protocols on which our financial infrastructure is built are, we can bet the house you need link-layer-level encryption to make that work. Now, whether the institution puts it in place, or requires the international transport carrier to do so (hey, howdy, SONET/SDH) is another thing.

Nortel at one point had an OC192 AES256 encryption option: http://www.igrid2005.org/media/press_09.28.05_nortel.html

In the end remember, a lot of trans/inter-national bandwidth is still SONET/SDH based and only slowly changing to Ethernet-like transports.

Kind regards,
JP Velders
participants (14)
- Christopher Morrow
- Dobbins, Roland
- Jason Hellenthal
- Javier Henderson
- joel jaeggli
- JP Velders
- Leo Bicknell
- Lyndon Nerenberg
- Måns Nilsson
- Nick Khamis
- Phil Fagan
- Scott Weeks
- Sean Donelan
- Warren Bailey