Re: Security over SONET/SDH
------------ joelja@bogus.com wrote: ------------
From: joel jaeggli <joelja@bogus.com>

That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed? This is even more important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.
----------------------------------------------------

Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this: "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)

scott
-----Original Message-----
From: Scott Weeks [mailto:surfer@mauigateway.com]

> ------------ joelja@bogus.com wrote: ------------
> From: joel jaeggli <joelja@bogus.com>
>
> That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed? This is even more important on microwave shots when security is desired.
>
> :: plenty of standardized RF link-layers support strong encryption.
> ----------------------------------------------------
>
> Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this: "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)

Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM is complex and you really want a good legal team who are familiar with it hand-holding you through it (and on extended retainer going forward...).

Jamie
On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden <jamie@photon.com> wrote:
....
> Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM is complex and you really want a good legal team who are familiar with it hand-holding you through it (and on extended retainer going forward...).

We used to joke that our export control officer was the "designated felon" (in the case that the process/decision was wrong, that person was the one going to go to prison (and note the US Govt takes ITAR controls very, very seriously; do not guess, do not even think about guessing; do not even think that the words in the regs mean what you think they mean)).

Gary
On Mon, Jun 24, 2013 at 10:14:19PM +0000, Gary Buhrmaster wrote:
> On Mon, Jun 24, 2013 at 9:37 PM, Jamie Bowden <jamie@photon.com> wrote:
> ....
> > Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM is complex and you really want a good legal team who are familiar with it hand-holding you through it (and on extended retainer going forward...).
>
> We used to joke that our export control officer was the "designated felon" (in the case that the process/decision was wrong, that person was the one going to go to prison (and note the US Govt takes ITAR controls very, very seriously; do not guess, do not even think about guessing; do not even think that the words in the regs mean what you think they mean)).

This is especially true in the case of even civilian crypto gear. Have lawyer(s) with experience in this stuff to bird-dog everything you do. It may seem like a lot of money, until you look at the fines and jail time you may wind up with if you drop a stitch somewhere. Then it all becomes quite reasonable.

-- 
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
On 6/24/13 1:19 PM, Scott Weeks wrote:
> ------------ joelja@bogus.com wrote: ------------
> From: joel jaeggli <joelja@bogus.com>
>
> That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed? This is even more important on microwave shots when security is desired.
>
> :: plenty of standardized RF link-layers support strong encryption.
>
> Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this: "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)

Yes, however note that the actual number of embargoed countries at this point is pretty small, and that if you are in a (US) embargoed country and so inclined you can likely buy such products manufactured in China by Chinese companies. Securing the link layer, however, is not a replacement for an end-to-end solution, so just because it's protecting the air interface(s) doesn't really mean somebody isn't looking at the traffic elsewhere.

> scott
On Mon, Jun 24, 2013 at 10:25 PM, joel jaeggli <joelja@bogus.com> wrote:
> Securing the link layer, however, is not a replacement for an end-to-end solution, so just because it's protecting the air interface(s) doesn't really mean somebody isn't looking at the traffic elsewhere.

It's fair to say, I think, that if you want to say something on the network it's best that you consider:

1) is the communication something private between you and another party(s)
2) is the communication going to be seen by other than you + the-right-other-party(s)

and probably assume 2 is always going to be the case...

So, if 1) is true then make some way to keep it private:
  ssl + checking certs 'properly' (where is dane?)
  gpg + good key material security
  private-key/shared-key - don't do this, everyone screws this up.

-chris
On Mon, Jun 24, 2013 at 9:59 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> It's fair to say, I think, that if you want to say something on the network it's best that you consider:
>
> 1) is the communication something private between you and another party(s)
> 2) is the communication going to be seen by other than you + the-right-other-party(s)
>
> and probably assume 2 is always going to be the case...
>
> So, if 1) is true then make some way to keep it private:
>   ssl + checking certs 'properly' (where is dane?)
>   gpg + good key material security
>   private-key/shared-key - don't do this, everyone screws this up.

SSH + SSHFP + DNSSEC does public/private key pretty well
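The SSH + SSHFP + DNSSEC approach mentioned above, as an added example that is not code posted by anyone in this thread: it computes the SSHFP fingerprint of an OpenSSH host-key line the way `ssh-keygen -r` does (SHA-1 or SHA-256 over the base64-decoded key blob) and checks it against an SSHFP RRset, accepting a match only when the resolver reported the answer as DNSSEC-validated, which is also the condition under which OpenSSH's VerifyHostKeyDNS treats a matching record as trusted (the AD bit). The host-key bytes and the RRset are constructed for the example; the algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint types (1 SHA-1, 2 SHA-256) are the registered SSHFP values.

```python
"""Check an OpenSSH host key against SSHFP DNS records (RFC 4255 family).
Added example for this thread; not anyone's posted code."""
import base64
import hashlib
import hmac
import struct

# Registered SSHFP algorithm numbers, keyed by OpenSSH key-type name.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Registered SSHFP fingerprint types.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key (NOT a real key): 32 placeholder bytes wrapped
# in the same wire format ssh-keyscan prints, so fingerprinting is realistic.
_PLACEHOLDER_ED25519_POINT = bytes(range(32))
HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(_PLACEHOLDER_ED25519_POINT)
).decode("ascii")


def parse_host_key(line):
    """Return (key_type, raw_blob) from an OpenSSH public-key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (first_len,) = struct.unpack(">I", blob[:4])
    # The first string inside the blob must agree with the declared type.
    if blob[4:4 + first_len] != key_type.encode("ascii"):
        raise ValueError("key type outside the blob does not match inside")
    return key_type, blob


def sshfp_fingerprint(line, fptype=2):
    """(algorithm, fptype, hex digest) for a host key, as ssh-keygen -r prints."""
    key_type, blob = parse_host_key(line)
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return SSHFP_ALGORITHM[key_type], fptype, digest


def parse_sshfp(rdata):
    """Parse presentation-format RDATA "<alg> <fptype> <hex...>"; hex may be split."""
    alg, fptype, *hex_parts = rdata.split()
    return int(alg), int(fptype), "".join(hex_parts).lower()


def host_key_matches_dns(line, sshfp_rrset, dnssec_validated):
    """True only if the RRset was DNSSEC-validated and some record matches the key.

    An unsigned SSHFP answer can be spoofed along with the connection itself,
    so it proves nothing; OpenSSH likewise only trusts answers with the AD bit.
    """
    if not dnssec_validated:
        return False
    key_type, blob = parse_host_key(line)
    want_alg = SSHFP_ALGORITHM[key_type]
    for rdata in sshfp_rrset:
        alg, fptype, published = parse_sshfp(rdata)
        if alg != want_alg or fptype not in SSHFP_HASH:
            continue  # record for another key type, or a hash we don't know
        computed = SSHFP_HASH[fptype](blob).hexdigest()
        if hmac.compare_digest(computed, published):
            return True
    return False


# Constructed RRset standing in for a DNSSEC-validated answer: one record for
# an old RSA key, one stale Ed25519 fingerprint, and the matching record
# derived from the sample key (a zone owner would get it from ssh-keygen -r).
SSHFP_RRSET = [
    "1 1 " + "0f" * 20,
    "4 2 " + "00" * 32,
    "4 2 " + sshfp_fingerprint(HOST_KEY_LINE)[2],
]

if __name__ == "__main__":
    print("SSHFP for sample key:", sshfp_fingerprint(HOST_KEY_LINE))
    print("validated match:", host_key_matches_dns(HOST_KEY_LINE, SSHFP_RRSET, True))
    print("unvalidated answer:", host_key_matches_dns(HOST_KEY_LINE, SSHFP_RRSET, False))
```

Publishing the records is the easy part (`ssh-keygen -r hostname` prints them); the security comes from the zone being signed and the client's resolver validating it, which is why the check above returns False outright when `dnssec_validated` is not set rather than falling back to "it matched, close enough".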
On Mon, Jun 24, 2013 at 11:19:52PM -0500, Philip Dorr wrote:
> On Mon, Jun 24, 2013 at 9:59 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> > It's fair to say, I think, that if you want to say something on the network it's best that you consider:
> >
> > 1) is the communication something private between you and another party(s)
> > 2) is the communication going to be seen by other than you + the-right-other-party(s)
> >
> > and probably assume 2 is always going to be the case...
> >
> > So, if 1) is true then make some way to keep it private:
> >   ssl + checking certs 'properly' (where is dane?)
> >   gpg + good key material security
> >   private-key/shared-key - don't do this, everyone screws this up.
>
> SSH + SSHFP + DNSSEC does public/private key pretty well

If one or another of the TLAs hasn't solved, say, the BIGNUM_factoring problem. If they have, then elliptic curve crypto looks interesting.

-- 
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
participants (7)
- Christopher Morrow
- Gary Buhrmaster
- Jamie Bowden
- joel jaeggli
- Mike A
- Philip Dorr
- Scott Weeks