I hope I've gotten the quotations correct...

--- joelja@bogus.com wrote:
From: joel jaeggli <joelja@bogus.com>
On 6/24/13 1:19 PM, Scott Weeks wrote:

------------ joelja@bogus.com wrote: ------------
That's why I'm trying to follow up on the original question. Is there something similar the global public can use to secure their connections that is not government designed. This is even more important on microwave shots when security is desired.
:: plenty of standardized RF link-layers support strong encryption.

----------------------------------------------------
Ah, thanks. That comment gave me the search terms I needed, but I keep seeing sentences like this: "Due to the encryption employed in these products, they are export controlled items and are regulated by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. They may not be exported or shipped for re-export to restricted countries..." wheee! :-)
Yes, however note that the actual number of embargoed countries at this point is pretty small, and that if you are in a(n) (US) embargoed country and so inclined you can likely buy such products manufactured in China by Chinese companies. Securing the link layer however is not a replacement for an end to end solution, so just because it's protecting the air interface(s) doesn't really mean somebody isn't looking at the traffic elsewhere.

--------------------------------------------------

Yeah, but I was just thinking through what the original question asked. After reading his emails over the years, I am assuming he meant in addition to everything else "What security protocols are folks using to protect SONET/SDH? At what speeds?"

I now see it quickly devolves into what various governments will allow its citizenry to do on the internet. :-(

scott
Link encryption isn't to protect the contents of the user's communication. There is no reason for users to trust their ISP more than a national institution full of people vetted to the highest level.

What link encryption gets the user is protection from traffic analysis from parties other than the ISP.

You've seen in the NSA documents how highly they regard this traffic analysis. I'd fully expect the NSA to collect it by other means.

-glen

-- Glen Turner <http://www.gdt.id.au/~gdt/>
Even if your crypto is good enough end to end CALEA will require you to hand over the keys and/or put in a backdoor if you have a US nexus.
From Wikipedia http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_A...
USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn't interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic. Modern voice switches now have this capability built in, yet Internet equipment almost always requires some kind of intelligent Deep Packet Inspection probe to get the job done. In both cases, the intercept function must single out a subscriber named in a warrant for intercept and then immediately send some (headers-only) or all (full content) of the intercepted data to an LEA. The LEA will then process this data with analysis software that is specialized towards criminal investigations. All traditional voice switches on the U.S. market today have the CALEA intercept feature built in. The IP-based "soft switches" typically do not contain a built-in CALEA intercept feature; and other IP-transport elements (routers, switches, access multiplexers) almost always delegate the CALEA function to elements dedicated to inspecting and intercepting traffic. In such cases, hardware taps or switch/router mirror-ports are employed to deliver copies of all of a network's data to dedicated IP probes. Probes can either send directly to the LEA according to the industry standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they can deliver to an intermediate element called a mediation device, where the mediation device does the formatting and communication of the data to the LEA. A probe that can send the correctly formatted data to the LEA is called a "self-contained" probe. In order to be compliant, IP-based service providers (Broadband, Cable, VoIP) must choose either a self-contained probe (such as made by IPFabrics), or a "dumb" probe component plus a mediation device (such as made by Verint), or they must implement the delivery of correctly formatted data for a named subscriber on their own.
On 6/25/13 3:55 AM, Scott Weeks wrote:
Yeah, but I was just thinking through what the original question asked. After reading his emails over the years, I am assuming he meant in addition to everything else "What security protocols are folks using to protect SONET/SDH? At what speeds?"
Correct. But the answer appears to be: none. Not Google. Not any public N/ISP.
I now see it quickly devolves into what various governments will allow its citizenry to do on the internet. :-(
With a lot of dithering by folks who have no operational or security responsibilities at any providers. :-(