Re: Security over SONET/SDH
--- morrowc.lists@gmail.com wrote:
From: Christopher Morrow <morrowc.lists@gmail.com>
On Tue, Jun 25, 2013 at 2:02 PM, William Allen Simpson <william.allen.simpson@gmail.com> wrote:
:: ...in addition to everything else "What security protocols are folks using to protect SONET/SDH? At what speeds?"
: Correct.
: But the answer appears to be: none. Not Google. Not any public N/ISP.
would they say if they had?

Yes, especially in light of the current news regarding internet privacy. Could you imagine the advertising they'd be able to do to prospective customers?
scott
The sticky problem remains for any communications carrier: we are looking for a technical solution to a legal problem. I believe that if you encrypted your links sufficiently that it was impossible to siphon the wanted data from your upstream, the response would be for the tapping to move down into your data center before the crypto. With CALEA requirements and the Patriot Act they could easily compel you to give them a span port prior to the crypto. Regardless of how well built our networks are internally and externally, we still must obey a court order.
Sam
Since we're no longer trying to dodge the NSA... why would one want to encrypt transport? I think protected links are a great business model. L3VPN encryption? What's the best offering?
On Jun 25, 2013, at 6:34 PM, sam@wwcandt.com wrote:
I believe that if you encrypted your links sufficiently that it was impossible to siphon the wanted data from your upstream the response would be for the tapping to move down into your data center before the crypto.
With CALEA requirements and the Patriot Act they could easily compel you to give them a span port prior to the crypto.
The value here isn't preventing <insert federal agency> from getting the data; as you point out, there are multiple tools at their disposal, and they will likely compel data at some other point in the stack. The value here is increasing the visibility of the tapping, making more people aware of how much is going on. Forcing the tapping out of the shadows and into the light.

For instance, if my theory that some cables are being tapped at the landing station is correct, there are likely ISPs on this list right now that have transatlantic links /and do not know that they are being tapped/. If the links were encrypted and they had to serve the ISP directly to get the unencrypted data or make them stop encrypting, that ISP would know their data was being tapped.

It also has the potential to shift the legal proceedings to other courts. The FISA court can approve tapping a foreign cable as it enters the country in near perfect, unchallengeable secrecy. If encryption moved that to be a regular federal warrant under CALEA, there would be a few more avenues for challenging the order legally.

People can't challenge what they don't know about.

-- Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Well put Leo; defense-in-depth.
On Jun 25, 2013 6:57 PM, "Leo Bicknell" <bicknell@ufp.org> wrote:
Well put, and point taken :-).
Sam
participants (4)
- Leo Bicknell
- Phil Fagan
- sam@wwcandt.com
- Scott Weeks