Security over SONET/SDH

----- william.allen.simpson wrote: -----
And at $189,950 MSRP, obviously every ISP is dashing out the door
for a pair for each and every long haul fiber link. :wink:

----------------------------------------

It's the same as buying, say, .nanog... >;-)

From: Glen Turner <gdt@gdt.id.au>

What security protocols are folks using to protect SONET/SDH?
At what speeds?

"Excuse me NSA, can I have export approval for one KG-530 SDH
encryptor?" What are the odds :slight_smile:

And how would we know that the "export model" isn't simply
providing a more convenient backdoor for the NSA?
--------------------------------------------------

That's why I'm trying to follow up on the original question: is
there something similar the global public can use to secure their
connections that is not government designed? This is even more
important on microwave shots when security is desired.

Plenty of standardized RF link-layers support strong encryption.

Are these private links or customer links? Why encrypt at that layer? I'm
looking for the niche use case.

I was reading an article about the UK tapping undersea cables (http://www.guardian.co.uk/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa) and thought back to my time at AboveNet and dealing with undersea cables. My initial reaction was doubt: there are thousands of users on the cables, ISPs and non-ISPs, and working with all of them to split off the data would be insanely complicated. Then I read some more articles that included quotes like:

  Interceptors have been placed on around 200 fibre optic cables where they come ashore. This appears to have been done with the secret co-operation (http://www.wired.co.uk/news/archive/2013-06/24/gchq-tempora-101)

Which made me immediately realize it would be far simpler to strong-arm the cable operators to split off all channels before connecting them to the customer. If done early enough they could all be split off as 10G channels, even if they are later muxed down to lower speeds, reducing the number of handoffs to the spy apparatus.

Very few ISPs ever go to the landing stations; typically the cable operators provide cross connects to a small number of backhaul providers. That makes a much smaller number of people who might ever notice the splitters and taps, and makes it totally transparent to the ISP. But the big question is, does this happen? I'm sure some people on this list have been to cable landing stations and looked around. I'm not sure if any of them will comment.

If it does, it answers Phil's question. An ISP encrypting such a link end to end foils the spy apparatus for their customers, protecting their privacy. The US for example has laws that provide greater authority to tap "foreign" communications than domestic, so even though the domestic links may not be encrypted that may still pose a decent roadblock to siphoning off traffic.

Who's going to be the first ISP that advertises they encrypt their links that leave the country? :slight_smile:

Screw the pyramids. Look at that building!!!! Yeah, we thought about this....
and currently in the process of training pigeons to carry
messages. Will keep everyone posted. :slight_smile:

Nick.

Transnational seems like a good place to start. It seems like a tough space
to break into (no PUN intended).

It's potentially a lot simpler than that:

<http://en.wikipedia.org/wiki/Operation_Ivy_Bells>

<http://defensetech.org/2005/02/21/jimmy-carter-super-spy/>

> Which made me immediately realize it would be far simpler to strong-arm the cable operators to split off all channels before connecting them to the customer.

> It's potentially a lot simpler than that:
>
> <http://en.wikipedia.org/wiki/Operation_Ivy_Bells>

this involved, I think, just intuiting signals from the nearfield
effects of the cable, no? 'drop a large sensor ontop-of/next-to the
cable, win!'

> <http://defensetech.org/2005/02/21/jimmy-carter-super-spy/>

this I thought included the capabilities to drag the fiber/line into
the hull for 'work' to be done... I'd note that introducing signal
loss on the longhaul fiber seems 'risky', you'd have to know (and this
isn't hard I bet) the tolerances of the link in question and have a
way to stay inside those tolerances and not introduce new
splice-points/junctions/etc and be careful for the undersea cable
power (electric) requirements as well.

fun stuff!

and yea, why not just work with the landing station operators to use
the existing monitoring ports they use? (or get a copy of the monitor
ports)

-chris
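Chris's point that a tap has to stay inside the link's loss tolerance has a defensive corollary: baseline the optical receive power on each span and alert on a sudden, persistent step drop the link budget does not explain. This is an added example, not from the thread; the Rx readings are constructed and the threshold is an assumed value an operator would tune per span.

```python
"""Persistent step-loss detector for optical receive-power telemetry."""
from statistics import median

# Constructed Rx power samples (dBm), one per polling interval. The span
# sits near -12.0 dBm with small noise, then steps down by roughly 0.7 dB.
SAMPLE_RX_DBM = [
    -12.02, -11.98, -12.01, -12.03, -11.99, -12.00, -12.02, -11.97,
    -12.01, -12.00, -11.99, -12.02,
    -12.71, -12.69, -12.73, -12.70, -12.72, -12.68, -12.71, -12.70,
]


def detect_step_loss(readings, baseline_len=8, threshold_db=0.5, persist=3):
    """Return (index, loss_db) for the first persistent downward step.

    The median of the last `baseline_len` accepted readings is the expected
    level. A reading more than `threshold_db` below it opens a candidate
    event, which is reported only if the next `persist` readings also stay
    below the threshold; a one-sample dip (fading, a noisy transceiver) is
    ignored and kept out of the baseline. Returns None if no step is found.
    `threshold_db` is an assumed value; set it from the span's loss budget.
    """
    if len(readings) < baseline_len + persist:
        return None
    baseline = list(readings[:baseline_len])
    for i in range(baseline_len, len(readings)):
        expected = median(baseline)
        drop = expected - readings[i]
        if drop >= threshold_db:
            window = readings[i:i + persist + 1]
            if len(window) == persist + 1 and all(
                expected - r >= threshold_db for r in window
            ):
                return i, round(drop, 2)
            continue  # transient dip: do not fold it into the baseline
        baseline.append(readings[i])
        baseline.pop(0)
    return None


if __name__ == "__main__":
    hit = detect_step_loss(SAMPLE_RX_DBM)
    print("no persistent step" if hit is None else
          f"persistent loss of {hit[1]} dB first seen at sample {hit[0]}")
```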

> It's potentially a lot simpler than that:
>
> <http://en.wikipedia.org/wiki/Operation_Ivy_Bells>

> this involved, I think, just intuiting signals from the nearfield
> effects of the cable, no? 'drop a large sensor ontop-of/next-to the
> cable, win!'

IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era
project, and it did use EMI tapping (TEMPEST) to get to the traffic
without tampering with the cable.

Having gotten that cleared, I'd argue that if you're on speaking terms
with the cable operator, it is much easier to use a full-spectrum
monitor port on the WDM system.

> this I thought included the capabilities to drag the fiber/line into the hull for 'work' to be done... I'd note that introducing signal
> loss on the longhaul fiber seems 'risky', you'd have to know (and this isn't hard I bet) the tolerances of the link in question and have a
> way to stay inside those tolerances and not introduce new splice-points/junctions/etc and be careful for the undersea cable
> power (electric) requirements as well.

Kind of makes one think about the spate of high-profile submarine cable breaks over the past couple of years in a different light, doesn't it?

;>

> and yea, why not just work with the landing station operators to use the existing monitoring ports they use? (or get a copy of the monitor ports)

Operational security in the original meaning of the term (i.e., what people don't know about, they can't talk to reporters from the Guardian about).

> IVY BELLS (USN is / was an ALL-CAPS org, right?) was a copper era project, and it did use EMI tapping (TEMPEST) to get to the traffic
> without tampering with the cable.

Fiber can be tapped, too, though it's not as easy as EMI. Heck, it can even be potentially 'pre-tapped' prior to deployment.

> Having gotten that cleared, I'd argue that if you're on speaking terms with the cable operator, it is much easier to use a full-spectrum monitor port on the WDM system.

The issue is that the cable operator may be on speaking terms with reporters at the Guardian.

RFC 1149 addresses the practice of avian carriers.

-jav

Is there a realistic way to deal with dropped packets in that situation? I would think packet loss could get really messy.. :wink:

Fun stuff indeed...sell to one org or the other:
http://www.glimmerglass.com/solutions/submarine-cable-landing-stations/
http://www.glimmerglass.com/solutions/cyber-security-and-lawful-interception/

-Hank

From the site:

Problem - federal integrator with a government customer needed to connect
geographically dispersed antenna sites to a central pool of monitoring
equipment.

Our Solution - With Glimmerglass managing the reconfiguration of optical
signals, the integrator was able to create an RF-over-fiber solution that
performed better and cost less than traditional implementations.

.. I would be *REALLY* interested in seeing how they did this. We've been
doing this (it's called Fiber IFL) for a long time, but the range with
nearly everything has been sub 40km for the most part. Getting
geographically diverse sites all linked up via rf to fiber would be a
nightmare unless you were planning on demodulating the signals and sending
them via IP, which wouldn't surprise me.

Jav, this one takes the trump!!! You sir are a man of few words! :slight_smile:

N.

As you know this is not such a problem for UDP streams; however, we
have not worked out all the bugs for services that run on TCP. Oh yeah,
it's messy!!! You know it brings a different set of challenges (i.e.,
PITA, Pamela Anderson). It's a tough world out there guys....

We are however trying to conform to RFC standards as pointed out by
Jav. You guys really need to look at this. It's easily implementable:

http://tools.ietf.org/html/rfc1149

N.

That reminds me I need to finish my April 1 submission to the RFC editor
for next year..... This has been sitting in my todo pile for several
years.

RFCxxxx for publication on April 1, xxxx

Assistance for Eavesdropping Legally on Avian Carriers (AELAC)

Abstract

The memo provides an overview and principles regarding Lawful Intercept (LI) of networks using RFC 1149, "A Standard for the Transmission of IP Datagrams on Avian Carriers." National requirements are not addressed.

Overview and Rationale

Avian Carriers have not provided law enforcement with advanced capabilities to conduct covert surveillance of a subject's communications. When approached by law enforcement, Avian Carriers take flight, leaving behind difficult-to-decode droppings of their activities. Identifying a specific packet stream within a large flock of carriers is difficult. Due to the 3D ether space available to carriers and their intrinsic collision avoidance systems, although sometimes poorly implemented with windows, performing full content communications interceptions can be hit or miss.

This memo does not address specific national requirements for eavesdropping. Nevertheless, it may be important to public safety that carriers never use any communication technology which could hinder law enforcement's access to the communications of a subject of a lawful order authorizing surveillance.

Avian Carriers have a long and distinguished history in communications. For thousands of years they have been used to carry important messages to military and business leaders. However, they have also been used for nefarious purposes ranging from possible financial market manipulation after Napoleon's defeat at Waterloo to reports of enemy pigeons operating in England during World War II.

Is scooping pigeon shit off my front lawn considered meta-data collection?

--lyndon

Then I am in favour of PRISM. NSA: come vacuum all the pigeon shit off my boat! Please!!!