Security over SONET/SDH

------------ joelja@bogus.com wrote: ------------

That's why I'm trying to follow up on the original question. Is
there something similar the global public can use to secure their
connections that is not government designed. This is even more
important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.

Actually, you CAN do that, but you have to apply for ITAR exceptions. EXIM is complex and you really want a good legal team who are familiar with it hand holding you through it (and on extended retainer going forward...).

Jamie

....

We used to joke that our export control officer was the "designated felon"
(in the case that the process/decision was wrong, that person was the
one going to go to prison (and note the US Govt takes ITAR controls very
very seriously; do not guess, do not even think about guessing; do not
even think that the words in the regs mean what you think they mean)).

Gary

This is especially true in the case of even civilian crypto gear. Have
lawyer(s) with experience in this stuff to bird-dog everything you do. It may
seem like a lot of money, until you look at the fines and jail time you may
wind up with if you drop a stitch somewhere. Then it all becomes quite
reasonable.

------------ joelja@bogus.com wrote: ------------
From: joel jaeggli <joelja@bogus.com>

That's why I'm trying to follow up on the original question. Is
there something similar the global public can use to secure their
connections that is not government designed. This is even more
important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.
----------------------------------------------------

Ah, thanks. That comment gave me the search terms I needed,
but I keep seeing sentences like this "Due to the encryption
employed in these products, they are export controlled items and
are regulated by the Bureau of Industry and Security (BIS) of the
U.S. Department of Commerce. They may not be exported or shipped
for re-export to restricted countries..." wheee! :-)

Yes, however note that the actual number of embargoed countries at this point is pretty small, and that if you are in a(n) (US) embargoed country and so inclined you can likely buy such products manufactured in China by Chinese companies.

Securing the link layer, however, is not a replacement for an end-to-end solution, so just because it's protecting the air interface(s) doesn't really mean somebody is not looking at the traffic elsewhere.

It's fair to say, I think, that if you want to say something on the
network it's best that you consider:
  1) is the communication something private between you and another party(s)
  2) is the communication going to be seen by other than you + the-right-other-party(s)

and probably assume 2 is always going to be the case... So, if 1) is
true then make some way to keep it private:
  ssl + checking certs 'properly' (where is dane?)
  gpg + good key material security
  private-key/shared-key - don't do this, everyone screws this up.

-chris

SSH + SSHFP + DNSSEC does public/private key pretty well

If one or another of the TLAs hasn't solved, say, the BIGNUM_factoring
problem. If they have, then elliptic curve crypto looks interesting.
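
The SSH + SSHFP + DNSSEC suggestion above, sketched as an added example that is not code from the thread: it derives the SSHFP record a zone owner would publish for a host key and shows the client-side comparison, which only counts when the DNS answer was DNSSEC-validated. The host name, the sample key bytes and the `dnssec_validated` flag are assumptions; a real client learns that flag from a validating resolver.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers from the IANA registry (RFC 4255, 6594, 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_SHA256 = 2  # SSHFP fingerprint type 2 = SHA-256


def parse_pubkey(line):
    """Return (key type, raw key blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGS:
        raise ValueError("not a supported OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode("ascii"):
        raise ValueError("key type does not match key blob")
    return fields[0], blob


def sshfp_record(host, pubkey_line):
    """Build the SSHFP resource record to publish in a DNSSEC-signed zone."""
    key_type, blob = parse_pubkey(pubkey_line)
    digest = hashlib.sha256(blob).hexdigest()
    return f"{host} IN SSHFP {KEY_ALGS[key_type]} {FP_SHA256} {digest}"


def key_matches_record(pubkey_line, record, dnssec_validated):
    """Client-side check of the key a server presented against the DNS record."""
    if not dnssec_validated:
        return False  # unsigned DNS data proves nothing about the host key
    alg, fp_type, digest = record.split()[-3:]
    key_type, blob = parse_pubkey(pubkey_line)
    if int(alg) != KEY_ALGS[key_type] or int(fp_type) != FP_SHA256:
        return False
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest.lower())


def make_constructed_key(raw32):
    """Constructed sample: an ssh-ed25519 wire-format blob around 32 given bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

On a real host, `ssh-keygen -r <hostname>` prints these records, and the OpenSSH client option `VerifyHostKeyDNS` enables the lookup.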