Security over SONET/SDH

I hope I've gotten the quotations correct...

------------ wrote: ------------

That's why I'm trying to follow up on the original question. Is
there something similar the global public can use to secure their
connections that is not government designed. This is even more
important on microwave shots when security is desired.

:: plenty of standardized RF link-layers support strong encryption.

Ah, thanks. That comment gave me the the search terms I needed,
but I keep seeing sentences like this "Due to the encryption
employed in these products, they are export controlled items and
are regulated by the Bureau of Industry and Security (BIS) of the
U.S. Department of Commerce. They may not be exported or shipped
for re-export to restricted countries..." wheee! :slight_smile:

Yes, however note that the actual number of embargoed countries at this
point is pretty small, and that if you are in a(n) (US) embargoed
country and so inclined you can likely buy such products manufactured
in China by Chinese companies.

Securing the link layer however is not a replacement for an end to end
solution so just because it's protecting the air interface(s) doesn't
really mean somebody not looking at the traffic elsewhere.

Link encryption isn't to protect the contents of the user's
communication. There is no reason for users to trust their
ISP more than a national institution full of people vetted
to the highest level.

What link encryption gets the user is protection from traffic
analysis from parties other than the ISP.

You've seen in the NSA documents how highly they regard this
traffic analysis. I'd fully expect the NSA to collect it by
other means.


Even if your crypto is good enough end to end CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

From Wikipedia

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept-function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers-only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based "soft switches" typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror-ports are
employed to deliver copies of all of a network's data to dedicated IP

Probes can either send directly to the LEA according to the industry
standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a "self-contained" probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as made by
IPFabrics), or a "dumb" probe component plus a mediation device (such as
made by Verint, or they must implement the delivery of correctly formatted
for a named subscriber's data on their own.

Yeah, but I was just thinking through what the original question asked.
After reading his emails over the years, I am assuming he meant in
addition to everything else "What security protocols are folks using to
protect SONET/SDH? At what speeds?"


But the answer appears to be: none. Not Google. Not any public N/ISP.

I now see it quickly devolves into what various governments will allow
its citizenry to do on the internet. :frowning:

With a lot of dithering by folks who have no operational or security
responsibilities at any providers. :frowning:

would they say if they had?