[160959] in North American Network Operators' Group

Re: Network security on multiple levels (was Re: NYT covers China

daemon@ATHENA.MIT.EDU (David Barak)
Wed Feb 20 14:49:11 2013

Date: Wed, 20 Feb 2013 11:48:29 -0800 (PST)
From: David Barak <thegameiam@yahoo.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <236723.6684.1361388122424.JavaMail.root@benjamin.baylink.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

--- On Wed, 2/20/13, Jay Ashworth <jra@baylink.com> wrote:

> ----- Original Message -----
> > From: "Owen DeLong" <owen@delong.com>
> >
> > The DACS question wasn't about DACS owned by the people using the
> > circuit, it was about DACS inside the circuit provider. When you buy a
> > DS1 that goes through more than one CO in between two points, you're
> > virtually guaranteed that it goes through one or more of {DS-3 Mux,
> > Fiber Mux, DACS, etc.}. All of these are under the control of the
> > circuit provider and not you.
>
> Correct, and they expand the attack surface in ways that even many
> network engineers may not consider unless prompted.

This is precisely the value of encryption on point-to-point links, preferably at the link layer rather than at the IP layer.  When coupled with decent end-to-end application-layer encryption on top of that, the value proposition for sniffing traffic from the network drops a whole lot.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com
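As an added illustration of the layering David describes (example code, not part of this post or of any NANOG project), the Go model below builds a toy frame laid out as linkHdr | ipHdr | app, with AES-256-GCM standing in for both a link-layer cipher and an application-layer cipher, and then checks what a keyless passive tap sitting at a provider-side DACS or mux could recover by plain pattern matching. The keys, addresses and request line are constructed sample values; with application-layer encryption alone the tap still learns who is talking to whom, and only link-layer encryption hides that as well.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal is AES-256-GCM with a fresh random nonce prepended: a stand-in for a
// real link-layer (MACsec-style) or application-layer (TLS-style) cipher.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Frame models one unit crossing the provider's DS1 path: a fixed 2-byte link
// header, then the IP header, then the application data. A nil key means no
// encryption at that layer.
func Frame(ipHdr, app, appKey, linkKey []byte) []byte {
	if appKey != nil {
		app = seal(appKey, app) // end-to-end: only the payload is hidden
	}
	inner := append(append([]byte{}, ipHdr...), app...)
	if linkKey != nil {
		inner = seal(linkKey, inner) // hop-by-hop: the IP header is hidden too
	}
	return append([]byte{0xAA, 0xBB}, inner...)
}

// Exposure is what a keyless passive tap at an intermediate DACS or mux can
// recover from the frame by plain pattern matching.
type Exposure struct{ Endpoints, AppData bool }
func Tap(frame, ipHdr, app []byte) Exposure {
	return Exposure{bytes.Contains(frame, ipHdr), bytes.Contains(frame, app)}
}

func main() {
	appKey, linkKey := bytes.Repeat([]byte{7}, 32), bytes.Repeat([]byte{9}, 32) // constructed keys
	ipHdr := []byte{10, 0, 0, 1, 10, 0, 0, 2} // constructed src/dst addresses
	app := []byte("GET /private HTTP/1.1")      // constructed application data
	fmt.Println("app-layer only:", Tap(Frame(ipHdr, app, appKey, nil), ipHdr, app))
	fmt.Println("link + app:    ", Tap(Frame(ipHdr, app, appKey, linkKey), ipHdr, app))
}
```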
