[160970] in North American Network Operators' Group


Re: Network security on multiple levels (was Re: NYT covers China

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Feb 20 20:47:58 2013

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <5125301D.2090905@brightok.net>
Date: Wed, 20 Feb 2013 20:43:45 -0500
To: Jack Bates <jbates@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates@brightok.net> wrote:

> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>>
>> See thread: nanog impossible circuit
>>
>> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
>>
>
> This is especially true with pseudo-wire and mpls. Most of my equipment can filter-based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
>
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them. (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)


		--Steve Bellovin, https://www.cs.columbia.edu/~smb