[167315] in North American Network Operators' Group


Re: Someone’s Been Siphoning Data Through a

daemon@ATHENA.MIT.EDU (Merike Kaeo)
Sun Dec 8 16:47:17 2013

From: Merike Kaeo <merike@doubleshotsecurity.com>
In-Reply-To: <CALgc3C76GCMTOkaz_VE0HRNu9zZdJux=ib=c=sQTooh=dWO7gw@mail.gmail.com>
Date: Sun, 8 Dec 2013 13:46:22 -0800
To: Eugeniu Patrascu <eugen@imacandi.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On Dec 6, 2013, at 11:55 AM, Eugeniu Patrascu <eugen@imacandi.net> wrote:

> On Fri, Dec 6, 2013 at 9:48 PM, Jared Mauch <jared@puck.nether.net> wrote:
>
>>
>> On Dec 6, 2013, at 1:39 PM, Brandon Galbraith <brandon.galbraith@gmail.com>
>> wrote:
>>
>>> If your flows are a target, or your data is of an extremely sensitive
>>> nature (diplomatic, etc), why aren't you moving those bits over
>>> something more private than IP (point to point L2, MPLS)? This doesn't
>>> work for the VoIP target mentioned, but foreign ministries should most
>>> definitely not be trusting encryption alone.
>>
>> I will ruin someone's weekend here, but:
>>
>> MPLS != Encryption.  MPLS VPN = "Stick a label before the still
>> unencrypted IP packet".
>> MPLS doesn't secure your data, you are responsible for keeping it secure
>> on the wire.
>>
>>
> It's always interesting to watch someone's expression when they hear that
> MPLS VPN, even if it says VPN in the name is not encrypted. Priceless every
> time :)

So, just to raise the bar… I had someone once tell me they encrypted everything since they
were using IPsec.  Since I only trust configurations, lo and behold the configuration was
IPsec AH.  As exercise to reader… determine why using IPsec does not automagically equate to
encrypted traffic.

This was only 2 years ago while doing a security assessment for someone.

I greatly dislike the term 'VPN'… always have and always will.   Marketechture is awesome!

- merike
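
The AH case from the message above, as an added example that is not part of the original post or the author's code: it builds a constructed IPv4 packet carrying an IPsec AH header (RFC 4302) and shows that the payload behind it can be read without any key. The function names `build_ah_packet` and `inspect`, the documentation-range addresses, the SPI and the placeholder ICV are all assumptions made for the illustration.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51

def build_ah_packet(inner: bytes, inner_proto: int = IPPROTO_UDP) -> bytes:
    """Constructed sample: IPv4 header + AH (transport mode) + cleartext payload."""
    icv = b"\xaa" * 12                       # placeholder ICV, not a real HMAC
    ah_len = (12 + len(icv)) // 4 - 2        # RFC 4302: length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", inner_proto, ah_len, 0, 0x1000, 1) + icv
    total = 20 + len(ah) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_AH,
                     0,                       # header checksum left at 0 in this sample
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ah + inner

def inspect(packet: bytes) -> dict:
    """Say which IPsec protocol an IPv4 packet uses and what a keyless observer can read."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_AH:
        # AH authenticates the packet but leaves the payload as-is after its header.
        ah_bytes = (body[1] + 2) * 4
        return {"ipsec": "AH", "confidential": False,
                "inner_proto": body[0], "readable": body[ah_bytes:]}
    if proto == IPPROTO_ESP:
        # ESP usually encrypts, but NULL encryption (RFC 2410) is also valid ESP;
        # only the negotiated transform tells you, so the answer here is "unknown".
        return {"ipsec": "ESP", "confidential": None,
                "inner_proto": None, "readable": b""}
    return {"ipsec": None, "confidential": False,
            "inner_proto": proto, "readable": body}

if __name__ == "__main__":
    sample = build_ah_packet(b"constructed cleartext payload")
    print(inspect(sample))
```

For ESP the packet alone does not settle the question, which is why the negotiated transform in the configuration is the thing to check.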
