[liberationtech] Security over SONET/SDH
eugen at leitl.org
Tue Jun 25 04:05:27 PDT 2013
----- Forwarded message from sam at wwcandt.com -----
Date: Tue, 25 Jun 2013 07:56:38 -0400 (EDT)
From: sam at wwcandt.com
To: Glen Turner <gdt at gdt.id.au>
Cc: nanog at nanog.org
Subject: Re: Security over SONET/SDH
Reply-To: sam at wwcandt.com
Even if your crypto is good enough end to end, CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based "soft switches" typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror ports are
employed to deliver copies of all of a network's data to dedicated IP
probes.

Probes can either send directly to the LEA according to the industry
standard delivery formats (cf. ATIS T1.IAS, T1.678v2, et al.), or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a "self-contained" probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as those made by
IPFabrics), or a "dumb" probe component plus a mediation device (such as
those made by Verint), or they must implement the delivery of correctly
formatted data for a named subscriber on their own.
> Link encryption isn't to protect the contents of the user's
> communication. There is no reason for users to trust their
> ISP more than a national institution full of people vetted
> to the highest level.
>
> What link encryption gets the user is protection from traffic
> analysis from parties other than the ISP.
>
> You've seen in the NSA documents how highly they regard this
> traffic analysis. I'd fully expect the NSA to collect it by
> other means.
>
> Glen Turner <http://www.gdt.id.au/~gdt/>
----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5