Network security on multiple levels (was Re: NYT covers China cyberthreat)
Steven Bellovin
smb at cs.columbia.edu
Thu Feb 21 01:43:45 UTC 2013
On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates at brightok.net> wrote:
> On 2/20/2013 1:05 PM, Jon Lewis wrote:
>>
>> See thread: nanog impossible circuit
>>
>> Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
>>
>
> This is especially true with pseudo-wire and MPLS. Most of my equipment can filter-based mirror to alternative MPLS circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
>
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them. (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)
--Steve Bellovin, https://www.cs.columbia.edu/~smb