Vulnerbilities of Interconnection
William B. Norton
wbn at equinix.com
Thu Sep 5 19:04:16 UTC 2002
At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
>This obviously would be a thesis of Equinix and other collo space providers,
>since this is exactly the service that they provide. It won't, hower, be a
>thesis of any major network that either already has a lot of infrastructure
>in place or has to be a network that is supposed to survive a physical
>attack.
Actually, the underlying assumption of this paper is that major networks
already have a large global backbone that need to interconnect in
n-regions. The choice between Direct Circuits and Colo-based cross connects
is discussed and documented with costs and tradeoffs. Surviving a major
attack was not the focus of the paper...but...
When I did this research I asked ISPs how many Exchange Points they felt
were needed in a region. Many said one was sufficient, that they were
resilient across multiple exchange points and transit relationships, and
preferred to engineer their own diversity separate from regional exchanges.
A bunch said that two was the right number, each with different operating
procedures, geographic locations, providers of fiber, etc. , as different
as possible. Folks seemed unanimous about there not being more than two
IXes in a region, that to do so would splinter the peering population.
Bill Woodcock was the exception to this last claim, positing (paraphrasing)
that peering is an local routing optimization and that many inexpensive
(relatively insecured) IXes are acceptable. The loss of any one simply
removes the local routing optimization and that transit is always an
alternative for that traffic.
>
> > A couple physical security considerations came out of that research:
> > 1) Consider that man holes are not always secured, providing access to
> > metro fiber runs, while there is generally greater security within
> > colocation environments
>
>This is all great, except that the same metro fiber runs are used to get
>carriers into the super-secure facility, and, since neither those who
>originate information, nor those who ultimately consume the information are
>located completely within facility, you still have the same problem. If we
>add to it that the diverse fibers tend to aggregate in the basement of the
>building that houses the facility, multiple carriers use the same manholes
>for their diverse fiber and so on.
Fine - we both agree that no transport provider is entirely protected from
physical tampering if its fiber travels through insecure passageways. Note
that some transport capacity into an IX doesn't necessarily travel along
the same path as the metro providers, particularly those IXes located
outside a metro region. There are also a multitude of paths, proportional
to the # of providers still around in the metro area, that provide
alternative paths into the IX. Within an IX therefore is a concentration of
alternative providers, and these alternative providers can be used as
needed in the event of a path cut.
> > 2) It is faster to repair physical disruptions at fewer points, leveraging
> > cutovers to alternative providers present in the collocation IX model, as
> > opposed to the Direct Circuit model where provisioning additional
> > capacities to many end points may take days or months.
>
>This again is great in theory, unless you are talking about someone who
>is planning on taking out the IX not accidently, but deliberately. To
>illustrate this, one just needs to recall the infamous fiber cut in McLean
>in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but
>somehow let a cement truck to pour cement into Verizon's manhole that was
>used by Level(3) and Worldcom.
Terrorists in cement trucks?
Again, it seems more likely and more technically effective to attack
internally than physically. Focus again here on the cost/benefit analysis
from both the provider and disrupter perspective and you will see what I mean.
>Alex
More information about the NANOG
mailing list