Vulnerbilities of Interconnection

Thu Sep 5 19:04:16 UTC 2002

At 02:45 PM 9/5/2002 -0400, alex at yuriev.com wrote:
>This obviously would be a thesis of Equinix and other collo space providers,
>since this is exactly the service that they provide. It won't, hower, be a
>thesis of any major network that either already has a lot of infrastructure
>in place or has to be a network that is supposed to survive a physical
>attack.

Actually, the underlying assumption of this paper is that major networks 
already have a large global backbone that need to interconnect in 
n-regions. The choice between Direct Circuits and Colo-based cross connects 
is discussed and documented with costs and tradeoffs. Surviving a major 
attack was not the focus of the paper...but...

When I did this research I asked ISPs how many Exchange Points they felt 
were needed in a region. Many said one was sufficient, that they were 
resilient across multiple exchange points and transit relationships, and 
preferred to engineer their own diversity separate from regional exchanges. 
A bunch said that two was the right number, each with different operating 
procedures, geographic locations, providers of fiber, etc. , as different 
as possible. Folks seemed unanimous about there not being more than two 
IXes in a region, that to do so would splinter the peering population.

Bill Woodcock was the exception to this last claim, positing (paraphrasing) 
that peering is an local routing optimization and that many inexpensive 
(relatively insecured) IXes are acceptable. The loss of any one simply 
removes the local  routing optimization and that transit is always an 
alternative for that traffic.

>
> > A couple physical security considerations came out of that research:
> > 1) Consider that man holes are not always secured, providing access to
> > metro fiber runs, while there is generally greater security within
> > colocation environments
>
>This is all great, except that the same metro fiber runs are used to get
>carriers into the super-secure facility, and, since neither those who
>originate information, nor those who ultimately consume the information are
>located completely within facility, you still have the same problem.  If we
>add to it that the diverse fibers tend to aggregate in the basement of the
>building that houses the facility, multiple carriers use the same manholes
>for their diverse fiber and so on.

Fine - we both agree that no transport provider is entirely protected from 
physical tampering if its fiber travels through insecure passageways. Note 
that some transport capacity into an IX doesn't necessarily travel along 
the same path as the metro providers, particularly those IXes located 
outside a metro region. There are also a multitude of paths, proportional 
to the # of providers still around in the metro area, that provide 
alternative paths into the IX. Within an IX therefore is a concentration of 
alternative providers,  and these alternative providers can be used as 
needed in the event of a path cut.

> > 2) It is faster to repair physical disruptions at fewer points, leveraging
> > cutovers to alternative providers present in the collocation IX model, as
> > opposed to the Direct Circuit model where provisioning additional
> > capacities to many end points may take days or months.
>
>This again is great in theory, unless you are talking about someone who
>is planning on taking out the IX not accidently, but deliberately. To
>illustrate this, one just needs to recall the infamous fiber cut in McLean
>in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but
>somehow let a cement truck to pour cement into Verizon's manhole that was
>used by Level(3) and Worldcom.

Terrorists in cement trucks?

Again, it seems more likely and more technically effective to attack 
internally than physically. Focus again here on the cost/benefit analysis 
from both the provider and disrupter perspective and you will see what I mean.

>Alex