Security over SONET/SDH

• Previous message (by thread): Security over SONET/SDH
• Next message (by thread): Security over SONET/SDH
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Even if your crypto is good enough end to end CALEA will require you to
hand over the keys and/or put in a backdoor if you have a US nexus.

>From Wikipedia
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

USA telecommunications providers must install new hardware or software, as
well as modify old equipment, so that it doesn't interfere with the
ability of a law enforcement agency (LEA) to perform real-time
surveillance of any telephone or Internet traffic. Modern voice switches
now have this capability built in, yet Internet equipment almost always
requires some kind of intelligent Deep Packet Inspection probe to get the
job done. In both cases, the intercept-function must single out a
subscriber named in a warrant for intercept and then immediately send some
(headers-only) or all (full content) of the intercepted data to an LEA.
The LEA will then process this data with analysis software that is
specialized towards criminal investigations.

All traditional voice switches on the U.S. market today have the CALEA
intercept feature built in. The IP-based "soft switches" typically do not
contain a built-in CALEA intercept feature; and other IP-transport
elements (routers, switches, access multiplexers) almost always delegate
the CALEA function to elements dedicated to inspecting and intercepting
traffic. In such cases, hardware taps or switch/router mirror-ports are
employed to deliver copies of all of a network's data to dedicated IP
probes.

Probes can either send directly to the LEA according to the industry
standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they
can deliver to an intermediate element called a mediation device, where
the mediation device does the formatting and communication of the data to
the LEA. A probe that can send the correctly formatted data to the LEA is
called a "self-contained" probe.

In order to be compliant, IP-based service providers (Broadband, Cable,
VoIP) must choose either a self-contained probe (such as made by
IPFabrics), or a "dumb" probe component plus a mediation device (such as
made by Verint, or they must implement the delivery of correctly formatted
for a named subscriber's data on their own.


>
> Link encryption isn't to protect the contents of the user's
> communication. There is no reason for users to trust their
> ISP more than a national institution full of people vetted
> to the highest level.
>
> What link encryption gets the user is protection from traffic
> analysis from parties other than the ISP.
>
> You've seen in the NSA documents how highly they regard this
> traffic analysis. I'd fully expect the NSA to collect it by
> other means.
>
> -glen
>
> --
> Glen Turner <http://www.gdt.id.au/~gdt/>
>

• Previous message (by thread): Security over SONET/SDH
• Next message (by thread): Security over SONET/SDH
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]