Back to the topic at hand, I'm sure they do policy updates via whatever channel they are receiving data. It's very common to just have a single out-of-band reporting/management link.
True, this is probably how it is done. Would IPsec or some NSA-built auth & privacy at layer 2 be more likely?
Well, how out of band? Do you mean the management VPN (or whatever) doesn't travel with the actual grabbed traffic? (Frankly, this would be my first candidate.) Of course, they could do it via SONET overhead bytes, thus avoiding the flakiness and vulnerability that routers and switches still seem to have. One wonders too if they do anything with SS7. Of course, they could have a dedicated fiber for their management LAN, but due to latency issues &c I would suspect that can't be a LAN all the way across the country...they've got to long-haul the management traffic somehow, which implies packing it into a 100BaseT or whatever and then shipping that out either packed in SONET or with other circuit-switched traffic. Or of course, they might just have their management on something like STS-3c POS, and the rest of their OC-48/192 carries real traffic. Anyone know what telecom vendor NSA uses? -TD