Many DSL modems contain a small switch, which if it's the only switch in a small home or office network, would make all packets among local nodes accessible to malware running in that DSL modem.
And most DSL modems are provided by your giant telco DSL provider -- such as AT&T -- which we already know has a long history of covertly sucking up to NSA. Besides their longstanding cooperation on domestic and foreign fiber taps, they also produced the first-and-only Clipper Chip subverted "telephone security device" for making voice calls that "nobody but NSA" could listen to. How hard would it be, really, for them to subvert all their DSL modems to wiretap your LAN? And how would you know if they had done so?

It's so convenient that all AT&T DSL modems have a high bandwidth upstream connection to AT&T's central office switches. And even better that consumers have no idea what packets are going up and down over that DSL signalling, because they have no equipment for monitoring raw 2-wire DSL lines (the way they could fairly easily detect inappropriate packets traveling on an Ethernet, with a little free software and a little replugging of Ethernet equipment). Your DSL modem could be doing its main job (carrying your external Internet traffic) using whatever fraction of the available bandwidth that requires in each millisecond, and using any spare capacity on the DSL wire to mirror a select fraction, or all, of your local LAN traffic up to the central office switch. The switch would nominally discard this 'filler traffic' -- but AT&T would be able to copy it to NSA upon request, either by individual targeting of particular customers, or wholesale. In the better subverted DSL modems, the filler/tap traffic would be fully encrypted between the modem and the switch, so that even if you got professional equipment for monitoring the DSL wire back to the central office, all you would see is 'random' filler packets all the time.

Suppose AT&T and NSA really had no interest in doing this to you -- unlikely, I know -- but the Chinese manufacturers of DSL modems did have such an interest?
The threat model is very similar, except the Chinese would have to subvert the AT&T central office switches covertly, without AT&T's willing cooperation, to extract your LAN traffic from them.

You can guard against this threat by only plugging one Ethernet jack into your DSL modem, and having that lead directly to a Linux or BSD gateway box that is under your own control. That way, the DSL modem has no physical access to the rest of your LAN, and you can monitor the upstream Ethernet to make sure that the only packets going to the DSL modem are those that you intended to go upstream.

John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
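The monitoring step at the end of the post (watching the single Ethernet cable between your own gateway and the DSL modem, and confirming that nothing appears there except traffic you meant to send upstream) can be turned into a concrete audit. The following is an added example, not code from the original post or from any product it mentions. It assumes a gateway that NATs the whole LAN to one WAN address; the MAC addresses, the WAN address, the LAN prefix and the sample frames are constructed placeholders. A frame on that link is flagged if it comes from a station other than the gateway or the modem, if it carries a LAN-internal address in either direction, if the gateway emits anything not sourced from the WAN address, or if the modem hands back anything not addressed to the WAN address.

```python
"""Audit frames captured on the single Ethernet link between a
self-controlled gateway and the DSL modem.

Added example, not from the original post. Every address below and the
sample capture are constructed placeholders for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


GATEWAY_MAC = "02:00:00:00:00:01"                  # assumed: gateway's upstream NIC
MODEM_MAC = "02:00:00:00:00:02"                    # assumed: DSL modem's Ethernet port
WAN_IP = ipaddress.ip_address("198.51.100.7")      # assumed: address the gateway NATs to
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed: private LAN behind the gateway


def audit_frame(f):
    """Return the reasons this frame does not belong on the upstream link
    (an empty list means the frame looks like intended upstream traffic)."""
    src_ip = ipaddress.ip_address(f.src_ip)
    dst_ip = ipaddress.ip_address(f.dst_ip)
    reasons = []
    # Only two stations should ever transmit on this cable.
    if f.src_mac not in (GATEWAY_MAC, MODEM_MAC):
        reasons.append("foreign station %s transmitting on upstream link" % f.src_mac)
    # After NAT at the gateway, no LAN-internal address should appear in either direction.
    if src_ip in LAN_NET or dst_ip in LAN_NET:
        reasons.append("LAN address leaked upstream (%s -> %s)" % (src_ip, dst_ip))
    # Everything the gateway sends upstream must carry the WAN source address.
    if f.src_mac == GATEWAY_MAC and src_ip != WAN_IP:
        reasons.append("gateway sent non-WAN source %s" % src_ip)
    # Everything the modem hands back must be addressed to the gateway's WAN address.
    if f.src_mac == MODEM_MAC and dst_ip != WAN_IP:
        reasons.append("modem delivered packet for %s, not our WAN address" % dst_ip)
    return reasons


def audit_upstream(frames):
    """Return [(index, reasons)] for every frame failing at least one check."""
    findings = []
    for i, f in enumerate(frames):
        reasons = audit_frame(f)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample capture (not real traffic).
SAMPLE_FRAMES = [
    Frame(GATEWAY_MAC, MODEM_MAC, "198.51.100.7", "203.0.113.5"),   # normal NAT'd outbound packet
    Frame(MODEM_MAC, GATEWAY_MAC, "203.0.113.5", "198.51.100.7"),   # normal inbound reply
    Frame("02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff",
          "192.168.1.20", "192.168.1.255"),                         # LAN host wrongly plugged into the modem's switch
    Frame(GATEWAY_MAC, MODEM_MAC, "192.168.1.1", "203.0.113.5"),    # gateway leaked an un-NATed packet
]

if __name__ == "__main__":
    for i, reasons in audit_upstream(SAMPLE_FRAMES):
        print("frame %d: %s" % (i, "; ".join(reasons)))
```

On a real gateway the `Frame` records would be built from a capture on the upstream interface (for example by parsing the link-layer output of `tcpdump -e -nn` on that interface) rather than from the constructed list. Two things need attention before trusting the result: the modem's own management traffic (a web UI on a private address, DHCP from the modem) would have to be allowlisted explicitly rather than silently accepted, and non-IP frames such as PPPoE session traffic are not covered by the IP-level checks above and would need their own rule.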