private fiber security, large IPsec deployments [was: PRISM too much trouble? Get MUSCULAR]
On Wed, Oct 30, 2013 at 11:35 AM, Gregory Foster <gfoster@entersection.org> wrote:
> ... According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks ... The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers...
encryption between sites would eliminate the risk above on private fiber. you can easily accomplish this today via various means. (some businesses already VPN over private dedicated fiber)

if you wanted to protect every host in every data center end-to-end would you go with IPsec or OpenVPN or other?

what is the largest IPsec deployment on record? (transport, not tunnel mode)

how would you handle key management / key exchange for such a system?
On Wed, Oct 30, 2013 at 10:55 PM, coderman <coderman@gmail.com> wrote:
> On Wed, Oct 30, 2013 at 11:35 AM, Gregory Foster <gfoster@entersection.org> wrote:
> > ... According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks ... The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers...
>
> encryption between sites would eliminate the risk above on private fiber. you can easily accomplish this today via various means. (some businesses already VPN over private dedicated fiber)
>
> if you wanted to protect every host in every data center end-to-end would you go with IPsec or OpenVPN or other?
>
> what is the largest IPsec deployment on record? (transport, not tunnel mode)
>
> how would you handle key management / key exchange for such a system?
Post the above to nanog. Anyone can put 10G NICs in router PCs and easily pass more than 1G. But big fiber links are 10/40/100G per wave. You'd need some very fast ASIC link encryptors for that, or offload it to your hosts doing IPsec between your cages/DCs. Yahoo, Google, etc. may peer, but they almost certainly don't own the fiber they do it over; the tier-n's they buy from do, or the raw fiber providers do. Though they can often attach leased fiber direct to their shelves. These questions are a bit mixed into different areas. You're either talking about bandwidth consumers trying to encrypt, or the bandwidth providers getting together to encrypt their backbones. Very different things.
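As an added illustration of the host-based option raised in both posts above (transport-mode IPsec on every host, keyed by IKEv2 rather than manual keys), here is a strongSwan swanctl.conf fragment for one host in a fleet; it is not from the thread or from any named deployment. It assumes strongSwan 5.x with swanctl, an internal fleet CA that issues one certificate per host, and the hypothetical address ranges, hostnames and file names shown.

```conf
# Added example (not from the thread). One host's swanctl.conf: every host in
# every data center carries the same connection block with its own cert.
# Addresses, names and file names are assumptions for illustration.
connections {
    dc-mesh {
        version = 2                         # IKEv2 only; no IKEv1 fallback
        local_addrs  = 10.1.0.0/16          # this DC's host range (assumed)
        remote_addrs = 10.0.0.0/8           # any host in any DC (assumed)
        # IKE proposal: AEAD cipher, PRF and ECDH group. No pre-shared keys.
        proposals = aes256gcm16-prfsha384-x25519
        local {
            auth  = pubkey
            certs = host-dc1-0042.pem       # per-host cert from the fleet CA (assumed)
            id    = host-dc1-0042.internal.example
        }
        remote {
            auth    = pubkey
            cacerts = fleet-ca.pem          # peers must present a cert chained to this CA
        }
        children {
            host-to-host {
                mode = transport            # ESP transport mode: IP header kept, payload encrypted
                esp_proposals = aes256gcm16-x25519   # DH group here gives PFS on CHILD_SA rekey
                start_action = trap         # trap policy: first packet to a peer triggers IKE
                local_ts  = 10.1.0.0/16
                remote_ts = 10.0.0.0/8
                rekey_time = 1h             # fresh ESP keys hourly
                dpd_action = trap           # on dead peer, drop SA and re-trap
            }
        }
    }
}
```

Key exchange is then per host pair via IKEv2 with certificate authentication, so "key management" reduces to running the fleet CA: issuing, rotating and revoking per-host certificates. Note that the remote side is not pinned to an `id`, so any certificate chained to the fleet CA is accepted; a deployment that needs tighter peer scoping would constrain `remote.id` or use `cert_policy`.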