[IP] EFF: Secret Surveillance Evidence Unsealed in AT&T Spying Ca
Tyler Durden
camera_lumina at hotmail.com
Thu Jun 14 13:38:09 PDT 2007
>>Another thing worth thinking about is the control channels they must use
>>to update the policies to one of these boxes. It's obviously in-band. One
>>wonders if one could tap one of the fibers and find the packet stream they
>>use to program one of these things.
>
>What makes you say this? I'd be surprised if the control channel is
>pulled from the monitored flows. You need bidirectional transport,
>for control and backhaul, among other reasons.
>
>maybe we'll find out when congress/judiciary orders the devices
>removed? *cough*
Hum...it's interesting to think about this. I assumed the control channel
would be in-band for several reasons, all of which may be wrong.
Let me first clarify, in case it wasn't clear: I'm talking about
downloading the policies that will 'program' what the Narus box looks at and
how it will respond. The Narus box itself likely needs its own control
channel to upgrade its own software and do OAM&P, and this will probably be
over the SONET DCC overhead. But the policies themselves, I think, could be in
band. Consider:
1) The Narus box already does layer 4: Since it's already opening up the
STS-Nc container and reading the packets, seems trivial for them to grab
their own control stream out of that.
2) Depending on the architecture, if the packets are in-band then they don't
need to worry about getting their control channel terminated by putting it
into SONET overhead. Of course, the path overhead might actually survive
untouched the whole way, but that would prevent them from terminating at an
intermediate router (which they might want the option to do, so as to prevent
backhauling a whole nation's worth of traffic).
3) Although not a BIG deal, if they used SONET overhead they would have to
put their channel into unused overhead bytes. Some chipsets do that, but
it's a constraint better avoided for various reasons (including rare
interoperability issues if someone else along the way is using the same
bytes for something).
I don't understand the comment about bidirectional transport...this is
necessary anyway, no? At least the DCC of SONET NEs need bidirectional or
the SONET router (yes, there's a tiny OSI router inside SONET NEs) will
declare the DCC down. Or maybe I misunderstand you...
Of course, some of these considerations go away somewhat if NSA simply
backhauls all the traffic over a proprietary coast-to-coast optical network,
which is not inconceivable.
-TD
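Added example, not part of the post above and not anything from the poster or from Narus: the message argues about where a control channel could live, in the SONET section/line DCC overhead (D1-D3, D4-D12), in the path overhead that may survive end to end, or in-band inside the STS-Nc packet payload. The script below builds a synthetic STS-1 frame (constructed data, not a capture) with the standard 9x90 layout and pulls those byte positions back out, so the bandwidth and location of each candidate channel is concrete. Assumptions: byte names follow the usual GR-253/T1.105 numbering, the H1/H2 pointer is honoured but a single frame is treated cyclically, as it would look in a steady stream of identical frames, and nothing here says what any real interception box does with these bytes.

```python
"""Locate SONET STS-1 overhead bytes: section DCC, line DCC, pointer, path overhead.

Added illustration for the thread above; constructed frame, no real capture.
Layout: 9 rows x 90 columns, 8000 frames/s. Columns 0-2 of each row are
transport overhead (section overhead rows 0-2, line overhead rows 3-8).
Columns 3-89 carry the synchronous payload envelope (SPE), whose first
column holds the path overhead starting at J1, located by the H1/H2 pointer.
"""

ROWS, COLS, TOH_COLS = 9, 90, 3
PAYLOAD_COLS = COLS - TOH_COLS          # 87 payload columns per row
SPE_BYTES = ROWS * PAYLOAD_COLS         # 783 bytes of SPE per frame
FRAMES_PER_SECOND = 8000

# Transport overhead byte names, row by row, first three columns.
TOH_NAMES = [
    ["A1", "A2", "J0"],
    ["B1", "E1", "F1"],
    ["D1", "D2", "D3"],     # section DCC: 3 bytes/frame = 192 kbit/s
    ["H1", "H2", "H3"],     # payload pointer
    ["B2", "K1", "K2"],
    ["D4", "D5", "D6"],     # line DCC: D4-D12, 9 bytes/frame = 576 kbit/s
    ["D7", "D8", "D9"],
    ["D10", "D11", "D12"],
    ["S1", "M0", "E2"],
]
# Path overhead byte names, one per row of the SPE's first column, starting at J1.
POH_NAMES = ["J1", "B3", "C2", "G1", "F2", "H4", "Z3", "Z4", "Z5"]


def _toh_pos(name):
    """Byte offset of a transport overhead byte within the 810-byte frame."""
    for row, names in enumerate(TOH_NAMES):
        if name in names:
            return row * COLS + names.index(name)
    raise KeyError(name)


def _poh_positions(ptr):
    """Frame offsets of J1..Z5 for a pointer value (SPE byte 0 follows H3 in row 3).

    Simplification (assumption): offsets wrap within this one frame, which is
    what a steady stream of identical frames would look like.
    """
    start = 3 * PAYLOAD_COLS + ptr
    positions = []
    for k in range(ROWS):
        idx = (start + k * PAYLOAD_COLS) % SPE_BYTES
        row, off = divmod(idx, PAYLOAD_COLS)
        positions.append(row * COLS + TOH_COLS + off)
    return positions


def build_frame(section_dcc, line_dcc, poh, ptr=0, fill=0xAA):
    """Construct a synthetic STS-1 frame with the given DCC and path overhead bytes."""
    if len(section_dcc) != 3 or len(line_dcc) != 9 or len(poh) != 9:
        raise ValueError("section DCC is 3 bytes; line DCC and path overhead are 9 bytes each")
    if not 0 <= ptr < SPE_BYTES:
        raise ValueError("pointer out of range")
    frame = bytearray([fill]) * (ROWS * COLS)
    frame[_toh_pos("A1")], frame[_toh_pos("A2")] = 0xF6, 0x28   # framing pattern
    frame[_toh_pos("H1")] = 0x60 | (ptr >> 8)                    # NDF=0110, SS=00, pointer bits 9-8
    frame[_toh_pos("H2")] = ptr & 0xFF
    for name, b in zip(["D1", "D2", "D3"], section_dcc):
        frame[_toh_pos(name)] = b
    for name, b in zip([f"D{i}" for i in range(4, 13)], line_dcc):
        frame[_toh_pos(name)] = b
    for pos, b in zip(_poh_positions(ptr), poh):
        frame[pos] = b
    return bytes(frame)


def transport_overhead(frame):
    """All named transport overhead bytes; shows which bytes a proprietary channel could squat on."""
    return {name: frame[_toh_pos(name)] for row in TOH_NAMES for name in row}


def section_dcc(frame):
    return bytes(frame[_toh_pos(n)] for n in ("D1", "D2", "D3"))


def line_dcc(frame):
    return bytes(frame[_toh_pos(f"D{i}")] for i in range(4, 13))


def pointer(frame):
    return ((frame[_toh_pos("H1")] & 0x03) << 8) | frame[_toh_pos("H2")]


def path_overhead(frame):
    """J1..Z5 located through the pointer, i.e. the bytes that ride with the SPE end to end."""
    return dict(zip(POH_NAMES, (frame[p] for p in _poh_positions(pointer(frame)))))


def dcc_bandwidth_bps(nbytes_per_frame):
    return nbytes_per_frame * 8 * FRAMES_PER_SECOND


if __name__ == "__main__":
    # Constructed contents: HDLC idle flags on the section DCC, a counter on the
    # line DCC, and C2 = 0x16 (PPP/HDLC framing, the packet-over-SONET label).
    f = build_frame(b"\x7e\x7e\x7e", bytes(range(1, 10)),
                    bytes([0x01, 0x00, 0x16, 0, 0, 0, 0, 0, 0]))
    print("section DCC", section_dcc(f).hex(), dcc_bandwidth_bps(3), "bit/s")
    print("line DCC   ", line_dcc(f).hex(), dcc_bandwidth_bps(9), "bit/s")
    print("pointer", pointer(f), "path overhead", path_overhead(f))
```

Running it prints the two DCC rates (192 kbit/s and 576 kbit/s) next to the bytes found at D1-D3 and D4-D12, and the path overhead recovered through the pointer; the point is how little capacity the overhead channels have compared with the STS-Nc payload itself, which is one reason a policy download could plausibly be pushed in-band.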