[IP] EFF: Secret Surveillance Evidence Unsealed in AT&T Spying Ca

Tyler Durden camera_lumina at hotmail.com
Thu Jun 14 13:38:09 PDT 2007


>>Another thing worth thinking about is the control channels they must use to
>>update the policies to one of these boxes. It's obviously in-band. One
>>wonders if one could tap one of the fibers and find the packet stream they
>>use to program one of these things.
>
>what makes you say this?  i'd be surprised if the control channel is
>pulled from the monitored flows.  you need bi directional transport,
>for control and backhaul, among other reasons.
>
>maybe we'll find out when congress/judiciary orders the devices
>removed?  *cough*

Hum...it's interesting to think about this. I assumed the control channel 
would be in-band for several reasons, all of which may be wrong.

Let me first clarify, in case it wasn't clear: I'm talking about 
downloading the policies that will 'program' what the Narus box looks at and 
how it will respond. The Narus box itself likely needs its own control 
channel to upgrade its own software and do OAM&P, and this will probably be 
over the SONET DCC overhead. But the policies themselves, I think, could be in 
band. Consider:

1) The Narus box already does layer 4: Since it's already opening up the 
STS-Nc container and reading the packets, seems trivial for them to grab 
their own control stream out of that.
2) Depending on the architecture, if the packets are in-band then they don't 
need to worry about getting their control channel terminated by putting it 
into SONET overhead. Of course, the path overhead might actually survive 
untouched the whole way, but that would prevent them from terminating at an 
intermediate router (which they might want the option to do so as to prevent 
backhauling a whole nation's worth of traffic).
3) Although not a BIG deal, if they used SONET overhead they would have to 
put their channel into unused overhead bytes. Some chipsets do that, but 
it's a constraint better avoided for various reasons (including rare 
interoperability issues if someone else along the way is using the same 
bytes for something).

I don't understand the comment about bidirectional transport...this is 
necessary anyway, no? At least the DCC of SONET NEs need bidirectional or 
the SONET router (yes, there's a tiny OSI router inside SONET SEs) will 
declare the DCC down. Or maybe I misunderstand you...

Of course, some of these considerations go away somewhat if NSA simply 
backhauls all the traffic over a proprietary coast-to-coast optical network, 
which is not inconceivable.

-TD






More information about the cypherpunks-legacy mailing list