NS&AT&T

Tyler Durden camera_lumina at hotmail.com
Wed May 17 09:22:31 PDT 2006


I'd bet by the time this post reaches the list most Cypherpunks &c will have 
already seen the string of information posted on Wired and other places, 
about AT&T's network. This is a level of detail that I strongly suspect has 
NSA folks shitting bricks:

http://www.wired.com/news/technology/0,70908-0.html?tw=wn_index_2


Here's an interesting quote:

> One of the documents appears to describe AT&T's successful efforts to tap 
> into 16 fiber-optic cables connecting the company's WorldNet internet 
> backbone to other internet service providers. The document shows AT&T 
> technicians phasing in fiber-optic splitters throughout February 2003, 
> cutting them in four at a time on a weekly schedule, ending with a link 
> to Mae West, an internet exchange point for West Coast traffic.

Now this is REALLY interesting:

http://blog.wired.com/images/nsadocs2_f.jpg

OK, this means the 16 fibers mentioned above are single wavelength. From 
this document we can also view what the actual bandwidths are: OC-12s and 
OC-48s, a couple of OC-3s and no OC-192s. Now I don't see any documentation 
stating that there isn't more than this going into the room. The "four 
splitters at a time" almost certainly implies that this traffic is coming 
off a 4-fiber BLSR (most likely, too, NSA worked with the other carriers to 
move the traffic to protect prior to installing the splitters).*

Theoretically, they could actually just backhaul all of this traffic using 
pretty ordinary 16 wavelength WDM from any number of vendors. Getting that 
cross-country is difficult, but with ULH (Ultra Long Haul) this could be 
done with a relative minimum of repeater/amplifier sites. If they pre-sort 
the traffic before backhauling it they could then actually just buy a 
wavelength on AT&T's backbone, which has some nice features to it (I'd bet 
they also have their own encryption used for the entire wavelength pipe, 
though I could be wrong).

The pinch point here just might actually be the deep packet inspection. Does 
anyone know what kind of bandwidth the Narus boxes can support?

What this will do is give us an idea of how much traffic they are actually 
taking back. From our discussions some months ago, I have assumed (and still 
believe) that they can't grab EVERYTHING and pull it back, because that 
would require too obvious and too huge a network. My other assumption is 
that the Narus deep packet inspection is enforcing a prioritization prior to 
hockeying the most "juicy" traffic into their fiber or wavelengths.

*: They would have first told the owner/carrier of one of those OC-N pipes 
to force a switch to protection bandwidth while they installed the 
splitters, and then switch back once the splitters were installed. It LOOKS 
like they did this ring-by-ring, diverting traffic away from the "break" and 
then installing splitters on all four fibers terminating across the break.
