[4357] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Newsnight Crypto Bazaar

daemon@ATHENA.MIT.EDU (Dave Emery)
Thu Mar 18 23:06:00 1999

Date: Thu, 18 Mar 1999 20:02:16 -0500
From: Dave Emery <die@die.com>
To: Bill Manning <bmanning@ISI.EDU>
Cc: cryptography@c2.net
Reply-To: die@die.com
Mail-Followup-To: Bill Manning <bmanning@ISI.EDU>, cryptography@c2.net
In-Reply-To: <199903182225.OAA19586@boreas.isi.edu>; from Bill Manning on Thu, Mar 18, 1999 at 02:25:15PM -0800

On Thu, Mar 18, 1999 at 02:25:15PM -0800, Bill Manning wrote:
> 
> 	I find this an interesting statement as I run an IXP and
> 	am pretty intimate with the design/construction of most
> 	of the popular public IXPs.

	Can you state unequivocally that your IXP does not in any way
support national security monitoring of, or access to traffic ?   What
if any precautions have you taken to ensure that there are no 
sophisticated penetrations of your routers or high speed digital (DACS)
circuit switching facilities that control circuits going in and out of
your facility ?   Have you carefully audited the traffic on each and
every digital circuit  into and out of your installation to be sure that
only traffic supposed to be going out the circuit really is ? Has this
audit taken place at the raw fiber interfaces where you can be confident
that you really do know what bits are flowing in and out ?   Have you
accounted for all IP packets (and ATM cells) flowing on those interfaces
including those apparently encrypted ?

	And are there a small number of fiber circuits going into and
out of your facility that if tapped would allow someone access to
virtually all the traffic transiting your facility ?   I can well
imagine that for some IXPs there might actually be rather few distinct
physically separate fiber paths into and out of the facility which
actually carry all the circuits you route between multiplexed together. 
It is even conceivable that this number might be as low as two or three
or even one depending on how the local telco engineered the physical
fiber links.  A single fiber has very large capacity after all... and it
is quite usual to combine a whole bunch of unrelated logical circuits on
one physical facility...

-- 
	Dave Emery N1PRE,  die@die.com  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18
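The questions above amount to a per-circuit traffic accounting check: does every flow on a given circuit belong to the peers that circuit is supposed to carry, and do the bytes seen in flow records add up to what the interface counter reports? The following is an added example written for this archive page, not code from the thread or from any IXP operator. It assumes hypothetical circuit names (`circ-A`, `circ-B`), a constructed prefix policy per circuit, constructed interface byte counters, and constructed flow records; in practice the policy would come from peering records and the counters and flows from the switch and a flow collector.

```python
"""Per-circuit traffic accounting audit (added example, not from the thread).

Hypothetical assumptions: each circuit into the exchange has a list of
prefixes that are expected to appear on it, an interface byte counter read
from the switch, and a set of flow records collected on that circuit.
A flow whose source or destination falls outside the expected prefixes,
or bytes on the counter that no flow record explains, is what the audit
flags for a human to look at.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    circuit: str
    src: str
    dst: str
    nbytes: int


# Constructed policy: which prefixes are expected on each circuit.
EXPECTED_PREFIXES = {
    "circ-A": ["192.0.2.0/24", "198.51.100.0/24"],
    "circ-B": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed interface byte counters, as if read from the switch.
INTERFACE_BYTES = {"circ-A": 5000, "circ-B": 9000}

# Constructed flow records; the last one carries a destination that no
# peer on circ-B is expected to exchange traffic with.
SAMPLE_FLOWS = [
    Flow("circ-A", "192.0.2.10", "198.51.100.7", 3000),
    Flow("circ-A", "192.0.2.11", "198.51.100.8", 2000),
    Flow("circ-B", "203.0.113.5", "198.51.100.7", 4000),
    Flow("circ-B", "203.0.113.6", "100.64.0.9", 1000),
]


def _networks(prefixes):
    """Parse textual prefixes into ip_network objects once per audit."""
    return [ipaddress.ip_network(p) for p in prefixes]


def _permitted(addr, nets):
    """True when addr lies inside at least one expected prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def audit_circuit(circuit, flows, expected=EXPECTED_PREFIXES,
                  counters=INTERFACE_BYTES):
    """Return unexpected flows and unaccounted bytes for one circuit.

    unexpected_flows: flows whose src or dst is outside the circuit's policy.
    unaccounted_bytes: interface counter minus bytes explained by flow records;
    a large positive value means traffic crossed the circuit that the flow
    collector never saw (or a counter/collector mismatch worth explaining).
    """
    nets = _networks(expected[circuit])
    unexpected = []
    seen_bytes = 0
    for f in flows:
        if f.circuit != circuit:
            continue
        seen_bytes += f.nbytes
        if not (_permitted(f.src, nets) and _permitted(f.dst, nets)):
            unexpected.append(f)
    return {
        "unexpected_flows": unexpected,
        "unaccounted_bytes": counters[circuit] - seen_bytes,
    }


def audit_all(flows, expected=EXPECTED_PREFIXES, counters=INTERFACE_BYTES):
    """Run the audit over every circuit in the policy."""
    return {c: audit_circuit(c, flows, expected, counters) for c in expected}


if __name__ == "__main__":
    for circuit, result in audit_all(SAMPLE_FLOWS).items():
        print(circuit, "unaccounted bytes:", result["unaccounted_bytes"])
        for f in result["unexpected_flows"]:
            print("  unexpected:", f.src, "->", f.dst, f.nbytes, "bytes")
```

On the constructed data, `circ-A` reconciles exactly, while `circ-B` shows one flow to an address outside any expected prefix and 4000 bytes on the interface counter that no flow record explains. The check only covers the IP layer the collector can see; the fiber-level and multiplexing concerns in the message need the physical audit it describes, which no flow analysis can replace.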