On Oct 16, 2013, at 5:21 PM, Mark Atwood <m...@mark.atwood.name> wrote:

> | One reason is that these e-mail access protocols are used in
> | enterprise environment where passive wiretapping often not
> | considered a viable attack. Internal to the enterprise net there
> | is usually a perception of adequate physical security.
> 
> I have discovered, in the last couple of months of investigation, to
> my disappointment and horror, that many many very large IT shops in
> the US that are doing telecoms between their various offices and
> datacenters, do not encrypt.  Large telecoms users typically use MPLS
> or telco provided "dark fiber".  Cleartext.  No encryption.  Not at
> the wireline layer, not at the packet layer, and not at the
> application layer.
> 
> The statement I get back when I have been investigating this has
> always been along the lines of "it's OUR glass" / "it's OUR circuit",
> "it makes doing packet tracing and intrusion detection harder" (that
> one makes me headdesk hard), "why should we be afraid of our telco
> partner?", and "just because Google is doing it doesn't mean it's
> useful to us".
> 
> I am working hard to assume ignorance and pollyanna-ism, instead of
> malice and NSA-suborn-ism on the part of the CTOs and their security
> people.
> 
> But anyway, that means that corporate use of Outlook & Exchange, Lync,
> SAML, Intranet HTTP, SIP, remote file stores, IMAP & SMTP, remote
> database access, remote backup, and internal customer and financial
> records are completely transparent to the NSA, and to most every other
> major spook agency in the world.  The NSA probably has a better view
> into the second by second status of the health and wealth of the US
> and world economy than any of the financial regulators.

MPLS VPN is more virtually private, not virtual private. If you consider that 
the functional equivalent of your own wavelength or your own glass, then maybe 
it's good enough for your purposes. From my vantage point, none of those things 
are the tautological equivalent of an IPsec VPN.

Wire-speed link-layer encryption is rather expensive at the feeds and speeds of 
modern routers. IP layer encapsulation in a CE router in an MPLS hand-off is an 
expensive place to put it, since that encryption complex is going on an ASIC in 
the forwarding path. For relatively slow links lots of these things are doable 
in a software forwarding engine… for 16 x 10Gb/s it's going to cost you.

Operators and their customers make tradeoffs all the time; this is one of them.

http://www.safenet-inc.com/products/data-protection/network-wan-encryption/ethernet-encryption/

> 
> ..m

_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
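The point made in the reply above, that an MPLS label stack separates traffic but does not hide it from a passive tap on the provider circuit, shown as an added example that is not part of this thread: a small Python parser walks the Ethernet, MPLS shim and IPv4 headers of two constructed frames and reports what a tap could read. Addresses, label values, the IMAP login and the ESP blob are all constructed for the demo.

```python
import struct

ETHERTYPE_MPLS = 0x8847
IPPROTO_TCP = 6
IPPROTO_ESP = 50

def pop_mpls_stack(data):
    """Walk 4-byte MPLS entries until the bottom-of-stack (S) bit is set.
    Returns (labels, bytes after the label stack)."""
    labels, off = [], 0
    while True:
        entry, = struct.unpack_from("!I", data, off)
        labels.append(entry >> 12)          # top 20 bits: the label
        off += 4
        if (entry >> 8) & 1:                # S bit: last entry in the stack
            return labels, data[off:]

def inspect_frame(frame):
    """Ethernet -> MPLS -> IPv4: report what a tap on the link sees.
    Labels route the packet; they do nothing to the payload behind them."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS:
        raise ValueError("not an MPLS-labelled frame")
    labels, pkt = pop_mpls_stack(frame[14:])
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    res = {"labels": labels, "proto": proto,
           "src": ".".join(map(str, pkt[12:16])),
           "dst": ".".join(map(str, pkt[16:20]))}
    if proto == IPPROTO_TCP:                # bare TCP: application data readable
        res["cleartext"] = True
        res["payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == IPPROTO_ESP:              # IPsec ESP: only SPI/seq visible
        res["cleartext"] = False
        res["spi"] = struct.unpack_from("!I", l4, 0)[0]
    return res

def mpls_frame(label, ip_proto, l4_bytes):
    """Build a constructed Ethernet + single-label MPLS + IPv4 frame."""
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + struct.pack("!H", ETHERTYPE_MPLS)
    shim = struct.pack("!I", (label << 12) | (1 << 8) | 64)   # S=1, TTL=64
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0, 64,
                     ip_proto, 0, bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    return eth + shim + ip + l4_bytes

# Constructed samples: an IMAP login carried bare over the MPLS circuit,
# and a packet of the same flow wrapped in IPsec ESP (constructed SPI/ciphertext).
TCP_IMAP = struct.pack("!HHIIBBHHH", 51000, 143, 1, 1, 5 << 4, 0x18, 8192, 0, 0) \
    + b"a1 LOGIN alice hunter2\r\n"
ESP_BLOB = struct.pack("!II", 0x1234ABCD, 7) + bytes(range(32))
CLEAR = inspect_frame(mpls_frame(1001, IPPROTO_TCP, TCP_IMAP))
PROTECTED = inspect_frame(mpls_frame(1001, IPPROTO_ESP, ESP_BLOB))
```

Both frames carry the same label, source and destination; only the ESP-wrapped one leaves the tap with nothing but an SPI and a sequence number.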