[Mesh] NSA and OpenWRT

Steve Berl steveberl at gmail.com
Fri Dec 6 10:29:07 PST 2013


I was at Cisco when both TR-69 and CALEA support were active topics of
discussion and development.

CALEA support was required of us in order to sell equipment to all the big
Telco companies, because governments required those companies to allow law
enforcement to do local intercept. It was never part of any consumer or
small business router or switch. It only went into the big routers and
switches that go into big central offices.

TR-69 came about as a reaction to CableLabs' DOCSIS standard for remote
management of cable modems. Before this, every cable modem vendor had a
proprietary management protocol and applications, and cable companies either
got locked into one vendor's modems or had a terrible patchwork of
management applications. DOCSIS was a standard adopted by the cable
companies and forced on the modem vendors to help clean that up.

Meanwhile the DSL services and modem vendors were headed down the same road
and said they could come up with something better, that would also address
some problems specific to DSL. So they came up with the competing TR-69
standard.

Both DOCSIS and TR-69 have the capability to set up packet captures, and
filters and triggers for those captures. This was intended as a debugging
tool, but could certainly be used to eavesdrop. Neither would be very
efficient for capturing lots of local traffic and sending it someplace.
Capturing at the CO is more efficient on a working connection.

Steve

On Friday, December 6, 2013, Charles N Wyble wrote:

> Would someone mind setting reply to list instead of sender?
>
>
> -------- Original Message --------
> From: Charles N Wyble <charles at thefnf.org>
> Sent: Fri Dec 06 08:29:40 CST 2013
> To: Mitar <mitar at tnode.com>
> Subject: Re: [Mesh] NSA and OpenWRT
>
> Calea doesn't need to mod the end modem to do interception. If you are
> transiting the modem, you are going through the CO, where they can tap.
>
> Tr069 is a really nice standard for mass configuration at scale. Open
> source bits exist, I've not been able to play with them yet.
>
> So the linked technologies aren't really in support of the article's main
> point.
>
> Now in the case of all in one residential gateways, internal traffic is
> very susceptible to intercept.
>
> My home network is set up like this
>
> Cable modem -> pfsense edge router -> core switch (cisco 3550) -> core ap
> (wndr3800 running openwrt).
>
> I've also tapped the outside of the pfsense (modem Ethernet side) and seen
> very large amounts of neighborhood WAN traffic. So I don't even need to be
> the government or telco to spy. Just think, they only need to comp some
> modems per neighborhood to see everything.
>
> I run all my DNS lookups over a VPN connection to a non logging resolver
> in an on net facility. I've considered running all my traffic out the Colo
> and via tor, but I'm not that paranoid yet. He he.
>
> Interesting article for sure. Remember that openwrt can be comped as well
> and WiFi can be trivially tapped.
>
>
> Mitar <mitar at tnode.com> wrote:
> >Hi!
> >
> >Maybe of interest to some:
> >
> >https://forum.openwrt.org/viewtopic.php?id=47703
> >
> >
> >Mitar
>
> --
> Charles Wyble charles at thefnf.org
> 818 280 7059
> CTO / co founder thefnf.org and guifi.us
> _______________________________________________
> mesh mailing list
> mesh at lists.sudoroom.org
> http://lists.sudoroom.org/listinfo/mesh
>


-- 
-steve
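Charles' observation above (tapping the modem-facing side of his edge router and seeing other subscribers' WAN traffic) is easy to check for yourself. The following is an added example, not code from either poster: it parses raw Ethernet/IPv4 frames, sorts them into "ours" (to or from our own WAN MAC), broadcast/multicast, and foreign unicast (traffic between two other stations that should never have reached our port on a properly switched segment), and collects the foreign IP addresses seen. All MAC and IP addresses are made up, and the sample frames are constructed inline in place of frames read from a pcap.

```python
import struct
from collections import Counter

# Hypothetical addresses for the demonstration. OUR_MAC stands in for the
# modem-facing NIC of the edge router; the others are an imagined CMTS/upstream
# gateway and a neighbour's gateway on the same shared segment.
OUR_MAC = "00:11:22:33:44:55"
CMTS_MAC = "00:01:5c:00:00:01"
NEIGHBOR_MAC = "00:aa:bb:cc:dd:ee"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_frame(frame):
    """Parse an Ethernet II header; for IPv4 payloads also pull src/dst IP."""
    if len(frame) < 14:
        return None  # too short to be a frame at all
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "src_ip": None, "dst_ip": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if ihl >= 20 and len(frame) >= 14 + ihl:
            info["src_ip"] = ".".join(str(x) for x in frame[26:30])
            info["dst_ip"] = ".".join(str(x) for x in frame[30:34])
    return info


def classify(info, our_mac=OUR_MAC):
    """Ours, legitimately flooded, or someone else's unicast traffic?"""
    dst = info["dst_mac"]
    if dst == our_mac or info["src_mac"] == our_mac:
        return "ours"
    # Broadcast, or the group bit (lowest bit of first octet) set: multicast.
    if dst == BROADCAST or (int(dst[:2], 16) & 1):
        return "broadcast/multicast"
    return "foreign-unicast"


def audit(frames, our_mac=OUR_MAC):
    """Count frames per class and collect source IPs of foreign unicast."""
    counts = Counter()
    foreign_ips = set()
    for frame in frames:
        info = parse_frame(frame)
        if info is None:
            counts["malformed"] += 1
            continue
        cls = classify(info, our_mac)
        counts[cls] += 1
        if cls == "foreign-unicast" and info["src_ip"]:
            foreign_ips.add(info["src_ip"])
    return counts, foreign_ips


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Construct a minimal Ethernet + IPv4 (UDP, no checksum) frame."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


# Constructed sample capture (not real traffic): two of our own flows, one
# broadcast, two frames between the neighbour and upstream, one runt.
SAMPLE_FRAMES = [
    build_ipv4_frame(OUR_MAC, CMTS_MAC, "8.8.8.8", "203.0.113.10"),
    build_ipv4_frame(CMTS_MAC, OUR_MAC, "203.0.113.10", "8.8.8.8"),
    build_ipv4_frame(BROADCAST, CMTS_MAC, "203.0.113.1", "255.255.255.255"),
    build_ipv4_frame(NEIGHBOR_MAC, CMTS_MAC, "198.51.100.7", "203.0.113.42"),
    build_ipv4_frame(CMTS_MAC, NEIGHBOR_MAC, "203.0.113.42", "198.51.100.7"),
    b"\x00" * 5,
]

if __name__ == "__main__":
    counts, ips = audit(SAMPLE_FRAMES)
    print(dict(counts))
    print("foreign hosts seen:", sorted(ips))
```

On a clean point-to-point link between modem and router the "foreign-unicast" count should be zero; anything else means the segment is effectively a hub for that traffic and a single compromised modem or tap on it sees the neighbourhood, which is exactly the point being made.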