FRA: Lowest layer of communication

I got a comment on a post about fetching the signals that cross the country boundary, and thought a response in a separate posting would be in order. The question was to elaborate on what problems exist with giving FRA access to the lowest layer of communications.

To be able to access the lowest layer of the communication, the optical signal, one first has to split the optical signal so that one signal goes into a branch and two come out. One of the outputs goes to a closed room, and the other continues to the normal destination. In the closed room there is equipment that takes care of the signal. Many products for this exist on the market; the device is often called an optical splitter. The only problem with these is that if the splitter is purely passive, one loses signal power, which means the distance from the splitter to the receivers must be short. But this market is developing quickly, and active equipment (with built-in amplifiers) also exists.

Given the optical signal, one has to be able to interpret the modulation used and extract the digital signal. Evolution in this area is fast, and specifically in DWDM systems the modulation can be quite complicated. More and more fiber optic systems do wavelength multiplexing by allowing dynamic allocation of frequencies.

The ones and zeros together form some transport, or at least some framing mechanism such as Ethernet, SDH, PPP etc. Many of these exist, and in some cases they are layered (Ethernet over SDH).

Over the transport protocol one sends the IP packets, if IP is the protocol in use. Many IP packets with the same 5-tuple [sender, receiver, sender port, receiver port, protocol] form a flow, and within the flow data is sent and received as a full duplex connection. The most common protocols are TCP and UDP, but others exist.

Grabbing the data from such a flow and applying the search strings that the proposed regulation talks about is, because of everything I wrote above, tricky but definitely possible. It is what is sometimes called Deep Packet Inspection, with the only difference that it is done on a branch of the optical fiber rather than by inspecting the packets as they pass through, for example, a router. Doing all of this at the speeds we are talking about on global connections (multiple 40Gbps links in each pair of fibers in a DWDM system) does, though, require quite special (and expensive) hardware. There is also nothing that says this will become cheaper overall, as the amount of traffic increases over time.
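The layering described in the last three paragraphs (framing, then IP, then flows keyed by the 5-tuple, then string search over the reassembled flow content) as an added Python example. This is not code from the original post and says nothing about FRA's actual equipment; it is the kind of logic a passive network monitor or intrusion detection sensor runs on a mirrored link. It builds a few constructed Ethernet/IPv4/TCP and UDP frames (documentation addresses, made-up ports, payloads and search strings), peels off each layer, groups packets into full duplex flows by a normalized 5-tuple, and runs the search strings over the reassembled payload. One search string is deliberately split across two packets, so searching packet by packet misses it while searching the flow finds it. Real equipment would additionally have to handle the optical and framing layers below Ethernet and reorder TCP segments by sequence number; this example concatenates payload in arrival order.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload, proto=PROTO_TCP):
    """Build a minimal Ethernet II + IPv4 + TCP/UDP frame (constructed test data; checksums left at 0)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)  # dst MAC, src MAC, EtherType
    if proto == PROTO_TCP:
        # ports, seq, ack, data offset (5 words), flags (PSH|ACK), window, checksum, urgent pointer
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + l4


def parse_frame(frame):
    """Peel Ethernet -> IPv4 -> TCP/UDP; return ((src, dst, sport, dport, proto), payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # other EtherTypes (ARP, IPv6, VLAN-tagged) are out of scope here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20])
    l4 = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:
        payload = l4[(l4[12] >> 4) * 4:]  # data offset field gives TCP header length in 32-bit words
    elif proto == PROTO_UDP:
        payload = l4[8:]
    else:
        return None
    return (src, dst, sport, dport, proto), payload


def flow_key(five_tuple):
    """Normalize the 5-tuple so both directions of a full duplex connection map to one flow."""
    src, dst, sport, dport, proto = five_tuple
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], b[0], a[1], b[1], proto)


def assemble_flows(frames):
    """Group packets into flows and concatenate payload per direction (arrival order, no TCP reordering)."""
    flows = defaultdict(lambda: {"a_to_b": b"", "b_to_a": b"", "packets": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        ft, payload = parsed
        key = flow_key(ft)
        direction = "a_to_b" if (ft[0], ft[2]) == (key[0], key[2]) else "b_to_a"
        flows[key][direction] += payload
        flows[key]["packets"] += 1
    return dict(flows)


def search_flows(flows, search_strings):
    """Return {flow_key: [matched strings]} for flows whose reassembled content contains a search string."""
    hits = {}
    for key, flow in flows.items():
        data = flow["a_to_b"] + flow["b_to_a"]
        matched = [s for s in search_strings if s in data]
        if matched:
            hits[key] = matched
    return hits


def search_packets(frames, search_strings):
    """Count frames whose individual payload contains a search string (misses strings split across packets)."""
    count = 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and any(s in parsed[1] for s in search_strings):
            count += 1
    return count


# Constructed sample traffic: documentation addresses, made-up ports and payloads.
SEARCH_STRINGS = [b"example-keyword", b"another-term"]
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "198.51.100.7", 40000, 80, b"GET /page?q=exam"),
    build_frame("198.51.100.7", "10.0.0.1", 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    build_frame("10.0.0.1", "198.51.100.7", 40000, 80, b"ple-keyword HTTP/1.1\r\n"),
    build_frame("10.0.0.2", "203.0.113.9", 5353, 53, b"dns query payload", proto=PROTO_UDP),
]

if __name__ == "__main__":
    flows = assemble_flows(SAMPLE_FRAMES)
    print("flows:", len(flows), "flow hits:", search_flows(flows, SEARCH_STRINGS))
    print("per-packet hits:", search_packets(SAMPLE_FRAMES, SEARCH_STRINGS))
```

Run as a script it reports two flows, one flow hit on `example-keyword`, and zero per-packet hits; the difference is the point: matching has to happen on the reassembled flow, which is what makes this expensive at the link speeds discussed above.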

Other texts about how this can be carried out (and information on how it has been done) can for example be found in Wikipedia and in: Bellovin, Steven M.; Blaze, Matt; Diffie, Whitfield; Landau, Susan; Neumann, Peter G.; Rexford, Jennifer (January/February 2008). "Risking Communications Security: Potential Hazards of the Protect America Act". IEEE Security and Privacy 6 (1): pp. 24–33. IEEE Computer Society. doi:10.1109/MSP.2008.17.