Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: White House to Propose System for Wide Monitoring of Internet(fwd)

  • From: batz
  • Date: Fri Dec 20 15:56:03 2002

On Fri, 20 Dec 2002, David Lesher wrote:

:[This just jumped into the operational arena. Are you prepared
:with the router port for John Poindexter's vacuum? What changes
:will you need to make? What will they cost? Who will pay?]


There is a really easy way to accomplish this, and it has been
apparently partially implemented within UUNet as an overlaid 
network of GRE tunnels for a few years, at least based on a 
NANOG presentation from October 1999.

This can be accomplished quite cost effectively, provided the
government doesn't want to archive *everything*. 

I keep mentioning this, and for some reason few people seem to
recognize how profoundly simple it would be for the government
to legislate themselves into exchange points and have
the authority to announce certain prefixes to the IX, tunnel
the traffic of the affected route into their own network,
and monitor it without ever showing up in a traceroute.

MPLS makes this even simpler, where certain routes can be
tagged and switched invisibly into the Total Information Awareness
network for monitoring, and switched back out with nobody being
the wiser. Technically this is simple. The infrastructure is
in place, it just needs some legal teeth.

As soon as they figure out BGP, governments could seek
authority over exchange point routing tables so that they can
implement data sanctions against foreign and/or non-compliant
ASNs.  It's pretty easy to imagine; we'll just have to see
how it plays out. 

Also, if you want to monitor massive amounts of data (something
people say can't be done easily) you just demux it using a device
like those at www.toplayer.com, or
http://www.radware.com/content/products/fire.asp .
Both solutions are adequate for breaking up massive amounts
of data. 

I could write snort signatures that will trigger
a session to be re-routed based on packet content. It's fugly, 
but if I can do it in my basement, a multi-billion dollar 
agency acting on behalf of the only global superpower can 
probably think up something a little more elegant. :) 

-- 
batz
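As an added example (not code from batz's post, from UUNet, or from the Top Layer or Radware products it names), the following Python sketch models the two steering mechanisms the post describes: a prefix table that pulls whole routes into a monitoring tunnel, and a content signature that, once it fires on one packet, marks the session so every later packet of that flow in either direction is diverted too. Diverted packets are wrapped in a GRE header (RFC 2784 framing, IPv4 in GRE) so the inner IP header, TTL included, rides through the collector's network untouched, which is the "never shows up in a traceroute" property. The monitored prefix, the signature string, the tunnel endpoints and every packet are constructed test data, and the UDP-only wire format and taint-set session model are simplifications chosen for this illustration.

```python
"""Toy model of prefix- and content-triggered traffic diversion over GRE.

Added example; all addresses, prefixes, signatures and packets are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

GRE_PROTO_IPV4 = 0x0800  # GRE protocol field value for an IPv4 payload (RFC 2784)
IPPROTO_UDP = 17
IPPROTO_GRE = 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    payload: bytes


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_ipv4(p: Packet) -> bytes:
    """The customer packet as it would appear on the wire: IPv4 + UDP + payload."""
    udp = struct.pack("!HHHH", p.sport, p.dport, 8 + len(p.payload), 0) + p.payload
    return ipv4_header(p.src, p.dst, IPPROTO_UDP, p.ttl, len(udp)) + udp


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, outer_ttl: int = 64) -> bytes:
    """Outer IPv4 (proto 47) + 4-byte GRE header (no flags, version 0) + inner packet.

    The inner header is carried verbatim: tunnel hops decrement only the outer
    TTL, so a traceroute run by the end host never sees them.
    """
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, outer_ttl, 4 + len(inner)) + gre + inner


def flow_key(p: Packet):
    """Direction-independent key so the reply half of a session hits the same state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class Diverter:
    def __init__(self, monitored_prefixes, signatures, tunnel_src, tunnel_dst):
        self.prefixes = [ipaddress.ip_network(n) for n in monitored_prefixes]
        self.signatures = list(signatures)
        self.tunnel_src, self.tunnel_dst = tunnel_src, tunnel_dst
        self.tainted = set()  # flows a signature (or the prefix table) has already caught

    def _prefix_hit(self, p: Packet) -> bool:
        return any(ipaddress.ip_address(a) in n for a in (p.src, p.dst) for n in self.prefixes)

    def _signature_hit(self, p: Packet) -> bool:
        return any(sig in p.payload for sig in self.signatures)

    def handle(self, p: Packet):
        """Return ("divert", gre_bytes) or ("forward", plain_bytes)."""
        key = flow_key(p)
        if self._prefix_hit(p) or key in self.tainted or self._signature_hit(p):
            self.tainted.add(key)  # once a session is caught, the rest of it goes too
            return "divert", gre_encapsulate(build_ipv4(p), self.tunnel_src, self.tunnel_dst)
        return "forward", build_ipv4(p)


def demo():
    """Constructed traffic run through the diverter; returns the per-packet decisions."""
    d = Diverter(monitored_prefixes=["198.51.100.0/24"],    # constructed: a route pulled into the tunnel
                 signatures=[b"poindexter"],                # constructed: a payload trigger
                 tunnel_src="192.0.2.1", tunnel_dst="192.0.2.254")  # constructed collector endpoints
    pkts = [
        Packet("203.0.113.10", "198.51.100.5", 40000, 80, 60, b"GET / HTTP/1.0"),     # prefix hit
        Packet("203.0.113.10", "203.0.113.20", 40001, 25, 60, b"HELO mail"),          # clean
        Packet("203.0.113.10", "203.0.113.20", 40001, 25, 60, b"Subject: poindexter"),  # signature fires
        Packet("203.0.113.20", "203.0.113.10", 25, 40001, 60, b"250 OK"),             # reply: tainted flow
        Packet("203.0.113.30", "203.0.113.40", 5000, 53, 60, b"dns query"),           # unrelated, stays clean
    ]
    return [d.handle(p)[0] for p in pkts]


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the expensive part is not the tap but the decision: a longest-prefix lookup or a substring match per packet, plus one set lookup per flow, is all it takes to peel a session out of the forwarding path and into a tunnel, and the end hosts see the same inner TTL either way.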
