White House to Propose System for Wide Monitoring of Internet

Fri Dec 20 21:30:19 UTC 2002

On Fri, 20 Dec 2002, Ted Hardie wrote:

:"exchange point routing tables" seems to assume that the exchange
:point operator is operating at Layer 3.  The most popular exchanges at
:the moment (PAIX, LINX, EQIX) seem to be layer 2 (GigE) or layer 1
:(fiber strung from cage to cage, you run what you want over same).

My mistake, but I was just using routing tables as an example 
of how the redirection could be done on layer 3. It's important 
that the layer 3 traffic be redirected so that full sessions can 
be captured, instead of simply sniffing a span port and hoping
that you get everything. 

>From the perspective of gathering evidence, they just record 
enough to get a warrant to sieze the machine of 
the suspect, and all the physical evidence will be there. 
For example, IDS logs have varying levels of reliability, but 
their value is that they pinpoint and coroberate the source of 
physical evidence in the event of an incident.  

Asymmetric routes cause problems for IDS's that just watch a span
port or use a tap, as sessions get lost and alerts can't be 
correlated as easily. 

The idea being that a sensor sees a trigger, it alerts, and 
either the source gets staticly routed to a tunnel interface, 
or, depending on capacity and where the sensor is located, 
it just routes the traffics source network through the 
monitoring network. 

It's like diverting part of a stream. From what we have been seeing
in the papers, it isn't the data collection that is the difficult
part anyway, it's the administrative overhead and knowledge 
management that needs all the resources. When people criticize
these plans, they tend to attack the challenges of data collection. 

I think the technical challenges that data collection poses are 
overblown and serve as kind of a red herring that diverts attention
from the larger ethical (non-operational) problems of data aggregation
and response. 

-- 
batz