White House to Propose System for Wide Monitoring of Internet
batz
batsy at vapour.net
Fri Dec 20 21:30:19 UTC 2002
On Fri, 20 Dec 2002, Ted Hardie wrote:
:"exchange point routing tables" seems to assume that the exchange
:point operator is operating at Layer 3. The most popular exchanges at
:the moment (PAIX, LINX, EQIX) seem to be layer 2 (GigE) or layer 1
:(fiber strung from cage to cage, you run what you want over same).
My mistake, but I was just using routing tables as an example
of how the redirection could be done on layer 3. It's important
that the layer 3 traffic be redirected so that full sessions can
be captured, instead of simply sniffing a span port and hoping
that you get everything.
From the perspective of gathering evidence, they just record
enough to get a warrant to seize the machine of
the suspect, and all the physical evidence will be there.
For example, IDS logs have varying levels of reliability, but
their value is that they pinpoint and corroborate the source of
physical evidence in the event of an incident.
Asymmetric routes cause problems for IDSs that just watch a span
port or use a tap, as sessions get lost and alerts can't be
correlated as easily.
The idea is that a sensor sees a trigger, it alerts, and
either the source gets statically routed to a tunnel interface,
or, depending on capacity and where the sensor is located,
it just routes the traffic's source network through the
monitoring network.
It's like diverting part of a stream. From what we have been seeing
in the papers, it isn't the data collection that is the difficult
part anyway, it's the administrative overhead and knowledge
management that needs all the resources. When people criticize
these plans, they tend to attack the challenges of data collection.
I think the technical challenges that data collection poses are
overblown and serve as kind of a red herring that diverts attention
from the larger ethical (non-operational) problems of data aggregation
and response.
--
batz
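The asymmetric-routing point above, as an added example that is not part of the original post: a toy session tracker run over constructed packets shows that a sensor on a span port or tap that only sees the client-to-server half never completes the handshake and never sees the response, whereas a sensor with both directions (as when the whole layer 3 flow is diverted past it) reconstructs the full session. All addresses, ports and payloads are constructed, not captured.

```python
"""Toy model of why a single span-port/tap sensor loses sessions under
asymmetric routing. Packets below are constructed, not real captures."""
from collections import namedtuple

# Constructed packet record: one TCP segment as seen by a sensor.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

def flow_key(p):
    """Direction-independent key so both halves of a session share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def track_sessions(packets):
    """Minimal TCP state tracker: a session is ESTABLISHED only when the
    sensor observes SYN, SYN/ACK and the final ACK in order."""
    sessions = {}
    for p in packets:
        s = sessions.setdefault(flow_key(p), {"state": "NONE", "dirs": set(), "bytes": 0})
        s["dirs"].add((p.src, p.dst))
        s["bytes"] += len(p.payload)
        if p.flags == "S" and s["state"] == "NONE":
            s["state"] = "SYN_SEEN"
        elif p.flags == "SA" and s["state"] == "SYN_SEEN":
            s["state"] = "SYNACK_SEEN"
        elif p.flags == "A" and s["state"] == "SYNACK_SEEN":
            s["state"] = "ESTABLISHED"
    return sessions

# Constructed bidirectional exchange between a client C and a server S.
C, S = ("10.0.0.5", 40000), ("192.0.2.10", 80)
FULL_SESSION = [
    Pkt(*C, *S, "S", b""),
    Pkt(*S, *C, "SA", b""),
    Pkt(*C, *S, "A", b""),
    Pkt(*C, *S, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    Pkt(*S, *C, "PA", b"HTTP/1.0 200 OK\r\n\r\n"),
]

def sensor_view(packets, sees_reverse_path):
    """Symmetric routing: the tap sees both directions. Asymmetric: the
    server->client half returns over a link the tap does not cover."""
    return [p for p in packets if sees_reverse_path or p.src == C[0]]

def compare_routing():
    """Return (session as seen with symmetric routing, as seen with asymmetric)."""
    sym = track_sessions(sensor_view(FULL_SESSION, True))
    asym = track_sessions(sensor_view(FULL_SESSION, False))
    return next(iter(sym.values())), next(iter(asym.values()))
```

Under asymmetric routing the tracker is stuck at SYN_SEEN with one direction and only the request bytes, which is exactly the lost-session, uncorrelatable-alert condition the post describes.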