North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: White House to Propose System for Wide Monitoring of Internet(fwd)

  • From: batz
  • Date: Fri Dec 20 19:51:15 2002

On Fri, 20 Dec 2002, Christopher L. Morrow wrote:


Heh. Bless you. ;) 

:This is incorrect, this isn't implemented, its not implementable, current
:routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER,
:juniper will allow you to copy packets on an interface in 5.5 or perhaps a
:bit later code, this is one way to implement this... however having a new
:oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
:amount of fiber the OCS/NCS/NPIC wants to monitor?

I was told it was implemented when I called security a couple 
of years ago, and then my other questions were met with "no comment". 
"No comment" is the appropriate response to a stranger calling and 
asking for security information, and doesn't imply any other answer, 
and I am willing to accept that it is no longer implemented, but 
somebody told me it was. I am willing to accept that the person I 
spoke to misinterpreted my question. 

That said, I don't think it's economical to want to tap an oc-X, 
but being able to grab single sessions doesn't necessarily have to scale 
if they aren't grabbing lots of them, and can access them relatively
close to their source. It's the same issues as running IDS's.

Lets say you have a an IDS load balancer sitting on a GigE span 
port with a few sensors watching everything go by.  If an alert is 
triggered, a script is executed which goes out to the router closest
to the origin of the session and initiates the overlaid tunnel. 

:even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
:right and scaled correctly things would still be 'expensive'... to

Well, one would assume that these features would be necessary for the
maintainance of a robust security policy and architecture 
implementation. The value is the same value that you get from 
regular IDS's, just with a new customer. 

:Sure, or they could ask carriers to tap lines for them silently... in fact
:they can do that today with a court order.

Indeed, and building features for automating the initialization of 
those taps into the network is not extrordinarily difficult. (I 
retract my "profoundly simple" comment.)  The cost of doing so is
another loss avoidance cost that would be integrated into the overhead
cost that we currently call security anyway. 

Are you suggesting that there might be money to be made by someone
who offered to integrate this sort of surviellence architecture into 
a network?