>Why would an eavesdropper need to modify the network configuration? I would
>just hook up a sniffer and set it to promiscuous mode.
This talk of monitoring traffic at ISPs has me kind of
perplexed.
I'm the CEO of a company that makes network monitoring
and traffic analysis systems: just the kind of thing that
would presumably appeal to the spooks who are supposedly
doing this stuff. We haven't heard from them! :)
But that's irrelevant. I wanted to comment on some of
the technical problems inherent in tapping large-scale
networks. We've been living with them at NFR for over
2 years and let me tell you it's not as easy as just
slapping a promiscuous mode interface on a network and
collecting all the packets. First off, when you're doing
packet capture of, say, a fairly saturated FDDI ring,
running at 80% capacity, you're looking at, perhaps,
17,000 packets/second of varying sizes. Sure, you can
get a network card that will be able to handle that
in promiscuous mode, but doing anything with the data
becomes a trick. For proper spooky purposes, you'd want
to do stream reassembly (so as not to miss key words
in context) which is pretty expensive. We've found it
takes most of a 400 MHz Intel box to handle just reassembly
and capture at those kinds of speeds. Searching gets
comparably more expensive. Let's suppose you're The Spooks
and can throw custom hardware at it: a 450 MHz machine
with a TRW fast data finder chip on top of a partial
IP reassembly stack, and a fast RAID, would be adequate
for doing searching and select recording on a single
FDDI. But some of the big ISPs, like UUnet, are running
multiple rings with split traffic, and are running almost
entirely on switched architectures. Collating traffic
at a packet level between multiple switches is a Hard
Problem (at least we think it is, anyhow) when you
are dealing with huge streams of data that simply never
stop coming. It's not like you can process it offline,
there are queueing problems to deal with.
I'm sure that an IP ECHELON project would be well funded,
but I'm not sure that it's practical or feasible. It's
certainly not practical or feasible with off-the-shelf
stuff. If it were done with custom stuff it'd be a pretty
interesting (and obtrusive) looking unit. In the last
3 years I've been in a _lot_ of ISPs' machine rooms,
and never seen anything that would look like the kind of
packet sucker from hell we're talking about. I also tend
to disbelieve that the ISPs are being tapped because a
lot of the networkers there are not the kind of folks who
would keep their mouths shut if that sort of thing was
going on in a major, organized way. Too many tongues would
wag. Is there any _proof_ that this kind of thing is
going on? I'd like to see some of the specs of the packet
suckers in question, as well as photographs of one
installed. Call me a doubting Thomas, if you will.
In short: if someone thinks the spooks are actually
tapping big ISP backbones, I want to know where I can
buy the kind of stuff they're using! :)
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
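The post above argues that a keyword-hunting tap cannot just grep individual packets; it needs stream reassembly, and reassembly on a never-ending stream runs into queueing limits. The following is an added example, not code from the post or from NFR, that shows both points with a minimal one-direction TCP reassembler in Python. It searches for a keyword incrementally as bytes arrive, keeping only a short per-flow tail so a match split across two segments is still found, and it holds out-of-order segments in a bounded buffer so that a too-small buffer visibly loses data. The flow tuple, sequence numbers, keyword and message are constructed sample data, and the TCP handling is deliberately simplified (no SYN/FIN, first segment seen defines the stream start, an unfilled gap stalls the flow).

```python
# Added example, not code from the original post or from NFR. Constructed
# sample data throughout; simplified TCP semantics (see the lead-in).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Segment:
    flow: Flow
    seq: int                               # TCP sequence number of payload[0]
    payload: bytes


@dataclass
class StreamState:
    next_seq: int                          # next byte expected in order
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order hold
    tail: bytes = b""                      # last len(keyword)-1 delivered bytes
    hits: int = 0


class KeywordReassembler:
    """Reassemble one direction of each TCP flow and count keyword matches
    as data arrives, without keeping the whole stream in memory."""

    def __init__(self, keyword: bytes, max_pending: int = 65536):
        self.keyword = keyword
        self.max_pending = max_pending     # bytes we are willing to hold per flow
        self.streams: Dict[Flow, StreamState] = {}
        self.dropped_segments = 0          # out-of-order data we could not queue

    def feed(self, seg: Segment) -> int:
        """Consume one segment; return the number of new matches in its flow."""
        st = self.streams.get(seg.flow)
        if st is None:
            st = self.streams[seg.flow] = StreamState(next_seq=seg.seq)
        before = st.hits
        if seg.seq > st.next_seq:
            # Out of order: hold it until the gap is filled, unless the per-flow
            # hold buffer is full. A bounded buffer on a stream that never stops
            # must eventually drop something; that is the queueing problem.
            held = sum(len(p) for p in st.pending.values())
            if held + len(seg.payload) > self.max_pending:
                self.dropped_segments += 1
            else:
                st.pending[seg.seq] = seg.payload
            return 0
        self._deliver(st, seg.seq, seg.payload)
        # Release every held segment that now starts at or before next_seq.
        while True:
            ready = [s for s in st.pending if s <= st.next_seq]
            if not ready:
                break
            s = min(ready)
            self._deliver(st, s, st.pending.pop(s))
        return st.hits - before

    def _deliver(self, st: StreamState, seq: int, payload: bytes) -> None:
        overlap = st.next_seq - seq
        if overlap >= len(payload):
            return                         # pure retransmission, nothing new
        if overlap > 0:
            payload = payload[overlap:]    # partial retransmit: keep only new bytes
        window = st.tail + payload         # tail exposes matches spanning segments
        st.hits += window.count(self.keyword)   # tail alone is too short to re-match
        keep = len(self.keyword) - 1
        st.tail = window[-keep:] if keep > 0 else b""
        st.next_seq += len(payload)


KEYWORD = b"SECRET"                                   # constructed search term
FLOW: Flow = ("10.0.0.1", 40000, "10.0.0.2", 25)      # constructed flow
MESSAGE = b"Subject: the SECRET plans\r\n\r\nThe SECRET is in the attic.\r\n"


def build_segments() -> List[Segment]:
    """Constructed capture: both keyword occurrences straddle a segment
    boundary, segment c arrives before b, and a is retransmitted at the end."""
    base = 1000
    a, b, c = MESSAGE[:16], MESSAGE[16:36], MESSAGE[36:]
    return [
        Segment(FLOW, base, a),
        Segment(FLOW, base + 36, c),       # out of order, must be held
        Segment(FLOW, base + 16, b),       # fills the gap and releases c
        Segment(FLOW, base, a),            # retransmission, must not re-count
    ]


def packet_level_hits(segments: List[Segment], keyword: bytes) -> int:
    """What a sniffer that greps each packet on its own would find."""
    return sum(seg.payload.count(keyword) for seg in segments)


def stream_level_hits(segments, keyword, max_pending=65536):
    """(matches after reassembly, segments dropped for lack of hold space)."""
    r = KeywordReassembler(keyword, max_pending)
    hits = sum(r.feed(seg) for seg in segments)
    return hits, r.dropped_segments


if __name__ == "__main__":
    segs = build_segments()
    print("per-packet search:", packet_level_hits(segs, KEYWORD))
    print("reassembled search:", stream_level_hits(segs, KEYWORD))
    print("reassembled, 10-byte hold buffer:", stream_level_hits(segs, KEYWORD, 10))
```

Per-packet search finds nothing because every occurrence of the keyword is split between two segments; the reassembler finds both, ignores the retransmission, and when its hold buffer is shrunk to 10 bytes it silently loses the out-of-order segment and one of the two matches with it. Real hardware would also have to cope with the other direction of the flow, tens of thousands of concurrent flows, and gaps that are never filled.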