>-----Original Message-----
>From: Vernon Schryver [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, May 23, 2000 4:14 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Should IETF do more to fight computer crime?
>
>
>> From: "Dawson, Peter D" <[EMAIL PROTECTED]>
>
>> >Jacob Palme <[EMAIL PROTECTED]> wrote:
>> >
>> >> But would not better log production in routers be an aid
>> >> in finding the villain behind computer crimes?
>> >
>> >What type of logging do you propose? It seems that the types of logging
>> >that are already done enable people to trace the origins of suspicious
>> >traffic.
>> >
>> >--gregbo
>
>> True, but only the origin of packets is determined. What is needed is
>> a code of ethics between ISPs, to share information.
>> i.e. once a packet leaves isp1 cloud and travels across isp2 cloud,
>> very rarely would isp1 be willing to disclose to isp2...
>> which (user) is leased that specific dynamic IP address.
>>
>> btw, this info would be required on the fly... so that net admin/sec
>> would be in a better position to pinpoint the perpetrator's habits/
>> physiological profile etc.
>
>
>Let's actually think for a moment about serious logging or sharing
>information about Internet traffic. State of the art large routers
>move Tbits/sec. If the average packet size is 500 bytes, you're
>talking about logging or sharing information about 100 Mpackets/second.
>If you only log or share the source and destination IPv4 addresses,
>TCP or UDP port numbers, an incoming interface, a timestamp, and 1 or
>2 bits saying the packet was not unusual (e.g. no TCP options other
>than window scaling or SACK and no IP options), you're talking about
>logging or sharing more than 20 bytes/packet or a few GBytes/second/big
>router. There are 86,400 seconds/day, so you're talking about logging
>or sharing about 100 TBytes/day per large router.
>
>Typical IP paths seem to be at least 10 hops long these days, and
>often 20 or 30. Most of those routers are not going to be Tbit/sec
>backbone routers, but more than one will be, and the rest can be
>counted or aggregated as if they were. Thus, you're talking about
>logging or sharing several 1000 TBytes/day.
>
>Perhaps it would not be a problem to burn 1,000,000 GByte CDROM, tapes,
>or other media per day, but what would you be able to do with
>those logs?
>Searching a 1000 TByte database on the fly, especially if it is merely
>a primitive sequential log, would be a serious challenge.
>
>Yes, not many Tbit routers have been deployed, but they will be, and I
>think the average packet size is less than 500, which increases the amount
>of logging. Yes, you might not need to keep those 1000's of TBytes for
>more than a few days, but you still need a way to do something with them.
>
>To put it another way, the complaints from the large ISP's that they cannot
>police Internet traffic to shield their customers from pornography, talk
>about World War II political parties, and the other things that various
>pressure groups and governments dislike have some technical reality.
I agree on the technical reality of TByte storage/tcpdump etc...
>
>Technical reality always trumps political blather everywhere that matters.
>
Yes, but if I were behind a DMZ and my IDS triggers... and if I got a
source address... my question is:
would 'The ISP' provide any type of information to negate the threat? Is
this a political problem, beyond technical reality, or just plain
non-compliance to 'Collaboration'?
/pd