At 10:34 PM 11/19/00 -0500, Jim Dixon wrote:

>> A PC, using off-the-shelf HW, is capable of filtering a full 100 Mbps link
>> (144K packets/sec) as demonstrated by the BlackICE products
>> http://www.networkice.com/html/blackice_sentry.html
>
>First, like any other manufacturer's claims, these should be treated
>with some skepticism.
>
>Second, this is an intrusion detection system. I suspect that they
>are looking for something simpler than what Carnivore is trying to
>detect.

Run a raw tcpdump on a machine with 2 CPUs, maybe filter online with something simple (like IP addr) and reconstruct offline. You're not analyzing online, you're recognizing addresses and DMAing buffers which are flushed to nonvolatile storage.

Re: monitoring an OC-XXX with overt access is just a matter of how much you can pay for fast electronics. Take a look at the Caida.org folks' work on monitoring backbones.

Carnivore in its current state may well be a point-tool intended for leaf-node ISPs, but you can certainly extrapolate to Carnivore 2.0 for Gigabit Ether. "Just plug your boxes through ours and you'll be CALEA-compliant, and no more hassles from us.." An optical tap (essentially a fiber optic beamsplitter) would be fairly fail-safe to the ISP.

>Third, even if you believe that they can really analyse data at
>100 Mbps, this still doesn't give them the ability to handle more
>than one PoP with two DS3 connections. This is still orders of
>magnitude away from being able to handle a major site with
>multiple 2.5G connections, let alone all of the traffic handled by
>a major ISP.
>
>The original claim was that Carnivore could monitor all of an ISP's
>traffic. This isn't true for most ISPs. And the amazing growth
>rates that we are seeing in bandwidth and network complexity make it
>exceedingly unlikely that Carnivore or anything like it will ever
>catch up.
>
>Qwest deployed 14,000 miles of fibre some years ago. This was
>packaged as conduits carrying 48 fiber pairs, each pair using
>wave division multiplexing to carry 8 to 16 optical channels, with
>each channel running at 10 Gbps. That's 160 Gbps per fiber,
>7,680 Gbps per conduit. Qwest is one of many carriers. 160 Gbps
>over a fiber pair isn't state of the art. Qwest has many conduits.
>
>If a PC can monitor 100M of bandwidth, it would take, uhm, about
>seventy seven thousand PCs to monitor one of Qwest's conduits. Not
>that I believe that one PC can monitor traffic at 100 Mbps.
>
>> >The overall capacity and the complexity of the Internet is increasing
>> >at an explosive rate. For better or for worse, this far exceeds the
>> >growth in any government's capability of monitoring Internet traffic.
>
>--
>Jim Dixon VBCnet GB Ltd http://www.vbc.net
>tel +44 117 929 1316 fax +44 117 927 2015
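The capture-then-reconstruct split sketched in the reply above (a cheap address test at capture time, TCP reassembly later from stored records) as an added Python example; it is not code from this thread or from any Carnivore or BlackICE product. It builds a constructed libpcap blob inline instead of reading a real `tcpdump -w` file, and the addresses, ports and payloads are made up.

```python
import struct

def ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zeroed; enough for parsing)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # zeroed MACs + EtherType 0x0800

def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 974592000 + i, 0, len(f), len(f)) + f
    return out

def iter_records(pcap):
    """Yield raw frames from a little-endian libpcap blob (the format `tcpdump -w` writes)."""
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl

def online_filter(pcap, watch_ip):
    """Capture-time test: fixed-offset compare of the IPv4 src/dst fields, no deeper parsing."""
    want = bytes(int(o) for o in watch_ip.split("."))
    return [f for f in iter_records(pcap)
            if f[12:14] == b"\x08\x00" and want in (f[26:30], f[30:34])]

def reconstruct_streams(frames):
    """Offline pass: group TCP segments by 4-tuple and join payloads in sequence-number order."""
    streams = {}
    for f in frames:
        if f[23] != 6:                  # IPv4 protocol field: only TCP is reassembled here
            continue
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        tcp = f[14 + (f[14] & 0x0F) * 4:]           # skip Ethernet + IPv4 header (IHL)
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        doff = (tcp[12] >> 4) * 4
        streams.setdefault((src, sport, dst, dport), []).append((seq, tcp[doff:]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in streams.items()}

# Constructed sample: one HTTP request split across two out-of-order segments, plus an unrelated flow.
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("10.0.0.5", "192.0.2.7", 40000, 80, 6, b" HTTP/1.0"),
    ipv4_tcp_frame("10.0.0.9", "198.51.100.1", 40001, 25, 1, b"EHLO example"),
    ipv4_tcp_frame("10.0.0.5", "192.0.2.7", 40000, 80, 1, b"GET /"),
])
```

The online stage touches only two fixed byte offsets per frame, which is what makes it cheap enough to keep up with the link; everything that needs state (ordering, reassembly) runs afterwards over the stored records.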
