On Dec 12, 2013, at 10:29 AM, Richard Barnes <[email protected]> wrote:

> Maybe it's just me, but I consider a 100x cost increase significant. And I
> don't buy your assertion that you can do real-time, line-rate scanning and
> filtering with a $5k box. Otherwise routers wouldn't need ASICs.
$5K can easily handle 10 Gbps links on a single computer, with just a bit of hacking. You don't even need to do TCP stream reassembly, and there are trivial parallelizations. And if that's not fast enough, then add in a hardware load balancer in front to do tuple-distribution (those exist for the IDS application area, and are pretty simple, just a hash of the SRC/DST 2-tuple to rewrite the MAC address and toss at a switch), and use a $50K cluster. It's an insanely scalable problem, and there are off-the-shelf designs. Not to mention you can handle packet loss a lot easier on an on-path device rather than an in-path device, which is one of

And packet injection on backbone links is reality, with at least two major users:

Packet injection on backbone links is USED by the NSA. The NSA calls it QUANTUM.

Packet injection on backbone links is USED by China. We call it the "great firewall of China". They've only been using it for censorship to date that we know of, but it is downright trivial to turn it into an exploitation tool.

This is not rocket science, and it is not magic. Rather, the limitation of packet injection is the ability to place suitable hardware at suitable vantage points. The NSA has the ability to place their hardware throughout the world. Most other countries are limited to their national borders OR techniques they can install near the edge surreptitiously.

And all it takes is a SINGLE request which identifies the potential victim as a VALID target passing a SINGLE adversarial wiretap for this type of attack to be launched.

And, finally, don't underestimate the power of software running on commodity hardware: RouteBricks showed you can do 35 Gbps in software using Click on a single, 2 CPU, 4 cores/cpu server, back in 2009!

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]                full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
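The tuple-distribution scheme Weaver describes for an IDS cluster, worked through as an added example (not code from the post or from any product he mentions): each packet's source/destination pair is hashed order-independently so both directions of a flow reach the same sensor, and the resulting sensor index selects the destination MAC the balancer would rewrite before handing the frame to a switch. The packet list and sensor MACs are constructed sample values.

```python
import hashlib
import ipaddress

# Constructed sample packets (src, dst) on documentation prefixes; not from the post.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),
    ("198.51.100.5", "192.0.2.10"),   # reverse direction of the first flow
    ("192.0.2.11", "198.51.100.5"),
    ("203.0.113.7", "192.0.2.10"),
    ("192.0.2.10", "203.0.113.7"),    # reverse direction of the previous flow
]

# Constructed locally administered MACs, one per IDS sensor behind the switch.
SENSOR_MACS = ["02:00:00:00:00:%02x" % i for i in range(4)]

def flow_key(src, dst):
    """Order-independent 2-tuple: sort the packed addresses so that
    (src, dst) and (dst, src) produce the same key bytes."""
    a, b = sorted((ipaddress.ip_address(src).packed,
                   ipaddress.ip_address(dst).packed))
    return a + b

def sensor_index(src, dst, n_sensors):
    """Map a packet to a sensor in 0..n_sensors-1. A hardware balancer would
    use a cheap hash (e.g. a CRC); SHA-256 is used here only for clarity."""
    digest = hashlib.sha256(flow_key(src, dst)).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors

def rewrite_mac(src, dst):
    """Destination MAC the balancer writes so the switch delivers the frame
    to the sensor owning this flow."""
    return SENSOR_MACS[sensor_index(src, dst, len(SENSOR_MACS))]

def distribute(packets, n_sensors):
    """Bucket packets by sensor index, as the balancer would spread load."""
    buckets = {i: [] for i in range(n_sensors)}
    for src, dst in packets:
        buckets[sensor_index(src, dst, n_sensors)].append((src, dst))
    return buckets

def check_symmetry(packets, n_sensors):
    """True when both directions of every flow land on the same sensor,
    which is what lets each sensor see a connection without reassembly help."""
    return all(sensor_index(s, d, n_sensors) == sensor_index(d, s, n_sensors)
               for s, d in packets)
```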
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
