I wasn't even going to answer the absurd "hypothetical", but since it's now in play...

On Mon, 1 Sep 2003, Sunder wrote:

> In that case, I would suspect the ISP itself would have incoming/outgoing feeds from other ISPs.

Obviously, every ISP does.

> If that single moral objector ISP refuses to allow carnivores, the other, not quite as moral ISPs might be persuaded to allow it, in which case the fedZ get what they want, just one traceroute hop further up the chain. Perhaps not all of them, but perhaps enough of them... Duh!

Maybe I should have been clearer: the feds didn't show up at any of the small guys (AFAIK), such as the regionals or small nationals - they showed up at the large multinationals (of which the one I work at was likely the smallest, with a mere 48 countries of footprint). They clearly understood that sniffing my peering/transit pipes wasn't technically *possible* (yet) - what they were interested in was sniffing my regional POPs, with [relatively] low speed OC3/OC12 pipes. To rephrase it: they were interested in *my* customers, not the traffic from other companies (they had other field officers at the other NSPs).

> That's the thing about the internet - your packets must travel through other ISPs (unless you're communicating with other nodes hosted by that single ISP, which is unlikely).

It's a lot more likely than you seem to realize. The internet is a collection of aggregation points (ISPs): get the individual aggregations, and the rest is as visible as a reconstructed RAID5 stripe.

> From the fedZ point of view, you need not tap each and every single ISP. You can tap upstream, and still get the data without tipping off the target, or his moral objector friends at her ISP.

This type of thing certainly goes on, but not in the vacuum cleaner world of large pipes. This is only technically feasible for targeted investigations.

> At some point every ISP goes through MCI, Sprint, and AT&T, and don't forget the local (phone company) loops.

The loops are too far out on the edge to be useful for anyone but the loop owner themselves, and there are *way* too many [ever changing] paths out of any individual ASN - the aggregation point is where this kind of action *must* happen.

> Assuming that such a moral objector ISP would exist,

As I noted: much to my amazement, many do exist.

> it would be foolish to assume that it would provide much of a measure of protection against tapping cleartext transmissions. Hence, encryption is important. Want privacy and security? It's up to you to provide it: encrypt.

Agreed. Encryption, properly implemented and executed, is the only real path to privacy.

--
Yours,
J.A. Terranson
sysadmin@mfn.org

"Every living thing dies alone."
Donnie Darko