At 10:34 PM 11/19/00 -0500, Jim Dixon wrote:
A PC, using off-the-shelf HW, is capable of filtering a full 100 Mbps link (144K packets/sec) as demonstrated by the BlackICE products http://www.networkice.com/html/blackice_sentry.html
First, like any other manufacturer's claims, these should be treated with some skepticism.
Second, this is an intrusion detection system. I suspect that they are looking for something simpler than what Carnivore is trying to detect.
Run a raw tcpdump on a machine with 2 cpus, maybe filter online with something simple (like IP addr) and reconstruct offline. You're not analyzing on line, you're recognizing addresses and DMAing buffers which are flushed to nonvolitile storage. Re: monitoring an OC-XXX with overt access is just a matter of how much you can pay for fast electronics. Take a look at the Caida.org folks' work on monitoring backbones. Carnivore in its current state may well be a point-tool intended for leaf-node ISPs, but you can certainly extrapolate to Carnivore 2.0 for Gigabit Ether. "Just plug your boxes through ours and you'll be CALEA-compliant, and no more hassles from us.." An optical tap (essentially a fiber optic beamsplitter) would be fairly fail-safe to the ISP.
Third, even if you believe that they can really analyse data at 100 Mbps, this still doesn't give them the ability to handle more than one PoP with two DS3 connections. This is still orders of magnitude away from being able to handle a major site with multiple 2.5G connections, let alone all of the traffic handled by a major ISP.
The original claim was that Carnivore could monitor all of an ISP's traffic. This isn't true for most ISPs. And the amazing growth rates that we are seeing in bandwidth and network complexity make it exceedingly unlikely that Carnivore or anything like it will ever catch up.
Qwest deployed 14,000 miles of fibre some years ago. This was packaged as conduits carrying 48 fiber pairs, each pair using wave division multiplexing to carry 8 to 16 optical channels, with each channel running at 10 Gbps. That's 160 Gbps per fiber, 7,680 Gbps per conduit. Qwest is one of many carriers. 160 Gbps over a fiber pair isn't state of the art. Qwest has many conduits.
If a PC can monitor 100M of bandwidth, it would take, uhm, about seventy seven thousand PCs to monitor one of Qwest's conduits. Not that I believe that one PC can monitor traffic at 100 Mbps.
The overall capacity and the complexity of the Internet is increasing at an explosive rate. For better or for worse, this far exceeds the growth in any government's capability of monitoring Internet traffic.
-- Jim Dixon VBCnet GB Ltd http://www.vbc.net tel +44 117 929 1316 fax +44 117 927 2015