CDR: Re: Carnivore All-Consuming

Bill Stewart bill.stewart at pobox.com
Sun Nov 19 22:20:57 PST 2000


>On Sun, 19 Nov 2000, Steve Schear wrote:
>> A PC, using off-the-shelf HW, is capable of filtering a full 100 Mbps link 
>> (144K packets/sec) as demonstrated by the BlackICE products 
>> http://www.networkice.com/html/blackice_sentry.html

At 03:20 AM 11/20/00 +0000, Jim Dixon wrote:

>Third, even if you believe that they can really analyse data at 
>100 Mbps, this still doesn't give them the ability to handle more 
>than one PoP with two DS3 connections.  This is still orders of 
>magnitude away from being able to handle a major site with 
>multiple 2.5G connections, let alone all of the traffic handled by 
>a major ISP.
>The original claim was that Carnivore could monitor all of an ISP's 
>traffic.  This isn't true for most ISPs.  

Actually, "most" ISPs probably don't have more than two T3s or OC3s,
because most ISPs are the 5000+ little ones; many only have a few T1s.
But big ISPs are a different issue; any of the Tier 1 providers could
melt a Pentium box if they directed a moderate fraction
of their traffic at it.

The question is how the carnivores tell the ISP's network what
they're looking for, and how much cooperation they need from the ISP.
Most ISP traffic is probably web, not email, and the email that's
actually handled by ISPs (as opposed to just passing through)
is handled by big mail servers that could perhaps be told to
forward all mail for targeted accounts, since they need to do
that level of identification to handle the mail in the first place.

For email, the big player is of course AOL, followed by
specialized mail providers like iname.com, and the portal sites like 
Excite, Yahoo, and Hotmail, and a few ISPs like Earthlink/Mindspring.
(The business has gotten sufficiently specialized that I'm not sure
how many of those sites really provide their own service rather than
outsourcing to specialists.)   As with big ISPs, if they cooperate,
the job's possible, and if they don't it's pretty intractable.

If you know your target's IP address, it's a lot simpler -
get the routing protocols to shove their traffic your way
by advertising routes using OSPF, BGP, or whatever.

>Qwest deployed 14,000 miles of fibre some years ago.  This was
>packaged as conduits carrying 48 fiber pairs, each pair using 
>wave division multiplexing to carry 8 to 16 optical channels, with
>each channel running at 10 Gbps.  That's 160 Gbps per fiber, 
>7,680 Gbps per conduit.  Qwest is one of many carriers.  160 Gbps
>over a fiber pair isn't state of the art.  Qwest has many conduits.

They do have a nice _little_ network :-)  Actually, most of that fiber
isn't even lit yet, much less full, and much of their bandwidth 
isn't ISP traffic, it's private line sold to businesses or other ISPs.
The last AT&T marketing hype I saw placed us as #2, well behind UUNET.
The real bandwidth constraints are mainly the routers - most big ISPs
use Cisco 12000 GSRs or products from Juniper or other emerging competitors,
most of which like to call their products "terabit" routers
because they have reasonably large backplane capacity.

A totally different bandwidth segment is inside the big hosting centers -
Exodus, Globalcenter, etc.  Most of that's Gigabit Ether,
with various brands of switches and routers, and an amazing fraction
of their traffic stays in the building, between different colo customers.


				Thanks! 
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639