Subject: Re: new to crypto curiosity
From: Bill Stewart (bill.stewart pobox.com)
Date: Sat Sep 23 2000 - 02:47:37 CDT
- Next message: John Kedzie: "forgot to put this in my previous message"
- Previous message: Bill Stewart: "Re: more newbie ques (randomness, md5hash)"
- In reply to: Eric Murray: "Re: new to crypto curiosity"
- Next in thread: Marcus Watts: "Re: new to crypto curiosity"
- Reply: Bill Stewart: "Re: new to crypto curiosity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At 09:37 AM 9/19/00 -0700, Eric Murray wrote:
>On Tue, Sep 19, 2000 at 08:36:43PM +0800, Craig Raskin wrote:
>> Or even more interesting, based on the position of the Carnivore box
>> in the network, it could be used to take down an ISP's Internet
>> connection for national security reasons. Since Carnivore would have
>> to be installed in a choke point for it to be effective, all that
>> would be required is for the box to spoof the arp and/or routing
>> tables and the ISP goes down. QED
>
>I've written a short paper explaining why this is an unlikely use of
>Carnivore. It's at http://www.lne.com/ericm/papers/carnivore.html.
>
>The basic points that're relevant to this discussion:
>-large ISPs (even small ones) have multiple access points
>where they exchange traffic. Most have not designed their networks
>with Carnivore in mind, in fact their nets are usually designed to NOT
>have a central choke point as that's bad for performance.
Eric's points are much more convincing than Craig's.
There's certainly no "QED" to the conspiracy side of the discussion.
I have some minor quibbles with a few details in Eric's paper -
while you would have to kill the MAEs, the Tier 1 ISPs mainly connect
through private peering, and most of the smaller ISPs buy at least some
transit service from one or more bigger ISPs - so the interconnectedness
between ISPs is much higher than Eric's paper implies.

And as far as needing to attack "many different kinds of routers",
if you take out a couple of models of Cisco and maybe Lucent,
that's most of the core of most ISPs' Layer 3 services,
though there are a few manufacturers trying to crack the high end.
Some ISPs are switch-based, but they're tending to move toward
routers because there's more effort going into developing
big routers than big switches for the wide area, though the
hosting centers do lots of gigabit switches.

According to the testimony the FBI gave to Congress (with the
usual level of accuracy of non-technical bureaucrats lying to politicians :-),
the ISP sends the Carnivore box the traffic that might be the target's,
and the Carnivore box picks out the juicy parts. That doesn't mean that
each message is processed in series by the production system and Carnivore -
few ISPs could risk the service quality hit. Much more efficient to
let the Carnivore passively process traffic in parallel - and since some of it
is apparently derived from Ethernet packet sniffing products,
that's the obvious way to implement it.

That doesn't mean that transmitting lots of bogus BGP routes couldn't do
Bad Things to the Internet, like that small ISP a few years ago
that advertised that its T1 line was the best way to get anywhere on
the Internet. Most ISPs do a certain amount of self-protection against
bad routes, and some are developing technology to watch other ISPs and
make sure that other people aren't getting bad routes about them.

And Eric's point that ISPs would shut off boxes shipping bad traffic to them
is dead on, and if you're running a Conspiracy To Shut Down The Net
there are much easier and more effective places to locate your boxes,
and they're harder to find because the ISP wouldn't be paying as much
attention.
Thanks!
Bill
Bill Stewart, bill.stewart pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
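Bill's point that ISPs protect themselves against bad routes and watch whether other ISPs are getting bad routes about their prefixes, as an added illustration (example code written for this page, not from the thread or from any ISP's tooling): a small Python monitor that checks a batch of BGP announcements against an expected-origin table and a max-prefix threshold, catching both a foreign origin for an owned block (or a more-specific carved out of it) and an origin AS that suddenly claims far more prefixes than it should, the "my T1 is the best path to everywhere" failure. The prefixes, ASNs, announcements and threshold are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample policy: the prefixes "our" ISP is responsible for and
# the ASNs allowed to originate them (documentation ranges, not real data).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64501, 64502},
}
MAX_PREFIXES_PER_ORIGIN = 3  # constructed threshold; real limits are per peer

def origin_problems(announcement, expected=EXPECTED_ORIGINS):
    """Return (kind, owned_prefix) problems for one announcement.
    'wrong-origin': an owned prefix announced by an unexpected origin AS.
    'more-specific': a sub-prefix of an owned block from an unexpected AS;
    longest-prefix match means it would pull the traffic away from us.
    """
    prefix = ipaddress.ip_network(announcement["prefix"], strict=False)
    origin = announcement["as_path"][-1]  # origin AS is last in the path
    found = []
    for owned, allowed in expected.items():
        owned_net = ipaddress.ip_network(owned)
        if prefix.version != owned_net.version or origin in allowed:
            continue
        if prefix == owned_net:
            found.append(("wrong-origin", owned))
        elif prefix.subnet_of(owned_net):
            found.append(("more-specific", owned))
    return found

def audit(announcements, expected=EXPECTED_ORIGINS,
          max_prefixes=MAX_PREFIXES_PER_ORIGIN):
    """Flag bad routes about our prefixes and origins exceeding max-prefix."""
    routes, per_origin = {}, Counter()
    for a in announcements:
        per_origin[a["as_path"][-1]] += 1
        problems = origin_problems(a, expected)
        if problems:
            routes[a["prefix"]] = problems
    floods = {asn: n for asn, n in per_origin.items() if n > max_prefixes}
    return {"routes": routes, "floods": floods}

SAMPLE = [  # constructed announcements as seen from one peer
    {"prefix": "203.0.113.0/24", "as_path": [64510, 64500]},   # legitimate
    {"prefix": "203.0.113.0/24", "as_path": [64510, 64520]},   # wrong origin
    {"prefix": "198.51.100.128/25", "as_path": [64530]},       # more-specific
    {"prefix": "192.0.2.0/24", "as_path": [64530]},
    {"prefix": "192.0.2.0/25", "as_path": [64530]},
    {"prefix": "192.0.2.128/25", "as_path": [64530]},          # 64530 floods
]
```

Run `audit(SAMPLE)` to see the wrong-origin and more-specific hits under "routes" and AS 64530 under "floods"; in practice the expected-origin table would be populated from the ISP's own address assignments and the threshold set per peering session.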